Billion-Dollar Cyberheist Used Phishing, Malicious Attachments


Cybercriminals from Eastern Europe have infiltrated at least 100 banks in 30 countries, raking in as much as $1 billion through fraudulent transfers and hijacked ATMs over a two-year period.

The attackers struck at Russian banks first, then at banks in Germany, China and the United States, according to Kaspersky Lab, which issued the threat report (.PDF) to analysts and reporters attending the company's analyst summit in Cancun, Mexico, this week. Details about the tactics of the organized cybercriminal ring, known as Carbanak, which operates out of Eastern Europe, Russia, Ukraine and China, show that the group infiltrated bank networks and gained access to key resources, including employee account credentials and the privileges needed to make fraudulent transactions appear legitimate.

Solution providers said financial services firms, including smaller, regional banks and credit unions, are well aware of the group and are closely monitoring systems for evidence of an attack. The group used a mixture of targeted phishing attacks and possibly drive-by attacks to infect employee workstations at the banks. Once a victim's system was infected, a remote access Trojan was installed and the cybercriminals moved to the second stage of the attack: identifying the systems that grant user privileges and manage account credentials.

[Related: The 8 Steps Behind The Massive $45M Cyber Bank Heist]

"I'm not surprised, but this is something that the financial industry is well aware of and is the most capable to protect against," said Kevin Wheeler, founder and managing director of Dallas-based information security services company InfoDefense. "The ever-evolving nature of the threat landscape makes it a never-ending game of whack-a-mole that is almost impossible to keep up with."

The first infections were detected in December 2013, with much of the activity taking place between February and April of last year. No costly zero-day exploits or sophisticated techniques were used, because the attackers didn't need them, Kaspersky Lab said. The tactics were fairly simple, relying on tricking employees into opening malicious attachments or clicking malicious links. The social engineering was effective in gaining an initial foothold, and the attackers had the wherewithal and patience to remain stealthy on compromised systems, the security vendor said.

"Despite increased awareness of cybercrime within the financial services sector, it appears that spearphishing attacks and old exploits were effective against larger companies," Kaspersky Lab said. "Attackers always use this minimal effort approach in order to bypass a victim's defenses."
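The article does not say what the malicious attachments were, but the initial-access vector it describes (an employee opening an attachment) is exactly what a mail-gateway attachment policy is meant to block. The following is an added example, not code from Kaspersky Lab, CRN or the Carbanak report: it parses a constructed phishing-style message and flags attachments by extension, double extension, macro-capable Office format and, independent of the file name, the `MZ` header of a Windows executable. The blocked-extension and macro-format lists, the sample message and the attachment bytes are this example's own assumptions.

```python
"""Attachment policy check for an inbound mail gateway.

Added example, not Kaspersky's or CRN's code. The policy lists below, the
MZ-header check and the sample message are assumptions of this example.
"""
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions that should never reach an employee inbox (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".cpl", ".js", ".vbs", ".bat",
                      ".cmd", ".ps1", ".hta", ".jar"}
# Office formats that can carry VBA macros (assumed policy list; legacy
# .doc/.xls can hold macros too).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}


def all_extensions(filename):
    """Return every extension in a name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(filename, data):
    """Return the list of reasons to block; an empty list means no finding."""
    reasons = []
    exts = all_extensions(filename or "")
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {final}")
        if len(exts) > 1:  # e.g. 'statement.pdf.exe' shown as 'statement.pdf'
            reasons.append("double extension")
    if final in MACRO_EXTENSIONS:
        reasons.append(f"macro-capable Office format {final}")
    # Content check: a Windows PE image starts with 'MZ' whatever it is named,
    # so a renamed executable (e.g. 'report.pdf') is still caught here.
    if data[:2] == b"MZ":
        reasons.append("PE executable content (MZ header)")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 5322 message; return {filename: [reasons]} for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed phishing-style message for the demo; attachment bytes are fake."""
    msg = MIMEMultipart()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "teller@bank.example"
    msg["Subject"] = "Urgent: updated payment instructions"
    msg.attach(MIMEText("Please review the attached instructions today.", "plain"))
    # A fake PE disguised as a PDF: double extension plus MZ header.
    fake_exe = MIMEApplication(b"MZ\x90\x00" + b"\x00" * 60, Name="instructions.pdf.exe")
    fake_exe["Content-Disposition"] = 'attachment; filename="instructions.pdf.exe"'
    msg.attach(fake_exe)
    # A benign-looking PDF that should pass the policy.
    pdf = MIMEApplication(b"%PDF-1.4\n%fake\n", Name="invoice.pdf")
    pdf["Content-Disposition"] = 'attachment; filename="invoice.pdf"'
    msg.attach(pdf)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

The content check matters more than the name check: an attacker controls the file name, not the first bytes of a PE. A gateway would also want archive extraction and a link-rewriting step for the "malicious link" vector the article mentions, which this example does not cover.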

The financially motivated attackers carried out the intrusion in the style of an advanced persistent threat. Once inside, they took their time -- as much as two to four months -- to monitor the financial institution's network and move laterally to system administrators and other key personnel with high privileges, Kaspersky Lab said. Losses per victim bank ranged from $2 million to more than $10 million.

"This time attackers are targeting financial entities directly in an unprecedented, determined, highly professional and coordinated attack, and using any means from the target to cash as much money out as possible, up to an apparently auto-imposed limit," Kaspersky Lab said in its report. "Once they have stolen a significant amount of money, they abandon the victim."

Next: Criminals Captured Video, Manipulated Oracle Databases 
