Hackers threaten to leak bank customers' account info unless they pay up

This isn’t your ordinary bank account compromise…

Extortionists are threatening to publish the account information of a hacked bank's customers unless those customers hand over cash.

According to Reuters, a group of unidentified hackers is targeting customers' accounts at Valartis Bank Liechtenstein.

Located in the Alpine principality between Switzerland and Austria, the financial organization changed hands from the Swiss-listed Valartis Group to a Hong Kong-based holding company known as Citychamp Watch & Jewellery Group Ltd earlier this year.

As of this writing, the bank has yet to issue a comment publicly. It also didn't respond to Reuters's request for a private comment via phone or email on 27 November.

Now, in a typical bank heist, the attackers either raid affected customers' accounts outright or they abuse something like the SWIFT platform to fraudulently transfer money to an account under their control.

But that's not what's going on here. Reuters explains:

"Unknown hackers found their way into the Liechtenstein bank's system and obtained customer account information, including that of many Germans..., ... politicians, actors and high net worth individuals...

"The hackers are demanding 10 percent of the account balances, to be paid in Internet cryptocurrency Bitcoin to help preserve anonymity..."

In other words, the hackers want money from the bank's customers, or else they'll leak their account information online.

Is that a bad thing?

Potentially, yes.

Different countries have different ways of allowing people to withdraw money from their bank accounts. To process that kind of transaction, a criminal needs to have a valid bank account number and the routing number for the financial institution at which that account is held. But depending on how they attempt to withdraw money, they might need a physical card or photo identification.

The potential for fraud ultimately rests online, where an actor can abuse someone's bank account number and routing number to submit an Automated Clearing House (ACH) transaction.

A bank can technically detect suspicious transactions through the use of anti-fraud measures. It could alert the user, for example, if it detects a money withdrawal from another country, but as we all know, bad actors can circumvent that obstacle through the use of a VPN.

Responsibility for detecting and reporting the fraud might therefore fall onto the user. If that's the case, they might not have any choice but to close down their old bank account and open up a new one.

While Valartis Bank Liechtenstein figures out the best way to protect its users, it should disable online transactions. That will at the very least help prevent remote actors from stealing account holders' money.

Under no circumstance should any of the affected customers meet the criminals' demands.

3 Responses

  1. Bob

    November 28, 2016 at 5:49 pm #

    A lot of banks prohibit the use of VPNs and they won't work when authorising payments.

  2. Gordon Hay

    November 28, 2016 at 11:51 pm #

    I strongly suspect that the potential theft of funds from their accounts might not be the risk that is uppermost in the minds of at least some of the customers, rather it will be the prospect of just how much money they have salted away becoming public knowledge.

  3. Mordac

    November 29, 2016 at 10:33 am #

    As Gordon Hay said — pretty sure the monetisation model here is to blackmail account holders with the threat of exposing tax avoidance or evasion, or dodgy / corrupt transactions, or just to breach their privacy by revealing how much they're worth or were paid for a particular job (or part, in the case of the alleged actors.)
