Cyberthieves Steal Millions By Selling Bogus Carbon Credits
Phishing Scam Cripples European Emissions Trading
Spiegel Online, Feb. 3, 2010
Sneaky cyber-thieves have made millions by fraudulently obtaining European greenhouse gas emissions allowances and reselling them. The scam has hampered trading of the credits, which are seen as an important tool in curbing climate change, in several European countries.
Most Internet users are familiar with the e-mail scam known in the jargon as "phishing." A plausible-looking e-mail arrives in your in-box, supposedly from your bank or a Web site like eBay, informing you that your account has been "compromised" and that you urgently need to log in to the company's Web site to rectify matters. The catch is that the Web site the e-mail directs you to is a spoof created by the hackers, meaning that anyone who falls for the trick is unwittingly handing over their all-important user names and passwords to the criminals.
Savvy e-mail users know to delete such e-mails straight away. But canny thieves have now used the technique to make money in a very 21st century fashion -- by fraudulently gaining access to companies' greenhouse gas emissions allowances and selling them on.
According to a report in the Wednesday edition of the Financial Times Deutschland, hackers sent e-mails last Thursday to several companies in Europe, Japan and New Zealand which appeared to originate from the Potsdam-based German Emissions Trading Authority (DEHSt), part of the EU's Emission Trading System (EU ETS). Ironically, the e-mail said that the recipient needed to re-register on the agency's Web site to counter the threat of hacker attacks.
The cyber-thieves then exploited the user data that was entered into their spoof Web site to transfer emissions allowances to other accounts, mainly in Denmark and Britain, from which they were quickly resold. The new owners of the allowances would have assumed that they had acquired them legally.
"The attack was highly professional," a DEHSt employee told the newspaper. Germany's Federal Criminal Police Office (BKA) is now investigating the incident.
Accounts Were Suspended
The crime has hampered the registering of trades in allowances across a wide swath of the European Union. Although allowances can still be traded on the European Energy Exchange (EEX) or via brokers, it is currently not possible to register the trades with the DEHSt, as is required by law. The Potsdam-based authority suspended the registering of transactions last Friday, and a spokesperson told the Financial Times Deutschland that the suspension would continue "at least for the rest of this week."
On Tuesday, the DEHSt's sister authorities in Belgium, Denmark, Spain, Hungary, Italy, Greece, Romania and Bulgaria were also closed in reaction to the scam. Authorities in Norway, Austria and the Netherlands had reacted more quickly last week, suspending access to accounts within hours of the scam becoming known. They were able to reopen their databases Tuesday.
The source of the attack was unclear, as was the extent of the damage caused by the crime. The newspaper analyzed a sample of several dozen transactions carried out in Germany and discovered nine cases of fraud. If the criminals are not found, the companies will have to cover the costs themselves. The newspaper wrote that one medium-sized German company alone had lost allowances worth €1.5 million ($2.1 million).
Under the EU's Emission Trading System, companies which are large emitters of greenhouse gases are required to have enough of the so-called allowances, which are issued by national authorities such as Germany's DEHSt, to cover the CO2 they release each year. Firms are free to trade their credits, which allows companies that have more of the rights than they actually need to sell them on to concerns that want to emit more CO2 than they are allocated. The idea is to use market mechanisms to reduce greenhouse gas emissions, as the scheme gives firms an economic incentive to cut their CO2 production.
Phishing scam hits carbon permits
BBCNews.com, Feb. 4, 2010
The international carbon market has been hit by a phishing attack which saw an estimated 250,000 permits worth over 3 million euros stolen this week.
The scam involves six German companies and meant emissions trading registries in a number of EU countries shut down temporarily on 2 February.
In the global carbon market, companies can buy permits from other firms, allowing them to emit greenhouse gases.
The criminals are believed to have created fake emissions registries.
They then sent e-mails to thousands of firms around the globe, including New Zealand, Norway and Australia.
"It was a world-wide action," Hans-Juergen Nantke, head of German emissions registry DEHSt, told the Reuters news agency.
Seven out of 2,000 German firms targeted are known to have fallen victim to the scam, handing over registration details which allowed the thieves to steal their emissions permits.
"Of the seven, six have been subject to theft," said Mr Nantke.
The registry has submitted details of the attack to state prosecutors in Berlin.
Illegal transactions have also been reported in the Czech Republic.
Registries in nine countries, including Belgium, Denmark, Spain, Italy and Greece, closed after details of the attacks emerged. Registries in Austria, the Netherlands and Norway were temporarily suspended but reopened the same day.
Emissions trading continued via the European Emissions Exchange.
The United Nations' Framework on Climate Change (UNFCCC) said it was working closely with national registries to ensure their systems were secure.
The EU Commission may get involved in investigations.
"If they [transactions] happened at national level, they are traceable. If they happened internationally, our community registry will be involved as we can trace international transactions," a spokeswoman told Reuters.
Phishing scams, which redirect people to a fake website via an e-mail, are common in the banking industry.