Spear-Phishing: How hackers use everyday looking emails to steal your financial information and how they stole $10 Billion from banks in Q4 2014
By: Michael Bascom

Malware, spyware, ransomware. We hear these terms in the background of the daily news. They are seemingly vague threats that exist on the periphery of our knowledge until they become a problem. The most recent event is one of the largest bank thefts in history. An organized and technically capable group penetrated up to one hundred banks across thirty countries. This multi-year crime has netted the villains an estimated one hundred million dollars, with some estimates placing the figure in the billion-dollar range. It all started small, with just an e-mail and a Word document. Network accounts at banks in the US, Russia, China and many other countries were compromised by a targeted email, a technique called spear-phishing. These emails looked like the normal memo and office-document static that floods our collective email boxes every day, but they installed a remote access tool and viewer that called home to the thieves to report that it was installed. Once installed, the criminals behaved differently from the normal smash and grab: they waited.

They slowly compromised other systems until they had the keys to the kingdom. Once the administrator and system operator accounts were compromised, they recorded the screens and daily actions of bank employees, then crafted transactions that looked genuine. In some cases they would inflate an account balance for a few scant minutes, moving an account with $1,000 to $10,000, and then transfer $9,000 to accounts they controlled. In other cases they scripted ATMs to dispense thousands of dollars without any interaction; a "mule" member of the gang would show up at the appointed time to pick up the ill-gotten gains. In a few cases they compromised the banks' international wire service and transferred out millions, where the only limit was the group's self-imposed ten million dollar limit. Even this limit was not a charitable measure: they had determined the amounts they could abscond with before major flags were tripped.

The average time from the first infection to cash-out was 3 months. These infections started in August 2013 and continued hitting targets until late 2014. This was a well-organized group with its eyes on a big prize. They watched, waited and crafted attacks to meet the need. The malware used is called Carbanak, and it can be a difficult threat to detect. Many vendors are updating their definitions to match the new threat, but here are the things to look out for:

  1. A Paexe file: this file will normally live in Windows\catalog, giving the attackers command of the system.
  2. Files with a .bin extension in \All Users\%AppData%\Mozilla\ or c:\ProgramData\Mozilla.
  3. A svchost.exe file in Windows\System32\com\ catalog.
  4. Among the active Windows services, services whose names end in "sys" that duplicate a similar service without the "sys" suffix.
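As an added example (not from the original post), here is a read-only PowerShell hunt for the four indicators listed above, suitable for running from an elevated prompt on a suspect workstation. The folder paths are built from environment variables, and the `paexe*` file-name pattern and the `System32\com` and `System32\com\catalog` sub-folders are assumptions derived from the list, so check them against your vendor's current write-up before relying on the results.

```powershell
# Added example: read-only check for the Carbanak indicators in the post.
# Folder names and the paexe* pattern are assumptions based on the list above.
function Find-CarbanakIndicators {
    $findings = @()

    # 1. A Paexe file under Windows\catalog
    $catalog = Join-Path $env:windir 'catalog'
    if (Test-Path $catalog) {
        Get-ChildItem -Path $catalog -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'paexe*' } |
            ForEach-Object { $findings += "Paexe file: $($_.FullName)" }
    }

    # 2. .bin files under ProgramData\Mozilla (the post's \All Users\%AppData%\Mozilla)
    $mozilla = Join-Path $env:ProgramData 'Mozilla'
    if (Test-Path $mozilla) {
        Get-ChildItem -Path $mozilla -Recurse -File -Filter '*.bin' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += ".bin file: $($_.FullName)" }
    }

    # 3. svchost.exe in System32\com (or its catalog sub-folder); the real one lives in System32
    $comDirs = @((Join-Path $env:windir 'System32\com'), (Join-Path $env:windir 'System32\com\catalog'))
    foreach ($dir in $comDirs) {
        $candidate = Join-Path $dir 'svchost.exe'
        if (Test-Path $candidate) { $findings += "Rogue svchost.exe: $candidate" }
    }

    # 4. Services whose name ends in "sys" and shadows a service without that suffix
    $names = (Get-Service).Name
    foreach ($n in $names) {
        $base = $n -replace 'sys$', ''
        if ($n -match 'sys$' -and $names -contains $base) {
            $findings += "Suspicious service pair: $n / $base"
        }
    }

    return $findings
}

$hits = Find-CarbanakIndicators
if ($hits.Count -eq 0) { 'No Carbanak indicators found.' } else { $hits }
```

A hit on any item is a reason to isolate the host and pull it into incident response, not proof of infection on its own; a clean result does not rule out a newer variant with different paths.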

Hope is not lost for businesses: as the attackers get better, the security posture across the land rises to the challenge. The question for businesses is not if a compromise will occur, it is when. If you're in the C-suite or the owner's box and you haven't asked the question, "How's our security looking?", you should.
