Six corrupt bank insiders arrested in Moldova
November 9, 2010
No less than six corrupt bank workers that became ZeuS money-stealing suspects have all been arrested in Moldova. The six bank insiders worked in local bank branches in the east European country.
Police say the suspects specialized in laundering Western Union and MoneyGram payments received from co-conspirators in the West that can ultimately be traced back to compromised corporate and personal bank accounts.
Moldova’s Specialized Services Center for Combating Economic Crimes and Corruption (CCECC), which is investigating the case, announced the arrests on Oct. 28. A few days later, two 21-year-old Moldovan money mule suspects were arrested in Green Bay, Wisconsin.
Lilian Adam and Dorin Codreanu were named by the FBI as strong suspects in the same case back in late September.
The arrests in Moldova follow similar charges against alleged members of a massive cybercrime ring estimated to have raked in up to $70 million by using the ZeuS banking Trojan to steal online banking login credentials and loot accounts for the past three to four months.
Further arrests may follow in Moldova and elsewhere, Washington Post staffer turned security blogger Brian Krebs reports.
"All told, Moldovan prosecutors are looking at no less than twelve suspects in total, including a government official who is alleged to have provided the criminal group with copies of ID cards needed to open bank accounts," said Krebs.
However, 11 of the 37 money mules charged by the FBI in September still remain at large.
Closely related investigations have led to other charges against a further eleven suspects in the U.K. and then five in the Ukraine.
The Ukrainian suspects are all alleged to have been the mastermind behind the crimes and the main driving force behind the massive cybercrime operation.
In other banking-related security news, just Friday, Internet security company viaForensics has discovered many security flaws in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the banks to fix and patch their mobile banking applications.
"Since November 1st, we have been communicating and coordinating with the financial institutions to fix these critical security holes," research firm viaForensics wrote in a post on its site. "The findings we published reflect testing completed on Nov. 3. Since that time, several of the institutions have released new versions and we will post updated findings shortly."
Yesterday, the security firm went public with problems in PayPal's iPhone app, spurring the online payment provider to action.
Specifically, viaForensics concluded that: the USAA's Android app stores copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report.
viaForensics says these are security issues that could have been easily prevented from the start and that repairing them won't be complicated and shouldn't take the banks more than an hour or two.
Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.
Wells Fargo did release an update to its Android app yesterday, USAA updated its Android app today, TD Ameritrade's apps will be fixed in the next version, and Bank of America is addressing the issue in its apps in the next few days, as a direct result of viaForensics' findings.
A Chase spokesman declined to provide us with any comment, however.
Spokespeople from several of the financial institutions said that the supposed security flaws, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.
ViaForensics did not immediately return a call and e-mails seeking comment late yesterday.
Critical security holes found in banking apps, ATMs and online banking services used with a computer or laptop isn't anything new. As long as there is thieves there will always be security issues. It's up to the banks themselves to ensure that all banking transactions are performed in a very secure fashion and at all times.
The way in which the above banking apps were released in the wild is unacceptable and further creates doubt in the minds of consumers.
Source: The Washington Post.
You can link to the Internet Security web site as much as you like.