Court gives multi-year prison sentences for stealing ING customers with malware

The Court of Appeal in The Hague has imposed multi-year prison sentences on two men aged 25 and 26. They stole the login details of ING customers via web injections and captured tan codes with Android malware.

The verdict shows that the men stole thousands of euros from victims. At one point, for example, an amount of 13,000 euros was converted into bitcoin. According to the evidence, the men themselves developed so-called web injections, with which they showed ING customers already infected with malware a modified version of the ING webpage. For example, they were shown a message about ‘security measures’. By clicking on it, they were presented with a modified version of the ‘My ING’ environment, where they entered their username, password and account number.

In addition, additional information was asked for ‘for verification’, including the telephone number and information about the device. Filling in this information was necessary to be able to use the website. The men could then see which phones ran on Android via a control panel. Devices with other operating systems were redirected to the regular version of the ING page. They then sent the customers with Android a text message.

This contained a so-called security certificate, which appeared to have come from ING. In reality, it was the Perkele malware, which was used to forward the tan codes that the bank sent to the device. With the previously obtained data and the tan codes, the men were then able to debit the victims’ accounts. They often did this in several transactions of a thousand euros.

The 26-year-old man has been sentenced to 54 months in prison. The other, 25-year-old man, is sentenced to 45 months in prison. This appeal results in a higher penalty than the court previously imposed. Initially, the sentence was namely 39 and 36 months respectively, both of which were additionally six months conditional. The public prosecutor had lodged an appeal and so had the 25-year-old man. “The Court of Appeal especially strongly considers the perpetrators that the danger of disruption of the online payment system, and the associated social importance of maintaining stability of and trust in that system, has been relatively great in this case,” the announcement reads. .