Two cyber-criminals were jailed today for their involvement in an attempt to rob a UK bank using stolen staff passwords. Hugh Rodley, 61, was sentenced to eight years, while David Nash, 47, was given three years for their part in an attempt to steal over 200 million GBP from the Sumitomo Mitsui Bank in London.
The high-tech heist also involved the bank’s security supervisor, Kevin O’Donoghue, 34, from Birmingham. O’Donoghue disabled CCTV cameras and gave two computer experts, Jan Van Osselaer from Belgium and Gilles Poelvoorde from France, access to the back office which contained the bank’s staff computer terminals. The pair attached a USB device which installed keylogging software onto the computers. Over the next few days, the software recorded every key press made on the computers, collecting the usernames and passwords of bank employees.
The pair returned two weeks later and O’Donoghue again allowed them into the staff office. Armed with the harvested employee login details, the pair targeted high-value account holders such as Toshiba and Nomura Holdings and attempted ten transfers to accounts in Spain, Dubai, Hong Kong, Turkey and Israel. The transfers were unsuccessful, so the pair returned again the following day and unsuccessfully attempted further transfers to accounts in Liechtenstein and Singapore. In all, the pair attempted transfers totalling 229 million GBP.
It is understood that the transfers failed only because of a fundamental error in the way the SWIFT forms (the method used for international bank-to-bank transfers) were completed. Bank employees soon spotted the strange activity that had taken place under their user IDs, and O’Donoghue was quickly arrested.
The money was destined for the accounts of four people: David Nash, Hugh Rodley, his business partner Bernard Davies, and Inger Britt Marie Malmros. All had created business accounts with names such as Mediatel International PLC, Investorscan and Furzefield for the purpose of receiving the funds. Osselaer, Poelvoorde and O’Donoghue have all since pleaded guilty to conspiracy to steal and have been convicted. Nash was also charged in relation to the offence, but died before the case reached trial, while Malmros was cleared of all charges.
For companies using computers to store or access sensitive information, this case illustrates the dangers that keylogging software can present. Once installed, such software gives no indication of its presence and can quickly collect highly sensitive information that can be used in the commission of crimes such as fraud and intellectual property theft. Companies should also be wary of the dangers of USB devices, which can not only introduce malicious software but also allow users to copy massive amounts of sensitive data to a portable format. For example, a 16 gigabyte USB flash device is capable of storing over 280,000 typical ten-page MS Word documents, or three million pages, in a housing the size of a packet of chewing gum.
To protect effectively against the risks illustrated in this case, systems administrators should introduce a policy that limits or prohibits the use of USB storage devices and ensures that antivirus software is kept up to date at all times, so that malicious activity can be detected promptly. Where employee computer misuse is suspected, computer forensic analysts, who are able to analyse computer equipment in order to produce legal evidence, can be called in.