Carbanak: It’s All About the Phish

March 2, 2015
| |
3 min read


The recent attacks reported by Kaspersky Lab, which originated from a new malware dubbed Carbanak, were targeted attacks that allowed the criminal group in question to exfiltrate hundreds of millions of dollars from approximately 100 banks in several countries. Malware such as Carbanak is a focused attack against banks that eliminates the need to compromise individual consumers. IBM Red Cell highlighted similar activity in an October 2014 post.

Kaspersky Lab released information about the new malware and the associated attacks on Feb. 16. Kaspersky’s Global Research and Analysis Team detailed the malware scheme here.

Carbanak: Most Advanced Malware to Date?

Carbanak is a cleverly designed malware that allows cybercriminals to remotely access a bank’s systems and cash out large sums of money. According to Kaspersky, Carbanak was delivered to bank employees through spear phishing emails. The malware granted criminals access to manually explore the bank’s network and systems until it found a point of interest. The malware also allowed the criminal groups to record videos and keystrokes, which were then sent to a command-and-control server. The criminal group was able to learn the operations of each infected bank and determine the most efficient way to cash out.

Cash-Out Methods

Kaspersky identified several ways in which funds were removed from the bank:

  • ATM Cash (Jackpotting): The malware allowed the criminals to dispense cash from specific ATMs automatically at designated times. Money mules collected the cash as it was dispensed.
  • Online Banking: The money could be transferred to fraudster-controlled or money mule accounts. From there, the funds could be withdrawn in cash or further transferred to other accounts around the globe.
  • Electronic Funds Transfers: At some institutions, the criminals were able to compromise the wire transfer system and send funds directly to accounts located in foreign countries.
  • Inflated Account Balances: While not a specific cash-out method, in some instances the criminal group was able to falsely inflate account balances and then transfer the inflated amount through one of the above methods. In doing so, they were able to disguise the fraud because the internal bank accounts reflected their true balance after the inflated funds were transferred.

Humans Are the Weak Link

The sophistication of the Carbanak malware is impressive. However, the delivery of the malicious code into the affected organizations is very basic: The criminal group used spear phishing emails targeting employees at each financial institution. Kaspersky Lab explains that spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Unlike phishing scams, which cast broad, scattershot attacks, spear phishing hones in on a specific group or organization. If an employee opened one of these emails and clicked on the infected attachment, the malware would be downloaded to the employee’s computer. This gives the criminals the opportunity to manually move about the bank’s systems.

Most, if not all, financial institutions have some level of information security compliance or awareness training, yet phishing attack campaigns continue to be successful. The fraudulent emails are typically very well designed and often appear as though they were sent from a co-worker.

Analyst Comments

We noted in October that ATM malware was the next generation of ATM attacks. While we believe this to be true, the Carbanak malware portends a potential trend toward direct attacks against financial institutions. When a customer is compromised, detection of the crime is often quick because the customer is missing money. An attack against an individual account is also limited to the amount of money that is in the deposit account. A direct attack against a bank may allow the malicious actors to extend the length of the compromise and “live” within the bank’s systems for several months while planning a large exfiltration of cash.

Carbanak has highlighted the deficiency in employee awareness. Most institutions require compliance training on this topic annually, often to meet minimum regulatory requirements. To better protect against these types of attacks, financial institutions should develop and employ ongoing training and awareness programs and implement “red team” programs. Red team programs simulate actual phishing and spear phishing attacks. The purpose of these programs is to heighten employee vigilance for fraudulent emails. Employees that are duped into opening malicious attachments under controlled situations will learn to be aware of actual phishing attempts from cybercriminals. Red teaming as part of an overall training program will help organizations build a solid anti-cybercrime culture.

Steven D'Alfonso
Senior Financial Crimes Intelligence Specialist, IBM Red Cell

Steven D'Alfonso joined IBM in April of 2013 as an inaugural member of the Red Cell team. Red Cell is a team of highly skilled subject matter experts in the ...
read more