While we don't know what happened in the chat room, the result was that we began to see posts on PasteBin listing the email addresses and internet-facing IP addresses and hostnames of Portuguese banks.
An English translation of the Portuguese video reads:
Published on Apr 14, 2013
Greetings. We are Anonymous Portugal and this is the # banksters operation, a protest action against banks around the world, who have created a corrupt financial system based on debt-interest, speculation large sums with large multinationals and made the money a lucrative business that benefits a minority, but enslaves the rest of the population.
Banks extend credit to slashing with money created out of thin air, causing a snowball effect on the shortcomings of the banking system relative to the overall debt. With this system, banks enrich immeasurably, pay low interest on that deposit and charge high interest loans they make.
With this system of interest, speculation of the value of money and inflated product, it is easy to see where they come from debt, not only of companies and governments, but also emerge as the personal debt of each family. For years, banks eased lending by attracting people with the illusion of being able to have great purchasing power by easy access to money, and creating a debt trap from which many now can not get out. The social stratification, poverty, hunger and unemployment are therefore a consequence of the existing financial system, fatalities that may not disappear while this persists.
Banks in Portugal receive 8 billion state budget since 1999, are recapitalized with $ 12 billion in 2012 and are still saying that the people are having to endure? Portuguese people must know the true and the real gangsters responsible for the crisis, beyond the state. # OpBanksters: Portuguese and international banks, your time has come!
We are Anonymous!
We are Legion!
We do not forgive!
We do not forget!
While the original Twitter posts this week WERE from Anonymous Portugal, and the original PasteBin posts were also about Portuguese bank Credito Agricola, the Op quickly grew beyond its original intention of punishing Portuguese banks for being poor custodians of public funds.
The first three banks posted to the Operation's PasteBin page were:
Banco dos Espiritos Santos (BES) Portugal (110 emails / 62 hosts)
CreditoAgricola Portugal (136 emails)
and BBVA Portugal/Spain
On August 10th, with the exception of the European banking Authority (europa.eu) only Portuguese banks had their employee email addresses and hosts listed, including:
Cetelem PT Credibom PT Cofidis PT Montepio PT Banif PT Bancobic PT Banco BPI PT Millennium BCP PT Banco Popular PT/ES
On August 11th the information disclosure activity spread beyond the borders of Portugal.
Bank of America Barclays Lincoln State Bank Deutsche Bank AG US Dun & Bradstreet FDIC Federal Mortage Association Federal Reserve Banks of Atlanta, New York, Richmond, and San Francisco Fitch Rating Goldman Sachs Hartford Financial Huntington Bank Imperial Bank of Canada London Stock Exchange
On August 12th (so far) we have seen added:
Moody's Nasdaq National Australian Bank PNC Royal Bank of Canada Standard & Poors SunTrust M&T Bank Royal Bank of Scotland TD (Toronto Dominion) Union Bank Wall Street Insurance Wall Street Journal Citibank JP Morgan Chase Zurich Financialwere all added to the list. In the case of Bank of America, as one extreme example, more than 3700 named employees, with titles and emails, were listed.
At that point, we thought there may be a major problem with email-based security about to be unleashed!
As I discussed on Hacker HotShots this week, the Verizon Data Breach Investigations Report quotes "ThreatSim.com" as saying that when a hostile email is sent to three employees of an organization, there is a 50% chance that someone will click on it, but when an email is sent to TEN employees, there is nearly a "Guarantee" that someone will click on it! I couldn't imagine how bad things could go if 3700 employees were being targeted by hand-crafted malicious emails!
That seemed to be the what was happening already in Portugal, as we began to see defacements appear, such as this one hosted on the website "www.cie.com.pt" which is the "Centro de Intervenção Empresarial" showing "#opBankster" branded defacements:
The Anonymous Portugal Blog is here:
Their Facebook page is here:
They claim to have successfullly DDOSed:
and have confirmed that they are behind the PasteBin handle "#opBanksters"
The Too Many Nancy's ProblemAs I started looking through the list of so many leaked addresses for all of these North American banks, I realized there might be a problem. The naming convention for each of the banks was "First Name, Last Initial" @ domain.com, so if I were on the lists, Gary Warner, my email would be given as "email@example.com" or "firstname.lastname@example.org" or "email@example.com". Obviously there would be collisions if that were the case, but I didn't see any attempt to avoid them. I also correspond regularly with many of the brands attacked, and realized that in many cases the domain listed is NOT the domain name where individuals who work for that organization receive their emails.
I decided to do a frequency distribution on the first names and look for "over-represented" names that seemed unlikely to me. I won't go into all the details here, but I looked at female first names from the 1990 US Census and compared them to distributions here. (A 1990 census person would be at least 23, so may be well represented in the work force. Anyone older than 23 would also be listed in the 1990 census, so it seemed as good a source as any.
MARY 2.629 2.629 1 PATRICIA 1.073 3.702 2 LINDA 1.035 4.736 3 BARBARA 0.980 5.716 4 ELIZABETH 0.937 6.653 5 JENNIFER 0.932 7.586 6 MARIA 0.828 8.414 7 SUSAN 0.794 9.209 8 MARGARET 0.768 9.976 9 DOROTHY 0.727 10.703 10 LISA 0.704 11.407 11 NANCY 0.669 12.075 12On the first file I reviewed, I had, instead of the distribution above:
6 Mary's 1 Patricia 10 Linda's 7 Barbara's 9 Elizabeth's 14 Jennifer's 5 Maria's 7 Susan's 3 Margaret's 2 Dorothy's 6 Lisa's 14 Nancy'sNow that may not be the most scientific of comparisons, but as a genealogist, I was confident I was dealing with TOO MANY NANCY'S!
Focusing in on the Nancy's the problem really started showing up. In each of the bank email lists I reviewed, the distribution of names was wildly out of line, and for popular names included many duplicate email addresses that would further confirm these were fakes. For example, just at Toronto Dominion, we had people with the email address "firstname.lastname@example.org" in the following positions and locations:
email@example.com == A Financial Planner in Richmand Hill, Ontario
firstname.lastname@example.org == A Merchant Risk Analyst II in Lewiston, Maine
email@example.com == A Recruitment manager in Toronto, Ontario
firstname.lastname@example.org == A Senior Compliance Officer in Hagersville, Ontario
Malcovery Security specializes in dealing with Email-based threat intelligence. We've got some great ideas for dealing with this current situation. Please reach out to us if you'd like to discuss.