The legendary bank robber Willie Sutton was once asked why he robbed the banks to which he replied “because that is where the money is”. Although this famous answer was disputed by the Willie subsequently yet it has become Sutton’s law that is relied upon by many people and institutions while giving examples and explaining various principles. This is so because the legendary answer may be of 1934 period but its core principle still applies to banks and financial institutions of present era.
Banks and financial institutions of India and other jurisdictions are still struggling to secure their financial assets and infrastructure. Sophisticated malware are targeting banks and financial institutions and with good success rate as well. For instance, the Vskimmer Trojan capable of stealing credit card information from Windows systems is already in circulation. Similarly, the Malware Dump Memory Grabber is also targeting POS systems and ATMs of major U.S. banks. These malware are creating havoc in India and international levels.
Now it has been reported that a multi-national gang of cyber-criminals known as Carbanak has stolen about a billion US dollars from financial institutions worldwide over the past two years. The gang is alleged to have operatives from Russia, Ukraine, Europe and China who are using various techniques to steal the money. The gang’s activities have been uncovered by the combined efforts of INTERPOL and Europol working with Kaspersky lab as well as authorities from several other countries.
Kaspersky reports that since 2013, the criminals sought to attack 100 banks, e-payment systems and other financial institutions in some 30 countries and that attacks remain active. Targets included financial organisations in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.
The gang used the commonly prevalent technique of compromising the systems of banks and financial institutions through installing malware using spear phishing mails. The attackers stole money directly from banks, rather than targeting end users, signifying use of spear phishing instead of simple phishing. The attackers must have studied the banking system of concerned bank or financial institution before siphoning the money.
The attackers used online banking or international e-payment systems to transfer money from the victim banks’ accounts to their own. For transfers, the stolen money was deposited with banks in China or America – and others may have also been used. In some cases the attackers compromised the key accounting systems and inflated account balances before taking the extra funds via a fraudulent transaction. By changing an account with 1,000 pounds to 10,000 pounds, the criminals then transfer 9,000 to themselves. And the account holder doesn’t suspect a problem because the original 1,000 pounds is still there.
The cyber-thieves also seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang was waiting beside the machine to collect the ‘voluntary’ payment.