Willie Sutton’s rationale for robbing banks, ‘Because that’s where the money is,’ holds as true today as it did 80 years ago. Instead of machine guns and fast getaway cars, cyber-age bank robbers rely on cleverly adopting common hacking routines to find and extract the cash.
Banks have poured billions into hack-proofing their websites and networks. Yet breach attempts persist and robbers continue to strike it rich. Security services vendor NTT Security reports that finance was the most heavily attacked sector in Q3 2016 followed by retail, manufacturing, tech and healthcare.
NTT Security analysts Jon Heimerl and Terrance DeJesus generously shared these observations, which are instructive and cautionary to banking officials, and consumers, alike:
Cycles and seasons
Brute-force hacking, or the use of thousands of logon combinations to access the backend of a website, jumped dramatically in Q3. This reflects cyber criminals methodically executing the initial phases of a typical attack cycle. Brute-force success in late summer and early fall sets them up nicely to begin draining accounts under cover of the inevitable spike in year-end Internet traffic.
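The pattern described above, many logon attempts from one source in a short span, is what a defender looks for in authentication logs. The following is an added example, not code from NTT Security or the article: it parses a constructed log format (the line layout, user names and addresses are all assumptions) and raises an alert when one source address exceeds a threshold of failed logins inside a sliding time window, noting whether a successful logon followed the burst, which is the case that deserves the fastest response.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format (not from the article).
SAMPLE_LOG = """\
2016-09-12T02:14:01Z login FAIL user=jsmith src=203.0.113.7
2016-09-12T02:14:03Z login FAIL user=jsmith src=203.0.113.7
2016-09-12T02:14:04Z login FAIL user=mlee src=203.0.113.7
2016-09-12T02:14:06Z login FAIL user=admin src=203.0.113.7
2016-09-12T02:14:08Z login FAIL user=tkim src=203.0.113.7
2016-09-12T02:14:09Z login OK user=tkim src=203.0.113.7
2016-09-12T02:20:00Z login FAIL user=apatel src=198.51.100.4
2016-09-12T02:35:00Z login OK user=apatel src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected layout
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_brute_force(events, max_failures=4, window_seconds=60):
    """Alert on any source with more than max_failures failed logins inside a
    sliding window of window_seconds; record whether a success followed."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(failures)):
            # shrink the window from the left until it fits window_seconds
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_failures:
                last_fail = failures[end]["ts"]
                # a success after the burst suggests a credential was guessed
                followed_by_success = any(
                    e["result"] == "OK" and e["ts"] >= last_fail for e in evs
                )
                alerts.append({
                    "src": src,
                    "failures": count,
                    "distinct_users": len({e["user"] for e in failures[start:end + 1]}),
                    "followed_by_success": followed_by_success,
                })
                break  # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(parse_log(SAMPLE_LOG)):
        print(alert)
```

The number of distinct user names tried from one address is worth keeping in the alert: a password-spraying run (many users, one or two passwords each) stays under a per-user lockout threshold, so counting per source rather than per account is what makes it visible.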
“By establishing an early presence inside the targeted bank, the attacker gains the opportunity to capitalize on the busy holiday season and capture more transactions of higher dollar values,” says Heimerl, NTT Security’s threat intelligence communications team manager. “With so much data moving about, it becomes more difficult for organizations to identify nefarious activities.”
Flawed web sites
NTT Security found that 43 percent of the Q3 attacks were against web applications. Often this took the form of a ‘SQL injection’ hack, in which crafted input is fed into the queries a web page sends to its underlying database until the database accepts and executes the injected commands. The intruder then gains a foothold to move laterally inside the bank’s network.
Sutton wasn’t green and neither are modern day cyber robbers. They know full well that banks continue to rely on external developers to supply customized web server scripts and web applications. And in the developer community, security is not always a top priority.
“Poor coding practices often leave security flaws in web applications which are then recognized by threat actors,” observes DeJesus, an NTT Security cyber threat intelligence analyst. Skilled hackers use a variety of techniques to pinpoint and exploit these defects, he says.
Sutton is said to have pilfered $2 million in a 40-year career. One theft ring tracked by IBM Security, dubbed the Dyre Wolf gang, got inside the networks of banks serving small and mid-size businesses to pull off numerous fraudulent wire transfers of $500,000 to $1 million.
IBM did not estimate the Dyre Wolf gang’s total take, nor how many banks and businesses were hit. But their take paled next to the handiwork of the Carbanak gang observed by Kaspersky Lab and European law enforcement. This ring reprogrammed bank servers to boost account balances and remotely trigger ATMs to spit out cash to awaiting accomplices. The Carbanak gang absconded with an estimated $1 billion from more than 100 banks globally.
The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, is a global alliance of 11,000 financial institutions that use “SWIFT codes” to authenticate fund transfers. Hackers have discovered flaws in the way member banks have implemented SWIFT’s messaging system. And not too long ago one hacking ring figured out how to manipulate SWIFT’s messaging platform to light-finger $81 million from the Bank of Bangladesh’s account at the New York Federal Reserve Bank.
Though tricky to execute, this type of attack can be repeated, says Heimerl. The attacker just needs to secure networked access to SWIFT systems using valid credentials. “If the attacker conducted a wire transfer late on a Friday, with no one available to validate or investigate until the following week, by all appearances, the attacker could appear to be conducting valid business, while actually sending funds to their own accounts,” he says.
Clearly, small banks and credit unions using SWIFT in a networked access environment face an acute risk. Heimerl says this exposure can be reduced by “removing networked access” to SWIFT and “enforcing two-factor authentication for all SWIFT systems.”
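Heimerl's late-Friday scenario and his two recommended controls translate directly into a review rule a bank can run over its own transfer records before release. The following is an added example, not code from NTT Security, SWIFT or the article: it takes constructed transfer records (the field names, amounts, operator names and the business-hours boundaries are all assumptions) and holds any transfer initiated after Friday close or on a weekend, lacking an independent second approver, lacking a second authentication factor, or above a large-amount threshold, so that nothing slips through a window in which no one is available to validate it.

```python
from datetime import datetime, time

# Constructed sample transfer records (hypothetical format, not from the article).
# 2016-12-09 is a Friday; 2016-12-10 a Saturday; 2016-12-12 a Monday.
SAMPLE_TRANSFERS = [
    {"id": "T1", "initiated": "2016-12-09T11:05:00", "amount": 250000,
     "initiator": "ops1", "approver": "ops2", "mfa": True},
    {"id": "T2", "initiated": "2016-12-09T17:48:00", "amount": 810000,
     "initiator": "ops1", "approver": None, "mfa": False},
    {"id": "T3", "initiated": "2016-12-10T03:12:00", "amount": 120000,
     "initiator": "ops3", "approver": "ops3", "mfa": True},
    {"id": "T4", "initiated": "2016-12-12T09:30:00", "amount": 15000,
     "initiator": "ops2", "approver": "ops1", "mfa": True},
]

BUSINESS_START = time(8, 0)   # assumed local business hours
BUSINESS_END = time(17, 0)


def review_transfer(rec, large_amount=500000):
    """Return the list of control failures for one record; empty means release."""
    ts = datetime.fromisoformat(rec["initiated"])
    flags = []
    # weekday(): Monday=0 ... Friday=4, Saturday=5, Sunday=6
    after_friday_close = ts.weekday() == 4 and ts.time() >= BUSINESS_END
    if after_friday_close or ts.weekday() >= 5:
        flags.append("weekend_window")  # nobody to validate until next week
    elif not BUSINESS_START <= ts.time() < BUSINESS_END:
        flags.append("after_hours")
    if rec["approver"] is None or rec["approver"] == rec["initiator"]:
        flags.append("no_independent_approval")  # four-eyes rule not met
    if not rec["mfa"]:
        flags.append("no_second_factor")  # session lacked two-factor authentication
    if rec["amount"] >= large_amount:
        flags.append("large_amount")
    return flags


def transfers_to_hold(records):
    """Map transfer id to its control failures for every record that must wait
    for a human review before release."""
    held = {}
    for rec in records:
        flags = review_transfer(rec)
        if flags:
            held[rec["id"]] = flags
    return held


if __name__ == "__main__":
    for tid, flags in transfers_to_hold(SAMPLE_TRANSFERS).items():
        print(tid, flags)
```

The rule is deliberately conservative: a single failed control is enough to hold the transfer, and the timing check fires on the weekend window even when every other control passed, since the attacker's advantage in Heimerl's scenario is time, not a missing approval.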
Heading into 2017, the targeting of financial sector employees is intensifying. Cyber robbers are pouring resources into crafting phishing campaigns designed to crawl into a staffer’s workstation.
The financial sector needs to do a better job of securing web applications and segregating and controlling access to key systems, like SWIFT. Consumers and business customers can help speed this process by becoming informed and demanding that these steps be taken.