On November 6, 2016, multiple UK media outlets reported that the UK-based Tesco Bank had informed approximately 40,000 customers that fraudulent activity had been detected on their accounts between November 5 and 6, 2016. It was initially reported that approximately 20,000 of these accounts had been the victim of successful fraudulent transactions. However, it was later reported that the actual number of affected accounts was only approximately 9,000, from which an estimated £2.5 million GBP (approximately $3.1 million USD) had been stolen through fraudulent online transactions. On November 7, 2016, the UK National Cyber Security Centre (NCSC) issued a statement announcing that an investigation was underway, but that the organization was “unaware” of any threat to the wider UK banking sector as a result of this incident.
In addition to this media reporting, we have identified multiple instances of Tesco Bank customers claiming that fraudulent online transactions had been made from their accounts over the weekend. We identified multiple independent reports stating that a small transaction of around £20 GBP (approximately $25 USD) was initially made, followed by a larger transaction of between £500 and £800 GBP (approximately $621-994 USD). We also identified one user claiming that cash had been fraudulently withdrawn from his account via an ATM located in Rio de Janeiro.
An examination of online criminal activity assessed to be potentially related to this incident indicated that in 2016, Tesco Bank login pages were included as targets in the configuration files of three major banking trojans: Vawtrak, Dridex and Retefe. In addition, we identified a user on the forum associated with the criminal marketplace AlphaBay claiming to be able to cash out Tesco Bank accounts with the assistance of an insider at the bank. This post was dated September 2016.
Figure 1 – Screenshot of AlphaBay forum post referring to an insider at Tesco Bank.
At the time of writing, very little information had been released regarding how these thefts were conducted, though several sources have publicly expressed theories regarding how the attack may have been achieved. In response to this ambiguous situation, Digital Shadows (now ReliaQuest) applied the Analysis of Competing Hypotheses (ACH) technique to the available data. ACH is a structured analytical technique designed to enable analysts to establish the consistency or inconsistency of every available data point with each of a selection of possible hypotheses. ACH uses a weighted inconsistency algorithm that assigns each hypothesis a numeric value, weighted by the assessed reliability and relevance of each data point, representing the degree to which the available evidence is inconsistent with that hypothesis. Four hypotheses relating to how the attack may have been accomplished were examined (see Figure 2): H1, a payment system compromise; H2, a banking trojan; H3, cash-out of cloned cards; and H4, cash-out using aggregated card information.
Figure 2 – ACH diagram
Although it was not possible to definitively rule out any of the four hypotheses examined, we assess that the available information indicates that H2 (banking trojan) and H4 (cash-out using aggregated card information) are less consistent with it than H1 (payment system compromise) and H3 (cash-out of cloned cards). A number of data points were assessed to be inconsistent with H2 and H4, most notably the NCSC statement that the Tesco Bank incident did not represent a threat to the wider UK banking sector, the short timeframe of the attack, and the reported focus on current accounts as opposed to credit accounts.
At the time of writing, none of the available data points were assessed to be significantly inconsistent with either H1 (payment system compromise) or H3 (cash-out of cloned cards), so it was not possible to determine which of these hypotheses was more likely to be accurate. However, it was assessed that H3 (cash-out of cloned cards) would likely have been simpler to execute than H1 (payment system compromise) and, in operational terms, would have involved fewer moving parts. While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario. Although reporting from Tesco Bank has indicated that money was successfully stolen from only 9,000 accounts, the actors responsible reportedly targeted 40,000 within a 48-hour period. This would likely have required substantial resources and a well-organized logistics network to support the process of cashing out the targeted accounts and laundering the money obtained within such a short timeframe. Irrespective of the method employed, it was therefore assessed to be highly likely that these thefts were conducted by an organized criminal group.
Statements made by Tesco have indicated that the company is collaborating with the NCSC and the UK National Crime Agency (NCA) in investigating this incident. All three organizations have so far declined to provide substantive details regarding the incident, citing the need to preserve the integrity of the investigation; however, it was assessed to be likely that further information will be made available as the investigation continues.
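As an added illustration of the weighted-inconsistency scoring described above (this is not the post's own tool, and it does not reproduce the values in Figure 2), the Python below scores the four hypotheses against a constructed evidence matrix built from the data points the post cites. The credibility and relevance weights and the per-cell ratings are assumptions chosen to mirror the post's stated finding; in practice each analyst fills them in from their own assessment.

```python
from dataclasses import dataclass

# The four hypotheses the post examines, with the labels the text uses.
HYPOTHESES = {
    "H1": "payment system compromise",
    "H2": "banking trojan",
    "H3": "cash-out of cloned cards",
    "H4": "cash-out using aggregated card information",
}

# ACH convention: only inconsistency counts; consistent (C) and N/A cells add 0.
RATING_POINTS = {"C": 0.0, "NA": 0.0, "I": 1.0, "II": 2.0}

@dataclass
class Evidence:
    description: str
    credibility: float  # assessed reliability of the source, 0..1
    relevance: float    # assessed relevance to the question, 0..1
    ratings: dict       # hypothesis id -> "C", "I", "II" or "NA"

def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Weighted inconsistency per hypothesis; lower means better supported."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        weight = e.credibility * e.relevance  # reliability x relevance
        for h in hypotheses:
            scores[h] += RATING_POINTS[e.ratings.get(h, "NA")] * weight
    return scores

def rank_hypotheses(evidence, hypotheses=HYPOTHESES):
    """Hypothesis ids from least to most inconsistent (ties keep input order)."""
    return sorted(hypotheses, key=inconsistency_scores(evidence, hypotheses).get)

def diagnostic_evidence(evidence, hypotheses=HYPOTHESES):
    """Items rated differently across hypotheses; uniform items cannot discriminate."""
    return [e for e in evidence
            if len({e.ratings.get(h, "NA") for h in hypotheses}) > 1]

# Constructed matrix: weights and ratings are illustrative, chosen to mirror the
# post's stated finding; they are not the values from the post's Figure 2.
EVIDENCE = [
    Evidence("NCSC: no threat to the wider UK banking sector", 0.9, 0.8,
             {"H1": "C", "H2": "I", "H3": "C", "H4": "I"}),
    Evidence("~40,000 accounts targeted within 48 hours", 0.8, 0.9,
             {"H1": "C", "H2": "II", "H3": "C", "H4": "I"}),
    Evidence("Current accounts hit rather than credit accounts", 0.7, 0.7,
             {"H1": "C", "H2": "I", "H3": "C", "H4": "I"}),
    Evidence("Small test transaction followed by a larger one", 0.6, 0.7,
             {"H1": "C", "H2": "C", "H3": "C", "H4": "C"}),
]
```

With these inputs H1 and H3 both score zero and cannot be separated by the evidence alone, which is the situation the post describes; the transaction-pattern item is consistent with every hypothesis and so carries no diagnostic weight however reliable it is.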
It is a realistic possibility that the actors responsible for these thefts will attempt to further monetize any Tesco Bank account information in their possession by attempting to sell it within the criminal ecosystem.
In the immediate future, it is likely that Tesco Bank customers will be targeted with phishing emails imitating law enforcement or Tesco Bank customer support. Tesco Bank customers are advised to exercise caution when receiving calls or opening emails or SMS messages purporting to relate to this incident, and to report any suspected phishing attempts to Tesco Bank via [email protected].