Carbanak APT – The Great Bank Robbery

Kaspersky recently disclosed that, starting in late 2013, many banks and financial institutions across the world have been the target of a highly customized advanced persistent threat (APT) campaign. Kaspersky estimates that the combined losses could reach USD 1 billion.

Carbanak was the malware used.
 
The report can be found here.
 
Spear-phishing has been reported as the primary initial attack vector used to gain a foothold in the targeted organizations. Following this initial breach, the highly skilled and persistent attackers scanned the networks from within, identified high-value targets (such as the staff who operate ATMs, and the administrators), infected those systems and siphoned money out.
 
You may wonder how banks with such stringent controls in place could fall prey to such tactics. Why did their fraud detection systems not detect such blatant intrusions into their networks? This question deserves serious attention. The Kaspersky report notes that the attackers manipulated transactions after the verification process, which helped them avoid discovery; that alone should give the banking and financial services industry pause.
 
Attacks that rely on spear-phishing as the initial vector appear to be on the rise. Organizations would do well to take note and include simulated spear-phishing attacks in their security awareness programs. Those who fall for the bait can be enrolled immediately in further awareness training. Organizations should also recognize that such programs and simulations deliver the best results when run on a regular basis.
 
Kaspersky’s advice to banks
 
 
Some interesting facts about ‘The Great Bank Robbery’
 
– Attackers used video recordings of user activity to gain an intimate understanding of the inner workings of the institution under attack
 
– Attackers worked 3-4 months on each institution
 
– 10 million USD was the maximum amount siphoned from any one bank or financial institution. This kept the thefts ‘under the radar’ and avoided triggering a detailed investigation at the bank.
 
– ATMs spewed cash at pre-determined times