The story of the investigation into the failed multi-million pound cyberheist at Sumitomo Bank can finally be told, following the recent conviction and sentencing of its perpetrators. The audacious Mission Impossible-style scam, which brought a pair of hackers and a bent insider together with other fraudsters, sought to spirit …
iOpus Starr *is* malware
"The use of legitimate technology meant the software was not picked up by anti-virus scanners."
It's not legitimate technology if you don't want it. What scanners will pick up this crap?
Doesn't seem that hard..
I think I could do a better job than they did. No need to be a computer expert, just be reasonably competent.
Black heli and anon just in case I decide to do it better than them.
Insert witty title here
Still using the word "Cyber" are we? Feels like 1985 all over again.
Paris because she cyber Paris something cyber something something Paris.
Spot the difference?
OK, full marks to the Police team for diligence and tenacity rarely seen in their usual blunderings.
However, herein lies the evidence of the difference between Police attitudes to crimes against corporate bodies and those against typical members of Joe Public - who may well be the victims of corporate crime, but happily ignored.
"Oi Vey, money talks, my boy"
Interesting. And it has an IT angle for a change...
This appears to be a good example of excellent old school detective work. So there was, after all, no need for a DNA database or a fingerprint register; it is good to know that there still are detectives who can do a proper job without excuses pointing at technological solutions. The cameras were used, yes, but this could have been done even in countries where the detectives would have had to request a court order for viewing old recordings...
So good stuff - our government should take note - no need at all for a database including the whole DNA database of the population.
There to play cards?
"When challenged by other workers, O'Donoghue claimed the pair were there only for a card game."
Why didn't the other workers report this? Since when is inviting your buddies over to your work place to play cards acceptable behaviour?
And the moral is
Even the best IT security is useless if the bad guys can gain physical access to sensitive equipment.
... the banks weren't so quick off the mark when it came to their own directors contributing to a 'loss' of £20 bastard billion. These crims didn't get away with a red cent but get banged up. The banks (although not AFAIA, Sumitomo) even rewarded their directors for the rip-off.
But don't get me started...
14 bods over 2 years
No wonder they couldn't investigate Phorm then.
Now how many UK (not the UK arm of a foreign bank) banks would actually have noticed something had been tried?
How many UK banks would have reported it if they had?
How many UK banks would have written off the loss if it worked as "It would undermine confidence in the banking system if we were known to have been taken"
There is a UL of a small merchant bank in the City of London where over time one operator was given all necessary keys to run SWIFT transfers. One Friday morning his fellow operator called in sick. The bank's entire cash base hinged on one man's integrity, whether he had any offshore bank accounts and a valid passport. It held that time. But you've got to wonder: has it ever failed?
I presume the security expert had admin access. Even in my place we have strict GPO along with a whitelist of executables. If anything other than the whitelist is executed on the machines then this flags up on our monitoring - easy to spot in an investigation!
@AC iOpus Starr *is* malware
Umm... I don't use (and therefore don't want) IE.
By your definition this is malware and all computers running Windows are infected?
Virus scanners report malware and viruses, not legitimately installed software...
If you started tagging all legitimately installed software as a virus or malware then you'd only serve to put people in a position where they are told it's OK to ignore the messages from the virus scanner because it's probably OK, just another false positive, something that you need on there...
They should've just hypnotised the manager to open up the safe when told a magic phrase.
My money talks:- it says "Goodbye".
Mine's the one with the poem on the back:-
"Whack a Jacqui a day
Keep the miseries away"
Repeat after me...
Repeat after me: "there is no such thing as a legitimate key logger".
Fail and get slap on wrist, succeed and take £229m - Worth a go innit!
4 years in prison for failing to nick £229m? Barely a slap on the wrists and hardly a deterrent is it!! Hmmm, fail and get 4yrs in prison, succeed and walk with £229 Million !!! Sounds like a risk worth taking to many a crook!
COTS software and security
I'm impressed that an international money transfer system that can shift billions around the world works using just username and password (no two factor authentication?) over a WEBSITE, and that the bank's staff just use bog standard Windows boxes (not even locked down enough to prevent or detect the installation of unauthorised apps!) to access this.
This bank almost deserved to get ripped off, and then go down when its customers played hell and withdrew their funds!
Formatting the PCs was daft
Evidently there's no time to properly format them either.
Why did they not just remove the hard disks and then dispose of them afterwards?
Also - I think using a key-logger is a bit high-tech isn't it?
Most places I've worked, you'd be able to find those usernames/passwords on post-it notes and the backs of notepads on the users' desks.
Not a police win, more a crime loss
Looks like a bad bodge job to me...
"Security supervisor Kevin O'Donoghue" needed to spend 5 mins looking at how to fill in the form properly and he'd have had millions!
Paris, because only she would manage the same error.
Passwords are proved to be the most secure form of auth, cripes, when will people running stuff as important as this wake up?
General Sir Kevin O'Donoghue is it? I mean that would explain why he needs the money- it'd help pay for those F-35Bs he's just bought!
Of all the names in the known universe, that's an odd one to crop up twice in a day on a single website. Within a couple of hours of each other.
Anyways, well done Police! Actually detecting and spending time on things rather than just saying "Meh, I wish we had a DNA database. Then we could catch them all".
Malware vs Greyware
I suggest that the issue here is perhaps that the anti-virus software was not set to detect Spyware/Greyware, but only known Malware (i.e. containing a pattern matched to a known virus signature).
I have seen a number of organisations where the 'Greyware' option was switched off. Common arguments include 'user privacy', 'too many false alerts', 'poor performance'.
Common results when switching it on include detection of lots of interesting software installed on IT department PCs...
".. staff subjected to .. robust questioning."
Were they sent to Guantanamo for a bit of water-boarding or stress positioning?
Playmobil reenactment, or it never happened!
Re: COTS software and security
SWIFT transfers are not executed through a website. Banks generally use terminal software. In the bank I had the pleasure of working for a significant period of time (a prominent British bank), several operators could use the terminal software, but it still required approval from supervisors in the treasury department to execute the transfer.
Hence the crims needed a "normal" user and a "supervisor" to execute the SWIFT transfers. And if everything's not perfectly in order, SWIFT won't accept the transfer and will flag it up.
If you think that counter staff in a local branch are allowed to execute SWIFT transfers via Intranet sites, think again. Their requests are only queued and only executed once the written signature of the transferrer (the person requesting the transfer, i.e. the customer) is received (via scan or other managerial approval). They tend to go into batches anyway and a batch is executed.
It's not all just username and password. If it was, a LOT of people would be tempted to "just do it" and simply not come back to work that afternoon...
"Afghanistan Bananistan "
Nice. I love that film
Please don't call them hackers. They've done nothing to deserve the term. It was a clever, if botched, high-tech theft. But installing a commercial key logger hardly qualifies as hacking.
Having worked in UK finance (banks/pensions and finance companies) for well over 10 years, I have never seen a system that uses the internet to make payments, I have however seen various intranet hosted terminal apps.
Payments _always_ require to be authorised, so no single person can make a payment. This is two factor authentication; just because there isn't an RSA tag involved doesn't mean to say it isn't two factor. The systems that make these payments were almost certainly around before RSA tags were an option.
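The maker/checker rule that the two comments above describe (an operator keys the instruction, a separate supervisor approves it, nothing leaves the queue unapproved), modelled as an added example. This is an editor's illustration, not code from the thread, from the banks mentioned or from SWIFT; the role names, the "approval must come from a different workstation" rule and the sample user and reference names are assumptions made here. The workstation rule is included because, as the article shows, stolen operator and supervisor credentials replayed from one seat satisfy a plain two-account check; forcing the second sign-off onto a different terminal makes that harder to do unnoticed.

```python
"""Maker/checker (four-eyes) control on payment instructions (added example)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Set


class ControlViolation(Exception):
    """Raised when an action would break segregation of duties."""


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: Set[str]        # e.g. {"operator"} or {"operator", "supervisor"}
    workstation: str       # hostname the session was established from


@dataclass
class Instruction:
    ref: str
    amount: Decimal
    beneficiary: str
    maker: Optional[str] = None
    maker_ws: Optional[str] = None
    checker: Optional[str] = None
    state: str = "draft"   # draft -> pending -> approved -> released


class PaymentQueue:
    def __init__(self) -> None:
        self.items: Dict[str, Instruction] = {}

    def create(self, s: Session, ref: str, amount: str, beneficiary: str) -> Instruction:
        """An operator keys an instruction; it is only ever 'pending' at this point."""
        if "operator" not in s.roles:
            raise ControlViolation("only operators may key instructions")
        value = Decimal(amount)
        if value <= 0:
            raise ControlViolation("amount must be positive")
        ins = Instruction(ref, value, beneficiary, maker=s.user_id,
                          maker_ws=s.workstation, state="pending")
        self.items[ref] = ins
        return ins

    def approve(self, s: Session, ref: str) -> Instruction:
        """A different user, holding the supervisor role, on a different seat."""
        ins = self.items[ref]
        if ins.state != "pending":
            raise ControlViolation(f"{ref} is {ins.state}, not pending")
        if "supervisor" not in s.roles:
            raise ControlViolation("approval requires the supervisor role")
        if s.user_id == ins.maker:
            raise ControlViolation("maker may not approve their own instruction")
        if s.workstation == ins.maker_ws:   # assumption made for this example
            raise ControlViolation("approval must come from a different workstation")
        ins.checker = s.user_id
        ins.state = "approved"
        return ins

    def release_batch(self) -> List[Instruction]:
        """Only approved instructions leave the queue; pending ones never do."""
        batch = [i for i in self.items.values() if i.state == "approved"]
        for i in batch:
            i.state = "released"
        return batch


if __name__ == "__main__":
    q = PaymentQueue()
    alice = Session("alice", {"operator"}, "WS-01")
    bob = Session("bob", {"operator", "supervisor"}, "WS-02")
    q.create(alice, "P1", "229000000", "constructed beneficiary")
    for who in (alice, Session("bob", bob.roles, "WS-01")):
        try:
            q.approve(who, "P1")
        except ControlViolation as e:
            print("blocked:", e)
    print("released:", [i.ref for i in (q.approve(bob, "P1"), *q.release_batch())])
```

The demo shows the two interesting refusals: the maker approving her own instruction, and the supervisor account approving from the maker's own terminal. Note what the model does not catch: a genuine supervisor account used by a thief on a second terminal looks exactly like a legitimate approval, which is why the posters' "two people" control is a segregation-of-duties measure rather than a second authentication factor.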
at the risk of being a pedant...
...it seems to me that it wasn't "the police" that busted UK's biggest cybercrime case, it was the bank itself. Am I misunderstanding?
Can El Reg clarify who exactly it is that employs our smiling friend in the photo on the first page - Sumitomo Bank, Sumitomo's consultants, or the police? The article says that he *used* to be employed by the state.
Also: IME, police forces outside London are often not interested or skilled enough to prosecute a range of frauds, regardless of who they happen to. One of the ways companies are able to still get their frauds seen to (which is rare, but that's a different story) is by having private investigators put together what is essentially a "ready-made" package of evidence statements etc for the cops to look at and hopefully make arrests on. This is obviously an avenue open to ordinary punters too, but it's easier if your boss is the Chief Inspector's old golf buddy or you employ 300 people in the town etc.
Makes me wonder how much does get pinched by more intelligent outfits. No wonder the banks are in trouble, lending us more than we can repay and at the same time charging us plenty for covering incidents like this.
In light of recent events...
I'd say this isn't the biggest crime to have been committed in the City of London. £200-odd million is chicken feed in comparison to the billions lost in 'legitimate' business, pension swindles and extravagant bonuses. They could do a lot worse than having the odd 'cyber criminal' fleecing them once in a while rather than their own employees.
Mine's the one with the taxpayer funded golden parachute on the back
"Hackers my arse", as Jim Royle would say.
Real hackers don't screw up big time like these guys. If they wanted to leave no trace of their passing they would have done, but they were so incompetent they left a readily available key-logger on the machines. Numpties!
They should have been sentenced to 30 years, just for being so useless!!
Always wondered if anyone would finally cotton on to trying to use the Swift system to rake out cash in a similar method to the Richard Pryor character in Superman 3. A penny here a penny there, soon adds up.
Moral is as usual, the security is only as good as the weakest link, usually the link with the bony fingers sitting in front of the keyboard!
Laptop and Ponytail
I can't believe the good people of The Reg missed the comedy gold of Laptop and Ponytail. It sounds like the set up for a multi-million dollar publishing industry spanning seven thick popular novels.
If you ever cover this again, please mention Messrs Laptop and Ponytail in the title so that I will know to read it.
7 - 14 officers over 2 years
All fine work, but I wonder how much manpower and resources would have been devoted to a murder or rape investigation. Seems the justice system always puts extra effort (and usually longer prison sentences) into solving cases where there's money involved.
How were they able to install the keylogger?
How were they able to install the keystroke logging software on the machines? Presumably these were machines running some flavor of Windows. (or perhaps xNIX) Even the laxest security policy should require a company's workstations to 'lock' the screen after some timeout period, and 'normal' users shouldn't have admin rights. And/or if some flavor of Linux or Unix, the root passwords should be unknown. So how was it done? A pw reset disk would work with Windows, if you could boot off of media on restarting the workstations, but this too could/should have been locked out on these, and while somewhat trivial to bypass, it would have required much more of a time investment. So despite a traitorous security guard, just how lax was the internal security to allow installation of a keylogger? You can of course get the type that plug between a keyboard and the workstation, and some are quite small, but the article says software was used. So how was this accomplished? Inquiring minds want to know...
not detecting legitimate technology
"Returning to work after the weekend break, Sumitomo staff noticed that PCs had been tampered with"
"The use of legitimate technology meant the software was not picked up by anti-virus scanners. And there was no traffic going into or out of the network so it couldn't be detected that way"
This doesn't make technological sense. The ability to install any software meant the so-called anti-virus scanners failed, as demonstrated by the Conficker infestation. And if the bank is relying on 'anti-virus scanners' to protect the network it begs the question as to the quality of security at the bank.
@The Fuzzy Wotnot
"to rake out cash in a similar method to the Richard Pryor character in Superman 3."
I haven't thought of that in years. Robert Vaughn saying how dare the Colombians disrupt a free market, after he'd cornered it.
It's called a salami fraud. SWIFT, IIRC, was restricted to transfers quite a lot above that. When I last looked at the system it was about £15k minimum, but I imagine it's gone up.
Salami frauds are (AFAIK) only really possible with computerised accounting systems. You might use a SWIFT transfer to get the money out of the company once it had accumulated in a holding account, but not to remove less than pennies per transaction.
Mine will be the one with the half eaten sandwich of dry processed meat products in.
WTF is a "digital fingerprint"
Sure "digital fingerprint" sounds convincing, but El Reg is a technical publication. Since it seems unlikely that the PCs did a MD5 hash of every inserted USB stick, did they mean nothing more than the "make, model and serial number" of the USB stick?
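For what "make, model and serial number" of a USB stick actually looks like on a Windows box, here is an added example (editor's illustration, not from the article or the thread). Windows records each USB mass-storage device it installs under a USBSTOR device instance path carrying the vendor, product, revision and the serial the stick reports, and setupapi.dev.log notes the time the install section started; the same instance path survives in the registry under Enum\USBSTOR. The log lines below are constructed in that style, and every vendor, product and serial in them is made up.

```python
"""Extract USB mass-storage identifiers from setupapi.dev.log-style lines
(added example; sample lines are constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Device instance path as Windows writes it for USB mass storage:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance>
USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\]\s]+)",
    re.IGNORECASE,
)
SECTION_START_RE = re.compile(r">>>\s+Section start\s+(\S+ \S+)")


@dataclass(frozen=True)
class UsbDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    unique_serial: bool      # False when Windows had to synthesise the ID
    first_seen: Optional[str]


def parse_instance(instance: str) -> Tuple[str, bool]:
    """Split '<serial>&<port>' and decide whether the serial is a real one.

    When a device reports no serial number, Windows generates an instance ID
    whose second character is '&' (e.g. '7&2a1b3c4d&0').  Such IDs depend on
    the port and machine, so they do not identify a specific stick."""
    serial, sep, _ = instance.rpartition("&")
    if not sep:
        serial = instance
    return serial, len(serial) > 1 and serial[1] != "&"


def parse_setupapi(lines: List[str]) -> List[UsbDevice]:
    """Pair each USBSTOR install line with the 'Section start' timestamp after it."""
    devices: List[UsbDevice] = []
    pending = None
    for line in lines:
        m = USBSTOR_RE.search(line)
        if m:
            serial, unique = parse_instance(m["instance"])
            pending = (m["vendor"], m["product"], m["rev"], serial, unique)
            continue
        m = SECTION_START_RE.match(line)
        if m and pending:
            devices.append(UsbDevice(*pending, first_seen=m.group(1)))
            pending = None
    if pending:
        devices.append(UsbDevice(*pending, first_seen=None))
    return devices


# Constructed sample log: one stick with a real serial, one generic stick
# without (Windows made up the '7&...' instance ID for it).
SAMPLE_LOG = [
    ">>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B1A2B3C4D5E6F&0]",
    ">>>  Section start 2009/03/27 21:14:07.281",
    "     dvi: {Build Driver List} 21:14:07.296",
    "<<<  Section end 2009/03/27 21:14:09.531",
    ">>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2A1B3C4D&0]",
    ">>>  Section start 2009/03/28 02:40:51.007",
]

if __name__ == "__main__":
    for d in parse_setupapi(SAMPLE_LOG):
        tag = "unique" if d.unique_serial else "windows-generated"
        print(f"{d.first_seen}  {d.vendor} {d.product} rev {d.revision}  serial {d.serial} ({tag})")
```

The first record is the kind of "digital fingerprint" an investigator can match against a seized stick; the second is not, and a report that leans on a `7&...` style ID as if it were a serial number is overstating what the log proves. Nothing here hashes the stick's contents, which is the distinction the comment above is asking about.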