Dubbed “Carbanak”, the criminal gang responsible for the cyber robbery used an arsenal of attack tools and techniques. The plot marks the beginning of a new stage in the evolution of cyber criminal activity, where malicious users steal money directly from banks, and avoid targeting end users.
“These bank heists were surprising because it made no difference to the criminals what software the banks were using,” said Sergey Golovanov, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team. “So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.”
For example: if an account has £1,000, the criminals change its value so it has £10,000 and then transfer £9,000 to themselves. The account holder doesn’t suspect a problem because the original £1,000 is still there.
Since 2013, the criminals have attempted to attack up to 100 banks, e-payment systems and other financial institutions in around 30 countries. The attacks remain active. According to Kaspersky Lab data, the Carbanak targets included financial organisations in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.
So far 300 IP addresses around the world have been observed.
It appears that when the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case the stolen money was deposited with banks in China or America. The experts do not rule out the possibility that other banks in other countries were used as receivers.
Read more about cybercrime:
- The seven biggest cybercrimes in history
- Are SMEs cannon fodder for cyber criminals
- UK firms turn to ex-hackers to “skill-up” against cybercrime
In addition, the cyber thieves seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s henchmen was waiting beside the machine to collect the ‘voluntary’ payment. In fact, the report states that one unfortunate victim lost around $7.3m due to ATM fraud.
According to the report, the gang navigated internal networks and tracked down administrators’ computers for video surveillance. This gave them the ability to see and record everything that happened on the screens of staff.
Kaspersky explained: “In this way the cyber criminals got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out.”
It is estimated that the largest sums were grabbed by hacking into banks and stealing up to $10m in each raid. On average, each bank robbery took between two and four months, from infecting the first computer at the bank’s corporate network to making off with the stolen money.
The cyber criminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to jump into the internal network and track down administrators’ computers for video surveillance. This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems. In this way, the fraudsters got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out.
The company suggests that the best way to detect the malware is to look for “.bin” files in the folder. For example: ..All users%AppData%Mozilla
“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” said Sanjay Virmani, director of the INTERPOL Digital Crime Centre. “It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures. Identifying new trends in cybercrime is one of the key areas where INTERPOL works with Kaspersky Lab in order to help both the public and private sectors better protect themselves from these evolving threats.”