I’ve written here a couple of times before about a trend that has become apparent in worm, virus, and other malware attacks: whereas they were once most like vandalism, they are now serious (criminal) business. The attacks are often targeted at specific organizations or individuals, with the aim of stealing credentials that can be used for further mischief.
A new article on the “Threat Level” blog at Wired is another example of this development. It describes how an international group of crooks, apparently assembled ad hoc via the Internet, carried out a chain of operations to net more than $2 million stolen from Citibank ATMs. The article is full of interesting details, but the key sequence of events went something like this:
- Two Russian hackers attacked the public Web site of Seven-Eleven (the convenience store chain), apparently with an SQL injection attack, and managed to gain access to the company’s servers.
- The hackers used this access to collect ATM card numbers and PINs from machines located in 7-11 stores. (These machines were provided by Citibank, and apparently at least some of them were especially vulnerable, because they offered “advanced” functions, such as selling money orders, that had to be supported by a server at 7-11.)
- Using local workers recruited via the Internet, the gang then manufactured phony ATM cards, and used the captured PINs to withdraw money from ATMs in and around New York City.
The deal was organized so that the Russians provided the card numbers and PINs, the local workers got the money, and the take was split:
The deal was straightforward: They’d use the information to encode fraudulent ATM cards and withdraw cash, sending 70 percent of the take to the Russian and keeping 25 percent for themselves. Another 5 percent went for expenses.
One of the local participants was also allegedly involved in another scam to loot iWire pre-paid MasterCard accounts, which resulted in 9000 attempted withdrawals from cash machines around the world in just two days, and caused losses of approximately $5 million.
It should be apparent that this kind of organized crime operation is not the work of bored teenagers. If you run a business, or are responsible for systems security at one, this is another wake-up call. Just making sure that you put anti-virus on all the PCs doesn’t cut it anymore (if it ever did). Any machine that is connected to the outside world (meaning the Internet, in particular) is a potential attack point.