The recent attacks reported by Kaspersky Lab, which originated from a new malware dubbed Carbanak, were targeted attacks that allowed the criminal group in question to exfiltrate hundreds of millions of dollars from approximately 100 banks in several countries. Malware such as Carbanak is a focused attack against banks that eliminates the need to compromise individual consumers. IBM Red Cell highlighted similar activity in an October 2014 post.

Kaspersky Lab released information about the new malware and the associated attacks on Feb. 16. Kaspersky’s Global Research and Analysis Team detailed the malware scheme here.

Carbanak: Most Advanced Malware to Date?

Carbanak is a cleverly designed malware that allows cybercriminals to remotely access a bank’s systems and cash out large sums of money. According to Kaspersky, Carbanak was delivered to bank employees through spear phishing emails. The malware granted criminals access to manually explore the bank’s network and systems until it found a point of interest. The malware also allowed the criminal groups to record videos and keystrokes, which were then sent to a command-and-control server. The criminal group was able to learn the operations of each infected bank and determine the most efficient way to cash out.

Cash-Out Methods

Kaspersky identified several ways in which funds were removed from the bank:

  • ATM Cash (Jackpotting): The malware allowed the criminals to dispense cash from specific ATMs automatically at designated times. Money mules collected the cash as it was dispensed.
  • Online Banking: The money could be transferred to fraudster-controlled or money mule accounts. From there, the funds could be withdrawn in cash or further transferred to other accounts around the globe.
  • Electronic Funds Transfers: At some institutions, the criminals were able to compromise the wire transfer system and send funds directly to accounts located in foreign countries.
  • Inflated Account Balances: While not a specific cash-out method, in some instances the criminal group was able to falsely inflate account balances and then transfer the inflated amount through one of the above methods. In doing so, they were able to disguise the fraud because the internal bank accounts reflected their true balance after the inflated funds were transferred.

Humans Are the Weak Link

The sophistication of the Carbanak malware is impressive. However, the delivery of the malicious code into the affected organizations is very basic: The criminal group used spear phishing emails targeting employees at each financial institution. Kaspersky Lab explains that spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Unlike phishing scams, which cast broad, scattershot attacks, spear phishing hones in on a specific group or organization. If an employee opened one of these emails and clicked on the infected attachment, the malware would be downloaded to the employee’s computer. This gives the criminals the opportunity to manually move about the bank’s systems.

Most, if not all, financial institutions have some level of information security compliance or awareness training, yet phishing attack campaigns continue to be successful. The fraudulent emails are typically very well designed and often appear as though they were sent from a co-worker.

Analyst Comments

We noted in October that ATM malware was the next generation of ATM attacks. While we believe this to be true, the Carbanak malware portends a potential trend toward direct attacks against financial institutions. When a customer is compromised, detection of the crime is often quick because the customer is missing money. An attack against an individual account is also limited to the amount of money that is in the deposit account. A direct attack against a bank may allow the malicious actors to extend the length of the compromise and “live” within the bank’s systems for several months while planning a large exfiltration of cash.

Carbanak has highlighted the deficiency in employee awareness. Most institutions require compliance training on this topic annually, often to meet minimum regulatory requirements. To better protect against these types of attacks, financial institutions should develop and employ ongoing training and awareness programs and implement “red team” programs. Red team programs simulate actual phishing and spear phishing attacks. The purpose of these programs is to heighten employee vigilance for fraudulent emails. Employees that are duped into opening malicious attachments under controlled situations will learn to be aware of actual phishing attempts from cybercriminals. Red teaming as part of an overall training program will help organizations build a solid anti-cybercrime culture.

More from Banking & Finance

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today