The process of how cyber criminals stole millions:
First the hackers performed a phishing attack.
They got the e-mails of the banks executives that have authority to handle loans and transfers and sent an email with a banking related document attached, such as a loan or credit request. The trick was that the attachment had an attack sublayer or malware embedded. After the bank employee opened the seemingly regular document, the malware was loaded and the first stage was complete.
They now had a window into the inner workings of that bank.
With their malware loaded, the blackhats could see passwords, documents, transactions and transfers. They could even find out who had the authority to approve transfers and ATM management!The intelligence phase started.
Some examples of malware that phishers use are Anunak, ZBerp and Bredolab.
A system like ZBerp (a combination of the Zeus Trojan and the Carberp malware) has both Trojan and Botnet capabilities – it has the ability to steal data submitted in a compromised system like HTTP forms, SSL Certifcates, FTP and POP account credentials. It is usable in POS systems and banking software and is available on the Dark Web for an average of $5,000.00 per copy.
So every time the bankers processed a loan or transfer the hackers got a complete copy of the transaction - including screen shots, passwords and processes.
Then the criminals collected.
This combined Trojan and Botnet attack also allowed them to take remote control of the banks computers and process their own nefarious transactions. The result is that the attackers now can transfer money into fraudulent bank accounts created by them at will. The hackers got rich using the electronic transfer methods to send money to other banks and institutions anywhere in the world.
They can send money to internet financial institutions like BitCoin. They also directed and attacked the banks ATMs to dispense cash anytime they needed it or on a one-time basis without anyone catching them.
The recent attack on hundreds of world banks netted the hackers 100’s of millions to billions of dollars.
The Financial Services Information Sharing and Analysis Center (https://www.fsisac.com/), a nonprofit monitoring organization that alerts members and corporations like banks about hacking activity, said in a recent statement that its members received a briefing about the report in January.
The actual total of losses has been kept secret but most attacks seem to have stopped at $10M or 9.1M Euros per financial institution. The estimates have gone on to say that, potentially, billions were stolen from hundreds of banks worldwide.
It is really a simple case of low-to-no visibility, resulting in attacks and data theft.
A network security manager with total network visibility via network taps should have easily seen:
- Data/traffic load change
- New and aberrant outside IP addresses (foreign traffic)
- Large file transfers carrying the screen shots and documents from inside to outside
- Users from outside the internal secure network creating internal documents
- Off hours of usage
- ATM commands coming from the outside
Also, physical discovery methods should have played a bigger role. A regular audit of fund transfers would show unusual transfers.
Here is another real world situation where network managers needed real visibility into their network and the success of the hackers empirically shows why network visibility is not a nice to have but a need to have.
Remember – it is not “if” you will be attacked but “when” you will be attacked. Are you ready to see the aberrant network behavior brought on by an attack or are you willing to just ignore and allow an unanswered attack on your network?
