'Hackers' take over bank's IT network with info found online

Tapping information found online at sites such as Facebook and LinkedIn, an anti-hacking specialist has successfully taken over the entire IT infrastructure of a client bank.

SNOsoft - a research team at cyber-security specialists Netragard - was hired by a "mid-sized" bank to carry out an advanced stealth penetration test to see how far it could worm its way into the client's IT infrastructure without being detected.

In a blog, the firm's boss, Adriel Desautels, says his firm gathered valuable information from Facebook, mapping relationships between employees, vendors, friends and family. The social networking site also helped identify key people in accounts receivable/accounts payable (AR/AP) at the bank.

In addition, LinkedIn and job sites such as Monster and Dice, where IT positions at the bank were advertised, provided "interesting and useful technical information" on things such as intrusion detection technologies and operating systems for desktops and servers.

To gather extra information, the SNOsoft team applied for an IT security job and used the subsequent screening call to pump the bank for details on its anti-virus technologies and policies on controlling outbound network traffic.

Based on the intelligence gathered, SNOsoft moved to penetrate the bank's systems by embedding an exploit into a PDF document and sending it to the victim's AR/AP department from its trusted IT services provider.

The PDF was sent, undetected by anti-virus software, and was opened by a bank employee, compromising their computer. Once it had control of the computer, SNOsoft installed its own back-door technology and deployed a suite of tools before scoping out the internal network. Eventually the team cracked the bank's passwords and gained access to desktops, servers and Cisco devices used by the bank.

Says Desautels: "In summary, we were able to penetrate into our customer's IT Infrastructure and effectively take control of the entire infrastructure without being detected."

Comments: (1)

A Finextra member, 30 April, 2010, 22:22

Congratulations to "mid sized" bank for having the guts to be tested like that. The results alone should be enough to bring priority investment straight to where it is needed.

I was involved in a similar exercise recently. We sniffed out personal details for some of the lowliest staff, and showed the individuals just how they could have their personal safety compromised. I suspect they now realise that there is no such thing as the lowliest member of staff in a financial organisation. Everyone counts in the game of trust.