Errors, threats and extortion – history of a bank hack part two

In this episode of the Polish bank heist we describe the actions taken by criminals after the bank they hacked refused to pay the ransom they requested.

The ultimatum presented to Plus Bank, robbed by criminals, has elapsed. The burglar, who apparently has not received the ransom, has published data of hundreds of business accounts of Plus Bank customers.

This is a three-part story. You are reading part number two. Here are the links for part one and part three

Second week of June 2016 in the history of Polish banking will be remembered for a long time. First, in Monday we revealed that a Polish bank was a victim of a serious intrusion, as a result of which the criminals were able to steal one million zlotys and customer data. On Tuesday, the criminal hiding under the pseudonym Polsilver announced that Plus Bank was the victim, and presented his ultimatum – he would receive an offer from the bank (he proposed 200 thousand for silence), or he would publish customer data. The bank announced that it would not pay the ransom. Another entry of Polsilver appeared on Tor network, containing modified claims, fragments of stolen data, and the promise of future leaks.

A small hint of hope

A small hint of hope for Plus Bank and its clients was the message from law enforcement agencies. Europol and the Central Bureau of Investigation bragged about great successes in the fight against thieves who steal from bank accounts. 49 criminals were arrested, of which 18 in Poland. Thieves’ speciality was phishing. After gaining access to an e-mail account, they would monitor it to capture information on expected payments. Then they would pretend to be one of the parties to the transaction and mislead the sender to transfer funds to their account. They managed to gain and launder at least 7.7 million zlotys. The brain of the group lived in Lesser Poland Voivodship, and the police secured, among other things, 160.000 zlotys in cash.

Still from the movie showing the arrest of the suspect
Still from the movie showing the arrest of the suspect

There was a certain probability that the perpetrator of the attack on Plus Bank was among the detainees – but apparently Polsilver was not one of the arrested.

He posted a long entry on Tor network a few minutes ago. He asks Plus Bank to pay 200.000 zlotys for charity. Otherwise he will publish successive packets of data each week. In his entry there are also links to two files. The first file contains data and fragments of the history of transaction on accounts belonging to 500 business customers of the bank. The 10-megabyte file contains data such as:

  • name and surname of the owner or the name of the company
  • residential address
  • e-mail address
  • phone numbers
  • held accounts with balances
  • owned banking products
  • payment cards data (numbers and expiry dates)
  • data of 50 last transactions.
Polsilver’s entry
Polsilver’s entry

According to Polsilver, the second file contains a copy of the bank server from the beginning of the burglary. Polsilver claims that he had access to the server and databases for almost three months. He also presents data from two bank transfers he made for a total of more than 200.000 zlotys, indicating the data of both victims and bogus beneficiaries, and he asks for verification whether the victims have received the stolen funds.

Bank’s reaction

This probably is not the last act of the drama associated with Plus Bank. KNF takes the matter more seriously, and Polsilver does not preclude the publication of more stolen information. Plus Bank is trying to convince the world that no security breach occurred by removing all comments referring the events from their Facebook profile, and the answers given by the spokesman are even more laconic than the answer that we received. As a result, bizarre articles occur, like the one written by the Polish Radio, where we read:

The bank calms everyone down and claims that the money on their accounts is safe. This view is shared by Przemysław Barbich from the Polish Bank Association. – When fighting with hackers, banks are the winners – says the expert. […] Customers can be assured that their personal data are completely safe. And the hacker who allegedly got into the bank system may be sure that he will be caught by the law enforcement agencies.

We will not assess the accuracy of this statement. Especially in the light of recent publications of Polsilver.

Without a doubt, the scandal associated with Stonoga and accompanying cabinet reshuffle favour the communication strategy of the Polish Bank Association. Therefore, we do not expect that the latest leak and potential new leaks will change the approach of Plus Bank, trying to silence the confusion at all costs. The strategy appears to be effective – but is it the best for the customers?

Read third part of this story here.

1 thought on “Errors, threats and extortion – history of a bank hack part two”

Leave a Reply

Your email address will not be published. Required fields are marked *