Feeds

Carbon trade phish scam disrupts exchanges

Complex fraud lies behind emissions permissions attack

The Power of One eBook: Top reasons to choose HP BladeSystem

Phishing fraudsters have extended their net beyond harvesting e-banking credentials via a scam that resulted in the theft of 250,000 carbon permits worth over €3m.

The outbreak of fraud resulted in the suspension of trading in several EU registries on 2 February. The crooks are thought to have created fake emission registries, promoted via spam emails, before using identity details submitted on these sites to trade rights to blow-off greenhouse gases on the legitimate sites.

Six unnamed German firms were among the victims of the scam, a new form of corporate identity theft. Illegal transactions have also happened in the Czech Republic. German police have begun investigating the fraud. The EU Commission may also become involved, the BBC reports.

Meanwhile the United Nations' Framework on Climate Change (UNFCCC) is working with national registries to boost the security of registries and to help develop policies to frustrate similar attacks in future. Short term measures reportedly include warning users and resetting passwords.

Emissions trading continued via the European Emissions Exchange but exchanges in Belgium, Denmark, Hungary, Italy, Greece, Romania, Bulgaria, Spain and Germany were badly affected. Registries in Austria, the Netherlands and Norway were temporarily suspended but began trading again after minimal disruption.

"We have to be careful not to blow this out of proportion," EU environment spokeswoman Barbara Helfferich told EUobserver. "This happens to banks, Visa, Mastercard about once or twice a month. And this is the same sort of thing.

"It's not something intrinsic to the ETS (Emissions Trading Scheme). This could happen to anyone," she added.

Net security firm McAfee adds that a phishing attack targeting the Danish quota-market occurred in 12 January, leading to its temporary suspension, prior to a much wider attack two weeks later around the turn of the month.

McAfee analyst Francois Paget suggested that "[the] people behind these attacks cannot be simple hackers", but are instead "likely [to be] in the pay of rogue states that reject rules-based international trade".

Crikey.

A graphic from McAfee suggests that cordon permits were raided via a network of corrupt brokers and intermediaries via a scheme akin to VAT carousel fraud, where crooks collect the tax on easy to trade goods such as mobile phones before disappearing before a tax bill becomes due.

McAfee's explanation is the best stab we've seen at explaining how fraudsters laundered stolen carbon permits which, unlike credit card details or even webmail accounts, are not the sort of thing you are likely to be able to sell in underground hacking forums. Use of carbon permit "money mules" and cash transfers via Western Union also seems a bit unlikely. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.