Citigroup and a federal law enforcement source on Tuesday refuted a claim that the bank’s customers lost millions of dollars in an advanced cyber heist over the summer, leaving lingering questions over details of the alleged attack.
According to a report in Tuesday’s Wall Street Journal, the Federal Bureau of Investigation (FBI) is investigating the theft of tens of millions of dollars from Citibank using malicious software created in Russia.
A source within federal law enforcement who declined to be identified said the Wall Street Journal story was inaccurate and appears to have confused a known 2007 hack of Citigroup-branded automated teller machines with a long-running criminal effort to hack online banking customers and move money out of their accounts.
“They’ve screwed up so many different things,” he said. The FBI had no comment.
A second banking fraud investigator, who also asked not to be identified because of his ongoing investigations, agreed with this assessment. The long-running effort to hack online banking by installing password-stealing Trojan horse programs known as Zeus and Clampi has affected many banks, but it has compromised customers’ PCs and not the banks themselves, he said.
Citigroup released an initial statement saying that while there have been attempts to interfere with the availability of its systems, “we had no breach of the system and there were no losses, no customer losses, no bank losses.”
“Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true,” read the statement, attributed to Joe Petro, managing director of Citigroup’s Security and Investigative services.
On Tuesday afternoon, Citigroup released a second statement alleging that the Wall Street Journal story was inaccurate and that the theft of tens of millions of dollars was “false.” Citigroup did indicate that fraud in other parts of the financial chain will cause it to shore up its defenses.
“Occasionally, as with virtually all financial institutions, there are instances of fraud or breaches of third-party systems that result in our taking actions to protect our customers and Citi,” the second statement read.
Citi repeated its denial in an internal memo, reportedly sent to branch managers Tuesday, which was published online by the Wall Street Journal.
The Wall Street Journal reported that the losses were caused by a specialized piece of malware known as Black Energy, which can conduct distributed denial-of-service attacks (DDOS) and had most recently been modified to steal banking authentication details.
That software was used in a February 2009 DDOS attack against Citigroup, the federal law enforcement source said, but it is not associated with Citigroup banking fraud or hacking.
“There’s a newer, private version of Black Energy that uses plugins to extend its capabilities beyond just DDoS,” said Joe Stewart, a security researcher with SecureWorks. “We’ve seen one plugin that steals banking credentials for a specific online banking application, but that application is not in use by Citi or any U.S. banks,” he said in an e-mail message.