
I heard this on Belgian radio this morning: customers of three Belgian banks were hit by Russian organized crime. Two large banks and one small bank. The police spokesman wouldn't give any details or the names of the banks. So I searched for more information on the Net. This was in the headlines of all the newspapers today. Let me list the links and then I will translate some parts of them (for the non-Dutch-speaking readers).
- Mafia cracks Belgian internet banking (gva.be)
- Russian mafia cracks Belgian internet banking (standaard.be)
- 800,000 euros already stolen (standaard.be)
- KBC's central system never cracked (standaard.be)
- One attempt prevented at Dexia (standaard.be)
- Bank accounts cracked by the mafia? (Vrtnieuws.be)
There are no details about the attacks but it sounds a lot like spearphishing to me. It doesn't seem to me that the networks of the Belgian banks themselves were hacked.
Most of the Belgian banks have quite good security and most of them use two-factor authentication. But even dual-factor authentication by itself has its caveats. The trick is to use a different algorithm for authentication than for signing the transfers. Good endpoint security is also important. Online banking is still safe if you are careful.
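To illustrate why authentication and transfer signing should not share an algorithm, here is an added example (not code from this post or from any of the banks mentioned). The function names, the per-purpose key derivation and all sample values are assumptions made for the sketch; the signing code covers the beneficiary and amount, so a login code or a code for a different transfer is rejected.

```python
import hashlib
import hmac

def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so ("AB", "C") and ("A", "BC") never encode alike.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def _derive(device_secret: bytes, purpose: bytes) -> bytes:
    # One key per purpose: the login key never produces a signing code.
    return hmac.new(device_secret, _encode(b"derive", purpose), hashlib.sha256).digest()

def _code(key: bytes, message: bytes, digits: int = 8) -> str:
    # Truncate the MAC to a decimal code short enough to type in.
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def login_response(device_secret: bytes, challenge: bytes) -> str:
    # Authentication only: proves possession of the token, nothing more.
    return _code(_derive(device_secret, b"login"), _encode(b"login", challenge))

def sign_transfer(device_secret, challenge, beneficiary: str, amount_cents: int) -> str:
    # The code covers the transfer details the user confirms on the token.
    msg = _encode(b"transfer", challenge, beneficiary.encode(), str(amount_cents).encode())
    return _code(_derive(device_secret, b"sign"), msg)

def bank_accepts_transfer(device_secret, challenge, beneficiary, amount_cents, code) -> bool:
    # Bank side: recompute over the transfer it actually received, compare in constant time.
    expected = sign_transfer(device_secret, challenge, beneficiary, amount_cents)
    return hmac.compare_digest(expected, code)

# Constructed sample values, not real account data.
SECRET = b"constructed-demo-secret"
CHALLENGE = b"48213377"
PAYEE = "BE00 0000 0000 0001"
OTHER = "BE00 0000 0000 0002"

if __name__ == "__main__":
    good = sign_transfer(SECRET, CHALLENGE, PAYEE, 12500)
    print("genuine transfer:", bank_accepts_transfer(SECRET, CHALLENGE, PAYEE, 12500, good))
    print("beneficiary changed:", bank_accepts_transfer(SECRET, CHALLENGE, OTHER, 12500, good))
    print("amount changed:", bank_accepts_transfer(SECRET, CHALLENGE, PAYEE, 990000, good))
    login = login_response(SECRET, CHALLENGE)
    print("login code reused:", bank_accepts_transfer(SECRET, CHALLENGE, PAYEE, 12500, login))
```
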
Banking trojans have reared their ugly heads before:
- The next step in Trojan-Spy.Banker evolution (Viruslist.com)
- Russian phishers loot $500K in two-year hacking spree (Register.co.uk)
- German authorities nab Trojan gang (Securityfocus.com)
Mika is the author of one of our analysis tools called Mstrings. The tool is part of the automation that assists us in identifying malware as Banking Trojans. His presentation, The Trojan Money Spinner, provides details on the nature of Banking Trojans and their function.
PDF files are available — Virus Bulletin Conference September 2007
The Trojan Money Spinner and Presentation Slides
There is also a video excerpt available on our YouTube Channel.
UPDATE (08/10/2007): Security.nl mentions that KBC warned their customers of the "Sinowal virus" in July. This was the same malware that was also used for Dutch bank "Postbank".