The recent attacks reported by Kaspersky Lab, which originated from a new malware dubbed Carbanak, were targeted attacks that allowed the criminal group in question to exfiltrate hundreds of millions of dollars from approximately 100 banks in several countries. Malware such as Carbanak is a focused attack against banks that eliminates the need to compromise individual consumers. IBM Red Cell highlighted similar activity in an October 2014 post.

Kaspersky Lab released information about the new malware and the associated attacks on Feb. 16. Kaspersky’s Global Research and Analysis Team detailed the malware scheme here.

Carbanak: Most Advanced Malware to Date?

Carbanak is a cleverly designed malware that allows cybercriminals to remotely access a bank’s systems and cash out large sums of money. According to Kaspersky, Carbanak was delivered to bank employees through spear phishing emails. The malware granted criminals access to manually explore the bank’s network and systems until it found a point of interest. The malware also allowed the criminal groups to record videos and keystrokes, which were then sent to a command-and-control server. The criminal group was able to learn the operations of each infected bank and determine the most efficient way to cash out.

Cash-Out Methods

Kaspersky identified several ways in which funds were removed from the bank:

  • ATM Cash (Jackpotting): The malware allowed the criminals to dispense cash from specific ATMs automatically at designated times. Money mules collected the cash as it was dispensed.
  • Online Banking: The money could be transferred to fraudster-controlled or money mule accounts. From there, the funds could be withdrawn in cash or further transferred to other accounts around the globe.
  • Electronic Funds Transfers: At some institutions, the criminals were able to compromise the wire transfer system and send funds directly to accounts located in foreign countries.
  • Inflated Account Balances: While not a specific cash-out method, in some instances the criminal group was able to falsely inflate account balances and then transfer the inflated amount through one of the above methods. In doing so, they were able to disguise the fraud because the internal bank accounts reflected their true balance after the inflated funds were transferred.

Humans Are the Weak Link

The sophistication of the Carbanak malware is impressive. However, the delivery of the malicious code into the affected organizations is very basic: The criminal group used spear phishing emails targeting employees at each financial institution. Kaspersky Lab explains that spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Unlike phishing scams, which cast broad, scattershot attacks, spear phishing hones in on a specific group or organization. If an employee opened one of these emails and clicked on the infected attachment, the malware would be downloaded to the employee’s computer. This gives the criminals the opportunity to manually move about the bank’s systems.

Most, if not all, financial institutions have some level of information security compliance or awareness training, yet phishing attack campaigns continue to be successful. The fraudulent emails are typically very well designed and often appear as though they were sent from a co-worker.

Analyst Comments

We noted in October that ATM malware was the next generation of ATM attacks. While we believe this to be true, the Carbanak malware portends a potential trend toward direct attacks against financial institutions. When a customer is compromised, detection of the crime is often quick because the customer is missing money. An attack against an individual account is also limited to the amount of money that is in the deposit account. A direct attack against a bank may allow the malicious actors to extend the length of the compromise and “live” within the bank’s systems for several months while planning a large exfiltration of cash.

Carbanak has highlighted the deficiency in employee awareness. Most institutions require compliance training on this topic annually, often to meet minimum regulatory requirements. To better protect against these types of attacks, financial institutions should develop and employ ongoing training and awareness programs and implement “red team” programs. Red team programs simulate actual phishing and spear phishing attacks. The purpose of these programs is to heighten employee vigilance for fraudulent emails. Employees that are duped into opening malicious attachments under controlled situations will learn to be aware of actual phishing attempts from cybercriminals. Red teaming as part of an overall training program will help organizations build a solid anti-cybercrime culture.

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today