Operation Phish Phry – How hackers drain your bank accounts

Image of a fish fry

The New York Times is reporting that the FBI indicted 53 people in three states and began arresting them for phishing users’ bank credentials and stealing their funds from Bank of America and Wells Fargo bank.

The operation was dubbed “Operation Phish Phry” by the FBI and included 47 individuals in Egypt as unindicted co-conspirators. This was a large banking fraud operation which was conducted at several levels.

It would appear that the phishing was initiated by the Egyptians, who tricked users into supplying their credentials through a phishing expedition. They cast a wide net by choosing banks that have a nationwide presence to maximize their ability to both collect valid logins and find people willing to assist in the fraud at local banks.

SophosLabs has blogged before about banks that allow logins with only a user ID and password. This is a terrible security practice for financial transactions. Some banks are now offering to SMS you when you attempt to log in and ask you to provide a detail from the text message. This type of two-factor authentication would have stopped this attack.

The Egyptians provided the stolen logins to three ring leaders in California. These ring leaders recruited “runners” who would create accounts with the two financial institutions where the victims’ accounts resided. The ring leaders then could log in and transfer the funds from the victims to the runners. This attack was not limited to account information; it also included Social Security numbers and potentially other personally identifiable data.

The ring leaders would alert the runners through SMS, internet chat, and phone calls to withdraw the cash and Western Union it to them. They could then wire the money to the Egyptians after taking their cut.

North American institutions have been among the first to deploy online banking, and seem to be the last to secure these sites effectively. In fact several American institutions are willing to send you account information over Twitter!

By embracing social media, banks and credit unions are contributing to users supplying personal and financial information in places it simply doesn’t belong. Encouraging users to be comfortable with controlling and communicating about their accounts on Twitter is absolutely a bad idea.

SophosLabs has great advice on avoiding phishing. I sincerely hope the press this story is getting is a wake up call for American financial institutions.

Creative Commons image courtesy of The Poss’ flickr photostream.