$1bn cyber bank heist thwarted by spelling error

Cyber criminals seeking to raid the Bangladesh central bank’s account at the Federal Reserve Bank of New York would have netted nearly $1bn had it not been for a simple spelling or typing error.

But the unknown hackers still managed to get away with $81m using payment transfer credentials stolen from the bank a month ago, banking officials told Reuters.

The cyber thieves made more than 30 requests for the New York Federal Reserve to transfer nearly $1bn from the Bangladesh bank’s account to accounts in the Philippines and Sri Lanka.

The Bangladesh bank reportedly has billions of dollars in a current account with the Fed, which it uses for international settlements.

Four transfers totalling $81m went through, but the fifth was blocked because the hackers misspelt the word “foundation” as “fandation” when trying to transfer $20m to an account supposedly held by an organisation called the Shalika Foundation, which is not officially listed in Sri Lanka.

The Bangladesh central bank halted the transaction when the typo led to a query seeking clarification by a routing bank, Deutsche Bank.

The query, combined with an alert from the New York Federal Reserve about the unusually large number of requests, led the Bangladesh bank to halt all the other transactions initiated by the cyber criminals that would have netted a further $870m.

According to banking officials, the transfer credentials were stolen over a weekend in early February 2016. They said an investigation is under way as well as efforts to recover the money from the Philippines.

The Bangladesh government has blamed the New York Federal Reserve for not stopping the transactions earlier and has said it may sue the Fed to recover the money.

The breach is likely to send shockwaves around the world’s financial institutions, said Justin Harvey, chief security officer at Fidelis Cybersecurity.

“It shows how critical it is to protect corporate credentials,” he said. “Those with powerful access rights within an organisation are an easy target for hackers and, if compromised, this can have a devastating impact on any company – financially and in terms of reputation.”

Harvey said the financial services industry is one of the most regulated in the world, but that does not mean it cannot be attacked by cyber criminals.  

“This latest hack is a clear reminder that compliance and adhering to banking regulations is not enough,” he said. “Multi-layer security needs to be implemented, regularly updated and sophisticated monitoring solutions need to be in place to flag and – if necessary – quarantine suspicious behaviour.”

Harvey said it is worrying that Bangladesh’s central bank is passing on the blame when, as a financial institution holding vast funds, it must take responsibility for its own security posture.

“At least the Federal Reserve Bank of New York’s provisions seemed to have saved the full £1bn from being stolen,” he said.

A year ago, an estimated $1bn was siphoned out of 100 banks, e-payment systems and financial institutions in 30 countries by the multinational Carbanak gang.

The cyber criminals began by gaining entry into an employee’s computer through spear phishing to steal credentials and track down administrators’ computers for video surveillance.

This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems, according to the investigation by Kaspersky Lab, Interpol and Europol.

In this way, the fraudsters got to know every detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money out of accounts undetected for at least two years.