Carbon registries heist: part digital con-game, part digital burglary

By Byron Acohido, USA TODAY, p.6A, 22 Feb. 2011

An Eastern European cybergang has perfected an emerging form of digital theft to steal $50 million from Europe’s carbon registries.

Elite cybergangs are gaining deep access to corporate networks and carrying out Ocean’s 11-like capers that are equal parts digital con game and digital burglary.

Another such gang, for instance, gained recent media attention for its deep access to Nasdaq’s Directors Desk, a cloud-based collaboration service for senior executives. Authorities have released few details. But that gang went undetected for at least a year, giving it plenty of time to try different ways to pilfer sensitive corporate documents from 175 organizations.

“It’s become very common for advanced groups to be in systems for a year or longer without being detected,” says Kim Peretti, forensics director at PricewaterhouseCoopers. “What’s frightening is their motives aren’t so clear as to what they’re looking for and what they’re trying to do.”


Europe’s carbon registries let companies buy and sell pollution credits. The gang that gamed them put a fresh spin on phishing, the art of tricking users into clicking on a poisoned link. They also tweaked a commonplace tool, called a banking Trojan, used to hijack online accounts, says Uri Rivner, senior researcher at RSA, the security arm of EMC.

Rivner disclosed details at the RSA conference last week. He outlined how the gang impersonated employees charged with buying and selling carbon emission permits. After gathering intelligence about the carbon registries in 25 nations, the gang began to target specific employees, most likely sending them carefully crafted e-mails enticing them to open a work document infected with the Nimkey banking Trojan.

From that foothold, the crooks methodically harvested account log-ons and closely monitored trading processes. At the proper moment, someone would log on as an authorized trader, execute a transaction and divert the proceeds into accounts controlled by accomplices.

“Creativity has never been in short supply in the criminal underground,” says Rivner.

In one sting, the gang stole $31 million from a Romanian cement company; in another, they called in a bomb threat to the Czech Republic registry. While the building was cleared, the bad guys exfiltrated $25.6 million. After several other large thefts, the European Commission shut down all the registries in mid-January. Some have been allowed to reopen, but the majority of Europe’s carbon registries remain closed.
