Bank of Montreal and Simplii Breach Timeline & Summary Report

Source: wow.intsights.com/rs/071-ZWD-900/images/Bank of Montreal... · 2020-06-12 (posted 24-Jul-2020)

Threat Intelligence Realized.

On May 28, 2018, news reports started to surface about a data breach affecting two CIBC (Canadian Imperial Bank of Commerce) subsidiaries – BMO (Bank of Montreal) and Simplii Financial. The reports stated that a data breach had occurred and that 90,000 customer records had been leaked. The hackers demanded a ransom of 1,000,000 Ripple XRP cryptocurrency (roughly $750,000), or they would release the data to dark web black markets and sites.

This report describes the known details of the breach, including data obtained through IntSights systems. We follow the known timeline of the breach and describe its technical details as given by the hacker himself in an email he sent to BMO and Simplii.

As far as we know, the breach began around, or prior to, January 2018. In his email, the hacker claimed that he breached the BMO site around January 2018 and, after BMO half-patched the issue, hacked the site again sometime after January 2018. As for Simplii, he doesn’t state a specific date, but judging from his email he seems to have succeeded in hacking their site in early-to-mid May. (He gives May 7 as the date on which he checked the BMO site again, and says that Simplii had shown email and SMS spam alerts on their site “in the last few weeks,” signaling that the bank had seen his intrusions during those weeks.)

From our data, we saw some unusual phishing domains directed at both the BMO and Simplii websites around February and May 2018 (Figures 1, 2 and 3). We suspect that these sites were set up with the intent of acquiring customer data to be used as test accounts for the later, larger breach. We saw more phishing attacks aimed at Canadian banks from the same domain (Figure 4).

(Figure 1: CIBC, Simplii, and BMO phishing sites found in IntSights’ system)

(Figure 2: hxxp://woelrkhelkprf[.]info/revenuecanada.secure.interac.online.ca/banks/Simplii/ – Simplii phishing site)

(Figure 3: hxxp://woelrkhelkprf[.]info/revenuecanada.secure.interac.online.ca/banks/BMO/indexx.php – BMO phishing site)

(Figure 4: hxxp://woelrkhelkprf[.]info/testing123/ – Test phishing site from the same domain aimed at Canadian bank brands)

The woelrkhelkprf[.]info domain was active around May 14, 2018 for a short period of time, and then went offline.

On Sunday, May 27, 2018, at 4:36, the hacker sent an email to the bank informing them of the breach. The email came from the address [email protected], suggesting a Russian origin, but this could have been intentionally misleading. The email itself was written in good English, but with some notable mistakes. We believe that the purpose of these mistakes was to blur the true origin of the hacker.

The email describes the method of attack on BMO and Simplii. The attacker took advantage of weaknesses in the session cookie used to authenticate users to the site. Abuse of the “Forgot Your Password” page helped him exfiltrate the data. Here are the steps he took to breach the sites:

1. Generating Card Numbers – The hacker wrote that he used the Luhn algorithm to generate card numbers. The Luhn algorithm (also known as “modulus 10” or “mod 10”) is a well-known checksum used to verify credit card numbers, IMEIs, NPIs, Canadian SINs, and Israeli and Greek ID numbers. It distinguishes randomly generated numbers from well-formed ones. The hacker’s claim that he used the algorithm to generate numbers randomly is somewhat misleading, as even randomly generated numbers that pass the check won’t necessarily be valid account numbers. This strengthens our assumption that the hacker probably had multiple account numbers obtained from other sources, such as phishing sites, to test and experiment with in order to understand and analyze BMO’s and Simplii’s sites. With the acquired card and account numbers, he could analyze and deduce the numbering scheme of the bank’s accounts, and then use the algorithm to keep generating numbers and test them against the bank’s site.

2. Password Reset Page – With the card numbers he obtained, he challenged the password reset page of the BMO and Simplii websites. The sites had weak security that allowed clients to start a password reset procedure just by entering the card number (Figures 5 and 6). After the card number was entered, clients needed to answer three security questions and verify their email before they could create a new password. This weak procedure was documented on the dark web even before the current breach (Figure 7).


3. Half-Authenticated Users – The hacker noticed that after he entered a card number, the site generated an authentication cookie. This cookie was too permissive and gave the attacker access to pages that belong to a fully authenticated user. It seems the hacker knew (after very probable research) the URL for the security question replacement page of a fully authenticated user. From there, the way to a full breach was short.

4. Security Questions Page – After the hacker was half-authenticated, he accessed the URL for changing the security questions. He changed the answers to the questions to whatever he wanted, logged out, and started the password reset process again. This time, the answers to the questions were known to him and allowed him to continue the reset process without interference, enabling him to access clients’ full account data and information.
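The four steps above describe a single authorization defect: a cookie issued after nothing more than a card number was accepted by pages meant for fully authenticated users. The Python model below is an added example, not code from the report or from either bank; it contrasts that permissive policy with one that binds each page to the state that should precede it, and includes the Luhn check from step 1 to show that passing it says nothing about whether an account exists. The endpoint paths, card numbers and security answers are constructed.

```python
"""Model of the password-reset flow in steps 1-4.  Added example: the
endpoint paths, card numbers and security answers are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def luhn_valid(number: str) -> bool:
    """Step 1: the mod-10 (Luhn) check.  It only catches malformed or mistyped
    numbers; a string that passes is not thereby an existing account."""
    if len(number) < 2 or not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_pass_rate(prefix: str) -> float:
    """Fraction of the ten possible final digits that make prefix+digit pass.
    It is always 0.1: for any prefix exactly one check digit works, so a
    Luhn-valid number still has to be tested against the bank to mean anything."""
    return sum(luhn_valid(prefix + str(d)) for d in range(10)) / 10


@dataclass
class Session:
    """The cookie the site issues during a reset (step 3)."""
    card: str
    state: str = "reset_started"  # -> "questions_answered" -> "authenticated"
    token: str = field(default_factory=lambda: secrets.token_hex(8))


Policy = Dict[str, Set[str]]  # path -> session states allowed to reach it

# As in step 3: any cookie, even one issued after a bare card number,
# opened the page that rewrites the security questions.
VULNERABLE_POLICY: Policy = {
    "/reset/questions": {"reset_started", "questions_answered", "authenticated"},
    "/reset/new-password": {"questions_answered", "authenticated"},
    "/profile/security-questions": {"reset_started", "questions_answered", "authenticated"},
}

# Each page accepts exactly the state that should precede it.
HARDENED_POLICY: Policy = {
    "/reset/questions": {"reset_started"},
    "/reset/new-password": {"questions_answered"},
    "/profile/security-questions": {"authenticated"},
}

# constructed account store: one card that exists, with its security answers
SAMPLE_ACCOUNTS = {"4111111111111111": {"pet": "rex", "school": "elm", "city": "hull"}}


class ResetFlow:
    def __init__(self, policy: Policy, accounts: Dict[str, Dict[str, str]]):
        self.policy = policy
        self.accounts = {card: dict(a) for card, a in accounts.items()}

    def start_reset(self, card: str) -> Optional[Session]:
        """Step 2: a cookie is issued as soon as a well-formed card number arrives."""
        return Session(card=card) if luhn_valid(card) else None

    def authorize(self, session: Session, path: str) -> bool:
        return session.state in self.policy.get(path, set())

    def answer_questions(self, session: Session, answers: Dict[str, str]) -> bool:
        if not self.authorize(session, "/reset/questions"):
            return False
        if self.accounts.get(session.card) != answers:
            return False
        session.state = "questions_answered"
        return True

    def change_security_questions(self, session: Session, new: Dict[str, str]) -> bool:
        """Step 4: the page meant for a logged-in customer."""
        if not self.authorize(session, "/profile/security-questions"):
            return False
        self.accounts[session.card] = dict(new)
        return True


def reset_flow_exposes_profile(policy: Policy) -> bool:
    """Regression check a security team can keep in its test suite: can a session
    that has only supplied a card number rewrite the answers and then pass the
    question step with the answers it chose?"""
    flow = ResetFlow(policy, SAMPLE_ACCOUNTS)
    session = flow.start_reset("4111111111111111")
    chosen = {"pet": "x", "school": "x", "city": "x"}
    if session is None or not flow.change_security_questions(session, chosen):
        return False
    return flow.answer_questions(session, chosen)
```

`reset_flow_exposes_profile(VULNERABLE_POLICY)` returns True and the hardened policy returns False; the difference is only which session states each page accepts, which is the check the banks’ sites lacked.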


(Figure 5: BMO online password reset page)

(Figure 6: Simplii’s Forgotten Password page)


(Figure 7: BMO login, documented in the dark web, dating back to February 13, 2016)

(Figure 8: Leaked account data from the paste site)

(Figure 9: Ripple Wallet number)


The hacker automated the process described above. When BMO limited his many password reset attempts, he throttled the rate down to two requests per server and spread the attack across 500 different IPs (according to his statement) to overcome the rate limit enforced on him. It seems that the email was sent because the hacker felt that BMO and Simplii were hiding the issue, and he wanted to expose the hack for fame as well as to extort them.

On May 28, one day after the email was sent, an unknown person (probably the hacker, but not necessarily), posted a link on Simplii Financial’s Facebook page. The link led to a paste site containing 100 accounts from the breach. The link was deleted on the same day, and the paste site data was deleted, but our system kept the data from that paste site (Figure 8).

As the Ripple Wallet number for the demanded payment was published as well (Figure 9), we were able to track payments to this address at, and around, the payment deadline of May 28, 12 p.m. There were no payments for the amount of 1,000,000 coins before or after May 28. We cannot be certain that no transaction was made, and there could have been further correspondence between the hacker and the banks that we are unaware of. But if a transaction had been made to that address, we could potentially have tracked it. Furthermore, it would have been obvious that the banks had succumbed to the hacker’s extortion, as a transfer of that magnitude would surely have drawn a lot of attention.


Before we conclude, there is one more interesting issue to address: Simplii Financial is a new brand under CIBC. It was previously called PC Financial, which stands for President’s Choice Financial – the banking arm of the Canadian supermarket chain Loblaw Companies. PC Financial and CIBC had a 20-year record of cooperation, until August 2017, when PC decided to sell its banking arm to CIBC and keep its credit card business.

This is important, as the Simplii Financial website is relatively new (it has existed for less than a year), and it suffered from the same vulnerability as the BMO site. This raises the suspicion that the Simplii site was built on the same web infrastructure as the BMO site. Whether for economic reasons, simplicity and uniformity of design, or sheer laziness, the Simplii site was flawed because it was based on a flawed design, one that goes back many years. This could have been avoided had cybersecurity tools and testing been involved in building the new site.

Recommendations

There are a few lessons to be learned from this incident:

1. Constant and Thorough Monitoring – The Internet is an ever-changing environment. Even if you think you have strong and rugged security measures in place, without constant testing and monitoring you can never be sure your systems are safe. Software infrastructure is never bug-free and needs constant updating and patching, and threat actors continually challenge existing defenses and find new ways to attack. The signs that something was faulty with the bank’s systems could have been identified on the dark web in 2016 (see Figure 7) and probably even before. Constant monitoring could have revealed the problems years before the breach.

2. Add Multi-Layered and Thoughtful Authentication – The following actions would have stopped this attack dead in its tracks:

• Strengthening the login process to include multi-factor authentication.
• Adding a freeze period for transactions involving newly acquired passwords.
• Adding more detailed and specific security questions that are not of the customer’s choosing and that only the bank will know (such as “What was your last credit card charge?”, “What is your average salary?”, “Do you have a loan? If yes, for which amount?”).

3. Be Active and Look for Signs of Compromise – Even without access to dark web resources, and according to the hacker himself, the bank didn’t take the matter seriously enough. They saw the repeated attempts to penetrate the bank’s systems, but instead of actively researching them, they just limited the number of attempts, which didn’t solve the problem, it only slowed it down (and hardly at all in the end). Although a bank deals with hundreds or thousands of intrusion attempts per day, if someone from bank security had looked at which URLs the attempts targeted and what form they took (password reset attempts), they could have detected the incident while it was happening, and not just in hindsight from the hacker’s email. Furthermore, the patch put in place in January 2018 shows that the bank was aware of the issue, but didn’t deem it dangerous enough, or didn’t look deep enough, to understand the vulnerability at its core.

4. Build from Scratch with Security in Mind – While it is always tempting to reuse code to cut costs, migrating old systems or combining old back-end systems with newer front-end systems can have a severe impact on security. M&A (merger and acquisition) activity always brings many challenges in combining two IT systems and making them work smoothly. But when it comes to security, there is no replacement for using the newest security standards and infrastructure. Constraints don’t always allow that, but sometimes you don’t have to be the most secure, just more secure than the bank next to you.

5. Gather Your Own Intelligence – As it is almost certain that there were previous successful attempts to hack into customers’ accounts, the bank could have received an early warning had it listened to its customers. Correlating customer complaints about breached accounts with password reset attempts could have revealed the pattern that many of these breaches happened right after password resets. All it takes is combining forces internally, between the bank’s departments.
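Recommendation 3, together with the throttling described earlier (two requests per server, spread over 500 addresses), points at a detection that per-IP rate limits cannot make on their own: the reset endpoint, viewed as a whole, sees far more distinct card numbers and far more rejections than genuine customers ever produce, while every single address stays under the cap. The Python below is an added example, not tooling from the report or from IntSights; the log format, the addresses (from the TEST-NET documentation ranges) and the hashed card tokens are constructed.

```python
"""Population-level view of a password-reset endpoint.  Added example: the
log format, addresses and card tokens below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# constructed format: <iso time> <client ip> "<method> <path>" <status> [card=<token>]
# the card value is a hashed token written by the application, never the number itself
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^" ]+)" '
    r'(?P<status>\d{3})(?: card=(?P<card>\S+))?$'
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def build_sample_log() -> List[str]:
    """Constructed traffic: twelve addresses (TEST-NET-3) each make only two
    rejected reset attempts, every one for a different card token, while three
    genuine customers (TEST-NET-2) reset a password and log in."""
    base = datetime(2018, 5, 7, 9, 0)
    lines, n = [], 0
    for i in range(12):
        for k in range(2):
            ts = base + timedelta(minutes=4 * k + i // 3)
            lines.append(f'{ts.isoformat()} 203.0.113.{i + 1} "POST /reset/start" 403 card=c{n:03d}')
            n += 1
    for j in range(3):
        ts = base + timedelta(minutes=2 * j)
        lines.append(f'{ts.isoformat()} 198.51.100.{j + 1} "POST /reset/start" 200 card=u{j:03d}')
        lines.append(f'{ts.isoformat()} 198.51.100.{j + 1} "POST /login" 200')
    return lines


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per path: request count, distinct sources, distinct cards, busiest source, reject ratio."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"n": 0, "ips": set(), "cards": set(), "per_ip": defaultdict(int), "rej": 0})
    for r in records:
        a = acc[r["path"]]
        a["n"] += 1
        a["ips"].add(r["ip"])
        a["per_ip"][r["ip"]] += 1
        if r["card"]:
            a["cards"].add(r["card"])
        if r["status"] >= 400:
            a["rej"] += 1
    return {
        path: {
            "path": path,
            "requests": a["n"],
            "distinct_ips": len(a["ips"]),
            "distinct_cards": len(a["cards"]),
            "max_per_ip": max(a["per_ip"].values()),
            "reject_ratio": a["rej"] / a["n"],
        }
        for path, a in acc.items()
    }


def detect_distributed_reset_abuse(lines: List[str], per_ip_cap: int = 3, min_ips: int = 10,
                                   min_cards: int = 20, min_reject: float = 0.5) -> List[dict]:
    """Flag reset endpoints where every source stays under the per-IP cap, yet the
    endpoint as a whole sees many sources, many distinct cards and mostly rejections.
    Thresholds are constructed; in practice they come from the endpoint's baseline."""
    records = [r for r in map(parse_line, lines) if r is not None]
    findings = []
    for path, s in summarize(records).items():
        if (path.startswith("/reset/") and s["max_per_ip"] <= per_ip_cap
                and s["distinct_ips"] >= min_ips and s["distinct_cards"] >= min_cards
                and s["reject_ratio"] >= min_reject):
            findings.append(s)
    return findings


if __name__ == "__main__":
    for finding in detect_distributed_reset_abuse(build_sample_log()):
        print(finding)
```

On the constructed sample, no address exceeds two requests, so a per-IP throttle stays silent, but the endpoint summary shows 15 sources, 27 distinct cards and a reject ratio near 0.9 on /reset/start, which is the shape of activity recommendation 3 asks the security team to look for while it is still happening.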


About IntSights

IntSights is redefining cyber security with the industry’s first and only enterprise threat management platform that transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms and unique machine learning capabilities continuously monitor an enterprise’s external digital profile across the surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation lifecycle — streamlining workflows, maximizing resources and securing business operations. This has made IntSights one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Blackstone and Wipro Ventures. To learn more, visit www.intsights.com.