Billion-dollar Carbanak heist blamed on poor staff cybersecurity training

Post-mortem analysis of the high-profile Carbanak banking heist continues to suggest that the $1 billion-plus series of attacks not only represents a high-water mark in the panoply of major crimes, but was executed by cybercriminals exploiting the same sort of human weaknesses that security experts have been warning about for decades.

The attacks – which saw over 100 financial institutions compromised in 30 countries, including Australia – were instigated through the use of widespread spear-phishing, in which criminals trick employees into opening malware-containing attachments by peppering them with emails that include relevant information to seem legitimate.

Once internal systems were compromised, the cybercriminals simply watched and waited, using keylogging and screen-scraping features to collect passwords to bank systems and – importantly – to watch everyday activities so as to learn what was considered normal.

This allowed the perpetrators to fly under the radar as they systematically looted bank accounts and covered their tracks with creative accounting. Related penetrations of banks' ATM networks would see ATMs set to dispense money into the hands of perpetrators waiting in front of their cash chutes.

The whole process, which Kaspersky Lab, the firm that uncovered Carbanak, has suggested went on for two years, “has been quite ingenious,” Gary Gardiner, ANZ director of engineering with security firm Fortinet, told CSO Australia.

“They're using remote access tools that are common and used by IT departments,” he explained, “but these have been designed to run without any input from the user. It's not as though they've attacked the banks themselves; these criminals have used the bank's own systems and transactional processes to steal the money.”

Vendors' broader participation in threat-intelligence networks like the Cyber Threat Alliance had built a broader defence that has proved highly effective in keeping up with new attacks, Gardiner said, noting that signatures for the Carbanak malware had been available for over 4 months.

However, even those efforts would struggle unless customers played along by keeping up with signature updates and adding tools that can scan outgoing traffic for command-and-control (C&C) communications.

“If organisations believe they are a target, they really need to update their antivirus and scan all their systems,” Gardiner said. “There's technology to stop the C&C side of it at the gateway, so that even if your systems are infected they're not capable of calling out. It's all we really can do.”

Stu Sjouwerman, chief hacking officer with security consultancy KnowBe4, said in a statement that spear-phishing is “one of the most preventable and affordable” attack vectors to block.

“You would expect the finance industry to set the bar very high and have employees trained within an inch of their lives not to fall for such an attack,” Sjouwerman said.

“We would highly encourage financial institutions to take a look at their training methods and beef them up accordingly. Security Awareness Training allows you to put in place a more effective human firewall and protect your corporate and financial assets.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
