The infamous case of Tesco – hacked by cyber fraudsters

Hackers finally got to Tesco Bank.

Cyber attacks, especially ransomware attacks, are not uncommon anymore.

But is there a way to make sure that one never gets hurt by one of these attacks?
Well, if there is then Tesco Bank has not figured it out yet.

Recent reports in the media have revealed that the hackers got to Tesco Bank and compromised its systems in a very big way.

How big exactly?
About £2.5 million big.


That is the exact amount of money Tesco Bank has lost over the weekend because of an unprecedented cyber-attack on the company’s online accounts.

The situation regarding the cyber attack is certainly far from clear.

That is because the number of hacked accounts keeps changing.

At least, it does according to Tesco Bank's own figures.

First, media reports put the number at around 20,000.

Later that number came down to about 9000.

Even at the lower number, that is still a lot of bank accounts for hackers to have had their way with.

Tesco Bank also announced that the company had recovered from the cyber attack and restored account access for all its customers.

Perhaps Andrew Bailey, the current chief executive of the Financial Conduct Authority, had something to do with it.

Why do we say that?
We say that because Tesco only issued its update on the accounts after Andrew Bailey told the Treasury select committee that the country (the UK) had never gone through such a serious cyber attack.

Hours later, Tesco issued its official statement on how it had restored everything to order.

Andrew also pointed out to the Treasury select committee that some elements of the cyber attacks looked unprecedented in their nature.

He also said that everyone involved with the issue should take it seriously.

The current chief executive of Tesco Bank, Benny Higgins, also came out and apologized to the company’s customers.

He said that the company regarded its customers as its first priority and it took utmost care of their information throughout the incident.

He also said that the company protected and looked out for its customers with great care.

Benny reiterated that the company apologized to all its affected customers for the worry and inconvenience the cyber attack may have caused them.

Talking to the media, Benny also said that the company had now moved to refund all affected customers' accounts for the losses caused by the fraud.

Tesco Bank has also lifted the suspension of online debit transactions.

This will allow the customers to use their online accounts as normal.

In the end, the chief executive of Tesco Bank reassured the bank’s customers that all of their personal data was safe and none was compromised.

Representatives from Tesco Bank also told the media that the bank continued to cooperate closely with law enforcement authorities and had sought the help of regulators in the ensuing criminal investigations.

One of the organizations which will scrutinize the cyber attack at Tesco Bank is the National Crime Agency.

Of course, it won’t be the only organization interested in investigating such a huge incident.

But that is good, considering that more than seven million Tesco customers were affected by the hack of the supermarket chain's banking arm.

The National Cyber Security Centre will also look into the matter.

For those who don’t know, the National Cyber Security Centre is the new division of GCHQ.

It is the latest division of the UK’s surveillance agency and only came into existence last month.

Media reports also confirmed that the division and the NCA had worked with each other in the past as well.

Both organizations have now launched a criminal inquiry.

Tesco has said it will compensate for all losses.

The National Cyber Security Centre said that it had provided direct assistance to the affected company at the company’s request, including on-site assistance.

The National Cyber Security Centre also noted that, with cyber-related incidents, it could take a considerable amount of time to understand what had happened.

On regular incidents, by contrast, the division could work considerably faster.

Representatives of the new division said that the technical details of this cyber attack were complex.

They also said that the whole story would only emerge once some time had passed and the situation had quieted down.

Moreover, they said that the initial period after the attack was extremely important.

That is because anything said publicly during this period could severely interfere with the ongoing criminal investigations.

Additionally, the National Cyber Security Centre told reporters that, given the current state of the criminal investigation and the evidence it had managed to collect, it did not think the hackers presented a wider threat to the United Kingdom’s banking sector.

The division also said it treated this cyber attack as an isolated incident, not connected to any other financial institution.

Andrew Bailey of the Financial Conduct Authority told members of the parliament that his organization had established close contact with Tesco and its banking arm.

He said that the company had already assured regulators that it would reimburse all affected customers in full.

The process will be complete by the end of the coming Tuesday at the latest.

Bailey did point out that the company didn’t know the exact cause of the cyber attack because of the short time that had passed since the attack.

He also said that the cyber attack made use of vulnerabilities related to the bank’s debit cards.

Moreover, he said, it looked like the hackers had also searched for possible weaknesses in the bank’s overall system, especially its different points of entry.

Bailey told members of parliament that it looked like the cyber attack took place via the online banking setup and furthermore, hackers abused the debit card side of Tesco’s online banking.

That is what the situation is according to Bailey.

Of course, the affected customers would want to hear more from other high-ranking officials involved in the matter as well.

Bailey completed his comment by saying that the matter definitely required more immediate and professional analysis.

He also said that Tesco had solid information on which customers the hackers had targeted in their latest cyber attack.

The cyber attack itself began to take root sometime on Saturday night.

Media reports reveal that Tesco Bank customers started to receive text messages informing them of unusual activity in their online accounts.

What About Some Possible Theories?

Tesco has suspended some of its banking facilities

As always, there are a couple of theories making the rounds in the media.

The theories mostly address how hackers pulled off a cyber attack of this magnitude.

Some theories hypothesize that the cyber attack took place because of an internal security breach.

Chris Phillips, a Conservative member of Parliament and also a member of the Treasury select committee, said that he was open to the idea that some foreign country could have hired these hackers to attack UK institutions.

He told BBC earlier in the week that the UK parliament could not rule out the possibility that a foreign state sponsored the cyber attack.

The cyber attack crisis had still not fully unfolded when Higgins said that Tesco had halted some banking activities only to protect customers from another attempt by the hackers to cause more online criminal activity.

Moreover, he described it as a sophisticated and systematic attack.

The National Cyber Security Centre representatives also told the media that the organization provided support to the criminal investigation.

Representatives from the organization also said that the division’s role was to:

  • Work with the affected company
  • Allay its concerns
  • Try to manage the incident
  • Investigate the possible root cause of the cyber attack
  • Utilize any and all lessons learned from the attack
  • Use those lessons for future guidance on how to handle cyber attacks of this magnitude
  • Provide cyber security related policy guidelines

Another organization investigating the situation is the Information Commissioner’s Office.

Now, if there is one thing the Information Commissioner’s Office is not, it is lenient.

Back in October, the Office fined TalkTalk, a telecommunications company, a record £400,000 for the UK.

That was because TalkTalk failed to prevent hackers from stealing the personal data of more than 157,000 TalkTalk customers.

The Conservative member of Parliament and chairman of the Treasury select committee, Andrew Tyrie, told reporters after the hearing that the cyber attack on Tesco Bank’s retail online accounts troubled everybody.

He also said that banks must bear the responsibility and protect their customers.

Andrew Tyrie pointed out that banks still did not have sufficient technology or training to improve the resilience and security of the information technology systems involved.

Steve Baker, another member of the select committee, said that Tesco Bank’s vulnerability only highlighted the vital importance of technical security for all financial systems.

Are There Risks To Other Banks As Well?

Mobile users along with desktop users need to be more careful.

Indeed there are.

Hackers aren’t going to just stop at Tesco Bank.

In fact, some security experts believe that hackers used the infamous Retefe trojan to attack Tesco Bank and rob it of £2.5 million.

They have also warned other banks that they are not safe either because the opportunities for cyber attacks are limitless.

Security experts have always warned about possible cyber attacks on financial systems all over the world, but few pay heed to their warnings.

As mentioned before, by the end of the attack, more than 9000 Tesco Bank customers lost money from their accounts.

Regulators then forced the British lender to pay out the money needed to fully compensate its affected customers, and to do so within a week.

For what it’s worth, Tesco Bank did not shut down all banking services after it discovered the cyber attack.

The bank only suspended online transactions from customers’ debit accounts, and only temporarily.

Besides, customers could still use other banking services like cash withdrawals and the rest.

What does it indicate?

It indicates that hackers did not affect the bank’s core and critical IT systems.

This is what Peter Stancik, an Eset security evangelist, claims in a recent blog post.

He argued in his blog post that his company’s active malware monitoring, along with Eset Threat Intelligence services, showed that Tesco Bank was on the Retefe Trojan horse’s target list.

He went on to say that Eset’s analysis also showed, rather disturbingly, that the hackers had a long list of potential banks to hack.

The list consisted of banks located all over the globe in several different countries.

Needless to say, if given the chance, the hackers will strike these banks with malware attacks as well.

Peter also revealed via his blog post that the current campaign of cyber attacks against financial institutions actually started in February 2016.

Hackers have tried to destroy key internet infrastructure ever since.

How Does The Retefe Malware Work?

Retefe, like everything else bad in life, infects the computer first by taking the form of an email.

This email, of course, is malicious.

More precisely, it arrives as an email attachment.

Sometimes hackers masquerade these malicious email attachments as important invoice documents or something similar.

These email attachments carry several different malware components.

These components are not only sophisticated but are also designed to guarantee the hack’s success.

How do they GUARANTEE success?
Well, first, these email attachments set a proxy server configuration on the victim’s machine that points through Tor.

These proxy servers are designed to imitate the victim bank’s official website.

After that, the hackers carry out a run-of-the-mill man-in-the-middle attack on the bank’s customers by specifically targeting the traffic that flows into and out of the bank’s official website.

Customers normally reach their bank through its website and their online banking accounts.

Hackers can get into the “middle” of this information exchange and then cause damage.
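The proxy configuration described above is something a defender can audit directly: a browser proxy auto-config (PAC) script is plain JavaScript that decides, per hostname, whether traffic goes DIRECT or through a proxy. The following is an added example, not code from the article, from Eset or from Tesco Bank. It loads a constructed PAC script, asks it how it would route a list of banking hostnames, and flags any host that is sent to a proxy rather than DIRECT, with an extra flag when the proxy target looks like a Tor hidden service (.onion is Tor’s hidden-service suffix; the ".onion.<tld>" gateway pattern is an assumed indicator for this example). The PAC helper functions, the sample PAC script and the hostnames are all constructed here.

```javascript
// Added example: audit what a PAC script would do with traffic to banking hosts.
// Not the article's, Eset's or Tesco Bank's code; all data below is constructed.

// Minimal re-implementations of two PAC helper functions a browser provides.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, shexp) {
  // Translate a shell-style pattern ("*.bank.test") into an anchored regex.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Evaluate a PAC script body and return its FindProxyForURL function.
function loadPac(pacSource) {
  const factory = new Function("dnsDomainIs", "shExpMatch", pacSource + "\nreturn FindProxyForURL;");
  return factory(dnsDomainIs, shExpMatch);
}

// Assumed indicators of a Tor-routed proxy: a .onion address, or a ".onion.<tld>" gateway name.
const TOR_PROXY_PATTERNS = [/\.onion$/i, /\.onion\.[a-z]+$/i];

// For each host, record the route the PAC returns and why (if at all) it is suspicious.
function auditPac(pacSource, hosts) {
  const findProxy = loadPac(pacSource);
  return hosts.map((host) => {
    const route = findProxy("https://" + host + "/", host);
    const first = route.split(";")[0].trim(); // browsers try the first entry first
    const reasons = [];
    if (first !== "DIRECT") {
      reasons.push("bank traffic routed via a proxy instead of DIRECT");
      const target = first.replace(/^(PROXY|HTTPS|SOCKS5?)\s+/i, "").split(":")[0];
      if (TOR_PROXY_PATTERNS.some((re) => re.test(target))) {
        reasons.push("proxy target looks like a Tor hidden service or Tor gateway");
      }
    }
    return { host, route, suspicious: reasons.length > 0, reasons };
  });
}

// Constructed PAC script in the style the text describes: only bank hosts are proxied.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".examplebank.test") || shExpMatch(host, "*.secondbank.test")) {
    return "PROXY abcdefghijklmnop.onion.to:8080; DIRECT";
  }
  return "DIRECT";
}`;

// Constructed hostnames to probe; in practice use your own bank's real hostnames.
const SAMPLE_HOSTS = ["online.examplebank.test", "login.secondbank.test", "www.unrelated.test"];

function auditSamplePac() {
  return auditPac(SAMPLE_PAC, SAMPLE_HOSTS);
}

console.log(JSON.stringify(auditSamplePac(), null, 2));
```

Because the audit calls the PAC script itself rather than pattern-matching its source, it also catches scripts that hide the bank list behind string tricks or helper calls: whatever the script does internally, the route it returns for a bank hostname is what the browser would actually use.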

How Do These Hackers Disguise Their Operations?

Of course, hackers have to make sure that customers don’t suspect anything.

To achieve this objective, the hackers install a fake root certificate on the user’s machine.

This “certificate” suppresses any warning the user would otherwise get that the banking site they are interacting with is not really the bank’s site.

It is a phishing site at the least.

Hackers are smart people nowadays.

They take extra precautions.

One of those extra precautions is the mobile component of the attack.

This component helps hackers bypass security measures such as two-factor authentication and others.

How do hackers bypass two-factor authentication?

It’s simple (for them).

They simply intercept one-time passcodes.

Why Are These Hackers So Dangerous?

Jonathan Sander, vice-president of product strategy at Lieberman Software, recently explained what makes malware such as Retefe so dangerous.

He said that once a hacker has gained access to a user’s machine, the bank could put all the security tools in the world on its servers and it would matter very little.

If the user changes their password, the hacker sees it.

And if the security team changes the whole website flow, the hacker sees that too.

The hacker can then put up a new fake site that emulates the changed bank website.

So what’s the solution then?
The solution lies with the user.

Users need to be more aware and diligent.

That’s the only way security teams and software can thwart cyber attacks.

The general user has to know what to watch out for while accessing critical websites.

What can banks do about it?
They can give users hints and tips on how to make sure their connections are safe.

Banks can also help users by guiding them on how to recognize fake websites and how they collect user data.

Of course, banks will have to find a way to make terms like malware and trojans sound more relatable to the average user visiting their site.

Users have to know that malware can create websites that steal their data.

If users are motivated and learn how hackers target them, they can more easily spot the signs when hackers try to attack them at work or at home.

Retefe Is International

Retefe trojan isn’t just interested in the UK.

It has infected computer systems in a dozen countries.

Palo Alto flagged Retefe after it struck in Japan, Switzerland, and Sweden.

As indicated earlier, the Retefe hit list is long.

Which other banks make the list then?
Well, here is the answer according to Eset:

  • Sainsbury’s Bank
  • Barclays
  • Halifax
  • Natwest
  • HSBC

Robert Lipovsky, an Eset researcher, told Infosecurity that Eset had monitored the banking Trojan’s botnet configuration files.

This led the Eset team to conclude that the malware actively searched for users of the above-mentioned banks.

What Can The Tesco Users Do Right Now?

The users who suspect they are infected with the Trojan should monitor their online bank accounts with great care.

They should also change their login credentials and remove the fake Comodo root certificate from their machines.

Along with that, users should use reputable anti-malware software on their desktop computers and mobile devices.
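Both the “fake root certificate” step described earlier and the advice just given to remove the fake Comodo certificate come down to the same check: is there a trust anchor on this machine that should not be there? The following is an added example, not code from the article, from Eset or from Tesco Bank. It parses a constructed export of a root store (one certificate per line in a "subject|issuer|fingerprint" format invented for this example; real trust-store tools export other formats), compares the self-signed roots against a known-good baseline of fingerprints, and raises the severity when an unbaselined root borrows a well-known CA brand name. All fingerprints and certificate names below are placeholders, and the brand list is an assumption.

```javascript
// Added example: diff a root-certificate store against a baseline and flag added roots.
// Not the article's, Eset's or Tesco Bank's code; all data below is constructed.

// Constructed export format for this example only: "subject|issuer|sha256-fingerprint".
function parseStoreExport(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => {
      const [subject, issuer, fingerprint] = line.split("|").map((s) => s.trim());
      // A root is self-signed: its subject and issuer are the same name.
      return { subject, issuer, fingerprint: fingerprint.toUpperCase(), selfSigned: subject === issuer };
    });
}

// CA brand names a rogue root is likely to imitate (assumed list for this example).
const IMITATED_CA_BRANDS = ["COMODO", "DIGICERT", "GLOBALSIGN", "VERISIGN"];

// One finding per self-signed root whose fingerprint is not in the known-good baseline.
function auditRootStore(entries, baselineFingerprints) {
  const baseline = new Set(baselineFingerprints.map((f) => f.toUpperCase()));
  const findings = [];
  for (const cert of entries) {
    if (!cert.selfSigned) continue;               // intermediates are not trust anchors
    if (baseline.has(cert.fingerprint)) continue; // known-good root, nothing to report
    const brand = IMITATED_CA_BRANDS.find((b) => cert.subject.toUpperCase().includes(b));
    findings.push({
      subject: cert.subject,
      fingerprint: cert.fingerprint,
      severity: brand ? "high" : "medium",
      reason: brand ? `root not in baseline and named after ${brand}` : "root not in baseline",
    });
  }
  return findings;
}

// Constructed baseline and store export; the fingerprints are placeholders, not real values.
const BASELINE_FINGERPRINTS = ["PLACEHOLDER_FP_ROOT_A", "PLACEHOLDER_FP_ROOT_B"];
const STORE_EXPORT = `
# subject | issuer | sha256 fingerprint (all constructed)
Example Root CA A | Example Root CA A | PLACEHOLDER_FP_ROOT_A
Example Root CA B | Example Root CA B | PLACEHOLDER_FP_ROOT_B
Example Issuing CA | Example Root CA A | PLACEHOLDER_FP_INTERMEDIATE
COMODO Root Certificate | COMODO Root Certificate | PLACEHOLDER_FP_ROGUE
`;

function auditSampleStore() {
  return auditRootStore(parseStoreExport(STORE_EXPORT), BASELINE_FINGERPRINTS);
}

console.log(JSON.stringify(auditSampleStore(), null, 2));
```

The comparison is on fingerprints, not on names, which is the point: a rogue root can copy a legitimate CA’s name exactly, but it cannot copy the fingerprint of the genuine certificate, so a baseline captured from a clean machine is what makes the added root stand out.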
