杏吧原创

Attempted cyber-heist raises keylogging fears

Keystroke-logging software allegedly provided hackers with the passwords needed to attempt the theft of 拢229 million from a Japanese bank

A keystroke-logging system that allegedly allowed hackers to steal computer passwords is thought to be at the heart of a failed attempt to steal 拢229 million ($437m) from the London branch of a Japanese bank.

The attempted cyber-heist at the Sumitomo Mitsui Bank was first detected by the bank in October 2004, and the police were informed. But it only become public on Thursday after a man was arrested in Israel for allegedly preparing a bank account to receive nearly 拢14 million ($27m) of the bank鈥檚 cash.

But details on how the heist was set up are scant. Both the bank and detectives at the UK鈥檚 National High-Tech Crime Unit are refusing to comment for fear of jeopardising the ongoing investigation. 鈥淭here was an attempt on our systems which completely failed. No money was lost. We recognised the attack and reported it to the police,鈥 says a Sumitomo spokesman. 鈥淲e are saying nothing more.鈥

However, widespread media reports have cited the illicit acquisition of usernames, logins and passwords to one of the bank鈥檚 fund-transfer systems as central to the attempt.

Keystroke logging

One way such information can be harvested is using a 鈥渒eystroke logging鈥 system. Keylogging can be performed in a number of ways: with software introduced by an insider or a computer virus, or by using a hardware attachment inserted in the connecting lead between the PC and the keyboard. There are even keyboards on the market designed to log every key stroke.

Keylogger software works by installing a 鈥渂ackdoor鈥 in a PC that allows an attacker to read a file containing all the keystrokes made. It is then a simple matter to find logins and passwords.

鈥淭he greatest threat is the false sense of security people get from using antivirus software,鈥 warns Paul Woods, chief information security analyst at MessageLabs in Gloucester, UK. 鈥淎ntivirus software is not very effective against new forms of spyware, it can only protect against viruses it already knows about.鈥

Hardware-based keyloggers have to be installed by insiders. But while getting passwords is one thing, accessing a secure banking network 鈥 such as the 鈥淪WIFT鈥 system, used by banks for international transfers 鈥 is quite another.

What triggered the alarm at Sumitomo has not been revealed, but Woods find it hard to believe that somebody using usernames and passwords could access a secure fund-transfer system from outside the bank鈥檚 premises. 鈥淚 will be very surprised, unless there is some facility for remote access using a virtual private network,鈥 he says.

鈥淪pear phishing鈥

Peter Sommer at the London School of Economics, UK, is a frequently used expert witness in hacking cases, and he agrees: 鈥淢y expectation is that there will probably be an inside element in this case,鈥 he told New 杏吧原创.

Unlike Woods, Sommer thinks spyware-installing viruses would have been picked up by antivirus software, and that unauthorised transmissions of keystroke data would be blocked by firewalls. He adds that systems like SWIFT use strong 鈥渉ardware authentication鈥. This means terminals at each end of a transaction swap authentication codes that change many times throughout the day, meaning that just knowing user passwords is not enough.

The attempted heist has prompted many security experts to warn corporate computer users to be on their guard. Woods warns that companies are particularly at risk from an emerging form of attack called 鈥渟pear phishing鈥.

This is a highly targeted form of phishing 鈥 the scam wherein people are sent emails from an apparently trusted source which request personal information, like passwords. Unlike standard phishing, in which emails are sent to a general population via widespread spam emails, spear phishers target just one organisation.

鈥淭hey check out the contacts on your website and construct emails that appear to come from your trusted colleagues, soliciting information from you,鈥 Wood says. 鈥淭hey are finding that this kind of social engineering is the best way to get information out of people.鈥

Topics: Computer crime