An unprecedented cyber bank robbery plot has been uncovered which saw more than a billion dollars stolen from banks around the world over the past two years.
A report released by Interpol and security firm Kaspersky Lab has revealed that since 2013, more than 100 banks, financial institutions and e-payment systems in over 30 countries including the UK, Ireland, USA, Canada, Germany, France, Spain, Switzerland, Russia, Australia, Brazil, Hong Kong and India were targeted as part of the heist.
Crooks took between two and four months on each robbery from infecting the first computer in the bank's corporate network to making off with the money, stealing up to ten million dollars in each raid.
Kaspersky Lab says they mark a dangerous new stage in the evolution of cybercriminal activity because of the scope of the attacks and targeted techiques used.
> See also: How to hack a bank (theoretically)
The experts pin responsibility for the robbery on a multinational gang of cybercriminals from Russia, Ukraine, China and other parts of Europe. The hackers, dubbed the 'Carbanak gang,' used phishing to infect bank employees' computers with malware, then were able to jump into internal networks, sometimes penetrating right into the heart of accounting systems to inflate account balances before pocketing the extra funds.
They hijacked video surveillance cameras in order to carefully watch and mimic the way staff serving cash transfer systems work, and even took hold of ATMs and ordered them to dispense cash at a pre-determined time, when henchmen would be waiting beside the machine.
Sergey Golovanov, prinicipal security researcher at Kaspersky Lab's Global Research and Analysis team described the cyber robbery as 'very slick and professional.' As he explained, these heists were particularly surprising because it made no difference to the criminals what software the banks were using.
'Even if its software is unique, a bank cannot get complacent,' he said. 'The attackers didn't even need to hack into their banks' services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions.'
The attacks underline the fact that criminals will exploit any vulnerability in any system, warns Golovanov, highlighting the fact that no sector can consider itself immune to attack and must constantly address their security procedures. Kaspersky Lab urges all financial organisations to carefully scan their networks for the prescence of Carbanak, and if detected, report the intrusion to law enforcement.
But how could these attacks have been allowed to happen? Alarmingly, phishing is becoming endemic in the finance industry – last year Kaspersky Lab found that nearly 30% of all phishing attacks targeted financial institutions, with schemes around payment systems or online stores, or using fake websites, on the rise.
According to the Carbanak report, these hackers were able to gain access by sending out phishing emails to banking employes, that included a malware-laced Word attachment. When opened, it secuted a backdoor for the attackers.
'The problem with these attacks is that because they are targeted to only a small number of individuals, the malware can get past anti-virus engines,' said Mike Spykerman, VP of product management at security software development specialists OPSWAT. 'However it seems that not many companies are aware that there is an effective method to protect against unknown, advanced threats in email attachments.'
'Data sanitisation is where files are converted to a different format in order to remove any embedded threats. If the affected banks had made use of this technology, the Word files could have been converted to for instance pdf files, removing the exploit that the attackers had placed in the Word file.'
Banks could have also missed a trick when it comes to awareness and monitoring, as Dwayne Melancon, CTO of cyber security firm Tripware explains.
'This is a clear example of how most enterprises fall short in detecting damaging changes to their cyber infrastructure, says Melancon. 'Malware leaves a trace when it compromises a system – even custom malware. Unfortunately, most of the times, that mark goes unnoticed because enterprises haven’t established a baseline, or known good state, and aren’t continuously monitoring for changes to that baseline.'
Not only does this lack of awareness make it easier for criminals to gain a foothold, it makes it difficult, time-consuming, and very expensive to determine which systems can be trusted after-the-fact, and to determine how to remove the contaminated systems from the network.
'This should be a wakeup call for enterprises to take a step back and make sure they nail the fundamentals,' Melancon adds: 'maintain an accurate inventory of all the devices and applications on your network; reduce your attack surface by ensuring that all your systems and applications are configured securely according to a well-vetted security standard; scan for and patch any known vulnerabilities; and continuously monitor for changes and unusual behavior within your network.'