Toward the end of 2013, an ATM in the Ukrainian capital began to spit out money on various occasions – without any direct human input. People were seen on Kiev security footage gathering up the cash, but it appeared to be individuals who just happened to walk by at the time. That was not the case.
- The role of malware
- The role of mimicry
- Kaspersky highlights banks as criminal cash cows
- Getting the money – three scenarios
- Making sure your data is protected
The role of malware
Experts from esteemed anti-malware company Kaspersky Lab were brought in to analyze the bank’s systems, and they revealed that the ATM was only the tip of the iceberg: “The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move,” reported the New York Times.
As with the breaches of Sony and Anthem, hackers were inside the bank’s system for months. Using the malicious application, they delivered video streams and photos to an international criminal enterprise consisting of Europeans (especially Ukrainians), Chinese, and Russians. The visual information allowed the hackers to better understand the institution’s day-to-day operations and security mechanisms.
The role of mimicry
Once the crime syndicate collected sufficient information, they began to mimic the behavior of the company’s personnel. Using these techniques repeatedly, they distributed payouts through ATMs and sent millions from banks around the world – the US, the Netherlands, Switzerland, Russia (the hardest-hit country), and Japan – to fraudulent accounts outside their borders.
As of February 14, the total take is estimated at between $300 million and $900 million, but they continue to accrue more cash every day.
Malicious software named Carbanak is typically emailed to a target firm’s workforce. If an employee falls for the phishing scheme, the hackers are often able to access the admin server.
The malware subsequently loads additional applications onto the central machine, which expand the hackers’ surveillance methods with keyloggers and image-capturing capabilities, while making it possible to manipulate bank data via an external server.
The three methods used by the criminals to collect funds are:
- Sending cash to fake accounts
- Delivering cash to illegitimate foreign accounts through web money-transfer portals
- Directing cash machines to pour out money at preset times.
Kaspersky Lab provided information about the series of attacks to the Times before publishing an announcement and alert on its own site – discussed below. In fact, the information on the Kaspersky site suggests that the thieves stole even more than originally estimated, a total of $1 billion from over 100 financial firms in almost three dozen countries.
NDAs prevent Kaspersky from revealing the banks that were breached by the hacker group.
A federal investigation will soon be underway in the United States. Both the President and the FBI have received detailed descriptions of the intrusions, but both offices have withheld comment until they have time to fully process the information and determine the extent of the damage.
Kaspersky highlights banks as criminal cash cows
According to a Kaspersky post issued two days after the Times story, the anti-malware firm worked with Interpol, Europol, and various other agencies from around the world on its investigation. The brief noted that the thefts of money have occurred over the course of the past two years. The crime syndicate, also (like the malware) referred to as Carbanak, benefited from a coordinated, integrated effort that drew on tactics from disparate breach efforts to refine its overall strategies.
“The plot marks the beginning of a new stage in the evolution of cybercriminal activity,” argues Kaspersky ominously, “where malicious users steal money directly from banks, and avoid targeting end users.”
Hackers have made off with as much as $10 million per incident. Typically the heists are stretched out over the course of 60 to 120 days, a timespan that starts with initial malware deployment and ends with the cash in criminal hands.
The hackers email bogus links to users, individually customized, to get them to provide their login credentials or download a fraudulent program – an increasingly popular, sophisticated version of phishing called spear phishing.
Getting the money – three scenarios
Once the hackers complete the surveillance phase of the attacks, here is how they get the cash:
Scenario one – The hackers use web-based money transfer portals to shift the cash from the bank and into the external account they have established. Typically the funds are received by accounts located in the United States or China.
Scenario two – The hackers break directly into the bank’s bookkeeping program, bump up the dollar amounts associated with individual accounts, and then withdraw the money. For instance, they might boost an account with $20,000 to $30,000, then remove the extra $10,000. The bank customer who owns the account doesn’t sense a problem because the cash is stolen directly from the bank.
Scenario three – Cash machines are used as described above.
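As an added illustration (not code from the article or from Kaspersky's report), here is a defender-side reconciliation check in Python that flags the scenario-two pattern: an account whose stored balance is not explained by its opening balance plus the transactions recorded in the journal. The account ids, amounts and journal layout are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Account:
    account_id: str
    opening_balance: Decimal  # balance at the start of the audit window
    stored_balance: Decimal   # balance the bookkeeping system holds now


@dataclass(frozen=True)
class Txn:
    account_id: str
    amount: Decimal  # positive = credit, negative = debit


def reconcile(accounts, journal):
    """Return {account_id: unexplained_change} for every account whose
    stored balance differs from opening balance + sum of journaled
    transactions. A direct edit of the balance field (scenario two)
    leaves no journal entry, so it surfaces here as an unexplained change."""
    journaled = defaultdict(Decimal)
    for txn in journal:
        journaled[txn.account_id] += txn.amount
    findings = {}
    for acct in accounts:
        expected = acct.opening_balance + journaled[acct.account_id]
        delta = acct.stored_balance - expected
        if delta != 0:
            findings[acct.account_id] = delta
    return findings


# Constructed sample data (hypothetical account ids and amounts).
ACCOUNTS = [
    # Scenario two: balance bumped from 20,000 to 30,000 by editing the
    # record directly, then 10,000 withdrawn. The customer still sees
    # 20,000, but only the withdrawal reached the journal.
    Account("ACC-1001", Decimal("20000"), Decimal("20000")),
    # Ordinary activity: a journaled 500 debit.
    Account("ACC-1002", Decimal("5000"), Decimal("4500")),
    # Ordinary activity: a journaled 10,000 deposit.
    Account("ACC-1003", Decimal("12000"), Decimal("22000")),
]
JOURNAL = [
    Txn("ACC-1001", Decimal("-10000")),
    Txn("ACC-1002", Decimal("-500")),
    Txn("ACC-1003", Decimal("10000")),
]

if __name__ == "__main__":
    for account_id, delta in reconcile(ACCOUNTS, JOURNAL).items():
        print(f"{account_id}: {delta:+} not backed by any journal entry")
```

Running it reports only ACC-1001, with an unexplained +10000, even though the balance the customer sees is unchanged.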
Making sure your data is protected
The alert from Kaspersky stated that the company “urges all financial organizations to carefully scan their networks for the presence of Carbanak and, if detected, report the intrusion to law enforcement.”
Banks are known for investing large amounts into security since protecting the funds of the institution is essential to their survival and success. This report demonstrates that they are far from immune to infiltration.
RELATED: Don’t worry. The banks aren’t sitting around twiddling their thumbs. In fact, they are counterattacking the hackers [Follow-up piece coming soon…].