SAS: Intricate Attacks on Banks

Monday, February 16, 2015 @ 08:02 PM gHale

By Gregory Hale
The video showed all you needed to know: A person walks up to an ATM and waits, then it starts to dispense money with the person not doing a thing. That person then calls or texts someone, apparently saying it worked, and next thing you know more money comes out of the machine.

Malware at its best. This is a real life usage of the Carbanak malware bad guys used to rip off an estimated $1 billion from a global set of financial institutions over a two-year period. This set of cyber thieves focused on the financial industry, but there are lessons the manufacturing automation sector can learn from this ongoing incident.

DDoS Attack Costs on Rise
Security a Differentiator for Users
Security: A Presidential Mandate
Security Spending to Increase in ‘15

“We found out ATMs were just one attack vector,” said Sergey Golovanov, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team during Monday’s opening day of Kaspersky’s Security Analyst Summit 2015 in Cancun, Mexico. “Criminals were able to multiply accounts and take money out. They transferred money to other banks and they withdrew it.”

Golovanov said when he talked to the first bank in the ATM attack, he asked officials how many ATMs were hit? The bank official said, “all of them.”

Kaspersky Lab, INTERPOL, Europol and authorities from different countries worked together to uncover the cyber robbery. Researchers said responsibility for the robbery rests with a multinational gang of cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China.

This attack marks the beginning of a new era in cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users, said Peter Zinn, senior advisor to the Dutch National High Tech Crime Unit.

“We chase a criminal in a car and he crosses over the German border we can continue to chase him under certain circumstances,” Zinn said. “We need to do the same thing in these situations. We need to work together with our partners and share real information that really helps.”

For the past two years the bad guys attacked over 100 banks in 30 different countries and they remain active.

Golovanov said the targets included financial organizations in Russia, U.S., Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.

The largest sums came from hacking into banks and stealing up to $10 million in each raid. On average, each bank robbery took between two and four months, from infecting the first computer at the bank’s corporate network to making off with the stolen money.

The cybercriminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to jump into the internal network and track down administrators’ computers for video surveillance. This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems. In this way the cyber criminals got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out.

Some of the ways the bad buys stole the money centered on using online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case the stolen money ended up deposited with banks in China or the United States.

The bad guys also penetrated into the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: If an account has $1,000, the criminals change its value so it has $10,000 and then transfer $9,000 to themselves. The account holder doesn’t suspect a problem because the original $1,000 is still there.

They also took control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s members was waiting beside the machine to collect the cash out.

Apparently, after investigating the attacks, Golovanov said the attack was going on for two months without any detection. There were 300 infected PCs, three spear phishing emails, 22 malicious executables in the Carbanak malware.

This case ended up being a perfect example of law enforcement working with the private sector to root out an illegal act.

As always in any kind of attack, there were lessons learned. Zinn pointed out just a few examples:
• We learned to understand each other
• Law enforcement needed to hurry up and work faster
• Private sector, in this case Kaspersky, needed to understand law enforcement needed to work slow and follow the laws
• Obstacles are judicial and we need to upgrade laws to have them fall in line with the real world

Leave a Reply

You must be logged in to post a comment.