back to article Hackers steal €500k in lightning bank raids

Attackers have pulled off a lucrative lightning raid on a single beleaguered bank stealing half a million euros in a week, Kaspersky researchers say. The crims stole between €17,000 and €39,000 from each of 190 Italian and Turkish bank accounts, with a single continuous attack. Man-in-the-middle attackers used stolen bank …

COMMENTS

This topic is closed for new posts.
  1. Neoc
    Coat

    I guess someone ran out of Luuuk.

    1. LarsG

      Yes but then it is up to the customer to prove they have not been negligent in revealing their passwords.

      The presumption of course is that the bank is not at fault.

  2. Alienrat

    But..

    Why don't they take the money back? For money to transfer out of a bank account surely it has to go somewhere? Its not like it is bitcoins or something so cant they just go to that account and say transfer back?

    Would it not be the same as breaking into a bank with a gun and asking them to transfer all the money to your account?

    On the plus side, if these are Italian banks, then people are already used to the government doing the same thing, so it isn't that much of a shock.

    1. MikeOxlong

      Money Flow

      It went from Compromised banking details on computer,

      nefarious rapscallions take the details and via online banking, transfer large wire payment to mule account. (This is tracked)

      Lowlife criminal, with bank card for mule account, goes and takes cash from ATM's over the course of a week.

      You are left with a mule account, (setup with fake details maybe?) with no money in, and some blurry non identifiable images of a person who even if you can identify him, doesn't have the money anyway as he's western union, money transferred it, "clean" to his overlords.

  3. Khaptain Silver badge

    Mule Accounts ???

    Those mule accounts were created by someone at some point in time, who.

    Also, ATM transactions are usually limited to a certain amount per month, so how on earth did they manage to pull out 1/2 Million so quickyl. That equates to a hell of a lot of ATM transactions and a lot of ATM cards.

    ATM machine have cameras in them, or were they switched off.

    Don't the banks have automatic alerts when certain machine are put into overuse ?

    Questions, questions, questions.... Something doesn't quite add up here, either the bansk are incredibly stupid or they had inside help.

    1. MikeOxlong

      Re: Mule Accounts ???

      Buy cheap second hand nondescript push bike.

      put in back of car,

      park near to town center around 11pm.

      Ride bike with cycling gear including helmet and glasses.

      Or wear a hoodie and a baseball cap

      With your 6 bank cards for 6 accounts, go and visit each banks terminal over the course of 45 minutes.

      6 banks Maximum withdrawl of £300 per bank = £1,800.

      Go and sit in a bar, drink a soft drink. chill out.

      Wait for midnight.

      Go round the cash machines again (maybe change clothes?) in 45 minutes.

      Another £1,800.

      So thats

      £3,600 for Monday / Tuesday.

      £3,600 Wednesday / Thursday

      £3,600 Friday / Sat

      £1,800 for Sunday.

      £12,600 per week on a small scale in one town, with one person and the minimum amount of time used.

      Trustworthy mules get more accounts to control. + a larger cut.

      Erm, Do I know entirely too much about this?

    2. fandom

      Re: Mule Accounts ???

      You have probably received spam with a job offer from a company that needs to move money between countries.

      The people that respond are the mule accounts owners and they get arrested all the time, I think it's been three already in my home town.

  4. Anonymous Coward
    WTF?

    WTF?

    Where the hell were the automatic systems to detect fraud?

    If I started pulling 10+k out of my account via ATM, I'd sure as hell would like them to suspend the payments, and as pointed out, is there no daily limit on these withdraws?

    This just makes no sense, unless these banks are either incompetent or corrupt and in on the act.

  5. Lionel Baden

    goto a casino

    I saw a ATM happy to spit out £2000 I think £200 was the minimum, cant remember the maximum amount

    i had to enter other amount, as i only wanted to get a drink !!!

  6. Anonymous Coward
    Anonymous Coward

    We know from the Reg last year that two-factor isn't enough any more...

    So how long will it take banks to play catch-up and give us custom 3 factor authentication?

    http://www.bbc.co.uk/news/technology-28004193

    1. Peter2 Silver badge

      Re: We know from the Reg last year that two-factor isn't enough any more...

      You could implement a half decent security system easily and cheaply if you wanted to along the lines of Phonefactor (now Azure Multifactor)

      You make an attempt to withdraw money from your account (eg, ATM) your phone then gets a telephone call with a automated message from the bank saying:-

      "There has been a request to withdraw <amount> from your account via <method>. To allow this request, please press #. Alternately, if this request was not initiated by you, please dial 999 and we will temporarily lock your account and begin a fraud investigation."

      If you do the authentication on your phone, the money comes out. If not, it doesn't. Easily accessible, since virtually everybody has a mobile, and impenetrable short of having your bank card, PIN and mobile stolen similtaniously and used before getting either your mobile or your bank account disabled.

  7. batfastad

    Bitcoi... eh?

    And this is the problem with dodgy cryptocurrencies. People setting up "banks" promising the security of a bank with the security budget and expertise of a packet of peanuts.

    Wait, what, this isn't...? Oh.

  8. Pascal Monett Silver badge

    Wait a minute

    This attack lasted an entire week and it takes a Kaspersky to find out about it ?

    What were the analysts doing in the bank, twiddling their thumbs ? Weren't there any red flags raised about suspicious or unusual activity ?

    Or is a loss of half a million euros too little to worry about for a bank ?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020