Cyberheist Theft of Carbon Credits Shows Just How Far Cyberthieves Will Go!

We read with great interest in a recent edition of The Economist about the theft of carbon emission credits through the Emissions Trading Scheme (ETS), a market overseen by the European Commission and its member states. Entitled "Green fleeces, red faces," the story recounts how in early January thieves exploited lax security to steal more than three million carbon credits (about 0.015% of the 2B such credits issued each year). They nabbed over a million credits from cement maker Holcim, half a million credits from the Austrian government, and others from the Czech Republic and Greece. Total value of the plunder came to an astonishing 45M Euros, or about $62M. Not bad, for a bunch of carbon dioxide!

The keys to the thefts were as follows. First, carbon credits are maintained at the ETS in electronic form in national registries. Second, thieves managed to gain access to accounts where those credits were kept, and then to transfer them to other accounts, from whence they were sold off to generate cash. These registries were consequently closed down on January 19, 2011, and will only be re-opened when better security measures can be enforced. The details of the actual exploit are unclear, probably because the ETS would prefer not to divulge too many of its inner workings even if they are about to be overhauled substantially.

But the fact that fraudulent account access and credit transfers took place strongly suggests — at least as far as we're concerned here at — that some kind of credential fiddling was involved, perhaps even a phishing attack of some kind. If security was indeed lax as The Economist tells us, and the thieves had access to target information for people with ETS accounts, we can think of no easier way for them to have obtained account access, gobbled up various carbon credits, and moved them out of the system and into liquid form, with both ease and dispatch.

For us, the moral of the story is that there are no online assets that cannot be phished, especially if security is loose, and users haven't been trained to look out for and avoid such attacks. Hopefully, the revised trading regime will not only use improved technical measures (which should definitely include fraud detection software), but will also devote some time and effort to educating traders on how to handle their credentials and logons properly and safely.

Stu Sjouwerman

Topics: Cybercrime, KnowBe4
