A hacking gang is suspected of stealing vast sums from banks worldwide for two years with apparent ease. How can a repeat be averted?
Good news! A major hack you don't have to worry about! Unless, that is, you happen to be an executive or security employee at one of the hundreds of banks targeted by the group that has come to be known as Carbanak or Anunak.
If you are, then you have a problem, because these hackers – and no doubt others to come – aren't targeting banking consumers but the internal systems of banks, silently monitoring them and subtly defrauding them. Unlike most cybercrime, this wasn't a hold-up, but a bank heist – the kind that could ultimately affect both consumers and governments. And that's why we should all be paying attention.
Skill-wise, the attack is at a similar level to November's Sony Pictures hack. (So much for the FBI's claim that the Sony hack was unprecedentedly scary.) It was a long-term effort, professionally executed, and required a fair amount of organisation and coordination to pull off.
These aren't just script kiddies stealing people's credit-card numbers. The hackers managed to compromise the systems of banks, but rather than immediately grabbing information and alerting targets to their presence, they would quietly observe the inner workings and transactions for months. They were then in a position to subtly manipulate the system in order to cash out. According to a report from software-security company Kaspersky Lab, the hackers obtained up to $1 billion through dozens of attacks over the past two years.
Systems compromised
There are several things worth noticing. One is that the initial compromises of the systems were possibly the simplest and dumbest aspects of the attacks. The hackers would enter a system through the tried-and-true method of "phishing" – sending emails to employees that purport to come from a trusted sender inside the company. (Attacking a specific organisation through this approach is called "spear phishing".) The employee opens an attachment in the email, which immediately compromises the system.
These hacks used Windows and Office document files that, when opened, injected malware into the target's computer, more or less giving the hackers total control.
What they did with this control, however, was more sophisticated. The hackers monitored the keystrokes of the computer and took screenshots every 20 seconds, giving them a very clear picture of the daily internal workings of a bank. And instead of attacking customer accounts, which are more closely monitored for fraud, the hackers went after internal fund mechanisms.
First, they inserted fake transactions into the SWIFT transfer network to distribute money to other banks and credit cards. Second, and rather ingeniously, they attacked ATMs directly. Seizing central control of the banks' ATMs, they set them to spit out cash spontaneously and then had their accomplices ("money mules," as Kaspersky terms them) visit the terminals at the right time to collect the dosh.
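A detection that follows directly from the ATM cash-out described above: a legitimate dispense is preceded by a card authorization from the bank's host, whereas a dispense triggered from the ATM controller has none. The reconciliation below is an added illustration, not code from the article or from Kaspersky's report; the log record layout, the matching window and the sample events are constructed for the example and will differ from any real ATM switch.

```python
"""Reconcile ATM cash-dispense events against card authorizations.

Added illustration (not from the article or Kaspersky's report). The
record layouts below are constructed; real ATM controller and host
logs differ, but the principle is the same: every dispense should be
explained by an authorization, and a burst of unexplained dispenses
across several machines is the signal to escalate.
"""
from datetime import datetime, timedelta

# Constructed sample data: dispense events as the ATM controller reports
# them, and authorizations as the card host records them.
DISPENSES = [
    {"atm": "ATM-0141", "time": "2015-02-10T09:12:05", "amount": 200},
    {"atm": "ATM-0141", "time": "2015-02-10T23:41:10", "amount": 5000},
    {"atm": "ATM-0377", "time": "2015-02-10T14:02:44", "amount": 100},
    {"atm": "ATM-0377", "time": "2015-02-10T23:42:03", "amount": 4800},
]
AUTHORIZATIONS = [
    {"atm": "ATM-0141", "time": "2015-02-10T09:12:00", "amount": 200, "pan_last4": "4421"},
    {"atm": "ATM-0377", "time": "2015-02-10T14:02:40", "amount": 100, "pan_last4": "0093"},
]

# Assumed tolerance between host authorization and physical dispense.
MATCH_WINDOW = timedelta(seconds=30)


def _ts(s):
    return datetime.fromisoformat(s)


def unmatched_dispenses(dispenses, authorizations, window=MATCH_WINDOW):
    """Return dispense events that no authorization explains.

    A match requires the same ATM, the same amount and a timestamp within
    `window`; each authorization can explain at most one dispense.
    """
    unused = list(authorizations)
    unmatched = []
    for d in dispenses:
        dt = _ts(d["time"])
        match = None
        for a in unused:
            if (a["atm"] == d["atm"] and a["amount"] == d["amount"]
                    and abs(_ts(a["time"]) - dt) <= window):
                match = a
                break
        if match is None:
            unmatched.append(d)
        else:
            unused.remove(match)
    return unmatched


def cluster_by_time(events, gap=timedelta(minutes=5)):
    """Group unmatched dispenses that occur within `gap` of each other.

    Collection by mules is coordinated, so unexplained dispenses tend to
    arrive as a burst across machines rather than as isolated events.
    """
    events = sorted(events, key=lambda e: _ts(e["time"]))
    clusters, current = [], []
    for e in events:
        if current and _ts(e["time"]) - _ts(current[-1]["time"]) > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    suspicious = unmatched_dispenses(DISPENSES, AUTHORIZATIONS)
    for c in cluster_by_time(suspicious):
        total = sum(e["amount"] for e in c)
        atms = sorted({e["atm"] for e in c})
        print(f"{len(c)} unexplained dispense(s) totalling {total} "
              f"on {atms} between {c[0]['time']} and {c[-1]['time']}")
```

On the constructed data the two daytime withdrawals reconcile and the two late-night dispenses do not, and because they fall within five minutes of each other on different machines they surface as a single cluster worth a phone call to the ATM operations team. The value of the check is that it uses data the bank already has and does not depend on spotting the malware itself.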
The exact scope of the attack is still up for debate. According to Kaspersky, the group targeted banks in 30 countries, though primarily in Russia, and obtained about $1 billion. A more detailed, earlier report from December by Group-IB and Fox-IT confined the attacks to Russia and placed the damage in the hundreds of millions.
Phishing threat
Until banks can keep their employees from opening bad links and files inside phishing emails, they must simply assume that they are quite vulnerable to attack.
In terms of efficiency, these attacks are vastly more impressive than most hackers can ever hope to achieve. Though the efforts required time, each individual compromise raked in $10 million. Each hack remained undetected for its duration, and some banks were compromised multiple times.
Because almost none of the money was tied to any particular customer's account, the thefts were mostly invisible to consumers, so no individuals raised red flags.
Plus, consumers face bigger threats from the more recent Dyre and Dridex banking Trojans, which hijack browsers to obtain user credentials, even managing to defeat two-factor authentication in some cases.
For banks and other institutions, though, Carbanak's sophisticated attacks are scary for two reasons. Along with the Sony hack, these kinds of breaches entail obtaining long-term and in-depth access to targeted systems in order to cause the most damage, financial or otherwise. That means there are two facets of security that companies need to worry about.
First, there's that primitive initial compromise. It's somewhat embarrassing that a phishing attack can end up compromising more or less all of a bank's systems, but that's exactly what happened here. There was no complicated exploit of some unknown security hole or cracking of passwords; an employee just needed to open an attachment (usually a Word document) in a phishing email, which then exploited known vulnerabilities in unpatched Office software. These vulnerabilities were patched by Microsoft years ago (most recently in March 2014).
So, at a minimum, banks need to keep their software updated with security fixes, but beyond that, they also need to scan all incoming attachments and clamp down on the ease with which employees open them.
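One concrete form the attachment screening described above can take is a gateway policy that judges each file by its content rather than its name: outright executables are refused, Office documents that carry macro code are held for review, and legacy binary formats that the screener cannot verify are held as well. The code below is an added illustration, not the article's or any vendor's product; the extension lists, file signatures, verdict categories and sample attachments are constructed, and a real gateway would additionally detonate documents in a sandbox and check signatures that are kept current.

```python
"""Screen inbound e-mail attachments before delivery.

Added illustration, not code from the article or any vendor product.
The policy lists, the magic-byte table and the sample attachments are
constructed for the example. Verdicts: 'block' (never deliver),
'hold' (quarantine for review), 'allow'.
"""
import io
import zipfile

# Executable and script types that have no business arriving by e-mail.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Macro-enabled Office Open XML formats.
MACRO_ENABLED_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Legacy binary Office formats (OLE compound files); may carry macros and
# cannot be verified as clean without a full parser, so they are held.
LEGACY_OFFICE_EXT = {"doc", "xls", "ppt"}

# File signatures checked against the bytes, regardless of the extension.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",
    b"%PDF": "pdf",
}


def sniff(data):
    """Classify content by leading bytes; the filename is not trusted."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def ooxml_has_vba(data):
    """Office Open XML files are ZIP packages; VBA code lives in vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def screen(filename, data):
    """Return (verdict, reason) for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    # Extension says executable, or the bytes do (a renamed .exe is still MZ).
    if ext in BLOCKED_EXT or kind == "pe-executable":
        return "block", f"executable content ({ext or kind})"
    if ext in MACRO_ENABLED_EXT:
        return "hold", "macro-enabled Office document"
    # A .docx that secretly carries a VBA project is treated like a .docm.
    if kind == "zip" and ooxml_has_vba(data):
        return "hold", "Office document contains a VBA project"
    if ext in LEGACY_OFFICE_EXT or kind == "ole-compound":
        return "hold", "legacy Office format, macro status unverified"
    if kind == "unknown":
        return "hold", "unrecognised file type"
    return "allow", kind


def make_ooxml(with_vba):
    """Build a minimal constructed Office Open XML package for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample attachments (filename -> bytes).
SAMPLES = {
    "invoice.docx": make_ooxml(with_vba=False),
    "quote.docx": make_ooxml(with_vba=True),        # macro hidden behind a plain extension
    "invoice.docm": make_ooxml(with_vba=True),
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "statement.pdf.exe": b"MZ" + b"\x00" * 16,      # double extension
    "photo.jpg": b"MZ\x90\x00",                     # executable renamed as an image
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = screen(name, data)
        print(f"{name:20} {verdict:6} {reason}")
```

The point of sniffing bytes before trusting the name is that a renamed executable and a double-extension file both end up blocked, while the two documents that carry VBA code are held regardless of whether the sender chose a .docx or a .docm name. Keeping Office patched, as the paragraph above says, remains the first line of defence; this screen is the second, for the exploit that arrives before the patch.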
If you would like to reuse any content from New Scientist, either in print or online, please contact the syndication department first for permission. New Scientist does not own rights to photos, but there are a variety of licensing options available for use of articles and graphics we own the copyright to.