A gang of hackers has, over the course of a year or more, stolen up to $1 billion from financial institutions around the world, including some in the U.S., according to a new report by cybersecurity firm Kaspersky Lab.
The Carbanak gang — named after the malware they installed on computers at financial institutions — targeted marks in the U.S., Germany and Asia and possibly elsewhere, according to Kaspersky’s Threatpost blog. Instead of relying on phishing attacks that go after end-user passwords, they targeted bank employees themselves, sending email messages containing malware that then recorded internal interactions to learn the banks’ procedures and processes, in some cases feeding video back to their mothership.
One reason the payoff may have been so big was that the gang was patient, waiting months to make their move and also moving on from one bank to another after making their, um, withdrawals, typically grabbing no more than $10 million per institution. In some cases, ATMs just started spewing cash without anyone requesting it. The money was then picked up by cash “mules.” In others, the bank’s network was used to move money out of the organization into the cybercriminals’ own accounts. And in some cases, fake accounts were created with high balances, which were then tapped by mules.
From the Threatpost blog:
The hackers lived on the bank networks for months after successfully gaining a network foothold, generally through a spearphishing email laced with a malicious .CPL attachment, and in some cases, Word documents. The attachments contained the backdoor named Carbanak which is capable of many of the same data stealing capabilities as notorious APT-style attacks, including remote control.
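The initial foothold described above came through a mail attachment (a .CPL file, or a Word document) rather than an exploit. As an added example that is not part of the original article or of Kaspersky’s report, the following Python mail-gateway check parses a constructed message and flags attachments by their final extension, so a double-extension lure such as “statement.pdf.cpl” is still caught; the blocked and review extension lists are an assumption chosen for illustration, only .CPL and Word documents are named on the page.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive as mail attachments at a bank. .cpl
# (a Control Panel applet, really a DLL) is the lure type named in the quote;
# the rest of the list is an assumed policy for this example.
BLOCKED_EXTENSIONS = {".cpl", ".exe", ".scr", ".dll", ".js", ".vbs"}
# Office documents are allowed but routed for sandboxing / macro review.
REVIEW_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf"}

def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for an attachment file name.

    Only the final suffix decides, so 'statement.pdf.cpl' is blocked.
    """
    name = filename.lower().strip()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"

def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and classify each attachment by file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        results[fname] = classify_attachment(fname)
    return results

def build_sample() -> bytes:
    """Constructed sample message (not from the report) with two attachments."""
    msg = EmailMessage()
    msg["From"] = "payments@example.invalid"
    msg["To"] = "teller@bank.example.invalid"
    msg["Subject"] = "Updated transfer instructions"
    msg.set_content("Please review the attached instructions.")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="instructions.pdf.cpl")
    msg.add_attachment(b"PK...", maintype="application", subtype="msword",
                       filename="memo.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in triage_message(build_sample()).items():
        print(f"{verdict:6} {name}")
```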
Kaspersky posted its full report on Monday, an advance copy of which it provided to the New York Times. Speaking with that paper, Chris Doggett, managing director of Kaspersky’s North America office, characterized this as “the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.”
As is usually the case, no institutions were named because of non-disclosure agreements. It’s not exactly good advertising to admit that your customers’ funds are at risk, after all.
Kaspersky told the Times it worked with Interpol and Europol to gather information. Sanjay Virmani, director of Interpol’s digital crime center, told BBC News that the “attacks again underline the fact that criminals will exploit any vulnerability in any system.”