Citigroup Attackers Used Simple, Clever Entry Point

The technique hackers used to break into Citigroup’s network last month was at once clever and simpler than security researchers expected, a report from the New York Times says.

CitigroupThe technique hackers used to break into Citigroup’s network last month was at once clever and simpler than security researchers expected, a report from the New York Times says.

According to the article, hackers were able to log onto a site used by the credit card company’s customers to gain access to their network and further their probe by inserting assorted account numbers into their browser’s URL bar. The code they used simply repeated the action thousands of times over and gathered the bank’s customers’ sensitive data.

“It would have been hard to prepare for this type of vulnerability,” said one security researcher in an interview citing the sophisticated nature of the attack. The anonymous researcher went on to question just how an attacker could’ve known that targeting the browser would be so successful.

The attack, discovered during a scheduled check in May, yet not disclosed until last Thursday, harvested the names, e-mail addresses and account numbers of 200,000 Citigroup customers.

Read more on this from the New York Times.

Suggested articles

Discussion

  • Rob on

    Why is this considered clever or sophisticated? It's one of the first things you try. I don't place it any higher than script kiddy level.

    Rule 1: Never Trust The Client.

     

  • Rob on

    Why is this considered clever or sophisticated? It's one of the first things you try. I don't place it any higher than script kiddy level.

    Rule 1: Never Trust The Client.

     

  • Anonymous on

     

    This is definitely NOT sophisitcated. Nothing important like that should ever been in the URL. This is basic security knowledge any web app developer should know. In addition this really shouldn't be stored on the user side at all. Account access should be maintained on the server side. Talk about horrible web security.

  • Anonymous on

    This has got to be the quote of the year

    “It would have been hard to prepare for this type of vulnerability,” said one security researcher in an interview citing the sophisticated nature of the attack. The anonymous researcher went on to question just how an attacker could’ve known that targeting the browser would be so successful.

    Another APT I guess

  • Anonymous on

    i've been using this technique with competitions, i should have gone for the big guys, haha

  • Anonymous on

    Apparently bruteforcing via url post method is sophisticated and clever....  so stupid.  Wake up people, that's script kiddy stuff.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.