Thursday, December 24, 2009

Citi: no hacker damage?

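Citi says it suffered no hacker damage.
 Citigroup issued a statement saying that reports that a hacker attack on a bank under its umbrella may have caused losses of tens of millions of dollars (billions of yen) are wrong.
 It had been reported that the FBI is investigating a hacker attack on a bank under the Citigroup umbrella.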

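According to the investigation so far, it is said to be the work of The Russian Business Network using Black Energy.
The method appears to be to direct a botnet and malware-infected PCs at Citi to attack it. Details are unknown.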

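In 2007 in New York, there was an incident in which 7-Eleven's servers were hit from Russia by an attack exploiting an SQL injection vulnerability, affecting access at 5,500 Citibank-branded ATMs, and a trial appears to be under way.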

In substance this is an international crime of theft, but I think the self-promotion yields far more.


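---Citi says no hacker damage; reports of losses are wrong---
2009/12/23 14:07 [Kyodo News]
http://www.47news.jp/CN/200912/CN2009122301000245.html

 [Washington, Kyodo] According to Dow Jones Newswires, U.S. financial giant Citigroup on the 22nd issued a statement saying that reports that a hacker attack on a bank under its umbrella may have caused losses of tens of millions of dollars (billions of yen) are wrong.
 The U.S. newspaper The Wall Street Journal had reported in its edition of the same date that the U.S. Federal Bureau of Investigation (FBI) is investigating a hacker attack on a bank under the Citigroup umbrella.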


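---Hackers break into U.S. Citi? FBI investigating, U.S. paper says---
2009.12.23 00:45
http://sankei.jp.msn.com/world/america/091223/amr0912230046001-n1.htm

 The U.S. newspaper The Wall Street Journal reported in its edition of the 22nd that the U.S. Federal Bureau of Investigation (FBI) is investigating a hacker attack on a bank under the umbrella of U.S. financial giant Citigroup. It is said to be linked to a Russian cybercrime group and may have caused losses of tens of millions of dollars (billions of yen).
 According to the report, it was discovered around the summer of this year, but the intrusion may have begun a year before that. The same hackers have also attempted to break into several systems, including those of a U.S. government agency.
 Citigroup denied any damage, telling the paper: "There have been multiple acts of interference against our systems, but none has led to an intrusion or a leak of customer information." (Kyodo)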


---Citi Denies Theft Report, Says Accounts Are Safe---
Bank Disputes Journal Article on Cyber Breach, Gives Employees a Memo to Help Respond to Clients' Questions
DECEMBER 23, 2009
By DAVID ENRICH
http://online.wsj.com/article/SB126152915252002233.html?mod=googlenews_wsj

Citigroup Inc. denied a report in The Wall Street Journal that federal authorities are investigating the theft of tens of millions of dollars from customer accounts by hackers, and sought to reassure clients that their funds are safe.

The New York financial company sent employees in U.S. bank branches a memo to help respond to questions. The moves came after The Wall Street Journal reported that the Federal Bureau of Investigation is probing a computer-security breach aimed at accounts of the company's Citibank unit.

It couldn't be learned how funds were stolen, whether through Citibank's systems or by other means. The breach could have involved a contractor that processes transactions for the U.S. financial institution. Investigators suspect that the theft was conducted by a well-known Russian cyber gang.

"Allegations reported today by The Wall Street Journal of a breach of Citi systems and associated losses are false," Citi said in a statement Tuesday. "Any allegation that the FBI is working on a case at Citigroup involving a breach of Citi systems resulting in tens of millions of dollars of losses is false. There has been no breach and there have been no associated losses." Citi added: "Occasionally, as with virtually all financial institutions, there are instances of fraud or breaches of third-party systems that result in our taking actions to protect our customers and Citi. However, contrary to the Wall Street Journal report today, there has been no breach of Citi's systems."

Citigroup officials fielded inquiries Tuesday from customers wondering whether their money was vulnerable due to the attack, according to people familiar with the matter.

The internal memo urged employees to respond to questions by assuring customers that "we take the security of our customers and systems very seriously," adding that Citi has "state-of-the-art processes to detect and prevent criminal activity."

Other large U.S.-based banks declined to comment on whether they have faced similar attacks. Experts said financial institutions are grappling with increasingly frequent attempts to pierce their technological defenses, often by hackers with ties to organized crime rings in Eastern Europe.

Such attacks can occur through breaches of internal bank systems; by accessing data through outside firms that process transactions for financial firms; or by infecting customers' computers to gain access to bank systems when customers log on to bank Web sites.

The shift of bank transactions to online channels from traditional branches is one source of the crime wave, said Steve Kenneally, vice president at the American Bankers Association, a bank trade group in Washington. "It creates a bigger threat," he said. "Bank robbers go where the money is. Banks recognize that."

Banks have been redoubling efforts to tighten security. Bank of America Corp. is offering online-banking customers a free, one-year version of antivirus software to install on their computers. "We're always taking steps to protect the safety and security of our systems," spokeswoman Tara Burke said Tuesday.
-Siobhan Gorman contributed to this article.


---FBI investigates cyber attack on Citigroup, WSJ reports---
The FBI is investigating a hacker attack that targeted Citigroup and resulted in the theft of tens of millions of dollars, The Wall Street Journal reported, but the bank denied its systems had been breached.
Reuters
Published: 7:02AM GMT 23 Dec 2009
http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/6870681/FBI-investigates-cyber-attack-on-Citigroup-WSJ-reports.html

"There has been no breach and there have been no associated losses," Citigroup said in a statement.

"Occasionally, as with virtually all financial institutions, there are instances of fraud or breaches of third-party systems that result in our taking actions to protect our customers and Citi," the bank added.

The cyber attack, believed to be linked to a Russian gang, was aimed at Citigroup's Citibank subsidiary, the Journal reported, citing unnamed government officials. It also said the hackers may have gained access to the bank's systems through third parties.

The attack on Citibank is believed to have taken place over the summer and was detected at that time, but investigators suspect it could have taken place up to a year earlier, the paper said.

Two other entities, including a US government agency, were also attacked by hackers, the paper said, citing people familiar with the Citibank incident.

FBI spokesman Richard Kolko declined to comment, saying it is agency policy to neither confirm nor deny whether investigations are in progress. A spokesman for the Department of Homeland Security also declined to comment.

The issue of computer hacking financial institutions has been a growing concern. And after months of searching, the White House said on Tuesday that President Barack Obama picked Howard Schmidt, a former eBay and Microsoft executive, to serve as the national cyber security coordinator.

Mr Schmidt is president of the Information Security Forum, a non-profit consortium of 300 large corporations and public-sector organizations working on cybersecurity issues. He also worked under US President George W. Bush on cyber issues.

The Wall Street Journal mentioned a Citibank customer who saw more than $1m removed from his account and sent to banks in Latvia and Ukraine. The bank helped him recover most of the money and reimbursed him for the rest, the newspaper reported, adding that it was not clear whether the incident was part of the larger attack on Citigroup.

In a statement, the bank said it was an isolated case of fraud.

Citigroup also said that attacks are directed against companies globally, and while there had been attempts to interfere with the bank's systems, none had been successful.

But Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, said, "I don't want to sound alarmist ... but the evidence is just overwhelming today that attacks are successful in many instances, particularly socially engineered attacks."


---FBI Probes Hack at Citibank---
Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach
DECEMBER 22, 2009
By SIOBHAN GORMAN and EVAN PEREZ
http://online.wsj.com/article/SB126145280820801177.html?mod=rss_Today%27s_Most_Popular

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The attack took aim at Citigroup's Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn't be learned whether the thieves gained access to Citibank's systems directly or through third parties.

The attack underscores the blurring of lines between criminal and national-security threats in cyber space. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.

The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment.

The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.

Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.

Last month, a federal indictment in Atlanta named eight alleged Russian and Eastern European hackers, most still at large, who prosecutors say broke into a U.S. unit of Royal Bank of Scotland in 2008 and stole $9 million from ATMs in 280 cities world-wide in a matter of hours. RBS cooperated with investigators and ensured that its customers were reimbursed.

Losses to online crime of all types exceeded $260 million in the U.S. last year, the FBI estimates. Attacks on corporations are "at an epidemic level," former White House cyber-security director Melissa Hathaway said recently.

U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank's largest depositors. Citibank said at the time that it was able to recover most of the money and that the attack didn't put customer funds at risk.

The new attack targeting Citibank highlights the growing sophistication and threat posed by overseas criminal networks. "There were a couple of days of struggling," said one person familiar with the attack. "There were some sophisticated elements that made it hard to block."

Among weapons the hackers used, according to people familiar with the case, was a small army of infected computers commanded by software called Black Energy. Hackers use Black Energy primarily to block access to Web sites. Somebody used it during Russia's brief 2008 war with Georgia to shut down Georgian government and bank Web sites. Someone also used it in 2007 to block government and bank Web sites in Estonia and to attack the Web site of a political foe of Vladimir Putin, then Russia's president and now its prime minister.

Black Energy was written by a Russian hacker who goes by the name Cr4sh, said Joe Stewart, a researcher for SecureWorks, a computer-security company. The software sells online for $40, according to Jose Nazario, a manager at Arbor Networks, which analyzes computer threats.

Black Energy can be upgraded to invade computer systems and snatch data. DigitalStakeout, a firm that monitors cyber attacks, found in April that Black Energy was being used with a tool that steals bank-account log-on information. The combination was being sold online for $700 as a package called the YES Exploit System, said DigitalStakeout's chief executive, Adam Mikrut.

Over the summer, Mr. Stewart said, he discovered that Cr4sh had developed a new version of Black Energy with an added feature that steals banking credentials. In the Citi attack, the software included a tailor-made feature designed to attack the bank, according to two people familiar with the incursion. The thieves stole an estimated tens of millions of dollars, according to three people familiar with the matter. It remains under investigation, and whether any of the money has been recovered couldn't be learned.

The migration of payments to the Internet, in combination with new bank systems that settle transactions the same day, "has enabled bank heists to occur in seconds from thousands of miles away," said Tom Kellermann, a former World Bank cyber-security official and now an executive at Core Security Technologies.

Robert Blanchard, co-owner of Bridge Metal Industries, a lighting company in Mount Vernon, N.Y., can attest to that.

At 3 a.m. on July 6, Mr. Blanchard tried to log on to his company's Citibank account but couldn't do so with his regular password and token code. He says he called Citibank and was told it would change his password and send him a new one by overnight mail. "I thought at that point I was safe," he says.

But he still couldn't get in. By the time he called his local bank branch to sort out the problem, he says, online thieves had sent $1,007,655 to banks in Latvia and Ukraine. "Even the bank can't act as quickly as these guys," Mr. Blanchard says.

It isn't clear whether the incident was part of the larger attack on Citibank.

Investigators discovered that a computer at Mr. Blanchard's lighting company had been infected by a computer at another company he co-owns. That one then dragooned his lighting-company computer into a group of computers used to attack others -- the same modus operandi as Black Energy's.

The software loaded on one of Mr. Blanchard's computers included a spyware program that logged the keystrokes he typed and could capture the data he used to sign on to his bank account, he says. He adds that after days of prodding, Citibank sleuths began working to help him recover $810,855 from the Latvian bank, and Citibank then gave him the remainder.

Asked about the Blanchard case, Citigroup said: "While we do not discuss customer details, the individual case described was an isolated incident of fraud. Consistent with legal requirements, our customers are not liable for any unauthorized use of their accounts."
-David Enrich contributed to this article.


---Report: Russian Gang Linked to Big Citibank Hack---
December 21, 2009 10:50 PM
By Owen Fletcher, IDG News Service
http://www.pcworld.com/businesscenter/article/185271/report_russian_gang_linked_to_big_citibank_hack.html

U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack, according to a news report.

The security breach at the major U.S. bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, The Wall Street Journal said Tuesday, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography and spam. The Federal Bureau of Investigation is probing the case, the report said.

It was not known whether the money had been recovered and a Citibank representative said the company had not had any system breach or losses, according to the report.

The report left unclear who the money was stolen from but said a program called Black Energy, designed by a Russian hacker, was one tool used in the attack. The tool can be used to command a botnet, or a large group of computers infected by malware and controlled by an attacker, in assaults meant to take down target Web sites. This year a modified version of the software appeared online that could steal banking information, and in the Citi attack a version tailored to target the bank was used, the Journal said.

The attackers also targeted a U.S. government agency and one other unnamed entity, the report said, adding that it was unknown if the attackers accessed Citibank systems directly or through other parties.


---7-Eleven Hack From Russia Led to ATM Looting in New York---
By Kevin Poulsen
December 21, 2009 5:03 pm
http://www.wired.com/threatlevel/2009/12/seven-eleven/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Flashback, early 2008: Citibank officials are witnessing a huge spike in fraudulent withdrawals from New York area ATMs - $180,000 is stolen from cash machines on the Upper East Side in just three days. After a stakeout, police arrest one man walking out of a bank with thousands of dollars in cash and 12 reprogrammed cards. A lucky traffic stop catches two more plunderers who’d driven in from Michigan. Another pair are arrested after trying to mug an undercover FBI agent on the street for a magstripe encoder. In the end, there are 10 arrests and at least $2 million dollars stolen.

The wellspring of the dramatic megaheist turns out to be more prosaic than imagined: It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com.

In his most-recent plea agreement, filed in court Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1” and “Hacker 2” in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.

The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”

At the time, there were 5,500 Citibank-branded ATMs at 7-Eleven stores around the country. According to SEC documents, 7-Eleven ran its own transaction-processing server to handle 2,000 of them: advanced models called Vcom machines, manufactured by NCR. The 7-Eleven Vcoms support special functions like bill payment, check cashing and money-order purchases. For two weeks in September 2007, anyone who typed a PIN in one of these was exposed.

Court records from the New York-area Citibank cases show how that single breach from Russia trickled over the internet and down to the streets of New York.

The first break in the case had its roots in a Jan. 30, 2008, traffic stop. Westchester County police pulled a car over for speeding on the Saw Mill River Parkway in Dobbs Ferry, New York. The driver, 21-year-old Nue Quni, was driving on a suspended license, so the officers decided to have the vehicle impounded. While they waited for the tow truck, they conducted a routine “inventory search” of the car.

Inside, police found $3,000 in cash, a laptop computer, a magstripe writer - which is used to reprogram cards - and 102 blank, white plastic cards. They also recovered receipts showing cash withdrawals from ATMs in Manhattan and the Bronx, and more showing wire transfers.

Facing federal access-device-fraud charges, the passenger in the car, 22-year-old Luma Bitti, began cooperating with the FBI. She explained that she was hired over the internet in December 2007 to program cards with the stolen information, then withdraw money from ATMs and wire it to other people. With Bitti’s consent, an FBI agent took over her IM and e-mail accounts, and began corresponding with the person who hired her.

The FBI arranged in April 2008 to meet the man in Manhattan, supposedly to provide him with a magstripe writer. An FBI agent, still posing as a fraudster, showed up at the meeting with a magstripe writer in hand.

But the man, who is identified in one court record by the initials “DK”, double-crossed the undercover agent, and sent two proxies in his place: 21-year-old Andrey Baranets and one Aleksandr Desevoh, according to an FBI affidavit. When the agent refused to hand over the magstripe writer, Desevoh took a swing at the agent, who ducked the blow and ran away.

The two men gave chase through the streets of Manhattan, before they were grabbed by other FBI agents who’d been watching the scene. In pleading guilty last February, Desevoh said DK had told him to “take this device using force.”

Federal prosecutors in New York had by then charged three more people in the ATM-cashing conspiracy, including 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, and 30-year-old Ivan Biltse.

In addition to looting Citibank accounts, Ryabinin had participated in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts, issued by St. Louis-based First Bank, in the fall of 2007. On Sept. 30 and Oct. 1 - just two days - the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in $5 million in losses.

At the time of the ATM capers, FBI and U.S. Secret Service agents had been investigating Ryabinin for his activities on Eastern European carder forums. Ryabinin used the same ICQ chat account to conduct criminal business, and to participate in amateur-radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by New York ATM cameras in the Citibank and iWire withdrawals, and determined it was the same man - right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer and $800,000 in cash - including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe-deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.

Two of the ATM scammers arrested by the FBI filled in the bureau on the details of the operation, explaining how, beginning in December 2007, they began working with a ringleader in Russia, who provided them with ATM account numbers and PINs. The deal was straightforward: They’d use the information to encode fraudulent ATM cards and withdraw cash, sending 70 percent of the take to the Russian and keeping 25 percent for themselves. Another 5 percent went for expenses.

The duo initially used Western Union money transfers to get cash to their boss in Russia, according to an FBI affidavit. Later, they exploited a relationship with 30-year-old Ilya Boruch, an “exchanger” for the site WebMoney, a PayPal-like internet-payment system.

Exchangers are normally legitimate businesspeople who swap cash for WebMoney’s internet currency. But according to the feds, Boruch had gone bad and become a money-laundering service for the Citibank ATM heists, transferring hundreds of thousands of dollars to the ringleader in Russia, without reporting the transactions to the government, as required by U.S. law.

Through his business, Bidding Expert, Boruch allegedly funneled as much as $80,000 to $100,000 a week on behalf of the two fraudsters, who delivered the cash to Boruch in person, sometimes by tossing envelopes into an open window in his car.

One of the FBI informants, identified as co-conspirator 1, or CC-1, in court documents, held this instant-message exchange with Boruch on Jan. 10, 2008, according to the FBI. (Punctuation is added).

CC-1: Need more wm [WebMoney] …

Boruch: How much?

CC-1: 60 [$60,000]

Boruch: Wow. OK. Listen, is everything OK?

CC-1: So far. Why?

Boruch: Well, you need so much wm! It’s just kinda strange

CC-1: We’re working

Boruch: OK. Drop it off all in 100s …

CC-1: When can the wm be ready?

Boruch: Don’t know

CC-1: Approximately

Boruch: If you pay an additional 0.5 percent then it’ll be ready tomorrow

CC-1: And if not?

Boruch: Then I don’t know. I can buy it from my people, but they’re expensive

Boruch was charged last year with conspiracy to launder money.

The final known arrests in New York came on May 8 of last year. Citibank noticed that a large number of the fraudulent withdrawals were coming through its 65th Street branch, prompting them to put the location under surveillance. When the Citibank official staking out the spot got a call alerting him to a theft in progress, he crossed the street to peer through the vestibule glass, and watched as a man in a baseball cap, jeans and a sports coat put a thick envelope into a briefcase and moved from one ATM to the next.

The official flagged down two nearby NYPD officers who’d already been briefed on the fraud, and the cops arrested 28-year-old Aleksandar Aleksiev. With his consent, they searched his bag and found six ATM-deposit envelopes stuffed with cash, and 12 blank cards with stickers on them and a different PIN code written on each.