
Citibank refutes reported hack by Russian gang

Updated December 23

Citigroup representatives are refuting a published report alleging that tens of millions of dollars were siphoned out of the financial services firm's customer accounts.

The Russian Business Network (RBN), a notorious gang linked to several hacking schemes, as well as various other criminal activities, is cited as being behind the heist, according to a report in Tuesday's edition of The Wall Street Journal. The FBI was said to be investigating, though a representative at the agency did not return a phone call seeking comment.

But Joe Petro, managing director of Citigroup's security and investigative services, in a release sent on Tuesday, said: "We had no breach of the system and there were no losses, no customer losses, no bank losses. Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

According to the Journal story, the hacking activity was traced via traffic on ISPs previously used by the RBN. The attack was enabled by a hacking tool called Black Energy, attributed to a Russian author, which is used to command a botnet. Earlier this year, a customized iteration of the code capable of collecting banking information was discovered online, the report said.

The Storm botnet, originally identified in 2007, is believed to have linked as many as 50 million compromised computers. While its authors have yet to be identified, experts believe that portions of the system have been contracted out to various underground operations.

Two years ago, security researchers found the botnet to be behind phishing attacks against such financial institutions as Barclays and Halifax Bank.

But Citi denies an incident beyond typical probing.

"Denial-of-service attacks are directed against companies around the world," the Citi statement said. "While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi."

Andrew Storms, director of security operations at vulnerability management firm nCircle, said he wonders why the FBI hasn't commented publicly considering Citigroup already has denied that a breach occurred.

According to the Journal report, the government owns 27 percent of Citi. Shares of the firm are down more than 50 percent this year.

"You have to wonder if there isn't some other triage being done here that has more to do with Citi's battered stock price than fair disclosure," Storms said.

"My analysis of this report is that we are talking about a man-in-the-browser attack," said Imperva CTO Amichai Shulman. "That is, a trojan controlled through a botnet that operates from within the browser and inserts false transactions into a user's sessions. In view of this, it is clear why Citibank did not report or 'notice' any breach. The breach is not on Citi's side, but rather on the consumer side. It does point to the growing sophistication of attackers."
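The man-in-the-browser scenario Shulman describes, as an added example that is not part of the original article: a Python simulation of why a login-time second factor does not catch a trojan that rewrites the transaction after the user has confirmed it on screen, while a code bound to the destination and amount, computed on a device the browser cannot reach, does. The per-user secret, account numbers and amounts are constructed.

```python
import hmac
import hashlib

# Constructed example: a per-user secret shared between the bank and the user's
# out-of-band signing device (hardware token or phone app). Not a real key.
USER_SECRET = b"constructed-per-user-token-secret"

def transaction_code(secret: bytes, dest: str, amount_cents: int, digits: int = 8) -> str:
    """Code the user's device computes over the details the user typed into the
    device itself. HMAC-SHA256 over a canonical encoding, truncated to `digits`."""
    msg = f"{dest}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def session_otp(secret: bytes, session_id: str) -> str:
    """A session-only second factor: proves the user logged in, says nothing
    about which transaction the browser later submits."""
    return transaction_code(secret, "login:" + session_id, 0)

def bank_accepts_with_session_otp(secret: bytes, session_id: str, submitted: dict, otp: str) -> bool:
    # Only checks that the session is authenticated; trusts the browser's payload.
    return hmac.compare_digest(session_otp(secret, session_id), otp)

def bank_accepts_with_tx_code(secret: bytes, submitted: dict, code: str) -> bool:
    # Recomputes the code over the transaction *as received*; any in-browser
    # change to dest or amount makes the recomputation differ from the code.
    expected = transaction_code(secret, submitted["dest"], submitted["amount_cents"])
    return hmac.compare_digest(expected, code)

def simulate(tamper: bool) -> dict:
    intended = {"dest": "ACCT-1001", "amount_cents": 25_00}
    # The device sees only what the user entered into it, not the browser page.
    device_code = transaction_code(USER_SECRET, intended["dest"], intended["amount_cents"])
    otp = session_otp(USER_SECRET, "sess-42")
    submitted = dict(intended)
    if tamper:
        # Man-in-the-browser: payload rewritten inside the browser after the
        # user confirmed the intended details on screen (constructed values).
        submitted = {"dest": "ACCT-MULE-9", "amount_cents": 2_500_00}
    return {
        "session_otp_accepts": bank_accepts_with_session_otp(USER_SECRET, "sess-42", submitted, otp),
        "tx_code_accepts": bank_accepts_with_tx_code(USER_SECRET, submitted, device_code),
    }

if __name__ == "__main__":
    print("genuine :", simulate(tamper=False))  # both checks accept
    print("tampered:", simulate(tamper=True))   # session OTP accepts, tx code rejects
```

The session OTP passes in both runs because it authenticates the session rather than the transaction, which is exactly the gap a browser-resident trojan exploits; binding the code to what the user entered out-of-band closes it.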

Jacob Jegher, a senior analyst at Celent, a Boston-based financial research and consulting firm, said, "Banks are being continuously victimized by cunning and ever-evolving fraudsters who will stop at nothing in order to get their hands into the cookie jar. The challenge of late is that the attacks are becoming more sophisticated and the fraudsters are taking the banks and their clients to the cleaners."

Many banks are fearful to admit that they have been victims or targets of fraud, Jegher added. "They don't want to draw negative attention. Banks should use these unfortunate incidents to improve security processes and customer communication and education."

A U.S. government agency and one other unnamed enterprise were also reported victims of similar attacks, according to the Journal story.

Regarding a particular Citibank customer mentioned in the article, the Citi statement said: "While we do not discuss customer details, the individual case described was an isolated incident of fraud. Consistent with legal requirements, our customers are not liable for any unauthorized use of their accounts."
