Carbanak is one of the dreaded attacks which is reported to have been used to steal over $1 billion from the Banking systems since 2013. After a brief absence, security specialists now report that the attack is active once again.
Investigators estimated at the time that the attackers breached the networks of more than 100 banks across 30 countries, stealing up to $1 billion. JP Morgan Chase and the Agricultural Bank of China are reported to have suffered heavy damages on account of Cabanak attack.
The attackers either transferred money to their own accounts, ordered the money distributed to remote ATMs where an associate waited to receive or, in some cases, penetrated the banks’ accounts systems to change bank balances and then order transfers. The attack went undetected for periods in excess of 18 months.
Unlike other attacks that target the customers of the Bank, Carbanak is an APT (Advanced Persistent Threat) designed to attack the Banking systems directly and execute transactions without the need to impersonate the online users. It also attacks the internal financial systems of large corporations.
Carbanak is a well organized system that uses several known exploitation techniques executed as an organized industry effort.
Initial infiltration was achieved through spear phishing and exploit laden attachments that compromised employee endpoints with malware, eventually stealing the credentials and taking over control. Once inside, the security controls are weak and enable the attacker to simply execute fund transfer transactions with ease.
The latest variant of the attack indicates that this is a mix of multi channel fraud that abuses both online and physical systems from within and via the banks’ service channels.
The attackers did the following:
- Infected computers attached to ATMs so the machines dispensed cash at the same time the gang’s mules were there to pick it up;
- Compromised internal Oracle databases, created fraudulent accounts, issued cards and modified account balances to wire out more money each time;
- Abused the Society for Worldwide Interbank Financial Telecommunication system to move large amounts of money into accounts they controlled;
- Used the online banking vector for e-pay fraud and fraudulent transactions.
Experts are of the view that Carbanak attack was preventable. It was a well-orchestrated crime operation but not necessarily considered a sophisticated operation at technical level. It was the failure to protect the end point systems of the employees that enabled unsafe downloads to start with and subsequent failure to detect and stop exfiltration of data that led to the success of the operation.
In another attack involving malware known as Metal and Corkow, attackers infected the target bank’s corporate networks via spearphishing e-mails.
In one of the Russian banks hit by this attack , it was discovered that millions of rubles were withdrawn by its customers in one night from the ATMs of other financial institutions. An investigation revealed that the attackers actually gained access to the bank’s money processing systems and made some changes to automatically roll back ATM transactions.
This allowed the gang’s members to withdraw money from several ATMs and the balance on their cards remained the same.
In yet another attack named GCMAN, a time based script executed fund transfer instructions of $200 every minute to multiple e-currency services without being reported to any system within the Bank.
These developments indicate that as Banks and Large corporates migrate to the use of Digital ways of doing business, they are exposed to risks that need to be addressed with a greater resolve than they are doing at present.
The Cyber Insurance industry also has to look at how they would be able to cover such risks and how they will treat the failure of security for extended periods of time.