The recent attacks reported by Kaspersky Lab, which originated from a new malware dubbed Carbanak, were targeted attacks that allowed the criminal group in question to exfiltrate hundreds of millions of dollars from approximately 100 banks in several countries. Malware such as Carbanak is a focused attack against banks that eliminates the need to compromise individual consumers. IBM Red Cell highlighted similar activity in an October 2014 post.

Kaspersky Lab released information about the new malware and the associated attacks on Feb. 16. Kaspersky’s Global Research and Analysis Team detailed the malware scheme in its published report.

Carbanak: Most Advanced Malware to Date?

Carbanak is a cleverly designed malware that allows cybercriminals to remotely access a bank’s systems and cash out large sums of money. According to Kaspersky, Carbanak was delivered to bank employees through spear phishing emails. The malware granted criminals the access needed to manually explore the bank’s network and systems until they found a point of interest. The malware also allowed the criminal groups to record videos and keystrokes, which were then sent to a command-and-control server. The criminal group was able to learn the operations of each infected bank and determine the most efficient way to cash out.

Cash-Out Methods

Kaspersky identified several ways in which funds were removed from the bank:

  • ATM Cash (Jackpotting): The malware allowed the criminals to dispense cash from specific ATMs automatically at designated times. Money mules collected the cash as it was dispensed.
  • Online Banking: The money could be transferred to fraudster-controlled or money mule accounts. From there, the funds could be withdrawn in cash or further transferred to other accounts around the globe.
  • Electronic Funds Transfers: At some institutions, the criminals were able to compromise the wire transfer system and send funds directly to accounts located in foreign countries.
  • Inflated Account Balances: While not a specific cash-out method, in some instances the criminal group was able to falsely inflate account balances and then transfer the inflated amount through one of the above methods. In doing so, they were able to disguise the fraud because the internal bank accounts reflected their true balance after the inflated funds were transferred.
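The inflated-balance method above leaves a detectable gap: the balance field is raised without a matching posted credit. As an added example (not from the Kaspersky report or the original post, with account data constructed for illustration), the following Python sketch shows the reconciliation check a defender would run, recomputing each balance from the ledger and authorizing outbound transfers only against the ledger-derived figure.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Tuple

@dataclass
class Account:
    account_id: str
    stored_balance: Decimal                # balance field in the core banking table
    ledger: List[Tuple[str, Decimal]] = field(default_factory=list)  # posted (txn_id, amount)

def ledger_balance(acct: Account) -> Decimal:
    """Recompute the balance from posted ledger entries only."""
    return sum((amount for _, amount in acct.ledger), Decimal("0"))

def find_inflated_accounts(accounts: List[Account]):
    """Flag accounts whose stored balance is not supported by the ledger.

    Editing the balance field directly, instead of posting a credit, opens a
    gap between the two figures. The gap closes once the inflated amount is
    transferred out, so this reconciliation must run on a schedule, not only
    at end of day.
    """
    findings = []
    for acct in accounts:
        expected = ledger_balance(acct)
        gap = acct.stored_balance - expected
        if gap != 0:
            findings.append((acct.account_id, acct.stored_balance, expected, gap))
    return findings

def authorize_transfer(acct: Account, amount: Decimal) -> bool:
    """Approve an outbound transfer only against the ledger-derived balance."""
    return Decimal("0") < amount <= ledger_balance(acct)

def sample_accounts() -> List[Account]:
    """Constructed data: one clean account, one with a tampered balance field."""
    clean = Account("ACC-001", Decimal("1000.00"),
                    [("T1", Decimal("1500.00")), ("T2", Decimal("-500.00"))])
    tampered = Account("ACC-002", Decimal("11000.00"),   # balance raised to 11000, no credit posted
                       [("T3", Decimal("1000.00"))])
    return [clean, tampered]

if __name__ == "__main__":
    accounts = sample_accounts()
    for account_id, stored, expected, gap in find_inflated_accounts(accounts):
        print(f"{account_id}: stored {stored}, ledger {expected}, unexplained gap {gap}")
    print("transfer of 10000 from ACC-002 authorized:",
          authorize_transfer(accounts[1], Decimal("10000.00")))
```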

Humans Are the Weak Link

The sophistication of the Carbanak malware is impressive. However, the delivery of the malicious code into the affected organizations is very basic: The criminal group used spear phishing emails targeting employees at each financial institution. Kaspersky Lab explains that spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Unlike phishing scams, which cast broad, scattershot attacks, spear phishing homes in on a specific group or organization. If an employee opened one of these emails and clicked on the infected attachment, the malware would be downloaded to the employee’s computer. This gives the criminals the opportunity to manually move about the bank’s systems.

Most, if not all, financial institutions have some level of information security compliance or awareness training, yet phishing attack campaigns continue to be successful. The fraudulent emails are typically very well designed and often appear as though they were sent from a co-worker.

Analyst Comments

We noted in October that ATM malware was the next generation of ATM attacks. While we believe this to be true, the Carbanak malware portends a potential trend toward direct attacks against financial institutions. When a customer is compromised, detection of the crime is often quick because the customer is missing money. An attack against an individual account is also limited to the amount of money that is in the deposit account. A direct attack against a bank may allow the malicious actors to extend the length of the compromise and “live” within the bank’s systems for several months while planning a large exfiltration of cash.

Carbanak has highlighted the deficiency in employee awareness. Most institutions require compliance training on this topic annually, often to meet minimum regulatory requirements. To better protect against these types of attacks, financial institutions should develop and employ ongoing training and awareness programs and implement “red team” programs. Red team programs simulate actual phishing and spear phishing attacks. The purpose of these programs is to heighten employee vigilance for fraudulent emails. Employees who are duped into opening malicious attachments under controlled conditions will learn to recognize actual phishing attempts from cybercriminals. Red teaming as part of an overall training program will help organizations build a solid anti-cybercrime culture.
