$1 Billion Carbanak Heist Reminds Bankers of Continued Cybersecurity Risk
March 30, 2015 | Author: Neal C. Wise
Law Firm: Jones Walker LLP - Jackson Office

Global cybersecurity firm Kaspersky Lab released a report this week that a hacker gang dubbed "Carbanak" has looted as much as $1 billion from more than 100 banks in 30 countries worldwide. The report revealed two startling details in addition to the eye-popping amount of stolen money: (1) the thieves lurked in the banks' systems undetected for long periods of time, in some cases since 2013; and (2) the money was stolen directly from the banks, rather than from their customers.

As cyber threats remain in the news almost daily, with stories on several large retailers and a health insurer grabbing the spotlight due to their technological sophistication, this new report sheds light on how the Carbanak hackers used relatively unsophisticated techniques to carry out their attacks. The "spear phishing" attacks revolved primarily around hackers sending fake emails to bank employees that appeared to originate from other bank employees or familiar businesses. Once opened, attachments in these emails launched malware on the employees' computers that exploited a vulnerability in Microsoft Word (Microsoft has since patched this vulnerability).

Once in the banks' systems, the criminals were able to monitor employees' actions, even by taking over the computer video cameras and recording them, in order to learn the daily protocols and operations of their targets. In some cases, the hackers monitored victims for more than a year and slowly began mimicking their actions so as not to raise suspicion within the system. When the opportune time came, the criminals used online banking or international e-payment systems to transfer money from the banks' accounts to their own. In other cases, the hackers would inflate account balances in the banks' accounting system and withdraw the extra funds in fraudulent transactions or order ATMs to dispense cash at a pre-determined time.

The relatively unsophisticated method of intrusion, fictitious emails sent to employees, should remind financial institutions of their ongoing need to train employees regarding workplace emails and the need to update software programs regularly. As the cybersecurity battle continues to grow, financial institutions should ensure their networks and protocols are up to date and evolving in order to keep up with the increasing risk. The FFIEC's "Cybersecurity Assessment General Observations," issued November 3, 2014, is a useful guide in these efforts.