Kaspersky Labs reported a large-scale, long-duration "unprecedented cyberrobbery" this week. This attack lasted years, involved multiple approaches (including hijacking actual ATMs), and resulted in the loss of up to a billion dollars worldwide.
Instead of targeting the banks' customers, who likely have several measures in place from the bank to protect their accounts from fraud, this attack likely began with a phishing attack on the bank employees. "The cybercriminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to jump into the internal network and track down administrators’ computers for video surveillance. This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems. In this way the fraudsters got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out," says Kaspersky in its post. From there:
- "When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case the stolen money was deposited with banks in China or America. The experts do not rule out the possibility that other banks in other countries were used as receivers.
- In other cases cybercriminals penetrated right into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: if an account has 1,000 dollars, the criminals change its value so it has 10,000 dollars and then transfer 9,000 to themselves. The account holder doesn’t suspect a problem because the original 1,000 dollars are still there.
- In addition, the cyberthieves seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s henchmen was waiting beside the machine to collect the ‘voluntary’ payment."
This incident highlights how important it is to provide employees with the tools, training and education needed to lessen the impact of this kind of attack. In addition, sophisticated monitoring tools should alert organizations when seemingly legitimate employee transactions look wrong, such as an account balance that changes without a matching posted transaction. See the link above for additional detail.
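As an added illustration of that kind of monitoring (example code written here, not from Kaspersky's report or the systems involved), the check below reconciles account balance snapshots against the posted transaction ledger, so a balance that was edited directly, as in the inflate-then-transfer scheme quoted above, shows up as an unexplained gap. Account names, amounts and the `Txn` record type are constructed for the example.

```python
"""Reconcile balance snapshots against the transaction ledger.

Every change in an account's balance between two snapshots must be
explained by ledger entries posted in between. A balance that moved
without matching entries is flagged, even if the customer-facing
balance looks normal (constructed example, not production code).
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: str
    amount: Decimal  # positive = credit, negative = debit


def reconcile(before, after, ledger):
    """Return {account: unexplained_delta} for every account whose
    balance change is not fully accounted for by the ledger."""
    posted = {}
    for t in ledger:
        posted[t.account] = posted.get(t.account, Decimal(0)) + t.amount
    unexplained = {}
    for acct in set(before) | set(after):
        delta = after.get(acct, Decimal(0)) - before.get(acct, Decimal(0))
        gap = delta - posted.get(acct, Decimal(0))
        if gap != 0:
            unexplained[acct] = gap
    return unexplained


# Constructed scenario from the post: account A holds 1,000; the stored
# balance is edited straight to 10,000 (no ledger entry), then 9,000 is
# transferred to mule account M. A still shows 1,000 afterwards.
BEFORE = {"A": Decimal("1000"), "M": Decimal("0")}
AFTER = {"A": Decimal("1000"), "M": Decimal("9000")}
LEDGER = [Txn("A", Decimal("-9000")), Txn("M", Decimal("9000"))]


def carbanak_scenario():
    """Run the reconciliation over the constructed scenario."""
    return reconcile(BEFORE, AFTER, LEDGER)


if __name__ == "__main__":
    for acct, gap in carbanak_scenario().items():
        print(f"ALERT: {acct} balance moved by {gap} with no ledger entry")
```

The check only trusts what the ledger records, so it belongs alongside integrity controls on the ledger itself and on who may change stored balances.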