Hail, Hail the Gangs are here
Greg Bangs, Global Head of Crime, XL Catlin
It was quite the disappearing act. More than USD 80 million vanished from Bangladesh Bank, the country's central bank, before anyone even noticed last February. Fortunately, that's all that went missing. The criminals had originally set out to steal nearly USD 1 billion from the bank's account at the Federal Reserve Bank of New York.
The hackers did, however, succeed in installing malware on the central bank's computer systems, and then they watched, probably for weeks. They observed how money was withdrawn from the bank's US account using its credentials for the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system, which banks around the world, along with brokerages, securities dealers, asset management companies and other financial institutions, use for secure financial communication. Armed with the credentials the bank uses to connect to SWIFT's global payments network, the perpetrators sent their own fund-transfer requests, directing the money elsewhere; it was quickly gone.
Bangladesh's central bank was not alone in suffering such an attack. In an earlier incident an Ecuadorean lender lost USD 12 million, and an attempt to steal about USD 1 million from a Vietnamese bank late last year was thwarted.
These are all-too-frequent occurrences. In the UK, for instance, the National Crime Agency (NCA) recently issued a report showing that cybercrime now accounts for the largest share of total crime in the country: "cyber-enabled fraud" represents 36 percent of all crime reported in the UK, and "computer misuse" a further 17 percent.
Even the US Federal Reserve has acknowledged suffering more than 50 cyber breaches between 2011 and 2015. In June, Fed Chair Janet Yellen told a Senate Banking Committee hearing that the central bank needs to supervise financial institutions' ability to address such threats, and the same month the Federal Reserve's Office of Inspector General announced an audit of the Board's oversight of cybersecurity threats to financial institutions. The review will focus on how the system's cybersecurity examination process has evolved and whether it provides adequate oversight of banks' information security controls. The findings are expected by the end of the year.
Who is carrying out these attacks? One prime suspect is the gang behind Dridex, a notorious criminal operation based in Russia and Eastern Europe. Disciplined and highly organized, it runs very much like any other business; during its 9-to-5, Monday-to-Friday work week it sends millions of phishing emails to unsuspecting companies. Its banking malware, also called Dridex, infects an average of 3,000 to 5,000 computers a day.
Once on a computer, the malware lurks in the background, watching everything the user does and waiting for online banking activity. When that happens, it goes into action, using keystroke logging or web injects (altering the bank's pages inside the victim's browser) to capture user names and passwords that the gang later uses to carry out its own transactions.
Dridex isn't alone, either. Others, including the Carbanak and Metel gangs, have their own criminal schemes. These gangs look to gain control over machines inside a bank that have access to money transactions. Metel, for instance, used that access to automate the rollback of ATM transactions, so that the balance on a debit card stayed the same regardless of how many withdrawals were made. Individual gang members then drove around emptying out ATMs. As they emptied ATM after ATM, the balances on the accounts used to pull off the scam remained unaltered, allowing further withdrawals.
Metel was found inside 30 institutions, primarily in Russia. Carbanak is the prime suspect in the theft of some USD 1 billion over two years from 100 different banks in nearly 30 countries, using spear-phishing emails targeting bank employees. Its targets were mainly Russian financial institutions, followed by banks in Denmark and the US.
And these cybercriminals are quite innovative, quickly adopting new techniques to infiltrate institutions of all kinds. Recently authorities have dealt with the emergence of new ransomware families with names such as "Locky" and "Bart." Ransomware is malware that encrypts the victim's files, or locks the system altogether, and demands payment before access is restored; paying offers no guarantee that it will be.
The second line of the song Hail, hail, the gang's all here is, ironically, "What the heck do we care." The tenacity of these cyber gangs, however, has given a lot of people a reason to care.
In addition to conducting regular audits and building strong information security awareness protocols, businesses in every industry are wise to reinforce some simple, yet vital, messages to all colleagues: delete suspicious-looking emails, be wary of attachments, and never enable macros in a document that arrived by email.
Individual employees are every company's first line of cyber defense. Raising awareness of security risks, and of how those risks could compromise the company's information or network security, is a valuable investment for any cyber security program. Like many companies, mine, XL Catlin, conducts security awareness campaigns in various forms, including videos, posters, email campaigns, blogs and online training modules.
Our Information Risk Management (IRM) team admits, though, that the challenge is getting colleagues to pay attention to these messages and learn what they really have to look out for to stop an attack. To do so, they got a little creative, launching a campaign that appealed to our charitable tendencies. They compiled helpful videos educating employees on various cybercrime tactics and how to avoid them, and for every video an employee viewed they vowed to donate one dollar to the charity Doctors Without Borders. The campaign significantly increased video views and raised USD 10,000 for the charity. (Read more about it in the team's FFF article, "Online Learning: Raising Cyber Security Awareness by Watching and Giving.") Its success has prompted our cybersecurity team to re-launch the campaign to reinforce both long-standing and emerging cyber security issues.
The US Federal Bureau of Investigation also offers a number of tips for dealing with ransomware, among them:
- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don't need write access to those files or directories.
- Disable macro scripts in Office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., the temporary folders used by popular Internet browsers and by compression/decompression programs).
- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
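As an added illustration (this is not code from the article, from XL Catlin or from the FBI guidance), the script below audits a single Windows endpoint against four of the items in that list: local administrator membership, the Office macro policy, over-permissive SMB shares, and an AppLocker rule, in audit mode, for executables launched from user temp folders. The registry paths are the Office 2016/365 policy keys (`16.0`); the rule GUID and the temporary file name it writes are arbitrary choices made here. Run it in an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer.

```powershell
# Added example: audit a Windows endpoint against the FBI ransomware tips above.
# Not from the original article. Requires an elevated PowerShell 5.1+ session.

# 1. Privileged accounts: who is a local administrator on this machine?
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Office macros: is "block macros from files from the Internet" set, and what
#    is the VBA warning level? (1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable all without notification)
function Get-OfficeMacroPolicy {
    param([string]$Version = '16.0')   # assumption: Office 2016 / Microsoft 365
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application             = $app
            BlockMacrosFromInternet = ($p.blockcontentexecutionfrominternet -eq 1)
            VBAWarnings             = $p.VBAWarnings
        }
    }
}

# Remediation for 2, for the current user. Fleet-wide, set the same values via Group Policy.
function Set-OfficeMacroPolicy {
    param([string]$Version = '16.0')
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'VBAWarnings' `
            -Value 3 -PropertyType DWord -Force | Out-Null   # signed macros only
    }
}

# 3. Share permissions: flag non-administrative shares where Everyone or
#    Authenticated Users has Change or Full access (write where read would do).
function Get-OverPermissiveShares {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccountName -match 'Everyone|Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Change', 'Full'
        }
    }
}

# 4. Execution control: an AppLocker rule, audit-only, that flags executables run
#    from any user's local temp folder, one of the "common ransomware locations".
#    The rule Id is an arbitrary GUID chosen for this example.
$AppLockerPolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001"
                  Name="Deny EXE from user temp folders"
                  Description="Audit example: executables launched from AppData\Local\Temp"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Install-TempDenyRule {
    $path = Join-Path $env:TEMP 'deny-temp-exe.xml'   # assumed scratch location
    Set-Content -Path $path -Value $AppLockerPolicyXml -Encoding UTF8
    # -Merge keeps any rules already in the local policy
    Set-AppLockerPolicy -XmlPolicy $path -Merge
}

# Pull the read-only checks together into one report
function Invoke-RansomwareReadinessAudit {
    "== Local administrators ==";      Get-LocalAdminReport      | Format-Table -AutoSize
    "== Office macro policy ==";       Get-OfficeMacroPolicy     | Format-Table -AutoSize
    "== Over-permissive shares ==";    Get-OverPermissiveShares  | Format-Table -AutoSize
}

Invoke-RansomwareReadinessAudit
```

Two caveats a practitioner should keep in mind. AppLocker is default-deny once a rule collection is enforced: if the Exe collection contains only the deny rule above and you switch it from AuditOnly to Enabled, every executable not covered by an Allow rule stops running, so merge it with the default Allow rules (or your own) and review the audit events (Applications and Services Logs > Microsoft > Windows > AppLocker) before enforcing. Likewise, the macro settings here are written under the current user's policy hive; on a managed fleet the same values belong in Group Policy so users cannot simply turn them back on.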
Adopting the gang-style approach of the cyber criminals themselves, businesses need to coordinate multi-disciplinary participation throughout the organization to fight the gangs' crime games and drive online vigilance across the whole company.
About the Author
Gregory W. Bangs is the Global Crime Product Leader and head of US Crisis Management at XL Catlin. Over the last 30 years, he has been underwriting insurance and developing new products in the US, UK, Hong Kong and France. Greg can be reached at email@example.com.