US$ 1bn stolen from 100 finance Cos in global cyber-heist

A multi-national gang of cyber-criminals from Russia, Ukraine and other parts of Europe, as well as China, dubbed Carbanak, has stolen about a billion US dollars (£650 million) from financial institutions worldwide via cyber-hacks over the past two years. The group's activities have been uncovered by the combined efforts of INTERPOL and Europol working Kaspersky lab as well as authorities from several other countries.

Kaspersky reports that since 2013, the criminals sought to attack 100 banks, e-payment systems and other financial institutions in some 30 countries and that  attacks remain active. Targets included financial organisations in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia. 

A range of hacking techniques are described as having been used, particularly phishing, but one of the most interesting aspects is that the attackers stole money directly from banks, rather than targeting end users.  

Undertaking a bank robbery every two to four months, up to ten million dollars was stolen each time, after first infecting a computer on the bank's corporate network. Spear-phishing was used to infect the computer of an employee at the victim bank with the Carbanak malware. Administrators' video surveillance was then found and tracked, allowing the attackers to see and record everything that happened on the screens of staff who serviced the cash transfer systems. By discovering in detail how the bank clerks' work they were able to mimic staff activity to transfer money and cash out.

The fraudsters used online banking or international e-payment systems to transfer money from the banks' accounts to their own. For transfers, the stolen money was deposited with banks in China or America – and others may have also been used..

In some cases the cybercriminals penetrated into the key accounting systems, inflating account balances before taking the extra funds via a fraudulent transaction. By changing an account with 1,000 pounds to 10,000 pounds, the criminals then transfer 9,000 to themselves. And the account holder doesn't suspect a problem because the original 1,000 pounds is still there.

The cyber-thieves also seized control of banks' ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang was waiting beside the machine to collect the ‘voluntary' payment.

Sanjay Virmani, director of the INTERPOL Digital Crime Centre commented to press:"These attacks again underline the fact that criminals will exploit any vulnerability in any system. It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures. Identifying new trends in cybercrime is one of the key areas where INTERPOL works with Kaspersky Lab in order to help both the public and private sectors better protect themselves from these evolving threats."

 Sergey Golovanov, principal security researcher at Kaspersky Lab's Global Research and Analysis Team adds:  “These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn't even need to hack into the banks' services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.”

More detail and comment here.

Sign up to our newsletters