In early 2008, while federal investigators were busy looking into disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.
According to a fraud investigator with firsthand knowledge of the break-in, the hackers responsible infiltrated a component of the Stanford Group’s network by exploiting vulnerabilities in the company’s web servers and databases. On the condition of anonymity, the investigator shared with this author files recovered from the breach, which were stored in plain text for at least several weeks on a website controlled by the attackers. This source said he forwarded the same information on to the FBI shortly after discovering it in early 2008.
Once inside Stanford’s network, the unidentified hackers appear to have swiped the credentials from an internal network administrator. They soon had downloaded the user names and password hashes for more than 1,000 employees of Stanford Financial, Stanford Group, Stanford Trust and Stanford International Bank.
Among the purloined files is a listing of what appears to be ownership and balance information for tens of thousands of customer accounts at Bank of Antigua. Each listing includes the account number, owner’s name, address, balance and accrued interest.
Mr. Stanford is set to go on trial this month for allegations that he led a $8 billion fraud scheme. In addition, federal authorities reportedly have been investigating whether Stanford was involved in laundering drug money for Mexico’s notorious Gulf Cartel.
Many of those account holders listed in the inventory of accounts gave addresses in the United States, but a large portion belong to individuals in South America and Mexico. While most of the accounts were worth between $10,000 and $50,000 USD, more than a thousand accounts had balances between $100,000 and $900,000. Nearly all of the accounts with balances in excess of $1 million apparently belong to an organization or individual named “Kadima Panamena.”
An official with the U.S. Justice Department confirmed that the agency had received a copy of the purloined files, and that the documents contained information concerning Stanford’s holdings that the government did not previously possess. But the official, speaking on condition of anonymity because he was not authorized to discuss the ongoing investigation, said it remains unclear what, if any, impact the documents may have had in the government’s case against Stanford.
It’s also unclear whether the hackers managed to steal any funds from the accounts listed in the recovered documents, or indeed whether the attackers ever had direct access to Bank of Antigua accounts. Still, a set of documents found with the account information suggest the perpetrators did a fairly thorough job mapping the internal networks connecting Stanford offices in Austin, Baton Rouge, Boca Raton, Boston, Denver, Ft. Lauderdale, Houston, Memphis, Miami, Montreal, New York, San Francisco, Sugarland and Washington, D.C.
Also listed in the network map is a location called “Newspapers” – which may be reference to The Antigua Sun, a newspaper formerly owned by Stanford – as well as “CSTAR” and “CSUN,” which probably refers to airlines once owned by Stanford – Caribbean Star Airlines and Caribbean Sun Airlines.
According to the private investigator, the perpetrators used what the government has described as a “hacking platform,” a series of web servers that were leased out to criminal gangs for the purposes of breaking into customer databases belonging to banks and retailers through so-called SQL-injection attacks. Indeed, the source said, the hacking platform used in this attack was the source of several other such attacks against financial institutions around that same time frame, including OmniAmerican Credit Union and Global Cash Card, a distributor of prepaid debit cards used mainly for payroll payments.
Global Cash Card and OmniAmerican were both named as breach victims in the U.S. government’s case (.pdf) against Israeli hacker Ehud Tenenbaum, a 29-year-old man who made headlines in the late ’90s for breaking into Pentagon computers.
The U.S. government also cites the use of hacking platforms (.pdf) in its prosecution of Albert Gonzalez, the Florida computer hacker who pleaded guilty last week to conspiracy charges for intrusions into Heartland Payment Systems.
Investigative journalist Brian Krebs is a former reporter for The Washington Post*, where he wrote the Security Fix blog. He’s currently editor of KrebsOnSecurity.com.*