Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Cybercriminal Offers a “How To” Guide for Robbing Banks; Uses Cayman National Bank as the Example

    PhineasPhisherThis latest document from notorious hacker Phineas Phisher, along with a leaked report from PwC, shows how easy it is for a bank to be hacked and defrauded.

    You might think that stealing money from a bank is tough – you need to gain access to the network, figure out how money is transferred, what security they use, what monitoring is in place, and how to insert your own transactions into the process.

    But the recently-released “how-to” manifesto from Phineas Phisher documents every step taken as he opportunistically hacked the Cayman National Bank back in 2016. Using little more than a network scan looking for VPNs with a known vulnerability, Phisher was able to gain access to the bank. He was able to maintain access without detection for months even before attempting his first transaction. According to a leaked forensics report from PwC (WARNING: the link points to a PDF that some AV solutions don’t trust… proceed with caution), Phisher was about to compromise seven systems, leverage internal credentials, and attain “unrestricted administrative access” to the bank’s network.

    According to Phisher, the only reason he picked this bank is because he got a hit on his network scan, saw it was a Cayman bank, and “thought it would be fun”. Scary stuff.

    Banks looking to protect themselves from such attacks should consider the following precautions:

    • Patch all known vulnerabilities. Vulnerability scanning and management would also be appropriate.
    • Implement least privilege. Phisher was about to laterally move; restricting what accounts can do will slow down an attacker’s movement.
    • Train users to be vigilant with Security Awareness Training. According to PwC, at least 4 user endpoints were compromised during this hack. Teaching users to watch for unusual application activity or malicious emails can help stop an attack in its tracks.

    The casual nature of this attack should make banks worried; if this is what a hacker can do “for fun”, think about what can happen when a hacker is attacking your bank on purpose.

     

    Return To KnowBe4 Security Blog

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    PST ResultsHere's how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

    Topics: Phishing, Security Awareness Training

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews