Cobalt Hacking Group continues despite leader arrest

News by Mark Mayne

Banking hacking group Cobalt continues to operate despite the arrest of a leading figure recently, according to researchers.


In fact, the March 2018 arrest seems to have had little impact at all, with the group launching new campaigns throughout March, April and May 2018.


Group-IB detected a new phishing attack launched by Cobalt, targeting banks in Russia, the CIS, and purportedly western countries. For the first time, the phishing emails, supposedly from anti-virus vendor Kaspersky Lab, contained a link claiming to detail a complaint that Kaspersky received about an alleged criminal act supposedly committed by the victim. Unsurprisingly, the link in fact took any victim who clicked it to a malicious site that infected them with the CobInt trojan.


The trojan is a malware strain that was historically used only by the Cobalt group, and one that had received considerable investment: the group likely recruited a team of developers in 2017, who created new tools for it and adjusted exploits in order to evade detection by security vendors.


The Cobalt group is infamous for silent infiltration of banking and financial institutions, usually via phished employee accounts, culminating in a range of financial thefts, including sending illegal SWIFT transactions and orchestrating ATM cash-outs. Experts estimate the group has made more than €1 billion (£900 million) to date, with an average of €10 million (£8.7 million) per heist.


Eyal Benishti, CEO & founder of Ironscales, told SC Media UK: “Phishers are sneaky, and despite the fact their ‘leader’ may have been apprehended, criminals in this group are still going to want to make some money. This new campaign spoofs a brand that most will believe is there to protect them from these kinds of activities, and so the lure itself plays on an individual's fear that something bad might actually be happening - by doing this, they might be more likely to click and proceed, thus landing themselves in hot water.


“Spear phishing campaigns, like this one, are often meticulous in their execution - their increased sophistication allows loaded emails to easily bypass traditional signature-based secure email gateways, and land in a victim's inbox ready to be detonated. Alongside this, employee awareness training and training programmes have limited success; workers often lack time, focus and the necessary tools at their disposal to be fully effective in fighting off phishing attacks like this.


“To combat this, focus must move down the stack to the recipient's inbox, that harnesses both human detection and machine intelligence, to automate and respond at scale to these types of attacks. By examining user communications and metadata to establish a baseline, anomalies in communications are easily spotted and automatically flagged as suspicious, to help people make smarter and quick decisions regarding suspicious emails within the mailbox.”


Phishing is increasingly endemic, and tricky to combat. According to the Cyber Security Breaches Survey 2018, 43 percent of businesses experienced a cyber-security attack or breach in the last 12 months, and of those, 75 percent were the result of fraudulent emails or being directed to fraudulent websites.


Javvad Malik, security advocate at AlienVault, told SC Media UK that a blended approach offers enterprises the best chance of defeating the phishers: “Social engineering forms the first step in Cobalt's attack with phishing emails. There is no easy solution to addressing phishing emails, rather it requires a blended approach of technological controls as well as user awareness. The latter being particularly important so that users can identify any fraudulent emails that may have slipped through the net, and either avoid clicking on them, or know how to notify the relevant department if they do find themselves falling victim to such an email.”
