Online Bank Robbers Steal Up to $1b, Kaspersky Says


FEBRUARY 16, 2015

An employee works near screens in the virus lab at the headquarters of Russian cyber security company Kaspersky Labs in Moscow July 29, 2013. (Reuters Photo/Sergei Karpukhin)

A hacker group has stolen as much as $1 billion from banks and other financial firms worldwide since 2013 in an “unprecedented cyber-robbery,” according to computer security firm Kaspersky Lab.

The gang targeted as many as 100 banks, e-payment systems and other financial institutions in 30 countries including the United States, China and European nations, stealing as much as $10 million in each raid, Kaspersky Lab, Russia’s largest maker of antivirus software, said in a report.

The Carbanak gang members came from Russia, China, the Ukraine and other parts of Europe, and they are still active, it said.

“These bank heists were surprising because it made no difference to the criminals what software the banks were using,” said Sergey Golovanov, principal security researcher at Kaspersky Lab’s global research and analysis team. “It was a very slick and professional cyber-robbery.”

The details of the hacking follow news of other attacks on high-profile companies in recent months, including JPMorgan Chase, the biggest US bank; Anthem, the second-biggest US health insurer by market value; and Home Depot, the largest home-improvement chain. In those cases, data rather than money was stolen.

The criminals detected by Kaspersky infected bank employees’ computers with Carbanak malware, which then spread to internal networks and enabled video surveillance of staff. That let fraudsters mimic employee activity to transfer and steal money, according to Kaspersky, which said it has been working with Interpol, Europol and other authorities to uncover the plot.

Paul Bresson, a spokesman for the US Federal Bureau of Investigation in Washington, declined to comment on the report.

The Carbanak gang also used access to banks’ networks to seize control of ATMs and order them to dispense cash at certain times to henchmen, Kaspersky said. In some cases the gang inflated the balance of certain accounts and pocketed the extra funds without arousing immediate suspicion, according to the report.

Kaspersky was alerted to the hacking of cash dispensers when the security service of an Eastern European bank showed a video of its ATM dispensing cash to a thief “who wasn’t pushing any button and didn’t even have a banking card,” said Sergey Lozhkin, a senior security researcher at the company.

The antivirus company at first thought the ATM was infected, but then found that hackers controlled it using the bank’s internal network. Several other global and regional banks contacted Kaspersky Lab about the matter, which helped it to unearth the entire criminal scheme, according to Lozhkin.

Kaspersky won’t disclose the identity of financial institutions hurt by the attack because of a confidentiality agreement, Lozhkin said.

The main conclusion is that large banks should know that they are now targets for hackers, and tighten their information-security policies, update software and increase antivirus protection, he said.

“Cybercriminals have got the infection-to-cash cycle down to a fine art, proving crime does pay when the victim’s perimeter can be bypassed and systems manipulated at will,” said Mark Bower, vice president of product management at Voltage Security, a Cupertino, California-based security services company.

‘Unrelenting wave’

Details of the Carbanak gang come as many companies are switching focus from keeping hackers out to minimizing the effect of attacks, the most sophisticated of which are increasingly seen as inevitable.

British police made arrests last year after more than 50 cash machines in the country were infected with malware that allowed crooks to steal £1.6 million ($2.5 million). Online theft from accounts of Japanese savers increased to a total of $16 million in the first six months of 2014. And in 2013, eight New Yorkers were charged with stealing $45 million from banks based in the United Arab Emirates and Oman by electronically stealing card data and eliminating withdrawal limits.

US President Barack Obama convened a national summit on Friday to encourage cooperation between federal and private security specialists to combat hackers and data breaches. The event included executives and security officials from companies such as Microsoft, Google, Yahoo and Facebook.

“The level of collaboration between public and private sectors has to be at a much deeper level to put even a slight dent in this unrelenting wave of successful cyberattacks,” said Igor Baikalov, chief scientist at threat-detection service Securonix.