US banks attacked, manipulated and left (heart)bleeding

  • Published
Security padlock on a keyboardImage source, Thinkstock

In April 2014 the cybersecurity world was rocked by the discovery of Heartbleed, the name given to a vulnerability found in one of the systems we use to securely communicate over the internet.

At the time, as is often the case with new vulnerabilities, we had no handle on how widely it had been exploited - if at all.

In this hack - which investigators are calling the largest theft of consumer data from financial institutions ever - the Heartbleed bug was exploited to gain access to "Victim 2", an as-yet unnamed financial firm headquartered in Boston.

But it's just one angle to this enormous attack.

The real damage appears to have been done with some social engineering, executed in a way that shows just how difficult it is to defend against determined cybercriminals.

According to investigators, hackers gained access to various networks belonging to JP Morgan and six other financial institutions, scraping personal data they would then use to manipulate stock prices.

Other hacks targeted financial news organisations.

The three indicted men - Israelis Gery Shalon and Ziv Orenstein and American Joshua Samuel Aaron - were conducting "security fraud on steroids", prosecutors say.

Another man, Anthony Murgio, was charged over running an illicit operation trading virtual currency Bitcoin.

Targeted mail

This is how prosecutors say they did it.

The hacking technique often involved using legitimate accounts belonging to Joshua Aaron.

Using this legitimate access, as if Mr Aaron was a normal customer, paved the way for the hackers to gain access to networks and systems containing reams of data about other customers - people who were investing in stocks.

Over the course of several years, they stole personal data on more than 100m people.

The hackers didn't access bank details. They didn't need nor want them.

Investigators said the hackers used the personal details to send out information to bosses' email addresses, promoting certain stocks that hackers had bought cheaply. The price would rise, and the hackers would then sell off their now very valuable shares.

It's a technique known as "pump and dump".

Suspicion

Could the banks have done more? It's hard to say.

There was at least one instance when one firm noticed something was a bit amiss - but wasn't able to stop it.

The hackers were said to be using a remote server in Egypt to access the network of "Victim 3" - a financial services firm based in Omaha, Nebraska.

The remote server, which covered the accused's real location, was used to log in to Mr Aaron's account with Victim 3.

When info-security staff at the firm noticed the odd sign-in location, it locked Mr Aaron's account. Good security practice.

But, according to the court papers: "Aaron called Victim 3 and, upon being notified that his account had been locked and asked by a customer service representative whether Aaron had been traveling in Egypt in March 2014, Aaron lied to the representative, and claimed that he had been in Egypt.

"In truth and in fact, and as Aaron well knew, Aaron had not been in Egypt and was merely attempting to convince Victim 3 to allow Aaron and his co-conspirators to access Aaron's account online in furtherance of their efforts to hack into Victim 3."

For banks - indeed any big company online - there's a constant balance between making a system as secure as possible, but not locking it down so much that its frustrating for normal customers to use.

Enterprise

Investigators have called it the largest theft of consumer data from financial institutions ever.

But that's not all these men are accused of doing.

According to the court papers, the men were involved in a bingo card's-worth of online crime.

As well as the stock manipulation, and running a Bitcoin trading platform to help launder the cash, the men were said to be running illegal online casinos, selling fake antivirus software and - that age old internet scam - offering the purchase of pharmaceuticals.

All of this added up to an alleged haul of $100m, kept in bank accounts in Switzerland.

Follow Dave Lee on Twitter @DaveLeeBBC, external