
An article relating to this blog post on Finextra:

Confidential carbon trading data posted online

A firm providing marketing services for LCH.Clearnet has mistakenly posted confidential carbon emission allowances information online, according to the Financial Times.



Carbon Copy

February saw The Big Carbon Robbery. I explained this unorthodox cash-out method here; it’s quite simple really. Every EU country has a carbon emission quota, and every polluting manufacturer within that country buys carbon emission licenses on a trading platform. These licenses are expensive, and if you just steal the user name and password for accessing these accounts, you can sell the licenses and get away with the money.

Now it seems that some confidential trader data has been exposed online, which gives the cybercriminals an excellent target list as it provides them with the carbon allowance trade volumes. They can also learn about trade patterns, so they can hide their own transactions within innocent trades.

I guess that most companies who fell for the phishing attack in February have warned the relevant employees about the risks of responding to such phishing emails, and reported to their senior management that they have contained the situation.

They haven’t.

That’s because RSA now sees Trojans configured to be triggered whenever someone accesses any of the EU trading platforms, to record the access credentials, and to send them to the Trojan mothership.

Meet the Nimkey Trojan (aka Chilkat), which is believed to be authored and maintained by an East European crime ring. Nimkey targets a wide range of financial institutions, but there’s a very interesting section in its trigger list that caught our attention.

The trigger list tells the Trojan which websites are more interesting than others; when the Trojan is triggered, it records all communications with that website.

So when we saw a bunch of non-financial targets triggered by Nimkey we checked them out, and they all turned out to be the carbon trading platform website of one of the EU countries. In fact, we are talking about EVERY country in Europe, with the exception of Liechtenstein (hey, what’s wrong with Liechtenstein carbon?)
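The defender's mirror image of a trigger list is a watchlist: if a Trojan is known to wake up on a particular set of sites, the first scoping question after an infection is "which of our users and machines have visited those sites, so whose credentials do we reset first?" The script below is an added example, not code from the original post, from RSA, or from any Nimkey analysis. It assumes a simple constructed proxy log layout (timestamp, user, source IP, host, path, status) and uses placeholder domains in place of the real registry addresses, which the post does not list.

```python
import re
from collections import defaultdict

# Constructed watchlist: sites a defender treats as high-value because a Trojan's
# trigger list is known to include them. Placeholder names, not real registries.
WATCHLIST = {
    "registry.country-a.example",
    "emissions.country-b.example",
    "ets-login.country-c.example",
}

# Constructed proxy log lines: "timestamp user src_ip host path status".
SAMPLE_PROXY_LOG = """\
2010-11-30T09:12:01Z alice 10.0.4.17 registry.country-a.example /login 200
2010-11-30T09:13:44Z bob 10.0.4.22 www.example.com /news 200
2010-11-30T10:01:09Z alice 10.0.4.17 ets-login.country-c.example /account 200
2010-11-30T10:05:30Z carol 10.0.4.31 cdn.example.net /static/app.js 304
2010-11-30T11:47:12Z dave 10.0.4.40 emissions.country-b.example /transfer 302
2010-11-30T11:48:00Z bob 10.0.4.22 mail.example.org /inbox 200
"""

# One regex for the assumed log layout; anything that does not match is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_on_watchlist(host, watchlist=WATCHLIST):
    """True if host is a watchlisted domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)


def find_exposed_accounts(log_text, watchlist=WATCHLIST):
    """Map each user who reached a watchlisted site to the sorted hosts they touched."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not host_on_watchlist(rec["host"], watchlist):
            continue
        exposed[rec["user"]].add(rec["host"].lower())
    return {user: sorted(hosts) for user, hosts in exposed.items()}


def triage_report(exposed):
    """One action line per exposed user: rotate the credentials, then check the endpoint."""
    return [
        f"{user}: reset credentials for {', '.join(hosts)}; inspect the endpoint for infection"
        for user, hosts in sorted(exposed.items())
    ]


if __name__ == "__main__":
    for line in triage_report(find_exposed_accounts(SAMPLE_PROXY_LOG)):
        print(line)
```

The subdomain match matters in practice: login portals often sit on a host under the main registry domain, and an exact-match watchlist would miss them. The report is deliberately ordered by user rather than by host, because credential reset is a per-person action while malware cleanup is a per-machine one.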

What does this mean?

It means the Nimkey operators have a way to monetize these accounts, and plan to do so. If you get infected with Nimkey and you happen to work for one of the companies involved in the trading, you’re basically a walking pot of gold – and the Nimkey folks are very interested in your access credentials.

So it’s not just online banking, P2P payments and credit cards that cybercriminals can monetize. Stocks are a target as well, as are auction sites, telco companies, insurance website credentials and carbon emission licenses, and the list will grow as time goes by.

Anyone care to add some non-trivial target they came across?


Comments: (2)

Uri Rivner - Refine Intelligence - Tel Aviv, 01 December 2010, 15:08

Quick update: turns out Nimkey related incidents are already happening. I wasn't aware of it when writing this:

http://uk.reuters.com/article/idUKLDE6AT1XP20101201

The scale of the theft is really big: in the February phishing attack there were 250,000 permits worth 3 million euros that were stolen. Here we are talking about 1.6 million carbon permits stolen from just ONE cement company in Romania.

That's 25 million dollars in a single hit. Out of that, 9.5 million were still not traced to the final destination.

Uri Rivner - Refine Intelligence - Tel Aviv, 09 December 2010, 16:42

One correction: in the original post I said Nimkey triggers on every EU country but France; in fact it's every country but Liechtenstein. I've made the correction in the actual text, but wanted to draw people's attention to this as Holcim, the cement company hit by Nimkey, was able to recover 600,000 out of 1,600,000 stolen permits - and these 600,000 were moved to the Liechtenstein registry. See here.

This can't be a coincidence.

Uri Rivner, CEO and Co-Founder, Refine Intelligence

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
