Billion Dollar Bank Heist Caused by Malware
New reports are emerging of banks across the world that have been targeted in a spear-phishing attack that leveraged out-of-date software to steal nearly a billion dollars.
In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever — and one conducted without the usual signs of robbery.
The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.
Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.
The majority of the targets were in Russia, but many were in Japan, the United States and Europe.
—Bank Hackers Steal Millions via Malware | NY Times
…employees at victim banks had their computers infected merely after opening booby-trapped emails. “The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait,” The Times’ story reads. “When the bank employees clicked on the email, they inadvertently downloaded malicious code.”
As the Kaspersky report (and my earlier reporting) notes, the attackers leveraged vulnerabilities in Microsoft Office products for which Microsoft had already produced patches many months prior — targeting organizations that had fallen behind on patching. Victims had to open booby trapped attachments within spear phishing emails.
—The Great Bank Heist, or Death by 1,000 Cuts? | Krebs on Security
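Both quotes above describe the same initial access: an email that appeared to come from a colleague, carrying an Office attachment that exploited an already-patched vulnerability. The following Python triage is an added example for this page, not code from Kaspersky, Krebs or The Times; it runs over constructed mail-gateway log lines (the log format, field names, the `examplebank.test` domain and the staff names are all assumptions) and flags inbound external mail whose display name imitates an internal employee or that carries an Office document, which is the kind of check a mail team could run over real gateway logs to spot this lure before the patching gap matters.

```python
"""Triage of constructed mail-gateway log lines for the lure described in the
NYT and Krebs quotes: external mail whose display name imitates a colleague and
that carries an Office attachment.  Added example for this page; the log format,
domain, staff list and sample values below are all constructed assumptions."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "examplebank.test"             # assumed internal mail domain
INTERNAL_STAFF = {"Anna Meyer", "Pavel Orlov"}   # assumed directory extract
OFFICE_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
              ".rtf", ".ppt", ".pptx"}

# Constructed gateway log lines (not real data).  One message per line:
#   <ts> from="Display Name <addr>" to=<addr> attachments=a.ext;b.ext
SAMPLE_LOG = """\
2015-02-13T08:01:11Z from="Anna Meyer <anna.meyer@examplebank.test>" to=<pavel.orlov@examplebank.test> attachments=q1-report.xlsx
2015-02-13T08:03:42Z from="Anna Meyer <news.desk@mail-news.example>" to=<pavel.orlov@examplebank.test> attachments=breaking-news.doc
2015-02-13T08:05:09Z from="Vendor Billing <billing@vendor.example>" to=<pavel.orlov@examplebank.test> attachments=invoice.pdf
2015-02-13T08:07:30Z from="Pavel Orlov <p.orlov@free-mail.example>" to=<anna.meyer@examplebank.test> attachments=memo.rtf;photo.jpg
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+from="(?P<name>[^"<]*?)\s*<(?P<addr>[^>]+)>"\s+'
    r'to=<(?P<to>[^>]+)>\s+attachments=(?P<att>\S*)$'
)


@dataclass
class Finding:
    ts: str
    display_name: str
    sender: str
    recipient: str
    office_files: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["att"] = [a for a in rec["att"].split(";") if a]
    return rec


def office_attachments(names):
    """Keep only attachment names with an Office document extension."""
    return [n for n in names if any(n.lower().endswith(e) for e in OFFICE_EXT)]


def triage(log_text):
    """Flag external messages that spoof a colleague or carry an Office file."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sender_domain = rec["addr"].rsplit("@", 1)[-1].lower()
        external = sender_domain != INTERNAL_DOMAIN
        office = office_attachments(rec["att"])
        reasons = []
        if external and rec["name"].strip() in INTERNAL_STAFF:
            reasons.append("display name matches internal staff but sender is external")
        if external and office:
            reasons.append("Office attachment from external sender")
        if reasons:
            findings.append(Finding(rec["ts"], rec["name"].strip(), rec["addr"],
                                    rec["to"], office, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts, f.sender, "->", f.recipient, "|", "; ".join(f.reasons))
```

On the constructed sample, only the two messages that come from outside the bank while borrowing a real employee's display name are flagged; the genuine internal spreadsheet and the external PDF invoice pass. The display-name check is the cheap signal for "appeared to come from a colleague"; the attachment-type check is what makes the patching lag the Krebs quote describes matter.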
And how did this gang get into the networks? The Times report said they sent spear-phishing emails to employees, some of whom clicked on the bad links and infected their workstation. Once the bad guys had access, they tunneled into the network and found the employees who were in charge of cash transfer systems or ATMs.
The next step was they installed a remote access Trojan, which gave them full access so they could study what these key employees did. At that point they were able to tell ATMs to dispense cash or transfer larger amounts to accounts all over the world. It boils down to the conclusion that well over 100 bank networks (that we know of) have been pwned for years, and the attacks are likely still happening.
—Billion Dollar Cyberheist Caused By Phish-prone Employees | KnowBe4