Hackers use malware to steal millions from banks around the world

February 18, 2015 Arctic Wolf Networks

A new report released this week by cybersecurity firm Kaspersky Labs revealed that an unknown group of hackers has used sophisticated malware to steal at least $300 million from banks around the world. Researchers found evidence of attacks on more than 100 different banks and financial institutions in 30 countries, making it one of the largest bank thefts ever executed.

At the end of 2013, Kaspersky analysts were called to investigate a strange glitch in a Ukrainian ATM that caused it to randomly dispense money without anyone swiping a card or entering a PIN. This happened multiple times, and lucky customers who happened to be walking by at the right moment were able to grab some extra cash. After looking into the problem, however, researchers realized it went much deeper than a machine defect.

Largest, most sophisticated attack ever

Internal computers for the bank had been infected with malware that enabled cybercriminals to record the transfers and bookkeeping conducted by employees on a daily basis. The malicious software went unnoticed for months, allowing hackers to access video feeds and images that provided insight into the daily routine of the bank. Then, impersonating bank officers, the cybercriminals transferred millions of dollars from banks in the U.S., Russia, Switzerland, Japan and the Netherlands into dummy accounts set up in various other countries. They also rigged the ATMs to dispense cash at certain times of day and then posed as ordinary citizens picking money off the ground to retrieve their loot.

According to the evidence available, researchers with Kaspersky Labs know that the criminal group was able to make off with at least $300 million, but they believe the actual total could be closer to $900 million. The higher figure is impossible to verify, however, because the fraudulent transactions never exceeded $10 million and were often made in more modest amounts to avoid suspicion.

The thefts were carried out using the Carbanak malware, which industry experts see as a sign of the growing sophistication of attacks targeting financial institutions.

"This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert," said Chris Doggett, managing director of Kaspersky North America's Boston office.

Phishing schemes become something much more serious

While the attacks were initiated using the common method of an infected email link, the lengths to which the cybercriminals went to understand their targets and remain undetected are unprecedented. Once employees clicked an infected attachment, malicious code was downloaded that allowed the cybercriminals to move around in the bank's network until they found the employees in charge of the particular processes they were interested in. Then they installed a remote access tool that enabled them to capture screenshots and videos of the employees' computers, providing access to passwords and account information. In an interview with The New York Times, Kaspersky investigator Sergey Golovanov said the hackers took these steps so they would be able to mimic normal actions and make their fraudulent transactions look like regular events.

The majority of banks affected by the hacks are located in Russia, but financial institutions in the U.S. were also targeted. While banks have understandably not wanted to come forward and admit they were involved, the Financial Services Information Sharing and Analysis Center, which alerts banks to malicious activity, said its members were aware of the attacks and had been briefed by law enforcement agencies.  

Cyberattacks targeting banks and other financial institutions have increased in sophistication in recent years, making it extremely difficult to protect sensitive financial information. As cybercriminals more frequently employ attacks capable of evading detection by traditional antivirus software, businesses need to turn to a different kind of security method. A security information and event management solution provides organizations with around-the-clock network monitoring, ensuring any suspicious or anomalous behavior will be detected as it happens. SIEM services provide analysis of nefarious activity to enterprises and can be used to create a more robust defense procedure in the future.

Cybersecurity news and analysis brought to you by ArcticWolf, inventors of firebreak detection and response security services.  Firebreak, when your firewall fails.
