How anyone can be a bank-robbing hacker

How anyone can be a bank-robbing hacker

Summary: Hackers have claimed to have broken into the Commonwealth Bank of Australia's UK site, but with the bank denying any attack, is this just another case of putting one and one together and getting three?

SHARE:

There's an old adage that on the internet, nobody knows you're a dog. It's been previously used to demonstrate that it's hard, if not impossible at times, to determine whether someone really is who they say they are — be it man, woman, or dog — but it equally applies to hackers.

Although offline, it's easy enough to connect with someone's day-to-day personality, it doesn't offer any insight into who they are and how they act online. Let's face it, as much as Hollywood might lead us to believe that hackers gain their street cred from hacking via sophisticated 3D-modelled file systems, or that two people typing on one keyboard doubles a computer's hacking abilities, the more boring reality is that it's mostly done by typing commands into a terminal shell (and I don't mean "access security").

Just as image is everything for some people offline, so too is it online. It's why sites like Zone-H exist, showcasing what websites online attackers have defaced. And just like in the offline world, many will take credit for others' work, make up successful attacks, or twist simple attacks into what seem like more nobler causes.

Which is what may have happened with the Commonwealth Bank of Australia (CBA) recently. A hacking group going by the name LatinHackTeamReborn, presumably trading off the name of the former LatinHackTeam group, claimed to have breached CBA's UK site.

It posted the alleged email addresses, hashed passwords, and names of users on the site, stating that it made its attack by "rerouting after attacking the firewall", and that it was "striking back after what you did to us".

The only problem is, it's not CBA's data.

"We have done a thorough investigation, and we can confirm that no Commonwealth Bank systems have been hacked and no customer data has been compromised. The CBA customer information is safe and secure," a spokesperson for the bank told us.

It's clear from the leaked data that it's not banking information. CBA uses numerical codes for it online banking system, not email addresses, and the passwords, while hashed, were done using MD5 with no salt. If such a method of securing passwords was used on a live banking system, it would certainly raise eyebrows, but CBA denies that it belongs to it.

But the email addresses do appear to be valid, and, worryingly, of a UK and Australian nature.

It's not unheard of for a hacked organisation to lie to the media, and for the information to actually be from a lesser-known and not mission-critical system (we might as well throw "developed by a third party" in here as well). But, digging deeper, I'd be more inclined to trust CBA's word. That's not just because of the damage to its reputation should it be proved that it lied, but because it would really mean trusting a hacker group that only created its Twitter account a few hours prior to the attack, which for some reason decided to include the #stopglobalwarning (yes, warning) hashtag in its attack, and opted for the cryptic, Hollywood-esque method of "rerouting" after attacking a firewall.

Wherever this data came from, it didn't happen by picking different routes. It most likely resulted from improper access to a database, probably by using SQL injection.

And what has CBA got to do with whatever happened to LatinHackTeam anyway? Nothing, as far as I can tell. It's a bank — and hackers breaking into banks is a sure-fire way to improve your image and gain credibility.

Which is probably why the hacking group also claimed to have attacked the Bank of Israel. That would be a significant feat itself; only the email addresses, hashed passwords, and organisations named have nothing to do with the Bank of Israel. They are actually from leaks posted by others, on previously compromised websites; in this case, the Ontario Imported Wine-Spirit-Beer Association. It runs its site off WordPress, which, if not maintained to the current version, is an easy target for even the most novice attackers, thanks to the wealth of information freely available online.

Most of the time, impersonators are going to get away with it because there are few consequences for being named and shamed, and fewer who have the time or inclination to do it ("Bank not hacked" is not a headline, after all). Even when it does happen, this is the internet, where creating a new alter ego is as simple as a few clicks, and a teenager, or an industry veteran, can be born again as a political greenie against global warning, a freedom fighter, a North Korean official, or perhaps all of them at once.

It's true that on the internet, nobody knows if you're a dog, but also, most times nobody knows you're really a dog pretending to be some sort of bank-robbing hacker.

Topics: Security, Banking, United Kingdom, Australia

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion