22 February 2018
Keith Appleyard

Please Engage Brain

Keith Appleyard - available for hire

60Posts 301,205Views 107Comments


A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.

UK Financial Institution loses 675K in 30 days

03 September 2010  |  4009 views  |  2

M86 Security (www.m86security.com) have published a (13-page) white paper on a recent online banking attack which resulted in £675,000 being stolen from approx 3,000 customer accounts at an (unnamed) UK Financial Institution in the 30 day period from 5th July.

Multiple techniques were used to spread malicious code, including infecting legitimate websites with malware & creating fraudulent online advertisement websites

The cybercriminals used well-known Exploit Kits which can be purchased for a few hundred dollars which are notorious for efficiently exploiting victim’s browsers to install Trojans onto their PCs.

Once the Zeus v3 Trojan was successfully installed on victims’ PCs and after the victims logged into their online bank accounts, the Trojan transferred various pieces of data to the cybercriminals Control system. After analysing the data, the Trojan Control system determined whether the user had enough money in the account, and selected the most appropriate accomplice account to receive the money, wrapped all the data, and sent it back to the Trojan installed on the victim’s machine. This was then was used to initiate the money transfer from their accounts.  

Depending upon how blasé or relaxed you are about online banking, there is no excuse not to monitor your bank account, particularly if you’ve switched off getting paper statements, to ensure no rogue transaction have occurred. In this example, each customer lost an average of £200 – there are no details as to whether people were hit with a single one-off transaction, or whether there were smaller amounts of say £50 on a weekly basis. They might not necessarily have been sent to the same accomplice in each instance.


TagsSecurityRisk & regulation

Comments: (3)

John Dring
John Dring - Intel Network Services - Swindon | 03 September, 2010, 12:53

Just a comment on this one, and a pet peev.  It doesn't help when merchants register POS transactions from obscure head offices or with disconnected parent company names. 

For example, paying £75 for petrol (yes, £75!) on the motorway somewhere up north, comes up as a transaction from a different company name down south.  It makes it pretty difficult to recall what that transaction was and whether it is valid.

Cheque payments are worse - obviously they are just a cheque number and value, but at least they can be checked in the cheque book.

Online payments are the best, because they include my own entered reference text.

Direct debits are sometimes confusing too.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Keith Appleyard
Keith Appleyard - available for hire - Bromley | 03 September, 2010, 13:55

I agree, I can remember years ago being very confused when presented with "UB Dartford" - I'd never been to Dartford - turned out it was United Biscuits (HQ in Dartford) central bank a/c - pertaining to their subsidiary "Pizza Hut".

Brititsh Airways is another one - a central bank a/c at Harmondsworth (Heathrow) irrespective of which Airport in the world you actually bought the ticket. Other multinationals like Hertz (Tulsa Oklahoma) are the same.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 September, 2010, 06:42

With their realtime, bite-sized, anywhere-access features, I personally find SMS alerts to be most effective in keeping a track of transactions in my bank accounts. To avoid drowning under too many SMS messages, I find the ability to set a threshold useful, so that only transactions exceeding that figure will trigger an alert.



Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Keith

Barclays On-line Banking deserves better error messages

02 January 2014  |  14047 views  |  1 comments | recomends Recommends 0 TagsMobile & onlinePaymentsGroupWhatever...

RBS does have robust procedures

01 October 2013  |  3557 views  |  0 comments | recomends Recommends 0 TagsMobile & onlinePaymentsGroupWhatever...

National Savings and Investments are rather too lethargic

17 April 2013  |  13929 views  |  0 comments | recomends Recommends 1 TagsSecurityMobile & onlineGroupWhatever...

RBS Internet Banking is not for the English

28 January 2013  |  5628 views  |  0 comments | recomends Recommends 0 TagsMobile & onlineGroupWhatever...

RBS don't seem to understand basic book-keeping rules

26 June 2012  |  6402 views  |  5 comments | recomends Recommends 2 TagsPaymentsGroupWhatever...

Keith's profile

job title IT Consultant
location Bromley
member since 2008
Summary profile See full profile »
Focussing on IT Strategy and Systems Architecture issues, primarily in the Payment Card Industry - scope is Global. SME on topics such as Data Protection and Encryption.

Keith's expertise

Member since 2007
60 posts107 comments
What Keith reads

Who's commenting on Keith's posts