Page 9 - Cyber Warnings
Cashing out
It’s not easy to make a billion dollars disappear, but there have been big cash-out operations
before.
In 2013, for example, hackers who penetrated a US-based payroll card processor hired BadB,
a high-profile carder (credit card fraudster), to run a lightning-quick cash-out operation in which
dozens of runners were sent to hit thousands of ATMs in 280 cities worldwide, withdrawing $45
million from bogus payroll cards set up by the hackers.
There’s also the example of the Mt.Gox bitcoin exchange, where bitcoins worth $450 million
were stolen and made their way through a huge money laundering operation.
But laundering close to $1 billion? This has never been attempted before, and requires careful
planning and hard work. And here’s how it happened. The $81 million in transfers were made
to a bank in the Philippines, and then laundered via a Chinese-owned casino (and some other
laundering routes).
There was also a $20 million transfer directed at a Sri Lankan non-profit organization (that’s the
one with the spelling mistake that triggered the detection). This heist had to have involved a
very serious organization with people highly skilled in cyber theft.
Can RATs be detected?
RATs are often used today by cyber criminals to attack online banking users. In the UK,
RAT-related online banking fraud increased by 72% in 2015. 2016 brings with it fraudsters who are
becoming even more cheeky, as they know they can’t be detected – at least not with traditional
anti-fraud tools. The average RAT fraud today costs $26,000, which is way more than the
norm. Plus, the time that a RAT operator spends inside a victim’s account is only 31 minutes on
average.
In corporate online banking, it’s even worse. Fraudsters hitting corporate customers have
already attempted huge international money transfers, including a single wire of over 2 million
dollars to a bank in central Asia. The trouble with corporate banking is that a high number of
international transfers are not that uncommon. Remotely controlling a victim’s device with RATs
ensures that the traditional security tools are blind.
The session can be done from a user’s regular PC, so that the bank sees valid credentials
coming from a trusted device. And since RATs are not malware and do not inject any
unauthorized code into the session, malware detection will not spot any issue.
But banks are getting smarter and starting to put up a good fight. The bank hit with the $2
million RAT attack managed to detect it, and to stop the money from being sent, using a new
type of technology known as Behavioural Biometrics.
9 Cyber Warnings E-Magazine – April 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide