Was Citigroup Hacked Or Not?
by Blight Crusader
The Wall Street Journal is reporting that Citigroup was the victim of a botnet attack this year which resulted in the theft of “tens of millions of dollars,” but SCMagazine has already published a vigorous denial by the bank.
Of course, banks rarely wish to draw attention to such security breaches, since what all financial institutions fear is a withdrawal frenzy by their depositors. So one wonders whether the bank doth protest too much, in this case.
Complicating the situation, the article ominously points out that the FBI has not officially commented on the subject, which might possibly be because the United States government now owns over a fourth of the bank itself, meaning a steep drop in share price could be harmful to taxpayers as well as other investors.
So it’s hard to say what is really going on over at Citibank, other than the obvious assumption that they’re probably beefing up their fraud security right about now.
The full SCMagazine article is worth reading. Here are a few key excerpts:
Citigroup representatives are refuting a published report alleging the financial services firm was the victim of tens of millions of dollars being siphoned out of customer accounts.
The Russian Business Network (RBN), a notorious gang linked to several hacking schemes, as well as various criminal activities, is cited as being behind the heist, according to a report in Tuesday’s edition of The Wall Street Journal. The FBI was said to be investigating, though a representative at the agency did not return a phone call by SCMagazineUS.com seeking comment.
But Joe Petro, managing director of Citigroup’s security and investigative services, in a release sent to SCMagazineUS.com on Tuesday, said: “We had no breach of the system and there were no losses, no customer losses, no bank losses. Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”
According to the Journal story, the hacking activity was traced via traffic on ISPs previously used by the RBN. A hacking software program called Black Energy, credited to a Russian, enabled the attack. The program is used to command a botnet. Earlier this year, a customized iteration of the code was discovered online capable of collecting banking information, the report said.
. . .
But Citi denies an incident beyond typical probing.
“Denial-of-service attacks are directed against companies around the world,” the Citi statement said. “While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi.”
Andrew Storms, director of security operations at vulnerability management firm nCircle, said he wonders why the FBI hasn’t commented publicly considering Citigroup already has denied that a breach occurred.
According to the Journal report, the government owns 27 percent of Citi. Shares of the firm are down more than 50 percent this year.
“You have to wonder if there isn’t some other triage being done here that has more to do with Citi’s battered stock price than fair disclosure,” Storms said.
“My analysis of this report is that we are talking about a man-in-the-browser attack,” said Imperva CTO Amichai Shulman. “That is, a trojan controlled through a botnet that operates from within the browser and inserts false transactions into a user’s sessions. In view of this, it is clear why Citibank did not report or ‘notice’ any breach. The breach is not on Citi’s side, but rather on the consumer side. It does point to the growing sophistication of attacker.”
Jacob Jegher, a senior analyst at Celent, a Boston-based financial research and consulting firm, said, “Banks are being continuously victimized by cunning and ever evolving fraudsters who will stop at nothing in order to get their hands into the cookie jar. The challenge of late is that the attacks are becoming more sophisticated and the fraudsters are taking the banks and their clients to the cleaners.”
Many banks are fearful to admit that they have been victims or targets of fraud, Jegher added. “They don’t want to draw negative attention. Banks should use these unfortunate incidents to improve security processes and customer communication and education.”



