49 busted in Europe for Man-in-the-Middle bank attacks

A multinational bust on Tuesday nabbed 49 suspects spread throughout Europe.

They were arrested on suspicion of using Man-in-the-Middle (MiTM) attacks to sniff out and intercept payment requests from email.

As Europol detailed in a statement, the raid was coordinated by Europol’s European Cybercrime Centre (EC3) and Eurojust, led by Italian Polizia di Stato (Postal and Communications Police), the Spanish National Police, and the Polish Police Central Bureau of Investigation, and supported by UK law enforcement bodies.

The suspects were arrested in parallel raids in Italy, Spain, Poland, the UK, Belgium and Georgia, where police searched 58 properties.

Police seized laptops, hard disks, telephones, tablets, credit cards and cash, SIM cards, memory sticks, forged documents and bank account documents.

The parallel investigations uncovered international fraud totaling €6 million (about £4.4 million or $6.8 million) – a haul that Europol says was snagged within a “very short time.”

The gang allegedly targeted medium and large European companies via MiTM attacks.

The suspects allegedly used social engineering and managed to plant malware onto the targeted companies’ networks.

Once they had established illegitimate access to corporate email accounts, they then allegedly monitored communications, sniffing around for payment requests.

The fraudsters then set up a simultaneous transaction with a targeted company’s real site.

An example of this type of attack was when crooks were targeting customers of Absa, one of the Big Four banks in South Africa, in 2013.

As Naked Security’s Paul Ducklin explained, the crooks in that scam managed to put up a page that looked perfectly professional – largely because they ripped off Absa’s own HTML and JavaScript code to make it look like the real thing.

That page, which customers accessed by clicking on the link in a phishing email (a good reason to avoid doing that; instead, type in the URL yourself), asked customers to enter their passwords.

The phishers next asked customers to put in the Random Verification Number (RVN) code that Absa sends to mobile phones as a one-time password.

Much of that differed from what Absa normally asked for at login, and from how it asked, so as Paul recommended then (and it holds true today): it pays to familiarise yourself with what your bank tells you to watch out for.

After customers have entered all that sensitive data, crooks will use it to set up a simultaneous transaction with the real site; for example, if it’s a bank, they’ll tell it that you just agreed to pay out money to the crooks.

Europol says that the suspects they busted on Tuesday instructed customers to send payments to bank accounts controlled by the criminal group.

Those payments were then cashed out immediately.

The suspects, who were mainly from Nigeria, Cameroon and Spain, transferred the ill-gotten money to outside the European Union through what Europol called “a sophisticated network of money laundering transactions.”

Sophisticated attacks like this are why it’s vitally important to keep checking that you’re on a bank’s real site, not just once but throughout an online banking session.

One of the things to watch out for is the URL for your bank’s internet banking site. For example, Absa’s site uses HTTPS, or secure HTTP, which shows up in the URL, https://ib.absa.co.za/.

As Paul recommends, always look in the address bar (which can’t be directly modified by a web page, only by the browser itself) for the tell-tale HTTPS padlock.

Know what the real bank URL is, and type it in yourself instead of clicking on a link that’s purportedly sent from your bank.

Take these warning signs from the Absa case, and swap in your own bank’s details to help you spot a phishing scam:

  • Writing and spelling errors in email.
  • Clickable link to login page in email.
  • Wrong link, going to a country or site that doesn’t make sense (in Absa’s case, it was Korea).
  • Link redirects to wrong location, not where your bank is located (in Absa’s case, The Netherlands).
  • Login site doesn’t match the “real” bank’s login.
  • Login site not encrypted with HTTPS. Note that this isn’t infallible, but if the URL is missing the padlock or the stamp of secure HTTP, something’s probably not right.
  • Non-standard procedure for password entry.
  • Inappropriate request for Random Verification Number (RVN).
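Several of those signs (HTTPS, the link pointing at the real bank host rather than a lookalike or a foreign domain, a bank name used as a decoy) can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from Absa; it uses Absa's host from the article as a constructed allowlist, and the `BANK_NAMES` set and the warning-sign strings are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts of real internet-banking logins. Absa's host
# comes from the article; swap in your own bank's host. Bank names are used only
# to spot lookalike domains.
KNOWN_BANK_HOSTS = {"ib.absa.co.za"}
BANK_NAMES = {"absa"}

def triage_link(url: str) -> list[str]:
    """Return the warning signs that a login link from an email triggers.

    An empty list means HTTPS plus an exact match on a known bank host.
    That is necessary, not sufficient: the safest habit is still to type the
    bank's URL yourself rather than click a link from email.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    signs: list[str] = []

    # Sign: login site not served over HTTPS.
    if parts.scheme.lower() != "https":
        signs.append("login link is not HTTPS")

    # Sign: "bankname@host" in a URL. The part before @ is userinfo, not the
    # site; the browser goes to what follows the @, so the bank name is a decoy.
    if parts.username is not None:
        signs.append("bank name hidden in URL userinfo; real host is %r" % host)

    # Sign: host is not exactly the real bank host. Report the TLD so a link
    # going to an unexpected country (.kr, .nl in the Absa case) stands out.
    if host not in KNOWN_BANK_HOSTS:
        tld = host.rsplit(".", 1)[-1] if "." in host else host
        signs.append("host %r is not a known bank host (TLD .%s)" % (host, tld))
        # A bank name buried inside an unrelated domain is the lookalike trick:
        # ib.absa.co.za.example.kr, absa-login.nl, and so on.
        labels = host.split(".")
        if any(name in label for label in labels for name in BANK_NAMES):
            signs.append("lookalike: bank name appears inside an unrelated host")
    return signs
```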

If you smell a phish, get off the hook as soon as possible in order to minimise the amount of sensitive data the crooks can pull out of you.

Image of Europol courtesy of robert paul van beets / Shutterstock.com.