Bank heists for the digital age
Kirill Slavin, Managing Director at Kaspersky Lab
As the line between the virtual and real criminal world grows ever murkier, it’s not surprising online bank robbers are using the anonymity afforded by cyberspace to infiltrate the real world and get their hands on physical cash. At the same time, within the online world, criminals are diversifying, borrowing each other’s methods and innovating on a new level to fulfil their demands.
Borrowed tactics
The trends we’ve seen emerge from the latest cyber bank heists, from last year’s Carbanak attack to the most recent high profile robberies, is that the tactics of large scale long term targeted attacks, previously only seen to infiltrate companies, steal state secrets and undermine infrastructure, are being adopted by financially motivated cyber gangs, but on a much shorter timescale.
The gangs are adapting their methods to mimic the stealth used by state sponsored attacks to carry out swift break and enter jobs that give banks no time to identify the tell-tale signs of a long term persistent attack. In one of the most recent examples, a heist by the GCMAN gang, the criminals took ever more careful measures not to be detected by taking advantage of legitimate tools to enter the systems. No alarms were triggered and the attackers avoided the additional costs of developing bespoke malware.
The heists
Since Carbanak, we have seen other gangs undertake similar attacks with similar methods. The group behind the recent Metel campaign used spear phishing and browser exploits to infiltrate the corporate network of banks and control key computers within the banks’ IT systems. Having gained this level of access, the attackers were able to automate the roll-back of ATM transactions: gang members were able to use debit cards to steal money from ATMs without affecting the balance on the card. Our investigations revealed the attackers stepped out from behind their computer screens to work under the cover of darkness, driving around several Russian cities at night, withdrawing money from different locations.
GCMAN group, who give a respectable face to their criminal activities by using legitimate penetration testing tools after finding their way into an organisation by spear fishing. They then search for any strategic computers they can use to transfer money to e-currency services. By placing a Cron script in one of the bank’s servers they can complete financial transactions at a rate of $200 per minute – none of these transactions would even have been reported on any of the bank’s systems. Fortunately, in this case, the financial institutions detected the suspicious activity and cancelled the transactions.
Carbanak went to ground following last year’s public discovery by Kaspersky Lab. However, like many others that had gone before it, the gang resurfaced five months later with a whole host of new targets in their sights. Moving on from solely targeting banks, the attackers have since been going after budgeting and accounting departments in all types of organisations in ever more innovative ways – one case saw the attackers modify shareholder information to place a money mule as a shareholder within the company.
Keeping up with the criminals
With these types of financially motivated targeted attacks expanding beyond banks and beyond malware, companies need to think ever vigilantly about security. Banks have incredibly high levels of security but have still proven to be vulnerable to social engineering and ever more ingenious cyber criminals. For other organisations whose security policies are not as robust, this is a seriously worrying trend. However, there are measures companies can take to mitigate the risks. Watching behaviours on the network and analysing any unusual patterns will help IT departments familiarise themselves with the signs of an attack and be prepared to fight anything suspicious. Ensuring the infrastructure used to operate funds has restricted functionality in terms of web, device and software usage will limit pathways to the money. Finally, sharing information between other companies and security organisations will help identify any unusual activity or signs to be aware of.
An evolving threat
What these latest attacks have really shown is that cyber criminals will only continue to try new methods and work even faster to achieve their goals. Many of these attacks are not hugely sophisticated and the growth of off-the-shelf malware that enables even the least technologically savvy criminal to infiltrate an organisation means we need to be ever wary, looking for the slightest signs that someone has breached our systems and is looking for the opportune moment to strike.