PC Invader Costs a Kentucky County $415,000
plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky. "The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."
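The point of the second Zeus feature is that source-IP reputation and geolocation checks on the bank side pass, because the login really does come from the treasurer's connection. What survives that is behavioural checking on the transfers themselves: the story describes many transfers of $10,000 or less to about 25 beneficiaries the account had never paid before, inside a few days. The following is an added illustration of such a check, not code from the article or from any bank's fraud system; the transfer records, payee lists and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, beneficiary, amount in USD).
# Three routine payroll items, then a burst of sub-$10,000 transfers to
# beneficiaries the account has never paid before.
SAMPLE_TRANSFERS = [
    ("2009-06-19 09:02", "emp-001", 2100.00),
    ("2009-06-19 09:02", "emp-002", 1875.50),
    ("2009-06-19 09:03", "emp-003", 2430.00),
    ("2009-06-22 08:41", "mule-01", 9800.00),
    ("2009-06-22 08:44", "mule-02", 9950.00),
    ("2009-06-22 08:52", "mule-03", 9700.00),
    ("2009-06-22 09:10", "emp-001", 2100.00),
    ("2009-06-22 09:31", "mule-04", 9850.00),
    ("2009-06-22 10:05", "mule-05", 9900.00),
    ("2009-06-22 11:47", "mule-06", 9600.00),
]

# Constructed: beneficiaries this account has paid before.
KNOWN_PAYEES = {"emp-001", "emp-002", "emp-003"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def scan_transfers(transfers, known_payees, window=timedelta(hours=24),
                   new_payee_threshold=5, per_transfer_cap=10000.0,
                   near_cap_fraction=0.9):
    """Return indicators computed over the records.

    max_new_payees: largest number of distinct never-before-paid beneficiaries
                    inside any span of length `window`.
    window_start:   start of the span that produced max_new_payees.
    near_cap_count: transfers sized just under `per_transfer_cap`, i.e. at or
                    above near_cap_fraction * cap but below cap.
    alert:          True when max_new_payees >= new_payee_threshold.
    None of these depend on the source IP of the session, which is exactly
    what a back-connect through the victim's PC hides.
    """
    events = sorted((_parse(ts), dst, amt) for ts, dst, amt in transfers)
    new_events = [e for e in events if e[1] not in known_payees]

    max_new, max_start = 0, None
    for i, (t0, _, _) in enumerate(new_events):
        # Distinct new beneficiaries in the window that opens at this event.
        in_window = {dst for t, dst, _ in new_events[i:] if t - t0 <= window}
        if len(in_window) > max_new:
            max_new, max_start = len(in_window), t0

    near_cap = sum(
        1 for _, _, amt in events
        if near_cap_fraction * per_transfer_cap <= amt < per_transfer_cap
    )
    return {
        "max_new_payees": max_new,
        "window_start": max_start,
        "near_cap_count": near_cap,
        "alert": max_new >= new_payee_threshold,
    }


if __name__ == "__main__":
    print(scan_transfers(SAMPLE_TRANSFERS, KNOWN_PAYEES))
```

The two indicators are deliberately independent of the session: a distinct-new-payee count per window, and a count of transfers sized to sit just under the per-transfer review cap. Either one alone fires on the sample burst, and neither is affected by the attacker logging in from the victim's own IP address.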
But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.
Actually, if you root a *nix box, this part looks kinda trivial.
All that work, and they netted less than a half million?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
From the site:
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html?hpid=sec-tech
one reader wrote in:
"I guess we don't know how the attackers somehow got the Zeus Trojan on the county treasurer's PC (presumably the county doesn't want to say and the FBI told them not to discuss details of the case anyway), but I'm curious whether that PC had security software installed, whether it was up to date, which security software can deal with the Zbot (ZeuS bot) Trojan, etc."
---------
Well, I have an idea, and it's TFO (Totally Frackin' Obvious)... and it might be how it happened. A poor old cleanup crew member may have been enlisted to put a USB device on a bank manager's machine that might not have been watched by a camera. They might have trained the cleaner to surveil the PCs, determine their visibility to cameras, then trained the dupe to deftly/swiftly attach a USB attack device while feigning scraping something sticky from the floor, or emptying waste bins that were tough to get the bag from....
Just my eye-dea... and the FBI may not want THAT to get out lest other banks suffering poor camera placement succumb to the same thing...
Or, a native of the Ukraine/U-area working at the bank might have been subjected to manipulation of some sort, but trained to be deft and not come under suspicion. Just my inflation-deprived $0.02...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
It was a test run..
Have you fscked your local propeller head today?
I have a much more likely scenario. They simply spread their malware everywhere, and waited to see what sensitive systems they'd netted! They needed to dupe people into sending money overseas to them. I doubt they have any non-electronic influence in the States. The story indicates that the fake company name has been repeatedly tarnished... meaning it's very likely that they've done this before and will do this again. It probably got on by a worm or trojan. Once there, it sat dormant while the hackers figured out which computers were of value to attack.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
My wife has long had to transfer money between various commercial accounts at her jobs. As far back as I can remember, the banks issued her RSA tokens which were required to authorize the transfers.
I can't imagine a commercial bank NOT using a secure crypto system with an air gap. If the county is concerned about two authorizations, so much the better: issue the judge his own token.
Even that could be compromised by a hacker who owned the treasurer's computer, but it would have been almost impossible to run the scam 500 times in a few days like this guy did.
John
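The comment above makes two separate claims: that a token is still defeatable by someone who owns the treasurer's PC, and that it would make running the scam hundreds of times much harder. Both hinge on what the token output is bound to. A login-only one-time code proves the user was present once, and an attacker proxying through the victim's own connection can use that session for any transfer. A code that commits to the payee and amount, issued against a single-use challenge, verifies only for the transfer the user actually saw. The code below is an added illustration of that difference, not code from the article and not the internal algorithm of RSA's tokens; it uses HOTP-style truncation (RFC 4226) over HMAC, with a constructed token seed and constructed payee and amount values.

```python
import hashlib
import hmac
import struct

# Constructed seed shared by the token and the bank. In a real deployment it
# never leaves the token hardware and the bank's HSM.
TOKEN_SEED = bytes.fromhex("5eed" * 10)


def _truncate(digest, digits=8):
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset chosen by
    the low nibble of the last byte, clear the sign bit, reduce mod 10^digits."""
    off = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def login_otp(seed, time_step):
    """Plain time/event-based OTP: it depends on nothing about any transfer."""
    return _truncate(hmac.new(seed, struct.pack(">Q", time_step), hashlib.sha1).digest())


def transaction_code(seed, counter, payee, amount_cents):
    """Challenge/response code that commits to the bank-issued counter, the
    payee and the amount (OCRA-style construction, constructed here)."""
    msg = struct.pack(">Q", counter) + f"{payee}:{amount_cents}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def bank_verify_login_otp(seed, time_step, presented):
    return hmac.compare_digest(login_otp(seed, time_step), presented)


def bank_verify_transfer(seed, counter, payee, amount_cents, presented, used_counters):
    """Bank side: the counter is a single-use challenge, so even a correct
    code cannot be replayed for the same transfer a second time."""
    if counter in used_counters:
        return False
    ok = hmac.compare_digest(transaction_code(seed, counter, payee, amount_cents), presented)
    if ok:
        used_counters.add(counter)
    return ok


def replay_scenario():
    """Malware on the treasurer's PC captures what the user typed and the
    attacker, riding the victim's own connection, tries to reuse it."""
    legit_payee, legit_amount = "emp-001", 210_000   # $2,100.00 to a known payee
    mule_payee, mule_amount = "mule-01", 980_000     # $9,800.00 to a mule
    used = set()

    # 1. Login OTP captured at session start: valid for anything in the window.
    step = 1234567
    captured_otp = login_otp(TOKEN_SEED, step)
    otp_replay_ok = bank_verify_login_otp(TOKEN_SEED, step, captured_otp)

    # 2. Transaction-bound code captured while the user authorises a real transfer.
    counter = 42
    captured_tx = transaction_code(TOKEN_SEED, counter, legit_payee, legit_amount)
    legit_ok = bank_verify_transfer(TOKEN_SEED, counter, legit_payee, legit_amount,
                                    captured_tx, used)

    # Attacker rewrites payee and amount in the browser; the bank issues a fresh
    # challenge (43) but the attacker can only present the captured code.
    mule_ok = bank_verify_transfer(TOKEN_SEED, 43, mule_payee, mule_amount,
                                   captured_tx, used)

    # Attacker resubmits the original transfer with the original code.
    replay_ok = bank_verify_transfer(TOKEN_SEED, counter, legit_payee, legit_amount,
                                     captured_tx, used)

    return {"otp_replay_ok": otp_replay_ok, "legit_ok": legit_ok,
            "mule_ok": mule_ok, "replay_ok": replay_ok}


if __name__ == "__main__":
    print(replay_scenario())
```

The login OTP verifies for the attacker because nothing in it names a transfer; the transaction code fails for the mule payment because the payee and amount are inputs to the HMAC, and fails on resubmission because the bank consumed the counter. That is the property a practitioner should ask for when a bank says it "uses tokens" for wires: whether the code signs the transaction, or merely the session.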
Actually, Linux usually won't even need security software in the first place. You're right about some points, but not all of them. I'm going to say that your points about the victims in the scenarios you gave are relevant. And the ones who can't find the print button are just idiots. We need to get tough on the criminals, yes, but it helps if people take better measures to make it harder to occur too. So Linux is the answer... but is it the only answer? No. There's Mac OS X.