Internet Banking Fraud In Singapore

Appendix 2

Articles regarding victims falling prey to a Trojan horse

Published in The Straits Times, July 9, 2002 [3]

ONLINE FRAUD

Hacker moved $62,000 in just an hour

China national then withdrew money, fled to Malaysia

By Sharmilpal Kaur

IT TOOK just one hour for the hacker who broke into the computers of 21 DBS Internet Banking account-holders to move $62,000 of their money into his own DBS account.

And within the next hour, the 30-year-old Chinese national walked into a DBS Bank branch, withdrew the money and made his getaway by heading across the Causeway to Malaysia.

DBS Bank revealed this yesterday at a press conference to explain how a hacker had made off with the money on June 19 without breaching or triggering the bank's Internet defences.

Investigations so far show that the bank's computer security systems were not breached, nor was the hacking carried out by one of its employees.

The head of the bank's corporate security, Mr Ng Peng Khian, said there was a high possibility that the culprit had hacked into the victims' computers instead.

Using a Trojan Horse program, he could have captured the user-identification codes and passwords to access their online accounts.

About two weeks before he withdrew the money, he entered the victims' online accounts to make sure that the user IDs and passwords were still valid.

Describing what happened on June 19 itself, Mr Ng said: 'He started at 8.19 am, and managed to penetrate the accounts of 21 bank customers. He stopped at 9.20 am.'

From each account, he took between $200 and $4,999, the maximum transfer limit allowed.

'At 9.56 am, he turned up at one of our branches and made a withdrawal.'

He withdrew $62,000, the total he had stolen from the 21 accounts, but did not empty out his own account.

He then fled across the Causeway to Malaysia.

DBS was alerted to the missing funds that afternoon, when the first victim called the bank. The other 20 customers were alerted by the bank when it traced the movement of the funds.

DBS has since refunded all 21 account-holders, but future victims may not be as lucky. Said the bank's head of personal banking, Ms Elsie Foh: 'Naturally, if it is not our fault, we would like our Internet users to be aware that there are risks.

'And if they are not taking the necessary precautions, then I do not see how the liability can be put onto anyone who is actually not responsible or accountable for it.'

As to whether the bank would consider informing a customer before approving the online transfer of funds, Ms Foh said that, two years ago, the bank used to delay online transfers for two days to give customers enough time to stop a transaction.

But this was dropped and transfers were made immediate after customers said they wanted the transactions done speedily.

To help its 370,000 online customers tighten security, Ms Foh said the bank plans to offer anti-virus programs at a discount.

APRIL 28, 2004 [4]
One jumps over the firewall

By Chua Hian Hou

An obscure Trojan program was what the suspect, Chinese national Sun Rong, used to commit Singapore's biggest Internet banking fraud.

He had remotely implanted the virus into his victims' computers. With it, he identified his targets, captured their passwords, and transferred money from their DBS online accounts to his own. He then went to an ATM to withdraw their money - $62,000 in all - and fled town. All in two hours flat.

The police acted on the report of Mr Firdaus bin Mohamed Akber who had discovered that $5,000 from his DBS bank account had been directed to an unknown account.

Piecing the jigsaw

The Singapore Police Force's Technology Crime Investigation Branch (TCIB) investigators were led by Senior Staff Sergeant Michael Hung, 27. A veteran investigator, he had (then) five years' experience in solving techno-crimes.

DBS' counter-fraud team gave them key information including Sun Rong's name, the names of 19 victims apart from Mr Firdaus, and the IP addresses of the computers hacked.

Then 30, Sun Rong was here on an employment pass. He had been sacked for 'unsatisfactory work performance'.

TCIB turned to the Singapore Immigration & Registration, now called the Immigration and Checkpoints Authority (ICA). Too late, the man had skipped town. From data logs from the bank, Singapore Cable Vision (SCV) and ICA, the TCIB team pieced together what happened.

June 19, the day of the crime:

  • 8.30am: Sun Rong accessed and transferred money from the 20 victims' bank accounts to his own, via an SCV broadband Internet account.
  • 9.20am: Left his Jurong West flat for a DBS branch nearby.
  • 9.56am: Withdrew his ill-gotten gains.
  • 10.35am: Left town via the Woodlands Checkpoint.

June 20:

  • 4.15pm: TCIB raided Sun Rong's rented flat. They found a computer - minus the hard disk and broadband modem.

'The suspect was clever enough to remove items which could have given us clues to how he committed the crime - the hard disk, obviously, and the cable modem, which had a unique network serial number that could link him to the actual transfer,' said Senior Staff Sgt Hung.

Getting the picture

To find out how Sun Rong got hold of his victims' Internet banking IDs and passwords, TCIB asked the victims to bring their computers in for forensic checks. Only 12 of the victims cooperated. The rest declined, for reasons of confidentiality.

The investigators cloned the hard disks of the computers they had, careful to keep the originals intact in case they were needed as evidence. Suspecting that a virus or other malicious software had been used, they scanned the machines with anti-virus software. To their surprise, the scan turned up empty. They dug deeper. The computers' registries and event logs were turned inside out. Here, they discovered that all the victims had a suspicious executable file named 'dk.exe'.

Further tests, together with scientists from the Defence Science Organisation (DSO), revealed that the program was Dark Angel 2.5, an obscure Trojan program from China.

This was why it had eluded even updated commercial anti-virus programs that the TCIB team originally used. When executed, Dark Angel captures keystrokes and sends the details to a designated e-mail address. It even formats the captured information in neat reader-friendly fields to make it easy for the hacker to find the DBS bank account users, their user names and passwords.

One final question remained: How did Sun Rong manage to implant the Trojan program onto his victims' desktops? 'We know it was done remotely, since he did not have physical access to his victims' computers, but without the suspect's confession or his hard disk, we do not know the specific method used to do this,' said Senior Staff Sgt Hung.

A few months after the event, Sun Rong logged into his DBS account again. This login was traced to an Internet service provider in Shanghai. TCIB contacted the Chinese authorities, who confirmed that the suspect had returned to China. Singapore does not have extradition rights.

'We are working with the Chinese authorities to try and bring closure to this case,' said Senior Staff Sgt Hung.
