Operation Phish Phry - How hackers drain your bank accounts

Filed Under: Law & order, Malware, Phishing, Spam


The New York Times is reporting that the FBI indicted 53 people in three states and began arresting them for phishing users' bank credentials and stealing their funds from Bank of America and Wells Fargo bank.

The operation was dubbed "Operation Phish Phry" by the FBI and included 47 individuals in Egypt as unindicted co-conspirators. This was a large banking fraud operation which was conducted at several levels.

It would appear that the phishing was initiated by the Egyptians, who tricked users into supplying their credentials through a phishing expedition. They cast a wide net by choosing banks that have a nationwide presence to maximize their ability to both collect valid logins and find people willing to assist in the fraud at local banks.

SophosLabs has blogged before about banks that allow logins with only a user ID and password. This is a terrible security practice for financial transactions. Some banks are now offering to send you an SMS when you attempt to log in and ask you to provide a detail from the text message. This type of two-factor authentication would have stopped this attack, because a phished password alone would no longer be enough to log in.
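To make the point concrete, here is an added example (not code from the original post or from any bank) of the login flow the paragraph describes: a correct password only starts a login attempt; the service then sends a short-lived, single-use code out of band, and the attempt completes only when that code is presented. The account store, the in-memory "SMS gateway" list and the fake clock are all constructed for the demo; a real deployment would use a slow password hash rather than plain SHA-256 and a real messaging channel.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo account store: username -> SHA-256 of the password.
# (A production system would use a slow KDF such as bcrypt/argon2.)
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

CODE_TTL_SECONDS = 120  # assumed lifetime of a one-time code


class LoginService:
    """Two-step login: password check, then an out-of-band one-time code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}        # login token -> (username, code, expiry)
        self.sent_messages = []   # stand-in for the SMS gateway (constructed)

    def start_login(self, username, password):
        """Step 1: verify the password. On success, issue a login token and
        send a fresh 6-digit code to the user's phone. Returns None on failure."""
        stored = _USERS.get(username)
        supplied = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, supplied):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(16)
        self._pending[token] = (username, code, self._clock() + CODE_TTL_SECONDS)
        self.sent_messages.append((username, code))   # "SMS" to the account holder
        return token

    def finish_login(self, token, code):
        """Step 2: the code must belong to this attempt, be unexpired and unused.
        The token is consumed on the first attempt, so a code cannot be replayed
        or guessed repeatedly against the same login."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        _username, expected, expiry = entry
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(expected, code)


class _FakeClock:
    """Constructed clock so the expiry path can be exercised deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Walk through the scenarios from the post and return the outcomes."""
    clock = _FakeClock()
    svc = LoginService(clock=clock)
    results = {}

    # Wrong password: no login attempt is even started.
    results["wrong_password"] = svc.start_login("alice", "wrong") is None

    # Phished password only: the attempt starts, but the code went to the
    # account holder's phone, so a guessed code fails and consumes the attempt.
    token = svc.start_login("alice", "correct horse")
    _, real_code = svc.sent_messages[-1]
    guess = "000000" if real_code != "000000" else "000001"
    results["phished_password_only"] = svc.finish_login(token, guess) is False

    # Legitimate user: has both the password and the phone.
    token = svc.start_login("alice", "correct horse")
    _, real_code = svc.sent_messages[-1]
    results["user_with_code"] = svc.finish_login(token, real_code) is True

    # Replay of an already-used token and code is rejected.
    results["replay_rejected"] = svc.finish_login(token, real_code) is False

    # A code presented after its lifetime is rejected.
    token = svc.start_login("alice", "correct horse")
    _, real_code = svc.sent_messages[-1]
    clock.now += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = svc.finish_login(token, real_code) is False

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The design choice that matters for this incident is that the second factor is tied to one login attempt and to a channel the phishing page never saw: a password harvested by a phishing site starts an attempt but cannot finish it, and the single-use token means a failed guess does not leave the attempt open for further tries.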

The Egyptians provided the stolen logins to three ring leaders in California. These ring leaders recruited "runners" who would create accounts with the two financial institutions where the victims' accounts resided. The ring leaders then could log in and transfer the funds from the victims to the runners. This attack was not limited to account information; it also included Social Security numbers and potentially other personally identifiable data.

The ring leaders would alert the runners through SMS, internet chat, and phone calls to withdraw the cash and Western Union it to them. They could then wire the money to the Egyptians after taking their cut.

North American institutions have been among the first to deploy online banking, and seem to be the last to secure these sites effectively. In fact, several American institutions are willing to send you account information over Twitter!

By embracing social media, banks and credit unions are contributing to users supplying personal and financial information in places it simply doesn't belong. Encouraging users to be comfortable with controlling and communicating about their accounts on Twitter is absolutely a bad idea.

SophosLabs has great advice on avoiding phishing. I sincerely hope the press this story is getting is a wake-up call for American financial institutions.

Creative Commons image courtesy of The Poss' flickr photostream.


One Response to Operation Phish Phry - How hackers drain your bank accounts

  1. I have been tracking a load of phishing networks from the spam I get. Looking at the way some are configured, it's obvious that these criminals are getting a lot smarter than the IT security people whom the banks employ. For one thing, most go out on a Friday, take a load of cash over the weekend using a server that gets shut down in the early hours of Monday morning; hence, by the time the banks' security staff turn up with their weekend hangovers, it's all over bar the irate customers screaming down the phone!
    RBS had a problem with an open port I told them about last November. They did patch it, but crashed the system doing it.
    Not quite the brightest lights on the block, huh?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.