Keyloggers Foiled In Attempted $423 Million Bank Heist

British authorities stymied a massive bank heist that reportedly was dependent on a keylogger, the same kind of spyware that has jumped three-fold in the last year and puts consumers at risk from hackers and phishers.

According to reports in the British media from the BBC and the Financial Times, among others, the scheme was set to steal 220 million pounds ($423 million) from the London offices of the Japanese bank Sumitomo Mitsui. The National Hi-Tech Crime Unit (NHTCU), the country's cyber-cops, began investigating last October after the bank discovered that hackers had infiltrated its network and were using a keylogger to capture keystrokes.

Keyloggers, a type of spyware, are used by hackers and, increasingly, by phishers to snatch users' account information--such as log-in names and passwords--and to grab other lucrative data, including credit card numbers.

Police arrested an Israeli man, identified as Yeron Bolondi, 32, in Israel after an attempt was made to transfer 13.9 million pounds ($26.8 million) into an account there. All told, the gang was planning to transfer the $423 million to 10 different bank accounts, said police.

Bolondi appeared in a Tel Aviv district court early Thursday, and was charged with attempted money laundering and deception. He will be kept in custody for at least a week as police continue their investigation.

If it had been successful, the robbery would have dwarfed Britain's previous record, the armed theft of 26 million pounds ($50 million) from Belfast's Northern Bank in December, a crime thought to have been conducted by the IRA.

The NHTCU would not confirm whether the keylogger was planted by an inside accomplice, or inserted by hackers working outside the bank's network.

"From what we know from our SpyAudit data, there's a good chance this wasn't even a planned attack," said Richard Stiennon, the vice president of threat research for Boulder, Colo.-based anti-spyware vendor Webroot.

According to Webroot's SpyAudit, a free spyware auditing tool it makes available on its own site as well as to EarthLink subscribers, 15 percent of enterprise PCs tested already have a keylogger installed.

"They could've gotten a keylogger onto the bank's network by tricking an employee [in a phishing-style scam] or walking into the bank and sitting at an employee's terminal," said Stiennon. "But why Sumitomo? Why not a bigger bank, like Barclays? It may be because they broke into the network another way and only then noticed that a machine was already infected with a keylogger.

"It reminds me of how Microsoft was hacked back in 2004, when a Microsoft developer's home computer led the hackers into Microsoft. The same thing may have happened here, where the thieves recognized that they'd hit the mother lode by stumbling across the keylogger-infected system."

Keylogger infections have exploded in the last year. British security firm Sophos said that the number of keyloggers it's spotting daily has jumped three-fold in the past 12 months.

"It all comes back to this ongoing trend of more and more malicious code being developed with keyloggers," said Gregg Mastora, a senior security analyst with Sophos. Criminals have pushed especially hard the last three to four months. "Clearly, [they've] upped their efforts online," he added. "A keystroke logger is just like a thief looking over your shoulder as you type in your PIN at the ATM. Except in this case, you never leave the 'security' of your own home, and neither does the thief."

Webroot's numbers are a bit more conservative, said Stiennon, but still show a big jump in keyloggers. Its audit reports, he said, have shown a doubling of keylogger prevalence on PCs, from about 8 percent 12 months ago to 15 percent today.

Both Stiennon and Mastora warned that the foiled robbery in Britain should be a wake-up call to everyone.

"A good percentage of the online community continues to put themselves at risk by accessing the Internet while being unprotected by up-to-date protection software," said Mastora.

"I think this is just the tip of the iceberg," said Stiennon. "When you hear of a bank foiling an attempt, it's almost always the case that [successful] hacks have already occurred."
