Security firm Kaspersky Lab revealed a massive worldwide security breach across 100 banks and electronic payment systems around the world, including those in the United States. It is estimated that as much as $1 billion has been stolen using this security exploit, which first appeared in late 2013.
An ‘Ocean’s Eleven’ style hack
A multinational network of cyber criminals from Russia, Ukraine, China and other European countries is responsible for the breach, according to Kaspersky. What’s interesting is the sophistication and patience the hackers exhibited.
Each attack took an average of two to four months. Using spear phishing, a type of phishing email that targets specific organizations, hackers were able to install malware called Carbanak onto a bank employee’s computer.
Carbanak allowed hackers to monitor the behavior of bankers over months before stealing money. “This allowed the attackers to understand the protocols and daily operational tempo of their targets,” says Kaspersky in its report.
Another method the hackers used to stay under the radar was to limit the amount of money stolen to $10 million from each bank. Kaspersky speculates this limit was dictated by the fact that $10 million is the maximum amount budgeted by banks for fraud risk, the hope being that banks wouldn’t launch a full-scale analysis of their systems. Spread out over 100 banks, the total amount stolen could top $1 billion. Of the affected banks, 42% are located in Russia and only 10% are in the US.
While most cyber thefts are more smash-and-grab, the methodical nature of this hack is “much more ‘Ocean’s Eleven’”, says managing director of Kaspersky North America Chris Doggett.
Hackers transferred money from banks to personal accounts and even attacked ATMs, scheduling machines to dispense money at specific locations and times where a member of the hacking group would be waiting.
An ongoing attack
No banks have come forward to acknowledge the hack as of yet. However, a representative from Bank of America responded saying it “was not impacted by Carbanak”. Other banks I’ve reached out to did not respond to my inquiries.
Kaspersky says the attack is still on-going and that it is working with law enforcement to track down the hackers. Security reporter Brian Krebs reported on this vulnerability back in December 2014, explaining how Russian and Ukrainian hackers managed to attack ATMs from inside banks.
The attacks began in December 2013 with peak infections occurring in June 2014. Kaspersky knew about the attack but didn’t release details until now because the investigation remains open. The company was asked by law enforcement not to divulge the information too early into the investigation.
Although the $1 billion figure is shocking, the methods the thieves used to access banking systems are not. Techniques like spear phishing have been around for a long time. Spear phishing targets organizations with fake emails dressed up to look like legitimate correspondence to get bank employees to download infected attachments like Word documents.
Once an employee downloads or clicks on a malicious link, the Carbanak virus gets injected into the computer. Carbanak is what’s known as a RAT (remote access tool), which allows a hacker to see everything on a person’s computer, assume control and even log keystrokes.
After gaining access to one bank’s computers, the hackers then mounted additional spear phishing email attacks against other banks, sending the emails from legitimate bank addresses and impersonating employee behavior.
Banks failed to employ basic security practices
Banks could have avoided being hacked if they took basic security measures. RATs are nothing new and neither are the phishing techniques that plague us today.
The Carbanak virus was distributed in infected Microsoft Office attachments. Having an updated version of Microsoft Office would have stopped the attack dead since these security vulnerabilities have already been patched.
Providing basic cyber security training for employees could have also led to the detection of spear-phishing emails that housed the infection.
On the whole, cyber security is not being taken seriously by many banking institutions. American Express, Capital One and Citibank all lack basic two-factor authentication, which goes a long way in protecting their customers’ accounts. Head over to https://twofactorauth.org/ to see which banks and services still don’t use two-factor. While banks are looking at increasing security for their customers, some forget to increase security for their own employees.
Out of your hands
I’ve preached basic security practices like using a password manager and enabling two-factor authentication but in this case, there’s not much you can do. The Carbanak attack is specifically targeting banks and not individual accounts, but you should still check your accounts often for suspicious behavior.
“Consumers should check both their online and paper statements on a regular basis for unusual activity. Additionally, consumers should be cautious when downloading attachments and opening links from people or institutions they do not know and do know. If an email claiming to be your banking institution seems suspicious, it could be a phishing scam and you should double check with your bank to make sure the email is really from them,” says Avast COO Ondrej Vlcek.
Avast Free Antivirus 2015 checks for outdated software
To make sure you don’t fall prey to the same methods of attack as banks affected by Carbanak, make sure to keep your computer updated with the latest software and system updates. Windows users can check for updates in Windows Update and Mac users can check in the Mac App Store. If an email seems suspicious to you, visit your bank’s site directly or give them a call.
You can also use a service like Mint to monitor all of your financial accounts. Mint sends you notifications of any suspicious activity and lets you quickly glance at anything that might be off with your accounts. There are Mint mobile apps (Android | iOS) you can download to get notifications faster.
Unfortunately, corporate negligence for security is commonplace. Target’s breach last summer showed how the company was slow to act on early warnings, resulting in 1 to 3 million stolen credit card numbers. Sony Pictures kept its passwords in an unencrypted plaintext file and didn’t encrypt its employees’ emails. Home Depot admitted its 2014 hack was attributed to the company’s policy of meeting security standards rather than anticipating new threats.
All we can do is wait to hear which banks have been affected and how they’re going to patch their security holes.
Follow me on Twitter: @lewisleong