JP Morgan hackers indicted in largest theft of customer details

100 million customer details were stolen and tens of million of dollars were made off with by a "sprawling cyber-criminal enterprise" in what is now known as the largest breach of customer details in US financial history.

The details of 76 million JPMorgan Chase's customers were stolen in 2014
The details of 76 million JPMorgan Chase's customers were stolen in 2014

American authorities have indicted four men in connection with a hacking campaign that resulted in the theft of millions of dollars and what is becoming known as the largest theft of customer data in US financial history.

These four are thought to have breached several large financial institutions, including JPMorgan Chase, one of America's ‘Big Four' banks along with the Dow Jones, various financial news sites, software companies and stockbrokers, eventually making off with $100 million, according to the US Attorney General's office. 

But this was only “a small step towards a large empire”. According to online correspondence between the conspirators, they planned to become a powerful organisation based on the business model of Merrill Lynch but bolstered by stolen customer details.

The group is thought to be linked to the JPMorgan breach last year in which the details of 76 million customers were stolen. The group is also linked to the early-2014 theft of 4.6 million customer details from Scottrade, a retail brokerage firm and Etrade, which lost 31,000 customer details in late 2013

American federal authorities have indicted  two Israelis and two Americans: Gery Shalon, Joshua Samuel Aaron, Anthony Murgio and Zic Orenstein. Those four have been taken in on 23 charges including wire fraud, identity theft and money laundering. The US state of Georgia will be piling on yet more charges for Aaron and Shalon who face 10 more charges.

As of writing, none of the named suspects  are known to currently live in the US and their extradition is currently being sought.

Authorities believe that Shalon is the head of a “sprawling cyber-criminal enterprise” that operated in a dozen countries between 2012 to 2015. The scam, prosecutors said, resulted in the theft of the data of 100 million customers. The hackers would then use that data to manipulate stocks by trying to get those customers, some big some small, to invest in stocks they would artificially inflate.

According to The Guardian, they would convince private companies to offer shares publicly before sending out dubious tips on the success of those stocks to the millions of customers whose details they had stolen. Once the stock had risen sufficiently, the group would sell their large person holdings causing that stock to go under.

The group was also aggressively involved in money laundering, processing the payments of drug traffickers, counterfeit software and malware manufacturers and illegal casinos. They would launder these profits through various organisations they had set up including Coin.mx which was shut down in July this year. The payments from these illicit organisations would be received and then paid out as transactions with pet and wedding stores.

Murgio, Aaron, Shalon and Orenstein would filter their profits through multiple shell companies and hide their identities using fake credentials like passports. The operation was truly international, operating as far afield as Egypt, Brazil, the Czech republic and South Africa as well as in the United States.

The significance of this breach can't be understated, according to Adam Kujawa, head of Malware Intelligence at Malwarebytes who told SC: “Finding out that the [alleged] criminals were not only using the information in the kind of attack we all expected, but the fact they went a step further and used it to steal money from a larger source by manipulating stocks is very surprising.”

Kujawa added that this syndicate are not the usual suspects. "We aren't just dealing with casual criminals stealing a little money from individual users, but rather intricate minds utilising both modern technology and traditional psychological attacks to create a new kind of crime.”

Banks are predictably a large, alluring bullseye for most hackers. This has not gone unrecognised in the world's great financial centres either.

The Bank of England regularly tests the City of London's cyber-security capabilities, with operations like Waking Shark and the upcoming, Resilient Shield. 

Dr Adrian Davis, the managing director for Europe at (ISC)2, a global organisations of software security professionals, told SC that getting into the vault might be easier than you think: “Hackers are able to get inside major corporations like JP Morgan just by cross-checking the programmes they run with widely-known vulnerabilities because corporations are failing to run proper penetration-tests of their systems to find all the possible trapdoors through which hackers could get in which means they often have little visibility over the state of their own defences.”

This means, Dr Davis said, “hackers can find multiple ways to break into major corporations and banks simply by finding out what apps or programmes they use, because there is now a lucrative ‘black market' in racing to identify vulnerabilities which can be ‘traded' around the world in moments, and even bought using fraudulent credit cards.”

Carrying out this kind of criminal enterprise isn't even particularly hard, says Dr Davis. “With ready-made exploit kits for known vulnerabilities now available on public bulletin boards, anyone with a basic level of competence can potentially hack into multinational corporations.”