What Bankers Need to Know About the $1B Carbanak Heist

From American Banker –

“Bankers should act quickly to ensure they are not vulnerable to the same kinds of attacks that allowed a gang called Carbanak to steal $1 billion from financial institutions around the world.

The hack, which was revealed this week by Kaspersky Lab, relied on relatively unsophisticated forms of intrusion like fake e-mails, but also reflected an exceptional degree of patience and intelligence-gathering. Hackers lurked in bank networks for long periods of time — in some cases since 2013 — and secretly recorded bank employees to learn how they work and mimic their behavior.”

Read more>>

Carbanak Hackers Target Banks in $1bn Attack Campaign

From Info Security –

“Security experts have uncovered a major targeted attack campaign in which criminals infiltrated around 100 banks worldwide and made off with up to $1bn over a two-year period.

Interpol, Europol, local law enforcers and Kaspersky Lab worked together on the case.

They estimate that the hackers – who hail from Russia, Ukraine, Europe and China – stole up to $10m per raid, with each attack lasting between two and four months.

The attacks are said to begin with a classic spear phishing email sent to a bank employee, infecting them with the Carbanak malware.

Once in the bank’s internal network, the hackers searched for administrator machines which allowed them to monitor cash transfer activity. They were then able to mimic that same activity at a later stage to transfer money out to themselves, according to Kaspersky Lab.

Sometimes they used online banking or international e-payment systems to transfer the funds out to accounts in the US and China.

On other occasions they would hack a victim bank’s accounting systems, inflating customers’ account balances by adding some extra zeros and then stealing the extra funds via a fraudulent transaction.

A third method of stealing cash was apparently to program specific ATMs to dispense money at certain times and then arrange for a gang member to collect it.”

Read more>>

Cyber bank robbers steal $1bn, says Kaspersky report

From BBC Business News –

“Up to 100 banks and financial institutions worldwide have been attacked in an "unprecedented cyber robbery", claims a new report.

Computer security firm Kaspersky Lab estimates $1bn (£648m) has been stolen in the attacks, which it says started in 2013 and are still ongoing.

A cybercriminal gang with members from Russia, Ukraine and China is responsible, it said.

Kaspersky said it worked with Interpol and Europol on the investigation.

It said the attacks had taken place in 30 countries including financial firms in Russia, US, Germany, China, Ukraine and Canada.

"These attacks again underline the fact that criminals will exploit any vulnerability in any system," said Sanjay Virmani, director of Interpol's digital crime centre.”

Read more>>

Hackers breach 30,000 websites a day – and small firms bear brunt of costs

From Payments Eye –

“Last year saw a number of high-profile thefts of payment data from major companies and banks, but research shows that smaller firms are hardest hit.

A severe attack typically leaves small and mid-sized companies £65,000-£115,000 out of pocket, according to research by PwC, and the worst-hit firms report up to six security breaches a year. While a bigger business may be equipped to absorb the financial blow, for an SME, costs of this magnitude can quickly spell the end.”

Read more>>

Check-the-Box Mentality Exposes Banks to Big Cyber Risks

From American Banker –

“The year of 2014 will be remembered as the year of the data breach. Hackers struck numerous large corporations, from Target to Home Depot to JPMorgan Chase.

These breaches have led to increased regulation for financial institutions at both the federal and state level. In fact, it's safe to say that 2015 may very well be the year of the cyber rule. Among the most prominent developments is the Federal Financial Institutions Council's announcement that it will update cybersecurity guidance in 2015. State initiatives are likely to follow. New York's Department of Financial Services, for example, has given notice that it too will implement more stringent examinations of cybersecurity governance.”

Read more>>

If you doubted that information security was a business continuity issue consider a four letter word: Sony

From Continuity Central -

“The Sony hacking and subsequent threats to the company and its supply chain, has become the biggest information story of 2014; in a year of many high profile incidents. What started out as ‘yet another breach story’ a few weeks ago rapidly developed into a very real business continuity and reputation threatening incident.”

Read more>>