Bloke cuffed, accused of polishing off £700k Polish bank cyber-heist

A 31-year-old Warsaw chap is accused of stealing more than four million Polish złoty (£700,000) by hacking into a bank in Poland.

The bloke has been named only as "Tomasz G" due to Polish privacy laws, and is charged with committing computer fraud and money laundering crimes, reports Radio Poland.

Tomasz G faces up to 10 years behind bars, and "has pleaded guilty to some of the charges," police spokesperson Katarzyna Balcer told the Polish Press Agency. The chap allegedly went by the online handle Razor4.

Balcer said an investigation into Razor4's infiltration of the bank is ongoing. Whoever Razor4 really is, he or she is believed to have collaborated with "dozens of individuals and entities. The hackers have led to losses of more than 4m PLN [Polish złoty]. We were able to prevent the theft of another 3.5m PLN."

The ransacked bank has remained unnamed.

Back in June, Polish tech security news website Zaufana Trzecia Strona was contacted by a person using the email address razor4@t.pl, who claimed he had exploited an unspecified vulnerability to access the bank's public-facing servers "for a few weeks."

During this time, Razor4 bragged he was able to snatch credit card and bank account information, make unauthorized transactions, and access the personally identifiable information belonging to the bank's customers, including account histories. He claimed he stole 1m PLN, which the bank apparently did not notice for several weeks.

Zaufana Trzecia Strona (ZTS) alerted the bank, and was rewarded with a cease-and-desist notice to silence the website. The site went ahead with its article but did not name the bank: instead, the team noted only that it was a commercial Polish bank outside of the ten largest in terms of assets.

ZTS apparently also received an anonymous threat suggesting that a "contract could be taken out on the author of the article if it were published."

Tinker, banker, journalist, thief

Razor4 claimed he accessed the bank around the "end of January" through a software vulnerability for which a patch was available but not applied.

Before slapping Zaufana Trzecia Strona with the gagging letter, the bank apparently told the website its customers' financial assets "were, and remain, safe." The bank refused to answer any more questions.

Razor4, who reportedly wished to be paid a ransom by the bank in order to not publish the data he had stolen, bragged he added, on the server side, JavaScript code to the bank's webpages that redirected customer transactions through his own systems. In doing so, he was able to modify the receiving account numbers so they would match that of accounts under his control.

It appears from the the Zaufana Trzecia Strona article that Razor4 registered a web domain name that differed by one letter from the bank's domain name, and assigned the dodgy domain name to his own servers through which transaction were redirected.

Why? It's not particularly clear. Perhaps he hoped to avoid arousing any suspicion if someone inspected their online banking traffic and saw connections to the malicious servers.

(The mention of the slightly off domain name makes us think this entire caper could be a run-of-the-mill phishing campaign, or some sort of cross-site scripting attack, but all the reports we've seen point to Razor4 infiltrating the bank's systems.)

According to Razor4, the bank continued to deny that it had been penetrated. In the face of customer complaints, it blamed the thefts on trojans installed on their own computers. In February, after Razor4 had stolen 180,000 PLN in a single transaction, the bank warned its customers to be aware of cash-stealing malware on their PCs.

Other security issues discovered by the cyber-thief include a bug in the bank's SMS-based authorization system, which allowed him to make transfers without requiring a confirmation code sent by text message. Razor4 provided a screenshot of the account of a hotel that showed that almost 200,000 PLN had been withdrawn in a single day. Zaufana Trzecia Strona noted that a number of Razor4's victims confirmed that money had been stolen from their accounts.

The bank does not appear to have warned its customers of its IT security breach.

Rik Ferguson, security research veep at Trend Micro, told The Register on Thursday that "aside from the internal system- and process-related vulnerabilities, this whole scenario would not have been possible for the attacker if the bank in question had been able to keep up to date with software patches for its internet-facing systems."

Ferguson, who lives in Warsaw and translated the ZTS article for us, added:

In the security industry and in information security, there is a tendency to bang on about 'patch management' and the risks and problems associated with it. To my mind this is to look at the problem from the wrong angle. We should not be focusing on patch management but on vulnerability management.

Patch management is in fact the easy part: gather your patches, schedule the downtime, have a back-out plan, and get on with it. The real problem is what do you do about the vulnerabilities in the meantime? How do we effectively shield those vulnerabilities from exploitation while the patch window is created?

He added that this technology exists, "but is still woefully under-deployed in production environments." ®