Blog article
See all stories »

October Surprise

I just came back from RSA Conference Europe, which – as always – is an amazing time of the year. One particular perk of this event was the public display of the Engima machine, believed by the German forces of Second World War to be impenetrable, and the story of Alan Turing who broke its codes.

The intelligence gathered following the breaking of the Enigma encryption was called ULTRA and was one of Britain's greatest secrets. If you can monitor communications which the other side believes are completely secure, you should have a dramatic advantage.

One perfect example for this is the recent FBI operation in DarkMarket, a renowned fraud forum. For years the FBI monitored operations on the forum and the result was the arrest of 56 online fraudsters. This strikes fear, uncertainty and doubt among the thousands of remaining online criminals.

And today, another startling discovery was revealed.

In their Speaking of Security blog, the RSA FraudAction Research Lab shared findings based on its tracking and research of what many would dub as the 'mother of all Trojans' in recent years.

Called Sinowal, and known also as Torpig and Mebroot, this particularly nasty Trojan is more than just a piece of crimeware. Like the Enigma, which was more than just an encryption device, it was a complete operational framework: highly resilient, highly scalable, and extremely stealthy. Like the Enigma machine, it had several versions, each better than its predecessor.

The numbers behind Sinowal are nothing short of staggering.

The report says that Sinowal is triggered by 2,700 distinct websites globally, among them hundreds of financial institutions. This means that as soon as you enter such as website, the Sinowal Trojan hidden in your PC starts recording the session and submitting it to the Trojan operators.

In the past three years it collected roughly 300,000 online banking accounts and a similar number of credit and debit cards. The RSA FraudAction Research Lab says it shared the findings with law enforcement agencies.

300,000 compromised accounts. Just to give you some perspective on how much big this number is, consider the fact that the average fraud per compromised account is over 2,000 pounds. Do the math.

It seems like the online fraud underground has had a rough month. The Americans call it October Surprise. 

Sinowal Monthly Infection Rate

Comments: (6)

A Finextra member
A Finextra member 01 November, 2008, 06:33Be the first to give this comment the thumbs up 0 likes

Hi Uri,

I loved the Enigma machine, 70 years ago it was one of a group of innovative tools, although still physical, rather than digital, in the vein of somewhat earlier Alberti devices from the 1400's. While the Brits did a good job to crack it and more importantly, keep it quiet, they were only up against a German improvement on a 13th century idea.

It is now 2008 and there are 'improved' versions. Perhaps compare a 1938 race car of the day with the modern F1 equivalent and it provides some reference. Perhaps an improvement would be where it didn't matter if the device fell into the hands of the enemy, the fatal blow for the Germans and stroke of luck for the Brits. It was clearly a flawed concept.

Alan Turings approach wouldn't work against todays equivalents, but I'm sure he was bright enough to think of a different approach, however it is easy to deliver messages incapable of being 'broken' in todays world in ways that even Turing could not defeat.

I have, as a hobby, been working on one a little larger, and it's a little more user friendly because you don't have to keep swapping cogs or jiggling levers. The digital world certainly provides for more possibilities. It also means that Turing's approach with the Bombe can be deployed more quickly and effectively so those Medieval style systems will no longer suffice.

I don't think October Surprise was really the best title for your blog, I certainly wasn't surprised at all - and perhaps neither should you have been. Maybe I need to start being less subtle. I notice the jump in the graph started at almost the minute I was writing More's Law. Curiously if you invert that graph it looks remarkably like the google share price for the same period.

By the way it's great to see RSA with all those antique encryption machines. It sure is a lot easier to carry your current offerings in a pocket.

Uri Rivner
Uri Rivner - Refine Intelligence - Tel Aviv 01 November, 2008, 09:52Be the first to give this comment the thumbs up 0 likes

As always I appreciate your comments Dean – but the title managed to confuse you. It is not the industry who got surprised. It is the fraud underground, who probably expected a quiet October as many security companies and IT security professionals in Europe get ready for RSA Conference. Well, they were wrong, and got an unpleasant October Surprise.  

A Finextra member
A Finextra member 02 November, 2008, 04:37Be the first to give this comment the thumbs up 0 likes

Pardon my misunderstanding. I lost concentration at the point about 'striking fear' into the 'fraud underground' by arresting 56 fraudsters.

I seriously doubt that this will cause any fraudsters to lose much sleep, apart from possibly those 56 individuals arrested.

Do you perhaps have any numbers on how many fear struck fraudsters there are out there?

While I, as much as anyone in the industry, appreciate the fine efforts of law enforcement, I don't imagine that this puts a dent in things, certianly in the absense of complete information about the 'bust'. In the past I have noticed that law enforcement seems to be many years behind even the average fraudster, a view supported by your comment that this network and trojan has been around for several years operating perfectly well without any interference from law enforcement. The RSA blog  even expresses surprise that they still used it for so long. The fraudsters too, are probably just as surprised.

The usual plan smart fraudsters use is to utilise an exploit and get their returns, then pass the exploit on to others, effectively obfuscating the original perpetrator's involvement and leading law enforcement off on a secondary wild goose chase. Hence my comment about not knowing the full details. The statements on the RSA blog about it previously being hosted with associates of the Russian Business Network and switching to other host arrangements could support that view.

In most cases the crux of the exploit is to gain information which may be used whenever the fraudster feels it is convenient. For example  - it's Christmas, they want to buy some gifts and have a holiday, so  out come the fruits of their previous labours and exploits. The exploit is no longer required because they already have sufficient passwords and account details to carry out the frauds. Not an exploit in sight.

What does law enforcement do in this case? Generally nothing - and it is left to the customer to prove to the bank that they did not withdraw the funds or buy the item.

We aren't the only ones who realise that law enforcement resources are insufficient to investigate every small fraud, and even the big ones seldom get investigated unless, such probably what occurred as in this case - the 'industry' no doubt assisted or simply handed the investigation to law enforcement on a platter. That is not a criticism of law enforcement - they have their limitations set by others.

Just as a reality check, do you happen to have the numbers on how many fraudsters are actually successfully prosecuted?

I have an inkling it is such a small percentage of the total that the thought of being apprehended by law enforcement is the least likely scenario to 'strilke fear into the hearts' of fraudsters.

October was not 'Shock and Awe' in the cyber fraud war and I don't believe that any amount of spin will make it so.


Uri Rivner
Uri Rivner - Refine Intelligence - Tel Aviv 02 November, 2008, 21:23Be the first to give this comment the thumbs up 0 likes


Let me take you back to the Enigma machine.

Cracking the Enigma code was a major breakthrough, but no one claims it was the most important factor in the success of the Allies' campaign. There are a huge number of contributors, from individuals to technological advancements to tactical improvements.

Just take one historic example: the battle of the Atlantic. For years it was completely controlled by U-boat 'Wolf Packs', which were so effective in cutting Britain from fuel and supplies that in early 1943 there was talk of ceasing the war effort.

But in mid 1943 the tide turned through a combination of smart leadership by newly appointed Admiral Horton of the Royal Navy, technological advancements such as the Active Sonar, hit-and-explode depth charges and next generation radars, as well as new tactics used by allied aircrafts and escort ships.

It took several months to reverse the economical equation of sinking more ships than what the US could replace. This made U-boats less of an ultimate weapon.  

I believe the same applies to the battle over Internet Fraud. Do 56 arrests leave a dent in the economy of online crime? Yes, at least in the immediate future, if you consider the fact fraudsters believe they are not supposed to be caught. Does this win us the war? No, and no one claims it does.

It's not a war we expect to finish anytime soon. It's not a duel that any single bullet will decide. No, my friend, this campaign against online fraud, this arms race between the industry, helped by law enforcement, anti-fraud technologies and each and every one of us as an individual consumer on one hand, and the legion of criminals on the other hand, will continue to rage – but this doesn’t mean we cannot celebrate important victories and applaud the brave lads and lasses who work hard fighting the bad guys.

A Finextra member
A Finextra member 03 November, 2008, 02:47Be the first to give this comment the thumbs up 0 likes

Hi Uri,

I agree with you in regard to the celebration of victory in a minor battle, and I did congratulate the efforts, however winning a battle in what increasingly looks like a lost war war put's a damper on the celebrations.

Back to to that other war. A great Australian and family friend - Sir Mark Oliphant and I had discussions about aspects of the war and I believe that technology ultimately provided the victory. The most important technology was radar, as it provided both early warning of incoming attack, and also the means to direct an accurate attack against an enemy target. In the Pacific, the Japanese were also defeated by technology, a rather special bomb.

I equate the current state of the war against fraudsters as akin to WW2 before radar and lacking the atomic bomb to deliver the crushing blow. In our present case, the crushing blow will not be able to be delivered in one hit, a bomb, or a silver bullet, however until we have the technology - the radar - the early warning prior to the attack hitting and providing us with the means to direct our response at our attacker, we will be in the same position as Britain was at that stage of the war - very vulnerable. being hit more every day and in grave danger of being defeated.

In this case the defeat will be loss of consumer trust in the financial instruments and institutions and the economic cost of stalled progress.

There are other parallels and one I identify with is the discouragement and tribulations faced by the British scientists who went to America to warn of the possibility of a nuclear weapon. They were turned away, ignored, and only with persistence did their message get to the US President. Fortunately he subsequently became an enthusiastic supporter of the development of such weapons and the rest is history.

Here is some information.

It was at the Cavendish, for example, that the atom was first split in 1932. Amongst other research, Oliphant worked on the artificial disintegration of the atomic nucleus and positive ions, and he designed complex particle accelerators. Oliphant's contribution to this work was his discovery of the nuclei of helium 3 (helions) and tritium (tritons). He was also the first to discover heavy hydrogen nuclei could be made to react with each other (tritons and helions being the products, along with protons and neutrons). This fusion reaction is the basis of a hydrogen bomb and fusion power reactors. Ten years later, American scientist Edward Teller would press to use Oliphant's discovery in order to build one.

Mark Oliphant was at Birmingham, in 1940, Otto Frisch and Rudolf Peierls had calculated that a uranium-235 atomic bomb was feasible. Oliphant took their findings at once to higher authority. A committee, code-named Maud, sent the report to the US "Uranium Committee" around March 1941 but the Americans took no action.

Britain was at war and felt an atomic bomb was urgent; there was less urgency in the USA. Mark Oliphant was one of the people who pushed the American programme into action. Oliphant flew to the United States in late August 1941 in an unheated bomber, ostensibly to discuss the radar programme but was actually tasked to find out why the United States was ignoring the Maud Committee's findings. Oliphant said that "the minutes and reports had been sent to Lyman Briggs, who was the Director of the Uranium Committee, and we were puzzled to receive virtually no comment. I called on Briggs in Washington, only to find out that this inarticulate and unimpressive man had put the reports in his safe and had not shown them to members of his committee. I was amazed and distressed."

Oliphant then met with the Uranium Committee. Samuel K. Allison was a new committee member, a talented experimentalist and a protege of Arthur Compton at the University of Chicago. Oliphant "came to a meeting," Allison recalls, "and said 'bomb' in no uncertain terms. He told us we must concentrate every effort on the bomb and said we had no right to work on power plants or anything but the bomb. The bomb would cost 25 million dollars, he said, and Britain did not have the money or the manpower, so it was up to us." Allison was surprised that Briggs had kept the committee in the dark.

Oliphant then visited his friends Ernest Lawrence, James Conant and Enrico Fermi to explain the urgency. Lawrence then also contacted Conant and Arthur Compton. On July 1, 1941 Vannevar Bush, chairman of the National Defense Research Committee, created the larger and more powerful Office of Scientific Research and Development (OSRD) which was empowered to engage in large engineering projects in addition to research. The Uranium Committee became the S-1 Project of the OSRD and in December 1941, following the attack on Pearl Harbor, the Manhattan Engineering District was built, and the project was dubbed the Manhattan Project.


I feel exactly like Sir Mark Oliphant did when the warnings were initially ignored. I don't have the nuclear bomb, as I belive such 'solutions' are crude and particularly inappropriate in this case, however I do have the 'radar', or it's modern equivalent.

Best regards.

A Finextra member
A Finextra member 03 November, 2008, 03:01Be the first to give this comment the thumbs up 0 likes

Apoligies for the spelling and grammar errors but I just whizzed of a quick response and don't have the benefit of an editing team.

Uri Rivner

Uri Rivner

CEO and Co-Founder

Refine Intelligence

Member since

14 Apr 2008


Tel Aviv

Blog posts




This post is from a series of posts in the group:

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

See all

Now hiring