More than 100 financial institutions in 30 countries have been the victim of a cyberheist that lasted in some cases almost 2 years. This was not a smash-and-grab but a highly sophisticated operation that managed to stay under the radar and inside bank networks for a very long time.
And how did this gang get into the networks? The Times report said they sent spear-phishing emails to employees, some of whom clicked on the bad links and infected their workstation. Once the bad guys had access, they tunneled into the network and found the employees who were in charge of cash transfer systems or ATMs.
The next step was they installed a remote access Trojan, which gave them full access so they could study what these key employees did. At that point they were able to tell ATMs to dispense cash or transfer larger amounts to accounts all over the world. It boils down to the conclusion that well over 100 bank networks (that we know of) have been pwned for years, and the attacks are likely still be happening.
Chris Doggett, who manages Kaspersky North America, told the Times: "This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert."
Kaspersky called them the "Carbanak cybergang" because of the name of the malware they used. Most of the banks that were hit are in Russia, but also on the list are ones in Japan, Europe and the United States. Kaspersky could not release the names of the banks because of nondisclosure agreements. The Times said that The White House and FBI have been briefed on Kaspersky Lab's findings, and Interpol is coordinating an investigation. Here is the full article.
Kevin Mitnick, KnowBe4's Chief Hacking Officer tweeted: "Even after 20 years, social engineering is still the easiest way into a target's network and systems, and it's still the hardest attack to prevent."
You would expect that especially in the financial industry, employees would be trained within an inch of their lives to not fall for tricks like that. Apparently some of these organizations still need new school security awareness training to make sure they don't. And it's really needed for every employee in any organization, not just banks. Find out now how affordable this is for your employees.