Cyber bank robbery nets a billion

Cape Town - A single cyber criminal gang has stolen up to $1bn from financial institutions over a two-year period.

An international investigation found that the gang, dubbed Carbanak, stole the money from over 100 financial institutions in what must rank as one of the more brazen cyber bank robberies.

Banks are generally regarded as having the best security technology, and thefts usually occur through malware on customer computers or mobile devices.

"The plot marks the beginning of a new stage in the evolution of cyber criminal activity, where malicious users steal money directly from banks, and avoid targeting end users," said security firm Kaspersky Lab, which participated in uncovering the gang.

The attackers, who are believed to be located in Russia, Ukraine, other parts of Europe and China, attacked financial institutions in Russia, the US, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria and Australia.

Attack methodology

The attack methodology has a movie-like quality: the gang targeted a bank employee's computer with specifically designed spam - a process known as spear phishing.

Once one employee's machine was compromised, the gang carried out surveillance, mapping the bank's routine and workflow.

This allowed them to mimic money transfer transactions to the criminals' bank accounts in the US or China.

Each raid took on average two to four months from the time the malware was inserted into the employee's computer, and in a few cases the thieves stole up to $10m in a single action.

A Kaspersky Lab official checks for mobile malware in the company's Moscow offices. (Duncan Alfreds, Fin24)

In the second method of attack, the thieves artificially inflated account balances and transferred the difference to their own accounts.

In this way, account holders were none the wiser because their original amounts remained untouched.

The gang was also able to order bank ATMs to dispense cash at a given time, and underlings would simply arrive at the selected cash machine and make a withdrawal.

Catch-up game

"These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent," said Sergey Golovanov, principal security researcher at Kaspersky Lab's Global Research and Analysis Team.

The attacks will no doubt prompt financial institutions to examine their cyber security procedures, and in the US, President Barack Obama has called for legislation to compel companies to share information about cyber attacks, especially where customer information has been compromised.

However, cyber security is always a catch-up game and criminals exploit social engineering as well as technology to gain unauthorised access.

"These attacks again underline the fact that criminals will exploit any vulnerability in any system. It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures," said Sanjay Virmani, director of the Interpol Digital Crime Centre.
