US banks have been the victim of hacking and attacked by the heartbleed cybervirus.
In this hack – which investigators are calling the largest theft of consumer data from financial institutions ever – the Heartbleed bug was exploited to gain access to “Victim 2”, an as-yet unnamed financial firm headquartered in Boston.
But it’s just one angle to this enormous attack.
The real damage appears to have been done with some social engineering, executed in a way that shows just how difficult it is to defend against determined cybercriminals.
According to investigators, hackers gained access to various networks belonging to JP Morgan and six other financial institutions, scraping personal data they would then use to manipulate stock prices.
The three indicted men – Israelis Gery Shalon and Ziv Orenstein and American Joshua Samuel Aaron – were conducting “security fraud on steroids”, prosecutors say.
Another man, Anthony Murgio, was charged over running an illicit operation trading virtual currency Bitcoin.
This is how prosecutors say Heartbleed functioned.
The hacking technique often involved using legitimate accounts belonging to Joshua Aaron.
Using this legitimate access, as if Mr Aaron was a normal customer, paved the way for the hackers to gain access to networks and systems containing reams of data about other customers – people who were investing in stocks.
Over the course of several years, they stole personal data on more than 100 million people. The hackers didn’t access bank details. They didn’t need nor want them.
Investigators said the hackers used the personal details to send out information to bosses’ email addresses, promoting certain stocks that hackers had bought cheaply. The price would rise, and the hackers would then sell off their now very valuable shares.
It’s a technique known as “pump and dump”.
The hackers were said to be using a remote server in Egypt to access the network of “Victim 3” – a financial services firm based in Omaha, Nebraska.
The remote server, which covered the accused’s real location, was used to log in to Mr Aaron’s account with Victim 3.
When info-security staff at the firm noticed the odd sign-in location, it locked Mr Aaron’s account. Good security practice.
But, according to the court papers: “Aaron called Victim 3 and, upon being notified that his account had been locked and asked by a customer service representative whether Aaron had been traveling in Egypt in March 2014, Aaron lied to the representative, and claimed that he had been in Egypt.
“In truth and in fact, and as Aaron well knew, Aaron had not been in Egypt and was merely attempting to convince Victim 3 to allow Aaron and his co-conspirators to access Aaron’s account online in furtherance of their efforts to hack into Victim 3.”
For banks – indeed any big company online – there’s a constant balance between making a system as secure as possible, but not locking it down so much that its frustrating for normal customers to use.
But that’s not all these men are accused of doing. According to the court papers, the men were involved in a myriad range of online crime.
As well as the stock manipulation, and running a Bitcoin trading platform to help launder the cash, the men were said to be running illegal online casinos, selling fake antivirus software and – that age old internet scam – offering the purchase of pharmaceuticals.
All of this added up to an alleged haul of £75 million which they kept in bank accounts in Switzerland.