Customer Records and Money Compromised By Carbanak
The number of data records compromised in the Carbanak malware campaign is reportedly the largest so far attributed to a single cybercrime syndicate.
This particular campaign began with a spear-phishing email carrying a CPL attachment; in other cases, Word documents exploiting known vulnerabilities were used instead. When the attachment was opened, the attackers' shellcode ran and installed a backdoor based on Carberp on the bank's system. That backdoor became known as Carbanak. It was designed for data exfiltration, remote control of accounts and espionage.
Once inside the network, the attackers performed manual reconnaissance on the computers of administrators. From there they moved laterally through the network until they reached the system of interest, which varied from attack to attack. What all these attacks had in common is that, from that point on, it was possible to siphon money from the compromised accounts.
In order to understand how each banking institution operated, infected computers were used to record screen video that was then sent to the command and control servers. Even when the video quality was poor, it was still legible enough for the thieves to obtain the data they needed. Combined with key-logged data, this let them understand what each victim was doing, which gave them the knowledge they needed to cash out the money.
How The Money Was Retrieved By The Crooks
Apparently the money was cashed out in several ways:
1. ATMs were remotely instructed to dispense cash, without any interaction at the ATM itself.
2. The SWIFT network was used to move money out of the infected organization and into the criminals' accounts.
3. Databases holding account information were altered to create fake accounts with a relatively high balance, and "mules" were then used to collect the stolen money.
The main difference is that these attackers did not treat data as their target; their real target was money. Their defining feature, though, is persistence.
The attack is named Carbanak because it is based on Carberp and its configuration file is named "anak.cfg". Its purpose was to infiltrate the financial institutions' networks in search of the critical systems that could then be used to steal money. Once a significant amount had been stolen, the attackers abandoned their victim.
Financial institutions have always been primary targets for cyber criminals, but almost always through their customers. This time the attackers targeted the financial institutions directly, in an unprecedented, coordinated and highly professional operation, using any means available within the targeted institution to cash out as much money as possible.
Each bank robbery took, on average, between two and four months from the first computer infection on the financial institution's network until the final cash-out. The cyber criminals stole approximately $1 billion in total, and unfortunately they are still active.