In-brief: The New York Times reports on a massive online heist involving more than 100 banks worldwide and losses of between $300 million and $1 billion, according to the security firm Kaspersky Lab.
Did hackers armed with malware make off with almost a billion dollars from banks in Russia, Japan, Europe and the United States?
That’s the contention of a New York Times front page exclusive, which cites an as-yet-unreleased research report from the folks at Kaspersky Lab. If true, the campaign would be one of the largest bank heists ever – conducted at a safe remove using sophisticated and malicious software.
According to the Times, Kaspersky Lab researchers first discovered the operation after being asked by a Russian bank to investigate unusual activity on its ATM network. The antivirus software firm, which does extensive research on the cyber underground, eventually discovered a large-scale compromise of that bank’s network and links to around 100 other banks that had also been compromised.
The attacks have been attributed to a cybercriminal operation dubbed the Carbanak Gang -named after the malware used in the attack. The group is believed to have gotten a foothold on bank networks by sending e-mail containing infected file attachments to employees. The attackers then spread out on the affected banks’ network, eventually gaining control of credentials for key employees in charge of transferring funds or managing ATM networks.
[Read more Security Ledger coverage of cyber crime here.]
According to the report, the hackers maintained access on victim networks for months and slowly bled them of cash. Bank systems were used to transfer funds to shell accounts set up at JP Morgan Chase and the Agricultural Bank of China – often using transfers through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift. In other cases ATMs were ordered to disgorge cash to waiting accomplices. The hackers also used stolen credentials of bank officers to inflate the balance of targeted accounts, then siphon off the money. That attack cleverly exploited a hole in the bank’s fraud detection program, which monitored bank accounts only once every 10 hours, allowing the fraudulent deposit and transfer to be invisible to the account holder.
Losses may have totaled as much as $900 million, though Kaspersky has documented only $300 million in losses spread out across 100 banks in some 30 countries. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the Times reported, citing the Kaspersky report.
The banks involved are not named, with Kaspersky citing confidentiality. However, malware-based scams are hardly unusual. The Financial Services Information Sharing and Analysis Center (FS-ISAC) issues regular warnings about malware-based scams targeting banks and financial institutions.
Read more about the Carbanak heist here.