
Dutch Developer Backdoor Scam ‘Affects 20,000 Users’

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications


A developer installed back-doors in online shops and used the details he collected for sophisticated financial fraud, Dutch police say

A Dutch website developer stole login details from more than 20,000 users by implanting back-doors in e-commerce sites he built for clients, using the information to defraud at least hundreds of people, police in the Netherlands have said.

Police said they were emailing those known to be affected this week and warning them to change their login credentials, according to local reports.


Web scam

The warning follows months of forensic analysis after the July arrest of an unnamed Leeuwarden-based suspect, whose prosecution began shortly after police first disclosed the case to the public in October.

A laptop was seized from the suspect upon his arrest in a hotel in Zwolle, and more equipment was taken from homes in Leeuwarden and Sneek, police said at the time.

They said at the time that at least several hundred individuals had been targeted for fraud, with more than 80 targets initially identified in the northern Netherlands and about 60 from the rest of the country.

This week’s notification results from police’s subsequent research, which uncovered thousands more login credentials on the suspect’s systems.

Police said, however, that while the investigation isn’t yet complete it is unlikely all those affected will be identified.

Social engineering

The investigation began in November 2014 with a report to local police from an individual whose account with an online retailer had been misused to order goods for someone else.

It gradually expanded as police recognised links to a number of other such incidents, and in the spring of last year specialist investigators were brought in, finally making the arrest that summer.

The suspect allegedly built e-commerce sites for hundreds of clients, installing a script that would send him their login details.

He then used the information to break into those individuals’ other accounts, ordering goods from online shops and gambling in online casinos using their payment details, police say.

He also listened in on users’ online conversations, for instance reading their email, allowing him to carry out sophisticated financial scams.

In one anonymous account released by police, for instance, a target said a friend asked him via Facebook to make a payment on his behalf, which wasn’t unusual because he had borrowed money from that friend recently.

He made the payment and, while he was surprised when the friend asked him to send the confirmation to a different email address than usual, he had no serious suspicions until the friend informed him his Facebook account had been hacked into.

“I am a businessman and travel all over the world,” the individual stated. “I am always alert to payments… and yet I too become a victim.”

Police advised businesses to be careful of whom they choose to build their websites and to have the sites double-checked by a third party for security risks.

They also warned users to beware of malicious emails that appear to originate from police. Following the initial warning, scammers immediately began sending such messages, which falsely claim to come from Drachten investigators and include a malicious link, police said.
