In what’s being called the biggest bank heist in history, hackers have stolen $300 million – and possibly as much as $1 billion – from banks around the world since 2013.
The majority of the targets were in Russia, but many were in Japan, the U.S. and Europe.
More than 100 banks and other financial institutions in 30 nations have been affected, making it one of the largest bank thefts ever and one conducted without the usual signs of robbery.
Kaspersky Lab, Interpol, Europol and authorities from different countries joined forces to uncover the plot, which is being called an “unprecedented cyber robbery.” The cybercriminals come from Russia, Ukraine, China and Europe.
Kaspersky researchers described a Hollywood-style scheme in which attackers used an arsenal of attack tools and techniques to siphon massive amounts of money directly from banks rather than targeting end-user banking customers.
Through its investigations to date, the security company said it has evidence of roughly $300 million being stolen by the cybercriminals but believes the total could be upward of $1 billion.
The attacks, which are still active, focus mainly on banks in Russia. But many have been successful in Japan, the Netherlands, Switzerland and the United States. They all use roughly the same modus operandi. The bank’s internal computers, used by employees who conduct bookkeeping and process daily transfers, were penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group how the bank conducted its daily routines.
“In most cases,” reported SecurityWeek, “networks were compromised for between two to four months before the attackers made off with stolen funds … adding that during that period of time, attackers were able to get access to the right victims and critical systems and learn how to operate their tools and systems to execute the cyber heists.
“The security firm estimated that the largest sums were grabbed by hacking into banks and stealing up to ten million dollars in each raid. According to the report, one victim lost roughly $7.3 million due to ATM fraud, and another lost $10 million as a result of attackers exploiting its online banking platform.”
Then the group impersonated bank officers by turning on various cash machines as well as transferring millions of dollars from banks in Russia, Japan, Switzerland, the U.S. and the Netherlands into dummy accounts set up in other countries.
Bank security was penetrated when hackers sent emails containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank’s administrative computer. The malware installs programs that record keystrokes and take screenshots of the bank’s computers, so hackers can learn bank procedures. The programs also enable hackers to control the bank’s computers remotely.
Moscow-based Kaspersky Lab says it has seen evidence of $300 million in theft through clients and believes the total could be triple that amount. But the projection is impossible to verify, because the thefts were limited to $10 million per transaction, though some banks were hit several times. In many cases, the hauls were more modest, presumably to avoid setting off alarms.
Kaspersky summarized how the money was stolen:
- When the time came to cash in on their activities, the criminals used online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case, the stolen money was deposited with banks in China or in the U.S. The experts do not rule out the possibility that other banks in other countries were used as receivers.
- In other cases, cybercriminals penetrated into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: If an account has $1,000, the criminals change its value so it has $10,000 and then transfer $9,000 to themselves. The account holder doesn’t suspect a problem because the original $1,000 is still there.
- In addition, the cyber thieves seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s henchmen was waiting beside the machine to collect the “voluntary” payment.
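The balance-inflation case in the summary above leaves the account showing its original $1,000, so a check of the final balance alone passes. The following is an added example, not taken from the Kaspersky report or any bank's systems, of how reconciling stored balances against the posting journal exposes it. The account IDs, record layout and sample data are constructed, and it assumes the bank keeps a journal of postings separate from the balance field.

```python
from decimal import Decimal

# Constructed sample data (assumed schema, not from the report).
OPENING = {"ACC-1": Decimal("1000"), "ACC-2": Decimal("2500")}

# Posting journal: (time, account, signed amount, reference).
JOURNAL = [
    (1, "ACC-2", Decimal("400"), "salary credit"),
    (3, "ACC-1", Decimal("-9000"), "outbound transfer"),
    (4, "ACC-2", Decimal("-150"), "card payment"),
]

# Stored balances read from the accounts table: (time, account, balance).
SNAPSHOTS = [
    (2, "ACC-1", Decimal("10000")),  # value edited directly, no journal credit
    (2, "ACC-2", Decimal("2900")),
    (5, "ACC-1", Decimal("1000")),   # looks untouched to the account holder
    (5, "ACC-2", Decimal("2750")),
]


def reconcile(opening, journal, snapshots):
    """Compare each stored balance with opening balance plus journal postings."""
    findings = []
    for snap_time, account, stored in sorted(snapshots):
        posted = sum((amt for t, acc, amt, _ in journal
                      if acc == account and t <= snap_time), Decimal("0"))
        expected = opening[account] + posted
        if stored != expected:
            findings.append({"time": snap_time, "account": account,
                             "stored": stored, "expected": expected,
                             "unexplained": stored - expected})
    return findings


def inflate_then_drain(findings, journal):
    """Flag an unexplained increase that a later debit of equal size removes."""
    hits = []
    for f in findings:
        for t, acc, amt, ref in journal:
            if acc == f["account"] and t > f["time"] and -amt == f["unexplained"]:
                hits.append((acc, f["unexplained"], t, ref))
    return hits


if __name__ == "__main__":
    found = reconcile(OPENING, JOURNAL, SNAPSHOTS)
    print(found)
    print(inflate_then_drain(found, JOURNAL))
```

ACC-1 is flagged at both snapshots: at time 2 for the inflated value, and at time 5 because the journal holds a $9,000 debit with no matching credit even though the stored balance is back to $1,000.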
No bank has come forward to acknowledge the theft. The American Bankers Association declined to comment. Douglas Johnson, an executive with the ABA, said the group would let the financial services center’s statement serve as the only comment.
The industry consortium, the Financial Services Information Sharing and Analysis Center, issued a statement that “our members are aware of this activity.”
“We have disseminated intelligence on this attack to the members,” and “some briefings were also provided by law enforcement entities.”
“With the automation of banking, this is something that will continue to happen,” Mark Thornton, senior fellow economist at the Mises Institute, told WND in an interview.
“It’s baked into the cake. Banking will become more and more automated, so cyber-security is something they’ll have to deal with. Criminals will get the upper hand, then banks will incorporate more secure systems, and there will be a back-and-forth between criminals and banks with security. It’s a fact of life.”
Cyber-security affects customer confidence, which is why banks require security firms not to disclose which banks have been hacked, or for how much, so they can fix the problem without undermining consumer confidence.
“There have been many of these heists,” said Thornton. “Not just stealing from banks, but also hacking into retailers’ credit card systems, as happened with Target in late 2013. Most, if not all of the time, the customer isn’t harmed; it’s the company that’s harmed. As a result, banks and retailers seek out enhanced security so criminals are less likely to be able to detect patterns.”
Thornton said a common form of security breach is for criminals to scrutinize banks’ or retailers’ emails for patterns and templates to learn about weekly or monthly events or procedures. They then send a very similar email to employees so it appears the employee is receiving a standard, dependable email message.
But the fake email contains malware, which is downloaded into the computer system to give the criminals remote access to the bank or credit card system.
“The bank must constantly improve their security procedures,” concluded Thornton. “They’re upgrading all the time.”