Cybercriminals in $1B heist are still active

Take the age-old impulse for criminals to go where the money is, mix with clever cyber strategies and the result is potentially the biggest bank heist ever.

Russian security company Kaspersky Labs, which reported on Monday that attackers stole as much as $1 billion over a period of months from financial institutions around the world, says the electronic theft represents "a new and disturbing trend in the cybercrime market." And the attacks continue, according to a report from the security company.

The campaign was started by "spear phishing emails," or emails that appear to be from people you know or legitimate businesses. The scam ended up spanning the world, stealing amounts of as much as $10 million per banking victim, with 100 financial institutions in countries as far afield as Australia, China and the U.S. so far identified as being hit by the criminals. While it's unclear how this stacks up against other hacks targeting banks, the massive attack is what Kaspersky calls "the most successful criminal cyber campaign we have ever seen."

"This was fairly unprecedented in scope," said Tim Zeilman, vice president of strategic products at HSB, a unit of Munich Re that handles specialty insurance coverage for issues including cyber crime. "Cyber criminals are trying to get their hands on things that can be easily converted into money, which is why Social Security numbers and credit card information are so valuable. In this case, the criminals were actually getting cash to come out of ATMs."

While the attack spans several continents, the criminals weren't targeting consumers, Kaspersky wrote in an email to CBS MoneyWatch. The attacks were aimed at banks and financial firms in a way that avoided everyday consumers.

Still, the security firm warned that the criminals remain on the loose. "The group is still active, and we urge all financial organizations to carefully scan their networks for the presence of Carbanak," the program used by the criminals, the report said. "If detected, report the intrusion to law enforcement immediately."

The phishing emails included Microsoft Word and Control Panel Applet files that helped exploit vulnerabilities in Microsoft Word and Office. The files, which come as an attachment, open a "backdoor," or unauthorized entry, into a computer or system. While the backdoors are often used in espionage, the purpose in this case appears to have been pure financial gain.

Once the networks were infiltrated, the criminals targeted money processing services such as ATMs and the SWIFT network, which is used to transfer money. Oracle databases were also manipulated to gain access to payment or debit-card accounts and transfer money via online systems. In some cases, the criminals ordered ATMs to spew out money at certain times, which their associates collected.

Before the criminals stole the money, they used infected computers to make video recordings of banks' systems administrators and other employees. That helped them to monitor and observe the financial institution's processes, allowing them to cash out.

"There is evidence indicating that in most cases the network was compromised for between two to four months, and that many hundreds of computers within a single victim organization may have been infected," the report notes. "This period of time was used by the attackers to get access to the right victims and critical systems, and to learn how to operate their tools and systems to get the cash out."

The infections were first detected in December 2013, with a peak of criminal activity recorded in June. Kaspersky said it has been working with law-enforcement agencies and had waited to make details public until it was "safe to do so."

Although consumers weren't targeted by this attack, the criminals relied on the types of programs and methods, such as phishing emails, that are often used to attack personal computers. People should always be wary of opening unusual emails or attachments, HSB's Zeilman said.

"Keep your browser and operating system and antivirus software up to date," he advised. "This was a problem with some intrusions, with some institutions that hadn't kept their protective software up to date."
