Tag: hackers

  • Hackers Steal $17 Million From Uganda Central Bank – State Paper

    Offshore hackers stole 62 billion Ugandan shillings ($16.8 million) from Uganda’s central bank, the state-owned New Vision newspaper reported on Thursday.

    The hackers, identifying themselves as “Waste,” reportedly accessed the Bank of Uganda’s IT systems and illicitly transferred the funds earlier this month.

    The hacking group, based in Southeast Asia, sent part of the stolen money to Japan, New Vision said, citing unnamed sources at the bank.

    New Vision said the central bank had successfully recovered over half of the money from the hackers. In response to the cyber attack, President Yoweri Museveni has ordered an investigation, it said.

    Separately, Uganda’s biggest independent newspaper, Daily Monitor, reported that the theft may have involved collusion by insiders.

    Cyber thefts from banks and other financial service providers, including telecom firms, have occurred many times in Uganda. However, police officials have said that some banks are hesitant to publicly acknowledge such incidents due to fears of alienating customers. ($1 = 3,685.0000 Ugandan shillings)

  • Hackers Breach Equity Bank, Sh179M Stolen From Customers Accounts

    Cyber criminals have targeted Equity Bank and made away with Sh179 million in what is being described as the biggest heist in card fraud this year.

    In a leaked letter by the bank’s insider seen by Kenya Insights, Sh179,677,736 was stolen from the bank’s MasterCard GL and transferred to 551 accounts.

    How Equity Bank got hacked

    The letter, signed by Gerald Munyiri, Equity’s General Manager Security & Investigations, alerts the Banking Fraud Investigations Department at the DCI and seeks help in investigating and prosecuting the perpetrators. It details how the hackers moved the money from MasterCard and quickly spread it to the 551 accounts within the bank and through M-Pesa.

    “Early 15/04/2024 the bank’s risk department discovered an upsurge of transactions emanating from the bank’s Incoming Master Card GL. Preliminary investigations revealed that between 09/04/2024 and 15/04/2024, Ksh. 179,677,736/- was paid out from the GL fraudulently to the 551 Equity Bank accounts,” part of the letter reads.

    It continues, “additionally, Ksh. 63,023,983/- was sent to Safaricom Mpesa and Ksh. 39,047,344/- to eleven commercial banks.”

    According to the letter, Equity has managed to block a fraction of the looted cash by locking the accounts in question and is in talks with Safaricom to help trail and retrieve the rest of the cash that was offloaded through M-Pesa.

    Equity bank’s history with hackers

    The bank is not new to claims of fraud and of customers losing money in unclear circumstances; in fact, the complaints on its social media accounts paint a vivid picture.

    The bank’s cybersecurity systems have been faulted by experts for being vulnerable, making it an easy target for hackers.

    A recent case, in which members of a cybercrime gang that included Kenyans were jailed in Rwanda for targeting the bank in a hacker attack, could explain how this is done.

    In 2022, eight Kenyans who had hacked the bank were handed eight-year jail terms and fined Sh5.6 million.

    The eight were part of a 12-man gang arrested in 2019 by the Rwandan Investigation Bureau (RIB) that included three Rwandese nationals and a Ugandan.

    The gang arrested in Rwanda had successfully hacked in Kenya and Uganda and were on police watch when they were finally caught in Rwanda.

    The gang were arrested while hacking into Equity Bank accounts and funnelling the cash to Rwandans to draw out funds through Eazzy banking and ATMs.

    The Kenyans include Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Kinyua Erickson Macharia, Godfrey Gachiri Githinji, Eric Dickson Njagi Mutegi, Reuben Kirogothi Mwangi, Damaris Njeri Kamau and Steve Maina Wambugu.

    The hackers, operating with insiders to identify targets with huge deposits, tried to intercept the lender’s 14-branch network and wrote computer scripts to move money to several local accounts of accomplices.

    They attempted the hack through the Eazzy banking platform, which the bank and security agents intercepted since they had been alerted to the gang’s operations, including the recruitment of Rwandans who would be used to take cash out of the accounts.

    Cybercriminals are using ‘BIN’ attacks in card fraud

    While it is still not clear how the Equity heist was executed, a Bank Identification Number (BIN) attack appears to be the clear guess.

    Cybersecurity networks may be getting stronger, but cyber-criminals always seem to outpace that progress by coming up with more sophisticated tactics. The latest troubling trend to emerge in the space is the use of “BIN attacks” by cyber-criminals to target small businesses. This involves manipulating the BIN of credit cards, allowing fraudsters to test stolen card details through trial and error on unsuspecting e-commerce sites. This sophisticated cybercrime tactic not only poses financial threats to businesses but also leaves consumers questioning the security of their online transactions.

    Behind the scenes of the ‘BIN’ attacks

    Kenyan banks have been losing staggering amounts of money over the past years. What initially seemed like a clerical error has turned out to be a sophisticated cybercrime technique that puts both businesses and consumers on edge.

    Cyber-criminals start by obtaining the first six digits of a credit card, known as the Bank Identification Number (BIN). With this information, they employ trial-and-error methods to decipher valid combinations of card numbers, expiration dates, and security codes. The stolen card details are then tested through small transactions that are hardly noticed, to determine their validity. Once confirmed, fraudsters either sell the compromised card numbers or use them for larger fraudulent transactions.

    Many find themselves victims of unauthorized transactions. Despite never using their cards online, some victims are shocked to discover transactions on their accounts, leaving them with doubts about the safety of their financial information, even though the bank reimbursed them.

    Contrary to popular belief, credit card numbers are not as random or infinite as consumers might think. With 16 digits on a card, removing the six-digit BIN leaves just 10 digits that adhere to a specific pattern. The relatively limited possibilities make it feasible for cyber-criminals to use automated systems to rapidly guess valid combinations, posing a significant challenge for traditional security measures.
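
From the merchant or processor side, the card-testing pattern described above (many different cards on one BIN, small amounts, mostly declined, in a short burst) can be picked out of authorization logs. The following is an added example, not part of the original article; the record layout, thresholds, merchant names, BIN values and card tokens are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def detect_bin_enumeration(records, window=timedelta(minutes=10),
                           min_cards=5, max_amount=2.00, min_decline_ratio=0.8):
    """Return sorted (merchant, bin) pairs whose low-value traffic looks like card testing.

    records: iterable of (timestamp, merchant, bin6, card_token, amount, approved).
    Thresholds are illustrative assumptions and need tuning on real traffic.
    """
    groups = defaultdict(list)
    for ts, merchant, bin6, token, amount, approved in records:
        if amount <= max_amount:              # test charges are kept small
            groups[(merchant, bin6)].append((ts, token, approved))
    flagged = []
    for key, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            cards = {tok for _, tok, _ in in_window}
            declines = sum(1 for _, _, ok in in_window if not ok)
            # Many distinct cards plus a high decline rate separates guessing
            # from one customer retrying a single card.
            if len(cards) >= min_cards and declines / len(in_window) >= min_decline_ratio:
                flagged.append(key)
                break
    return sorted(flagged)

def sample_records():
    """Constructed authorization log; tokens stand in for card numbers."""
    t0 = datetime(2024, 4, 9, 2, 0, 0)
    recs = []
    for i in range(8):    # burst: 8 cards on one BIN, 20 s apart, only the last approved
        recs.append((t0 + timedelta(seconds=20 * i), "shop-A", "400000",
                     f"tok-a{i}", 1.00, i == 7))
    for i in range(6):    # ordinary purchases on the same BIN at another merchant
        recs.append((t0 + timedelta(minutes=30 * i), "shop-B", "400000",
                     f"tok-b{i}", 25.0 + i, True))
    for i in range(3):    # one customer retrying one declined card
        recs.append((t0 + timedelta(minutes=i), "shop-C", "510000", "tok-c0", 1.50, False))
    return recs

if __name__ == "__main__":
    print(detect_bin_enumeration(sample_records()))
```

A flagged pair is a cue to rate-limit or step up verification for that BIN at that merchant, and to tell the issuer which tokens were approved during the burst.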

    Role of financial institutions and businesses

    While the affected businesses call for tighter safety protocols, the responsibility is not solely on the banks. Financial institutions, often the victims themselves, issue cards but are not always the entities processing the transactions. The attacks highlight the need for a multi-layered defense, with businesses employing robust fraud protection tools and payment processors like Stripe and Square that prioritize online store security. This is needed since the aftermath of a BIN attack can be financially crippling for businesses.

    According to the Central Bank, bank card fraud occurs in several ways, including phishing, which is when fraudsters send an email or text message that appears to come from one’s bank or a reputable financial institution.

    “They use various tactics to get you to share confidential information such as your PIN, account number, login details and passwords,” the CBK notes on its website.

    “For instance, they may state that your account has an issue and that you need to update or verify the information through a website link or mobile phone device. Thereafter, they use the details to steal money from your account.”

    Fraud may also occur when card skimmers illegally copy information from the magnetic strip of a credit or ATM card. They then create copies of the card and make charges to one’s account.

    In other instances, thieves use misplaced or stolen bank cards to make unauthorised purchases before the owners report them missing, the CBK adds.

    According to data from the BFID, Kenyan banks lost Sh1.5 billion (approximately US $17.64 million) over the last year, with only a third being recovered by investigators.

    Last week, the National Assembly assented to the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, giving security agencies more power to regulate cyberspace activities to curb fraud.

    The regulations enhance protection measures for critical economic sectors such as telecoms, banking, transport and energy.

    They stipulate how to deal with issues including scams, identity theft, hacking and internet fraud, and also address the cybercrime capacity and capability building for the public, businesses, government institutions, and private entities, to enhance their cybersecurity preparedness and prioritise cybersecurity.

    Kenya’s highly digitised economy linked with mobile money through telcos and banks has made the country a target for cybercrime and online fraud.

    Adapting to evolving threats

    As cyberattacks become more sophisticated, businesses must adapt to protect themselves and their customers. Popular platforms like Stripe and Square can serve as valuable allies in the ongoing battle against cyber threats, providing an additional layer of defense for businesses and their customers.

    In an era where convenience and speed define online transactions, the dark underbelly of cybercrime poses a persistent challenge. BIN attacks, with their focus on small businesses, remind us of the fragility of digital financial ecosystems. As businesses and financial institutions work to bolster their defenses, consumers are encouraged to remain vigilant and report any suspicious transactions promptly. The delicate balance between ease of use and security continues to be a tightrope walk in the digital age, with each innovation met by an equally cunning cyber threat.

  • Hackers Breach Israeli’s Defense Ministry Computers, Steal Sensitive Information For Sale

    A hacker group claimed to have breached the Israeli Defense Ministry’s computers and obtained sensitive information.

    Security sources confirmed to Israel Hayom daily on Tuesday that there had indeed been a breach of the ministry’s computers.

    The hacker group that made the claims on Telegram asserted that it had successfully accessed data from the Defense Ministry’s computer systems, the daily added.

    Among the documents allegedly belonging to the Defense Ministry were “communications and orders,” which the hackers offered for sale for 50 bitcoins (about $3.45 million).

    Moreover, the Israeli daily reported that the hackers had obtained extensive data but would only consider selling it if Israel agreed to release 500 Palestinian prisoners.

    Security sources confirmed to Israel Hayom daily that the breach of the ministry’s systems had occurred, but they did not specify whether the stolen data was sensitive.