“Do you know anything about Bitcoins, Mr Gardener?” asked Steve Winter.
“No,” said Gardener. “I’m afraid you have the edge on me there. I’ve heard the term but I’ve managed to stay away from it.”
Shona Pearson continued, “I’m not being disrespectful here when I say that we’ll try to make it as simple as we can.”
“It’s a modern bank account,” elaborated Winter. “A ‘wallet’ is basically the Bitcoin equivalent of a bank account. It allows you to receive Bitcoins, store them, and then send them to others.
“It’s digital currency. There are two types. Virtual Currency; unregulated digital money, which is usually issued and controlled by its developers, used and accepted among the members of a specific virtual community.
“And then there’s Cryptocurrency; a digital token that relies on cryptography for chaining together digital signatures of token transfers, peer-to-peer networking and decentralisation.”
Reilly stared blankly at Winter. “Jesus Christ. You’re not talking my language here, son. I have enough trouble with normal bank accounts.”
Winter smiled, and continued, “Essentially, every hacker loves dealing in Bitcoins because they think they are completely untraceable. But that’s not true. With every Bitcoin transaction, anyone with an ounce of skill can see the entire chain block.
“A Bitcoin wallet is similar to a numbered Swiss bank account in old money. We might not know who sits behind the account, but we know the account number.
“So, people with Bitcoin wallets will pay money in and out of their account for all sorts of things, some of them illegal – like buying ransomware on the dark net; some of them legitimate – like renting server space in Canada.
“What we have to do in cyber crime is something called cluster analysis. We look at what Bitcoin wallets are being used to feed scam money into, and then establish if any of the wallets have been used for legal purposes. If so, it’s very likely they used some kind of traceable identification linked to the legal transaction. That way we find the black hat hackers.”
The meeting grew very quiet with everyone glancing around the table, opening and closing files.
Finally, Gardener said, “Are you saying that you think David and Ann Marie Hunter were involved in something illegal?”
“That they were ripping the bank off?” added Reilly.
Shona Pearson leaned forward. “Actually, that’s not what we think, sir. To be perfectly honest, we think it was the Hunters who were being blackmailed.”
“Blackmailed?” questioned Reilly. “Any idea who, or why?”
“We’re not sure, yet,” replied Pearson. “This case is still in its infancy for us.”
Winter continued. “The online crooks infected computers of the Trans Global Bank with a brand-new Trojan system nicknamed Octopus, giving them direct access to the company’s network and online banking passwords–”
Gardener interrupted him. “What’s Octopus?”
“Never mind that,” added Reilly, “you might need to explain how a Trojan works, for me.”
Winter nodded. “An attacker who has compromised an account holder’s PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC. If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking Trojans.
“I find it hard to believe that there are still banks using nothing more than passwords for online authentication on commercial accounts. Then again, some of the techniques being folded into today’s banking Trojans can defeat many of the most advanced client-side authentication mechanisms in use today.
“Banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day’s end. But several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.
“Perhaps the most elegant fraud techniques being built into Trojans involve an approach known as ‘session riding’, where the fraudster in control of a victim’s PC simply waits until the user logs in, and then silently hijacks that session to move money out of the account.
“With the Trans Global Bank, it was a new strain of malware that we dubbed Octopus. It’s very active and appears to have tentacles wandering off all over the place, looking into everything. It hijacks customers’ online banking sessions in real time using their session ID tokens. We’ve also discovered that Octopus keeps online banking sessions open after customers think they have ‘logged off’, enabling criminals to extract money and commit fraud unnoticed.”
Reilly smiled and sipped his coffee. “I think I’ll stick to standard practice from now on.”
“That makes two of us,” said Gardener, staring at his phone, wondering why youngsters today ran their entire lives on them.
“Anyway,” said Winter, “a week later, the thieves made their move by sending a series of unauthorised wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.
“The first three wires totalled more than £350,000. When David Hunter went to log in to his company’s accounts fifteen minutes prior to the first fraudulent transfers going out, he found the account was locked. The site said the account was overdue for security updates.