Cybercriminal Offers a “How To” Guide for Robbing Banks; Uses Cayman National Bank as the Example

PhineasPhisherThis latest document from notorious hacker Phineas Phisher, along with a leaked report from PwC, shows how easy it is for a bank to be hacked and defrauded.

You might think that stealing money from a bank is tough – you need to gain access to the network, figure out how money is transferred, what security they use, what monitoring is in place, and how to insert your own transactions into the process.

But the recently-released “how-to” manifesto from Phineas Phisher documents every step taken as he opportunistically hacked the Cayman National Bank back in 2016. Using little more than a network scan looking for VPNs with a known vulnerability, Phisher was able to gain access to the bank. He was able to maintain access without detection for months even before attempting his first transaction. According to a leaked forensics report from PwC (WARNING: the link points to a PDF that some AV solutions don’t trust… proceed with caution), Phisher was about to compromise seven systems, leverage internal credentials, and attain “unrestricted administrative access” to the bank’s network.

According to Phisher, the only reason he picked this bank is because he got a hit on his network scan, saw it was a Cayman bank, and “thought it would be fun”. Scary stuff.

Banks looking to protect themselves from such attacks should consider the following precautions:

  • Patch all known vulnerabilities. Vulnerability scanning and management would also be appropriate.
  • Implement least privilege. Phisher was about to laterally move; restricting what accounts can do will slow down an attacker’s movement.
  • Train users to be vigilant with Security Awareness Training. According to PwC, at least 4 user endpoints were compromised during this hack. Teaching users to watch for unusual application activity or malicious emails can help stop an attack in its tracks.

The casual nature of this attack should make banks worried; if this is what a hacker can do “for fun”, think about what can happen when a hacker is attacking your bank on purpose.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews