According to multiple estimations Carbanak has generated around 1 billion dollars by hitting banks worldwide. It was mainly attacking companies in Europe, the United States, and China between 2013 and 2014.
Modus Operandi
Each attack started with a well-crafted spear phishing email. It contained a malicious attachment that installed a backdoor on the victim system. After the installation it provided access to the entire target bank network. Through a series of lateral movements, the attackers could search and obtain access to the “point of interest” of the network. Simply speaking, it was a computer which they could use to make money transfers.
The criminals then installed remote access tools in the infected terminals. They were capable of capturing videos, screenshots and everything people typed on the keyboards. Their goal was to learn each employee’s daily activities and collect data necessary to impersonate employee behaviour. They could then camouflage money transfers by the “rutines”.
The monitoring phase then began. Each bank had different internal mechanisms and procedures. Therefore, this phase was different for each bank and lasted from 2 to 4 months. Once properly trained, the thefts started the attacks. They used 2 main methods:
Transfer of virtual money from “inflated” accounts
One of the Carbanak criminals, the database officer, “inflated” accounts of the bank’s underactive customers by overwriting the balance. Immediately afterwards another criminal, assigned for that specific purpose, transferred the created funds to malefactors’ accounts.
Checking the ATM
The criminals agreed with local bank staff, called “mules”, and conducted a series of ATM thefts. The first set up the system, so that ATMs would issue money on specific days and times, while the “mules” would go to the place and withdraw the money. You can watch an ATM theft video.
The complex organizational network behind these attacks belonged to the organized crime. At the top there probably were Russian speaking cybercriminals, who conceived and designed the attack method. There were numerous technical and banking staff below, already experienced and capable to quickly learn the specific banking procedures. Finally, even further below, there was the actual workforce or workers. They were involved in the cash collection, opened the accounts for the money transit, or acted as baits.
How to defend yourself
Even today Carbanak remains one of the most profitable cyber theft in history. So how would you stay cyber safe?
- One of the important things is to be aware of cyber security threats anyone can face at his workplace. A can upskill employees to recognize and properly communicate security incidents
- An anti-spam and an anti-phishing solution would prevent infected email from getting into a corporate network, solving the root problem
- Finally, regular security monitoring and in-depth analysis of data on the internal network would help. They will reveal lateral movements and abnormal traffic inevitably generated by attackers, allowing a ready response to any intrusion, and minimizing the damage