APRIL 28, 2004
One jumps over the firewall

By Chua Hian Hou

An obscure Trojan program was what the suspect, Chinese national Sun Rong, used to commit Singapore's biggest Internet banking fraud.

He had remotely implanted the virus into his victims' computers. With it, he identified his targets, captured their passwords, and transferred money from their DBS online accounts to his own. He then went to an ATM to withdraw their money - $62,000 in all - and fled town. All in two hours flat.

The police acted on the report of Mr Firdaus bin Mohamed Akber who had discovered that $5,000 from his DBS bank account had been directed to an unknown account.

Piecing the jigsaw

The Singapore Police Force's Technology Crime Investigation Branch (TCIB) investigators were led by Senior Staff Sergeant Michael Hung, 27. A veteran investigator, he had (then) five years' experience in solving techno-crimes.

DBS' counter-fraud team gave them key information including Sun Rong's name, the names of 19 victims apart from Mr Firdaus, and the IP addresses of the computers hacked.

Then 30, Sun Rong was here on an employment pass. He had been sacked for 'unsatisfactory work performance'.

TCIB turned to the Singapore Immigration & Registration, now called the Immigration and Checkpoints Authority (ICA). Too late: the man had already skipped town. From data logs from the bank, Singapore Cable Vision (SCV) and ICA, the TCIB team pieced together what happened.

June 19, the day of the crime:

  • 8.30am: Sun Rong accessed and transferred money from the 20 victims' bank accounts to his own, via an SCV broadband Internet account.

  • 9.20am: Left his Jurong West flat for a DBS branch nearby.

  • 9.56am: Withdrew his ill-gotten gains.

  • 10.35am: Left town via the Woodlands Checkpoint.

June 20:

  • 4.15pm: TCIB raided Sun Rong's rented flat. They found a computer - minus the hard disk and broadband modem.

'The suspect was clever enough to remove items which could have given us clues to how he committed the crime - the hard disk, obviously, and the cable modem, which had a unique network serial number that could link him to the actual transfer,' said Senior Staff Sgt Hung.

Getting the picture

To find out how Sun Rong got hold of his victims' Internet banking IDs and passwords, TCIB asked the victims to bring their computers in for forensic checks. Only 12 of the victims cooperated. The rest declined, for reasons of confidentiality.

The investigators cloned the hard disks of the computers they had, careful to keep the originals intact in case they were needed as evidence. Suspecting that a virus or other malicious software had been used, they scanned the machines with anti-virus software. To their surprise, the scan turned up empty. They dug deeper. The computers' registries and event logs were turned inside out. Here, they discovered that all the victims had a suspicious executable file named 'dk.exe'.

Further tests, together with scientists from the Defence Science Organisation (DSO), revealed that the program was Dark Angel 2.5, an obscure Trojan program from China.

This was why it had eluded even the updated commercial anti-virus programs that the TCIB team originally used. When executed, Dark Angel captures keystrokes and sends the details to a designated e-mail address. It even formats the captured information in neat, reader-friendly fields to make it easy for the hacker to find the DBS bank account users, their user names and passwords.
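The investigators' route to 'dk.exe' was signature-free: compare what starts automatically and what talks to the network against what the owner actually installed. The script below is an added illustration of that triage step, not code from the article or from TCIB. It runs over a constructed export of Windows Run-key autostart entries and a constructed personal-firewall outbound log (the paths, addresses and program names are made up for the example; the allowlist of known-good programs is an assumption standing in for a vetted baseline), flags any autostart executable that is not on the baseline, flags any program sending e-mail (TCP port 25) that is not a known mail client, and reports the intersection as keylogger candidates. It also hashes file bytes so the finding can be tied to a specific binary from the cloned image.

```python
"""Added triage example: unknown autostarts + non-mail programs talking SMTP.
All sample data below is constructed for this illustration."""
import hashlib
import re

# Constructed Run-key export, as an analyst might dump it from a cloned disk.
SAMPLE_RUN_ENTRIES = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    C:\Program Files\Messenger\msmsgs.exe /background
    dk        REG_SZ    C:\WINDOWS\system32\dk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon  REG_SZ  RUNDLL32.EXE NvQTwk,NvStartup
    ccApp     REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Constructed personal-firewall outbound log: date time dir program dest port action.
SAMPLE_FIREWALL_LOG = r"""
2003-06-18 21:02:11 OUT C:\Program Files\Internet Explorer\iexplore.exe 203.0.113.10 80 ALLOW
2003-06-18 21:05:43 OUT C:\WINDOWS\system32\dk.exe 198.51.100.25 25 ALLOW
2003-06-18 21:06:02 OUT C:\Program Files\Outlook Express\msimn.exe 198.51.100.7 25 ALLOW
"""

# Assumed baseline of the owner's known software (a real case uses a vetted inventory).
KNOWN_GOOD = {"msmsgs.exe", "rundll32.exe", "ccapp.exe"}
MAIL_CLIENTS = {"msimn.exe", "outlook.exe"}
SMTP_PORT = 25

_RUN_LINE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.*\S)\s*$")
_QUOTED_EXE = re.compile(r'^"([^"]+)"')
_BARE_EXE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def exe_path(value):
    """Extract the executable path from a Run-key value, quoted or not."""
    m = _QUOTED_EXE.match(value) or _BARE_EXE.match(value)
    return m.group(1) if m else value


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_run_entries(text):
    """Return (hive, value_name, exe_path) triples from an exported Run key."""
    hive, entries = None, []
    for line in text.splitlines():
        if line.startswith("HK"):
            hive = line.strip()
            continue
        m = _RUN_LINE.match(line)
        if m and hive:
            entries.append((hive, m.group(1), exe_path(m.group(2))))
    return entries


def unknown_autostarts(entries, known_good=KNOWN_GOOD):
    """Autostart executables whose name is not in the owner's baseline."""
    return [path for _, _, path in entries if basename(path) not in known_good]


def parse_firewall_log(text):
    """Parse outbound records; the program path may itself contain spaces."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7:
            continue
        records.append({"program": " ".join(tok[3:-3]), "dest": tok[-3],
                        "port": int(tok[-2]), "action": tok[-1]})
    return records


def suspicious_smtp(records, mail_clients=MAIL_CLIENTS):
    """Programs sending on the SMTP port that are not known mail clients."""
    return sorted({r["program"] for r in records
                   if r["port"] == SMTP_PORT and basename(r["program"]) not in mail_clients})


def sha256_hex(data):
    """Hash of a file's bytes, to pin a finding to one binary from the clone."""
    return hashlib.sha256(data).hexdigest()


def triage(run_text, firewall_text):
    autostart = unknown_autostarts(parse_run_entries(run_text))
    exfil = suspicious_smtp(parse_firewall_log(firewall_text))
    return {"unknown_autostart": autostart, "smtp_non_mail": exfil,
            "keylogger_candidates": [p for p in autostart if p in exfil]}


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_RUN_ENTRIES, SAMPLE_FIREWALL_LOG).items():
        print(f"{key}: {paths}")
```

The point of the intersection is that neither signal alone is conclusive (plenty of legitimate software autostarts, and a few programs legitimately send mail), but a program that does both and is absent from the owner's baseline is exactly the kind of artifact the AV scan in the article missed.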

One final question remained: How did Sun Rong manage to implant the Trojan program onto his victims' desktops? 'We know it was done remotely, since he did not have physical access to his victims' computers, but without the suspect's confession or his hard disk, we do not know the specific method used to do this,' said Senior Staff Sgt Hung.

A few months after the event, Sun Rong logged into his DBS account again. This login was traced to an Internet service provider in Shanghai. TCIB contacted the Chinese authorities, who confirmed that the suspect had returned to China. Singapore has no extradition arrangement with China.

'We are working with the Chinese authorities to try and bring closure to this case,' said Senior Staff Sgt Hung.

LESSONS LEARNT

After the brouhaha, DBS and other local banks added fund transfer controls to prevent similar trip-ups. All new payee accounts now require approval by the account holder before they can be added.
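The control described above works because a stolen login alone can no longer complete the fraud: adding a payee and approving it become two separate steps, and the second one happens outside the compromised web session. The model below is an added example, not DBS's or any bank's code. It assumes (as the article does not say) that approval is confirmed with a code delivered through a channel the attacker cannot read; account numbers, balances and the $5,000 figure are constructed to mirror the case.

```python
"""Added example: payee approval as a fund-transfer control.
Account numbers and balances are constructed for this illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


class TransferRejected(Exception):
    """Raised when a transfer fails a control check."""


@dataclass
class Account:
    owner: str
    balance: int
    payees: dict = field(default_factory=dict)  # payee number -> "pending" | "approved"


class Bank:
    def __init__(self, require_payee_approval=True):
        self.require_payee_approval = require_payee_approval
        self.accounts = {}
        # Assumption: the approval code reaches the holder outside the web session
        # (e.g. a separate channel); modelled here as a dict the session can't see.
        self.out_of_band = {}

    def open_account(self, number, owner, balance):
        self.accounts[number] = Account(owner, balance)

    def add_payee(self, src, payee):
        acct = self.accounts[src]
        if not self.require_payee_approval:
            acct.payees[payee] = "approved"  # pre-incident behaviour: a login is enough
            return "approved"
        acct.payees[payee] = "pending"
        self.out_of_band[(src, payee)] = secrets.token_hex(4)
        return "pending"

    def approve_payee(self, src, payee, code):
        """Second step: only someone holding the out-of-band code can approve."""
        expected = self.out_of_band.get((src, payee))
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.accounts[src].payees[payee] = "approved"
        del self.out_of_band[(src, payee)]
        return True

    def transfer(self, src, dst, amount):
        acct = self.accounts[src]
        if acct.payees.get(dst) != "approved":
            raise TransferRejected(f"payee {dst} not approved by account holder")
        if amount <= 0 or amount > acct.balance:
            raise TransferRejected("insufficient funds")
        acct.balance -= amount
        self.accounts[dst].balance += amount


def _setup(require_payee_approval):
    bank = Bank(require_payee_approval)
    bank.open_account("victim-001", "account holder", 8000)
    bank.open_account("mule-999", "fraudster", 0)
    bank.open_account("friend-123", "legitimate payee", 0)
    return bank


def stolen_login_scenario(require_payee_approval):
    """Someone with only the victim's captured login adds an account and transfers.
    Returns (victim balance, fraudster balance) after the attempt."""
    bank = _setup(require_payee_approval)
    bank.add_payee("victim-001", "mule-999")
    try:
        bank.transfer("victim-001", "mule-999", 5000)
    except TransferRejected:
        pass  # blocked: payee never approved out of band
    return bank.accounts["victim-001"].balance, bank.accounts["mule-999"].balance


def legitimate_flow():
    """The real account holder confirms the payee with the code, then transfers."""
    bank = _setup(True)
    bank.add_payee("victim-001", "friend-123")
    code = bank.out_of_band[("victim-001", "friend-123")]  # holder reads it off-channel
    assert bank.approve_payee("victim-001", "friend-123", code)
    bank.transfer("victim-001", "friend-123", 5000)
    return bank.accounts["victim-001"].balance, bank.accounts["friend-123"].balance


if __name__ == "__main__":
    print("without control:", stolen_login_scenario(False))
    print("with control:   ", stolen_login_scenario(True))
    print("legitimate:     ", legitimate_flow())
```

Without the control the stolen login drains $5,000 exactly as in the article; with it the transfer is rejected and the balances are untouched, while the genuine holder's flow still completes once the code is supplied.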

The Infocomm Development Authority tied up with major anti-virus vendors like Symantec to add the Dark Angel signature to their databases. Updated anti-virus software will now be able to pick up and remove the malicious program.

Individual online bankers also learnt their lesson. Because they had not made break-ins tough, the hacker found it easy. Some had not installed a firewall program, which would have warned them that a program was trying to send information out and let them stop it.

Nor had they set administrator or main user account passwords, which would have made it take that much longer for the hacker to break in.

Said Senior Staff Sergeant Michael Hung: "The victims said they didn't set the passwords because it was a hassle and didn't see the need to do this for a home PC."

So to prevent hacking:

  • Install anti-virus and firewall programs, and update them regularly.

  • Set an administrator password when installing a new computer.

  • Check your bank account regularly and remember your balances.

  • Contact your bank immediately if you notice any discrepancy.

Copyright © 2004 Singapore Press Holdings Ltd. All rights reserved.