As much as $1bn has been stolen from 100 or more financial institutions around the world by a gang of multinational cyber-criminals, according to security software company Kaspersky.
Kaspersky has dubbed the gang “Carbanak”, after the name of the malware that the hackers use to steal money directly from people’s bank accounts. According to Kaspersky, the gang includes individuals from the European Union, Russia, Ukraine and China, and banks in Russia, Japan, Switzerland, the US and the Netherlands – among banks in a total of 30 countries – have been affected.
“Carbanak used carefully crafted emails to trick pre-selected employees into opening malicious software files, a common technique known as spear phishing. They were then able to get into the internal network and track down administrators’ computers for video surveillance,” claims Reuters.
It continued: “In this way… the criminals learned how the bank clerks worked and could mimic their activity when transferring the money.”
In some cases, the gang inflated targeted accounts with extra funds and then pocketed the extra cash in a fraudulent transaction. The account holder would not suspect that his account had been attacked and, indeed, might therefore fall under suspicion, rather than the bank suspecting an attack.
Kaspersky says that it is working with Interpol, Europol and other national crime agencies in order to track down the gang.
Kaspersky told Reuters that the gang has also used the Carbanak malware to remotely seize control of ATMs and order them to dispense cash at a predetermined time, when a gang member would be waiting to collect the money.
“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” Sanjay Virmani, director of Interpol Digital Crime Center, said in a statement prepared by Kaspersky. “It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures.”
The New York Times claims that suspicions were first aroused in late 2013 when a bank’s cash machine in the Ukrainian capital Kiev started dispensing cash at random times during the day. “Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment,” reports the newspaper.
The newspaper was given an exclusive preview of a report that Kaspersky is promising to publish on Monday.
Kaspersky claims that at least $300m has been stolen in transfers of up to $10m, although the gang typically transferred amounts much less than that to avoid arousing suspicion. It believes, though, that the total could be as much as $1bn or more. Banks in Russia were most heavily affected, indicating that this is where the attacks were coordinated from – quite possibly with official help at some level.
In a statement, the US Financial Services Information Sharing and Analysis Center said that “our members are aware of this activity. We have disseminated intelligence on this attack to the members”.
The New York Times concluded: “The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing.”
In some respects, the attacks are similar to recent attempts by gangs in the UK to infiltrate branches of Barclays and Santander to fit keystroke loggers to the banks’ PCs. It reflects how cyber criminals are moving from attacking and compromising individual accounts to attacking the weakest links at the banks themselves – their staff and their PCs.