Saturday, April 23, 2016

Is the Bank of Bangladesh ready for the Global Economy?

On February 4, 2016, more than $100 Million USD were stolen from the Bank of Bangladesh's foreign exchange reserves housed at the Federal Reserve Bank in New York. The hackers had actually attempted to steal US$951 Million, in a series of three dozen SWIFT wire transfers, but were thwarted when an alert staff member found some suspicious misspellings in the name of the organization used for the fifth transfer. Five transfers were completed totaling US$101 Million, although a $20M transfer to a non-profit organization in Sri Lanka was reversed due to the spelling error, which called them "Shalika Fandation" instead of "Foundation," causing a deeper look at the transfer, and stopping an additional US$850 Million of queued transfers to other organizations. Stealing $1 Billion is huge, but especially for Bangladesh, whose total foreign currency holdings are $27 Billion.

The four successful transfers, totaling US$81 Million were sent to an account in the Philippines at Rizal Commercial Banking Corporation. Hearings held by the Philippines Senate revealed that these accounts had been opened nine months earlier by two Chinese residents. Kim Wong (AKA Kam Sin Wong) claims that he only acted as an interpreter to assist two other Chinese nationals, Gao Shu Hua and Ding Zhi Ze, from Beijing and Macau.

Gao and Wong are "junket operators" who are among the many small boat captains who are thought to ferry gamblers between the casinos in Macau and the Philippines.

In a series of quick financial operations, the funds were transferred from the Philippines to three large local casinos: Midas Hotel and Casino, City of Dreams, and Solaire Resort and Casino, and then wired back to various international accounts, using the common trick of laundering the money by claiming it as gambling proceeds. Fortune magazine reported that in the case of Solaire, the $29 Million was credited to the account of a Macau-based high-rolling gambler. Somehow I don't think this is what Solaire was thinking of when they advertise "The Great Exchange":

At least one Philippine Senator, Sergio Osmeña III, claims that this is a planned loophole in the Anti-Money Laundering Act. Casinos lobbied the Senate heavily as the bill was being considered, and as a result, they are exempt from reporting suspicious financial transfers that most other commercial businesses are required to report.

RCBC & Maia Santos-Deguito

(image from The Philippine Star)

The Epoch Times reports that in at least one of these transfers, $22 Million was placed into the Jupiter Street branch of Philippines RCBC and $427,000 of those funds were withdrawn in cash and loaded into the car of Maia Santos Deguito, the branch manager. The withdrawal was handled by Deguito's assistant, Angela Torres, who had the money delivered by armored car, took the money and placed it in a box, which was then transferred to a paper bag and placed in the branch manager's car. GMA News picks up the story of testimony from bank employees ... A bank employee said in testimony that Deguito told him, "I would rather do this than me being killed or my family," claiming that her life had been threatened if she refused to participate in the illegal activity. But when deposed herself, Deguito says her life was never threatened. The transfers from the Federal Reserve Bank of New York came to RCBC accounts under the names Michael F. Cruz, Jessie C. Lagrosas, Alfred S. Vergara, and Enrico T. Vasquez. From there, $66M was withdrawn and consolidated into an account in the name of William So Go. Deguito claims that Kim Wong, the front man for the Chinese pair, was a "friend of bank President and CEO Lorenzo V. Tan." Tan denies this, although he admits having seen Wong on a number of occasions.

The Treasurer of RCBC, Raul Victor Tan, has resigned "out of decency and honor, and despite his lack of involvement." Branch Manager Deguito reported to him and is largely believed to be the main point of contact between the bank and Gao Shu Hua. RCBC's president was also placed on leave from March 23rd. The Central Bank Governor in Bangladesh, Atiur Rahman, has been forced to resign as well.

My security is so bad that I'm suing you!

According to The Epoch Times, the Bank of Bangladesh hired FireEye to investigate the situation. The initial FireEye report, released March 16th, indicated that at least 32 compromised assets had been identified that were part of a complex malware scheme for harvesting credentials needed for the SWIFT transfers and erasing logs of the activity in question.

In much the same way that small businesses have attempted to file lawsuits against their banks when their lack of security has led to malware infections that drained their accounts, the Bank of Bangladesh announced through Finance Minister AMA Muhith that they would sue the Federal Reserve Bank of New York. In Al-Jazeera, Muhith is quoted as saying "We've heard that Federal Reserve Bank of New York has completely denied their responsibility. They don't have any right."

But much like the small businesses who have lost those lawsuits once their ineptitude was put on display, Bank of Bangladesh may have trouble claiming the problem resided at the Fed. On Friday, April 22nd, Reuters and BBC both released stories exposing the horrible security at Bank of Bangladesh. The Reuters headline read "Bangladesh Bank exposed to hackers by cheap switches, no firewall: police" while the BBC headline pronounced "$10 router blamed in Bangladesh bank hack". A forensic investigator working on the Bangladesh team, Mohammad Shah Alam, says the investigation was complicated by the lack of log files available on these discount routers, but the larger problem is the lack of any care about security that choosing such a device indicates in the first place. It should be acknowledged that this contradicts the bank's own statement that their firewall was penetrated by a sophisticated cyber attack:

"The central bank had put “zero tolerance security” and robust firewalls in place in the back office of its foreign currency division. But the cyber gang used a powerful malware to break the firewall and managed to send fake payment orders to the US bank, added the official." -- source:

Who can Join Our Network?

The bigger question raised in the Reuters story, though, is what responsibility the western banking world should take for evaluating the security of those who would attach themselves to global financial markets that move trillions of dollars per day. In the United States our regulations require that a holder of Personally Identifiable Information obtain proof of the security of those they interact with, in a wide variety of settings. HIPAA, the ruleset for protecting the privacy of your medical records, began requiring HIPAA-covered entities to take responsibility for the security of their vendors who may interact with sensitive records in 2013/2014. (See for example this story in IAPP -- "HIPAA Changes Mean Tightening Up Vendor Relationships"). In the same way the Payment Card Industry standard, PCI, that protects the privacy of credit card information also requires any covered entity to perform due diligence on their third-party vendors (See their 47 page guidance on the subject, "Information Supplement: Third-Party Security Assurance").

So if my Hospital is not allowed to exchange patient data with an insurance company before checking the security of their networks, systems, and applications, and my Grocery Store is not allowed to exchange credit card information with a financial services company before checking the security of their networks, systems, and applications, why would SWIFT and the Federal Reserve Bank system be allowed to move billions of dollars on behalf of banks that don't have a firewall and have $10 routers bought second hand off the Internet? SWIFT has announced they would be issuing "written guidance" to ensure their members are practicing proper security methods. Hopefully these are more robust than those in their 2012 Whitepaper "CPSS-IOSCO's Principles for Financial Market Infrastructures". (To learn more see: SWIFT: Information Security)

Probably because we are trying to lower the barriers of entry to banks from depressed economies. "Is it fair" to require one of the poorest nations in the world to have to spend the same type of money that western nations spend on Internet security? Perhaps not. But until we do, these emerging economies are going to be a continual and growing target of the cyber criminals that are willing to invest "western-style" funds to accomplish heists that are truly worthy of a Hollywood movie.

Update 25APR2016 - BAE Analysis of SWIFT malware

Adrian Nish has published a blog post at BAE Systems Threat Research Blog, Two Bytes to $951M, where he documents the behavior of the malware that was likely used in the Bank of Bangladesh unauthorized SWIFT transfers. The malware causes the SWIFT software running at the bank to bypass certain confirmations, and alters the print queue where messages are sent, to hide the evidence of the transaction being performed. Great analysis! It also makes this attack far more advanced than the "didn't have a firewall" accusations being leveled would suggest.

Thursday, April 14, 2016

University "Paperless W2" Phish

Please visit my blog post at PhishMe to see information about a wide-spread campaign of "Paperless W2" phish that have been observed by at least twenty different universities.

Here's one example of the spam that University students, staff, and faculty have received, this one from Auburn University:

(image source: )

Monday, March 14, 2016

Spammers for Donald Trump!

As we all know by now, Donald Trump is all about Winning, and whether you like him or hate him, if you quote him in a news story you are going to generate a lot of traffic.   Apparently spammers are wise to this truth as well.   When we saw spam messages this month imitating CNN talking about Donald Trump, our immediate thought was that this must be a malware campaign, such as the CNN "Royal Baby" spam we blogged about in 2013.

PhishMe's malware analysts took a look and reported back that this was NOT a malware distribution campaign.  So what was it?

The Trump Spam

To start, we looked for spam during the month of March that had "Trump" in the subject line and "CNN" in the sender name, but did not actually get sent from CNN's IP addresses. There were many thousands to choose from, but only thirteen subject lines were used:

Subject: BREAKING:  Trump Explosion Shocks Audience
Subject: BREAKING: Trump Scandal Could End it All...
Subject: CNN: This Time Donald Trump Crossed the Line
Subject: Donald Trump Explodes on Sunday Talk Show
Subject: Donald Trump:  Here is my Secret Weapon
Subject: Donald Trump:  I have a Secret Weapon
Subject: Donald Trump: I'M DONE
Subject: Donald Trumps Reveals His Trump Card
Subject: TRUMP ADMITS: Yes, It's Rigged
Subject: Trump Debate Comment Stops the Show
Subject: Trump Explodes at Debate, Stops the Show
Subject: Trump Explodes on Sunday Talk Show
Subject: Trump Reveals his Knockout Punch

The "sender name" for these spam messages was selected from one of the following:
CNN Breaking News
CNN Breaking Now
CNN Happening Now
CNN News Now
CNN Politics
CNN Sunday
CNN Updates

However, the email addresses had absolutely nothing to do with CNN or its domain name.  The userids were:
   info, news, notification, notify, or update

followed by many different domain names, including:,,,,,,,,,,,,,,,,,,,,,,
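The filter described above (a "CNN" sender name, "Trump" in the subject, a From address that is not actually on CNN's domain, and one of the generic userids) can be expressed as a small triage script. The block below is an added example, not code from the original post; the header records are constructed samples, the host names are placeholders, and it assumes that cnn.com is the only domain that legitimately sends as CNN. It also pivots on the connecting IP, which is how the post's "thirty most common spam-sending IP addresses" are selected in the next section.

```python
import re
from collections import Counter
from email.utils import parseaddr

# Constructed sample records standing in for a spam feed (not real messages).
# Each carries the From header, the Subject and the connecting IP from the Received chain.
SAMPLE_MESSAGES = [
    {"from": '"CNN Breaking News" <news@example-spamdomain.test>',
     "subject": "BREAKING: Trump Scandal Could End it All...", "ip": "203.0.113.10"},
    {"from": '"CNN Politics" <info@another-host.test>',
     "subject": "TRUMP ADMITS: Yes, It's Rigged", "ip": "203.0.113.10"},
    {"from": '"CNN Updates" <update@third-host.test>',
     "subject": "Trump Reveals his Knockout Punch", "ip": "203.0.113.22"},
    {"from": '"CNN Breaking News" <breakingnews@cnn.com>',
     "subject": "Trump leads in latest poll", "ip": "198.51.100.5"},
    {"from": '"Alice" <alice@example.org>',
     "subject": "Lunch on Friday?", "ip": "192.0.2.7"},
]

# Assumption for this example: cnn.com (and its subdomains) is the only legitimate CNN sender.
LEGIT_CNN_DOMAINS = {"cnn.com"}
# The generic userids the campaign used, as listed in the post.
CAMPAIGN_LOCALPARTS = {"info", "news", "notification", "notify", "update"}


def _domain_is_legit(domain):
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_CNN_DOMAINS)


def classify(msg):
    """Return the indicator names that fired, or an empty list when the message is not a match."""
    display_name, addr = parseaddr(msg["from"])
    if "@" not in addr:
        return []
    local, domain = addr.rsplit("@", 1)
    indicators = []
    if "cnn" in display_name.lower() and not _domain_is_legit(domain):
        indicators.append("cnn-display-name-on-foreign-domain")
    if re.search(r"\btrump\b", msg["subject"], re.I):
        indicators.append("trump-subject")
    if local.lower() in CAMPAIGN_LOCALPARTS:
        indicators.append("generic-localpart")
    # The spoofed display name plus the lure subject are required; the userid only adds confidence.
    if "cnn-display-name-on-foreign-domain" in indicators and "trump-subject" in indicators:
        return indicators
    return []


def find_campaign_messages(messages):
    return [m for m in messages if classify(m)]


def top_sender_ips(messages, n=30):
    """Most common connecting IPs among matched messages, the pivot for finding sibling campaigns."""
    return Counter(m["ip"] for m in find_campaign_messages(messages)).most_common(n)


if __name__ == "__main__":
    for m in find_campaign_messages(SAMPLE_MESSAGES):
        print(m["ip"], m["from"], classify(m))
    print(top_sender_ips(SAMPLE_MESSAGES))
```

The legitimate cnn.com message and the unrelated personal mail are not flagged; the three lookalikes are, and two of them share an IP, which is the kind of clustering the next section builds on.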

These spam messages are from a group of spammers who specialize in using high interest headlines to do a many-level redirection that eventually lands the recipient of the email on a website promising some form of "get rich quick" scheme.

Other Spam From Same IP Addresses (Walgreens, Google, Amazon)

By selecting the thirty most common spam-sending IP addresses for the CNN/Trump campaigns, we are able to learn about other favorite campaigns being run by the same group of spammers during the month of March 2016.

Subject:  (name), Your Walgreens Card is on Hold #(random number)
Subject: Walgreens Pickup Notice (random number)

was popular at the beginning of the month, with
March 1, 2016 From:,,
March 3, 2016 From:,
March 5, 2016 From:

Beginning on March 8th, a popular "Google is hiring" scam began from the same spamming computers:

Subject: Google Inc. wants to work with you (89k working from home)
Subject: Google Inc. has three positions available - $75.00 (hour)
Subject: (3) New Positions Open With Google Inc. - Salary is 89K for 2016


Then back to Walgreens, From:,

The Donald Trump / CNN spam was mixed in throughout, on March 3, 4, 6, 7, 9, 11, and 12.

After a brief hard-core sex campaign on March 12th, on March 13, the spammers began an "Amazon shopping voucher" campaign:

Subject: (name) - Ready to use - your Amazon shopping voucher - active today
Subject: (name) - Your Amazon Card
Subject: (name) - So much at your fingertips - activate your Amazon cash voucher now

with sender names of ", AmazonCard, ShopAmazon, and Amazon-Voucher and From:

The Redirection

In each of the spam campaigns, a single IP address was used as the source for each "from domain" and the destination URLs related to that email were all hosted on an oddly named host on the same domain.  Some examples include:

Let's take a spam message that redirects us to "" as an example.  The URL that we are supposed to visit has a path that looks similar to this: (we've replaced some characters to break the tracking)


When we visit that URL, we are sent to "" where the string decodes to show an affiliate ID (who gets paid for any sales that result from this click) and a campaign ID (so they know to show us the "Trump" version of the scam).

That immediately sends us to: "" which then sends us to ""  which then sends us to "" which has a fake "Breaking News" page shown below:
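Unrolling a chain like this one hop at a time, without letting an HTTP client silently follow the redirects, is how the tracking hosts and the affiliate parameters are recovered. The block below is an added example, not code from the original post: the hops are a constructed table of responses behind a fake fetcher, the host names are placeholders, and the query keys `affid` (the post's AFFID) and `cid` are assumed names for the affiliate and campaign IDs. With live traffic the fake fetcher would be replaced by a client call that returns the status and Location header without following them (for example `requests.get(url, allow_redirects=False)`).

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed stand-in for the tracking hops (placeholder hosts, not the real ones in the post).
# Each entry maps a URL to (HTTP status, Location header or None).
FAKE_RESPONSES = {
    "http://tracker-a.test/click?x=1":
        (302, "http://tracker-b.test/go?affid=1018&cid=trump"),
    "http://tracker-b.test/go?affid=1018&cid=trump":
        (302, "/land?affid=1018&cid=trump"),          # relative Location, must be resolved
    "http://tracker-b.test/land?affid=1018&cid=trump":
        (301, "http://news-lookalike.test/breaking.html"),
    "http://news-lookalike.test/breaking.html":
        (200, None),                                    # the fake "Breaking News" landing page
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Offline substitute for an HTTP request that does not follow redirects."""
    return FAKE_RESPONSES.get(url, (404, None))


def unroll_redirects(start, fetch, max_hops=10):
    """Follow Location headers one hop at a time.

    Returns (chain, stop_reason) where stop_reason is the final HTTP status,
    "loop" if a URL repeats, or "max_hops" if the chain keeps going.
    """
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return chain, status
        nxt = urljoin(url, location)   # handles relative Location values
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain, "max_hops"


def hosts_in_chain(chain):
    """Distinct hosts in the order first seen: the tracking infrastructure to record."""
    hosts = []
    for u in chain:
        h = urlparse(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


def extract_ids(chain, keys=("affid", "cid")):
    """First value seen for each tracking parameter anywhere in the chain."""
    found = {}
    for u in chain:
        qs = parse_qs(urlparse(u).query)
        for k in keys:
            if k in qs and k not in found:
                found[k] = qs[k][0]
    return found


if __name__ == "__main__":
    chain, reason = unroll_redirects("http://tracker-a.test/click?x=1", fake_fetch)
    for hop in chain:
        print(hop)
    print("stopped:", reason, "hosts:", hosts_in_chain(chain), "ids:", extract_ids(chain))
```

The loop guard and hop limit matter in practice: tracking chains sometimes bounce between two hosts indefinitely for clients they do not want to serve, and a naive follower would never terminate.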

The text of the page tries to convince the gullible email-clicker that Donald Trump believes "Ultimate Home Profits" is the best way to make money from the Internet.  Here's what it says:

"It's time that people realized the amazing potential the American people have to create income for themselves and their families. The truth is, the average American can double or even triple their income today without making any changes to their current lifestyle." Mr. Trump went on.

The secret, he says, is in taking advantage of the leverage available on the internet.

"It's no secret that I made my fortune in real estate and television, because those were the best opportunities available at the time. But times have changed. Right now, an average American with no special skills and no investment can go out and start earning income online today."

Mr. Trump says the best opportunity available is a new program called Ultimate Home Profits which teaches regular people to take advantage of this massive internet opportunity quickly and easily, and even places them with real online companies that pay them for their time completing simple tasks.
"Emily Hudson is absolutely changing the world with her Ultimate Home Profits program" he said. "Normally, rich people keep the secrets to their wealth to themselves. But Sara, she has found an amazing opportunity, and she is sharing it with everyone. That's incredible."

Trump has not hidden his affection for Ms. Hudson. He has recently been praising her on social media for her efforts to teach regular people how to create amazing wealth in their spare time.

(End Quote)

The scam-page includes a Fake Twitter Endorsement, shown below:

Clicking any of the many links on this page forwards you to the "Ultimate Home Profits" page, which looks like this:

Trump Pills / Trump $100 Gift Cards?

 The "Ultimate Home Profits" spammers are by no means the only spammers that have been abusing Trump's name to peddle their wares (although they are certainly the highest volume spammers of the crowd!)

In this fake Fox News spam (from "") the fake headline tells us that "Donald Trump Credits $4 Billion Empire to This Pill".  The URL forwards through "" and "" and "" before landing at "" (AFFID = 1018).  Spam for this campaign includes sender names such as "Trump Reveals Trick", "Trump's Improve Thinking", "Trump's IQ Booster" and "Trump's Memory Secret", with claims that the email is endorsed by MensHealth, Forbes, CNNHealth, and as shown below, Fox News.

(Quote from "" spam affiliate site)
"Trump is a big fan of creating jobs, reading books, and doing puzzles, but according to O'Reilly, he also credits his success to an IQ boosting, brain pill that helped him with memory, and recall. "This pill is the real magic," says Mr. Trump, referring to CogniMaxx XL.

"This brain booster is not heavily advertised but that's what's great about it-- CogniMaxx XL puts all their money into finding the most organic, pure all natural ingredients and that it, it all goes into the formula, so you kind of have to be 'in the know' to get your hands on it, but I tell everyone I meet my 'secret' so I guess it's not really a secret anymore."
 (End Quote)

This spam message promises a $100 Gift Card if you will take a survey related to Trump's chance of winning.  The Trump Gift Card is just another example of the "Survey on any popular topic that promises a gift card" spam.   In this case the spam goes to "" which redirects through the tracking sites "", "" "" and "" before landing at "".  From there it follows a fairly standard "steal all your public information and never give you a gift card" model that we've described on this blog so often before.  (For a full write-up on how Fake Surveys for Gift Cards works, see the story on this blog about fake Target Gift Cards).

The Spamming IPs?

For the spam-trackers who want to know . . .  those "thirty most popular" IP addresses on the Trump/CNN spam we saw are mostly in the US with a couple each from Canada and Romania, and one in Ireland.  In most cases, the criminal leases a box from a reseller who hosts services at one of these locations, and then spams as hard as possible until they get busted, then they rotate to a new IP and keep going.   Spamhaus has coined the term "Snowshoe spammers" for these people who often do single day, or even single hour, spam campaigns from a location before quickly moving to another location, never settling long enough to be considered a "big problem" for any given host.

The thirty IP addresses by announcing network (AS name, AS number, country, and how many of the thirty fell in that network):

ESECUREDATA - eSecureData,CA  11831  CA  (2 IPs)
WEBWORLD-AS Sternforth Ltd t/a Web World Ireland,IE  30900  IE  (1 IP)
M247 M247 Ltd,GB  9009  RO  (2 IPs)
PEER1 - Peer 1 Network (USA) Inc.,US  13768  US  (6 IPs)
DATANOC - Lanset America Corporation,US  16578  US  (2 IPs)
RAPIDVPS-COM - Infinitum Technologies Inc.,US  17183  US  (1 IP)
AS-CHOOPA - Choopa, LLC,US  20473  US  (6 IPs)
SERVERCENTRAL - Server Central Network,US  23352  US  (2 IPs)
NDCHOST - Network Data Center Host, Inc.,US  33322  US  (3 IPs)
AS-COLOCROSSING - ColoCrossing,US  36352  US  (3 IPs)
ST-BGP - Sharktech,US  46844  US  (2 IPs)