Russian cybersecurity firm Kaspersky Lab says it has discovered evidence that as many as 100 banks in 30 nations (including the US) may have lost a total of nearly a billion dollars to hackers running a massive cybertheft ring.
In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever — and one conducted without the usual signs of robbery.
The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.
Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.
The majority of the targets were in Russia, but many were in Japan, the United States and Europe.
No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.
But the industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”
How'd they do it? You know all those times your company's IT department says "Don't open weird emails in your work account?" Bank employees did just that, and ended up installing a piece of malware called "Carbanak" on bank computers. It would secretly record keystrokes and screenshots of bank transfers at local branches to learn procedures and passwords, and leave the PCs vulnerable to remote access from outside the bank.
Then once they had the keys to the kingdom, they would send money to fake accounts, make wire transfers to overseas accounts, or even make ATMs dispense money at certain times. As a former bank IT employee, I can tell you the number one vulnerability of any bank network is the people who access it daily.
Think about how much of a pain in the ass it is to change your network password at work. Believe me, the higher up in a company you are, the more likely it is that you're going to ignore procedures, and the bigger the target you make for social engineering hacks like this one. Eventually a hack like this is going to get hold of an account that has the authorization to make these multimillion-dollar transfers, and boom. Gone. Temporarily add some zeroes to the end of one account balance and transfer the extra away. It's the oldest bank hack trick in the book.
At best, bank protection departments have way too many accounts to manage. Finding these hit-and-run transfers is nearly impossible because by the time the bank figures out what happened, it's too late. No red flags or alarms get raised because the attack comes from authorized accounts.
So yes, listen to your IT guys for once.
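
The inflate-and-transfer pattern described above leaves a trace that does not depend on who was logged in: a balance increase with no incoming funds behind it, followed by an outbound transfer of the same size. A reconciliation check for that pattern, as an added example (not from the original post or from Kaspersky's report); the ledger format, account IDs, operator names and the one-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ledger, not real data: (time, account, kind, amount, operator).
# "adjust" is a manual balance edit with no incoming funds behind it.
LEDGER = [
    ("2015-02-10T09:00", "ACC-1001", "deposit", 2500, "teller07"),
    ("2015-02-10T09:05", "ACC-1001", "transfer_out", 2500, "teller07"),
    ("2015-02-10T11:00", "ACC-2002", "adjust", 9000, "ops_admin3"),
    ("2015-02-10T11:20", "ACC-2002", "transfer_out", 9000, "ops_admin3"),
    ("2015-02-10T13:00", "ACC-3003", "adjust", 40, "ops_admin1"),
    ("2015-02-12T13:00", "ACC-3003", "transfer_out", 40, "teller02"),
]

def find_inflate_then_drain(events, window=timedelta(hours=1), tolerance=0.01):
    """Return alerts for a manual balance increase followed, within `window`,
    by an outbound transfer of about the same amount from the same account.
    The operator's authorization level is deliberately not consulted."""
    alerts = []
    pending = {}  # account -> unmatched adjustments as (time, amount, operator)
    for ts, account, kind, amount, operator in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "adjust" and amount > 0:
            pending.setdefault(account, []).append((when, amount, operator))
        elif kind == "transfer_out":
            for adj in pending.get(account, []):
                adj_when, adj_amount, adj_op = adj
                close_in_time = when - adj_when <= window
                same_size = abs(amount - adj_amount) <= tolerance * adj_amount
                if close_in_time and same_size:
                    gap_minutes = int((when - adj_when).total_seconds() // 60)
                    alerts.append({"account": account, "amount": amount,
                                   "adjusted_by": adj_op, "sent_by": operator,
                                   "minutes_apart": gap_minutes})
                    pending[account].remove(adj)
                    break  # one transfer is matched to at most one adjustment
    return alerts

if __name__ == "__main__":
    for alert in find_inflate_then_drain(LEDGER):
        print(alert)
```

Only ACC-2002 is flagged: the funded deposit on ACC-1001 and the adjustment on ACC-3003 that is spent two days later fall outside the rule.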