Billion-Dollar Cyberheist Used Phishing, Malicious Attachments

Cybercriminals from Eastern Europe have infiltrated at least 100 banks in 30 countries, raking in as much as $1 billion in fraudulent transfers and hijacked ATM machines over a two-year period.

The attackers struck at Russian banks first, as well as those in Germany, China and the United States, according to Kaspersky Lab, which issued the threat report (.PDF) to analysts and reporters attending the company's analyst summit in Cancun, Mexico, this week. Details about the tactics used by the organized cybercriminal ring, known as Carbanak, which operates out of Eastern Europe, Russia, Ukraine and China, suggest that the group infiltrated the bank networks, gaining access to key resources, including employee account credentials and privileges to make fraudulent transactions appear legitimate.

Solution providers said financial services firms, including smaller, regional banks and credit unions are well aware of the group and are closely monitoring systems for evidence of an attack. The group used a mixture of targeted phishing attacks and possibly drive-by attacks to infiltrate employees at the banks. Once the victim's system was infected, a remote access Trojan was installed and the cybercriminals undertook the second stage of the attack, identifying systems that enable user privileges and manage account credentials.

[Related: The 8 Steps Behind The Massive $45M Cyber Bank Heist]

Sponsored post

"I'm not surprised, but this is something that the financial industry is well aware of and is the most capable to protect against," said Kevin Wheeler, founder and managing director of Dallas-based information security services company InfoDefense. "The ever-evolving nature of the threat landscape makes it a never-ending game of whack-a-mole that is almost impossible to keep up with."

The first infections were detected in December 2013 with much of the activity taking place between February and April of last year. No costly zero-day exploits or sophisticated techniques were used because the attackers didn't need to use them, Kaspersky Lab said. The tactics were fairly simple, relying on tricking employees into opening up malicious attachments or clicking on a malicious link. The social engineering was effective in gaining an initial foothold, but attackers had the wherewithal and patience to remain stealthy on systems, the security vendor said.

"Despite increased awareness of cybercrime within the financial services sector, it appears that spearphishing attacks and old exploits were effective against larger companies," Kaspersky Lab said. "Attackers always use this minimal effort approach in order to bypass a victim's defenses."

The financially motivated attackers carried out their exploit in the style associated with an advanced persistent threat. Once inside, they took their time -- as much as two to four months -- to monitor the financial institution's network and move laterally to system administrators and other key personnel with high privileges, Kaspersky Lab said. Losses range from $2 million to more than $10 million.

"This time attackers are targeting financial entities directly in an unprecedented, determined, highly professional and coordinated attack, and using any means from the target to cash as much money out as possible, up to an apparently auto-imposed limit," Kaspersky Lab said in its report. "Once they have stolen a significant amount of money, they abandon the victim."

Next: Criminals Captured Video, Manipulated Oracle Databases

In some cases, the cybercriminals captured video of the victim's activity to get a picture of the workflow and practices. To conduct the fraudulent transfers, they used internal command utilities to create fake transactions in the bank's internal database after the verification process.

Even more serious was the criminals' ability to control computers that had access to the internal ATM network of the victim bank, Kaspersky Lab said. Gaining access enabled them to remotely withdraw cash from ATMs without the need for additional malware or direct access to the ATM, the security vendor said. Oracle databases were manipulated to open payment or debit-card accounts at the same bank or to transfer money between accounts. One bank lost $7.3 million associated with ATM fraud. The attackers also exploited an online platform at another bank to net $10 million as part of that heist, Kaspersky said.

The malware used encrypted communications -- an SSH back door -- to communicate with the attackers behind the remote command-and-control servers. It's a tactic that works, according to solution providers, because many organizations fail to enable capabilities that can inspect encrypted communication.

The group is believed to have used malware based on the Carberp banking Trojan family, one of the most dangerous banking Trojans on the black market, tied with Zeus and SpyEye, which have been notoriously wrangling the financial industry for years.

Kaspersky Lab gave advance notice about its findings to victim organizations and members of the Financial Services Information Security and Analysis Center (FS-ISAC) about its findings. Financial industry security experts told CRN that they have been tracking the organization's tactics following a global law enforcement operation in 2013 that arrested those believed to be behind a massive credit card fraud ring.

The group is believed to have used the Zeus banking Trojan to carry out its campaign targeting consumers. The ring drained more than $45 million from bank accounts, transferring funds to banks in the United Arab Emirates and Oman. The cash-out scheme involved money mules, a similar tactic used in the latest attack, which requires low-level participants in the scheme, in the U.S. and abroad, to use prepaid debit cards and other methods to divert funds into the group's global money-laundering operation.