Skoči na vsebino

Slovenian Police cracks down on a gang netting almost 2 million € from companies via e-banking hacks

On Thursday, 21 March 2013, the Slovenian Police performed 12 house searches and detained five Slovenian citizens in a coordinated action that concludes the investigation of series of attacks on smaller companies via the internet that started in mid-2012.

SI-CERT (the Slovenian national Computer Emergency Response Team) started receiving reports in mid-2012 on attacks that involved malware that upon infecting the victim’s computer logged passwords and installed components for unauthorized remote access by miscreants. The malware was delivered via e-mail and was targeted towards the accounting personnel in SMEs. The content usually warned of a late payment and was constructed in a way that gave the impression of coming from a local bank (in one case even pretended to be coming from the state tax authority and warned about the fictitious change of legislation that would have financial consequences for the targeted victim).

The trojan horse that was attached to the e-mail message contacted its controlling server that frequently changed network location. After installing the RAT component (Remote Administration Toolkit) on the victim computer, miscreants would observe the activity on the infected system. With stolen credentials and in the case where the victim did not remove the smart card containing the bank-issued certificate from the reader after use, the doors to the company’s bank accounts were left open to the criminal gang. The attacks usually happened on Fridays or the day before a national holidays. This left enough time for the attackers to queue bank transfer orders unobserved during weekends and holidays, provided that the victim did not shut down the computer or remove the smart card from the reader.

The criminal group used 25 money mules to transfer around 2 million Euros. Money mules were recruited with the work-at-home scam in the name of a nonexistent British insurance company.

Tadej Hren, SI-CERT (left), Dušan Florjančič, Head of the Economic Crime Division, Slovenian Police (middle), and Damjan Režek, Deputy Director, Office for Money Laundering Prevention, Ministry of Finance (right) at a press conference, Friday, 22 March 2013 (photo: Slovenian Police)

Slovenian police coordinated the investigation lasting several months with the help of SI-CERT and The Office for Money Laundering Prevention which was able to stop many of the fraudulent transactions performed by criminals. SI-CERT performed analysis of the malware and related network traffic characteristics.

SI-CERT, info@cert.si

Preberite tudi

SI-CERT TZ012 / Analiza večstopenjske okužbe s trojanskim konjem Agent Tesla

Agent Tesla je trojanski konj za oddaljeni prevzem sistema (RAT, Remote-Access Trojan), ki se je prvič pojavil že leta 2014, prvo okužbo z njim pa na SI-CERT beležimo v letu 2019. Postopek okužbe se začne z Microsoft Office priponko, ki prispe po elektronski pošti. Proces okužbe vsebuje več stopenj.
Več

SI-CERT TZ011 / Napadi z izsiljevalskimi virusi

Do leta 2019 so bile žrtve vdorov izbrane naključno, v obdobju po tem pa so napadi bolj ciljani. Vektorja okužbe sta elektronsko sporočilo z zlonamerno priponko ali vdor skozi neustrezno zaščitene storitve za oddaljen dostop (Remote Desktop). Storilci izkoriščajo tudi nove ranljivosti, ki omogočajo nepooblaščen vstop v omrežje.
Več

Kibernetski napad na medijsko hišo PRO PLUS

Medijska hiša Pro Plus d.o.o. je v torek, 8. 2. 2022, objavila, da je žrtev hekerskega napada. SI-CERT sodeluje s Pro Plus pri obravnavi incidenta, drugih podrobnosti pa ta trenutek ne moremo razkriti.
Več