zhu difeng - Fotolia

Cyber heist hits banks in Russia and eastern Europe

Criminals hired mules to open rogue bank accounts and manipulated risk ratings and overdraft limits, paving the way for millions of dollars to be stolen

A series of sophisticated cyber attacks involving physical and cyber elements has led to thefts of about $40m from banks across Russia and eastern Europe, a new Trustwave study has found.

The attacks are believed to have been carried out by cyber criminals who recruited “mules” to open rogue bank accounts at physical bank branches using fake documents and identities.

After the accounts were approved, the mules then requested debit cards, which were then used to withdraw cash from ATM machines located outside the victim banks’ home countries.

The withdrawals were made possible because cyber criminals had already compromised the victim banks’ networks – and the card processor network the banks were connected to via a virtual private network (VPN) – using phishing emails.

On the card processor’s network, the perpetrators used malicious payloads to capture the credentials needed to manipulate risk ratings and increase the overdraft limits of the rogue bank accounts from $0 to between $25,000 and $35,000.

The criminals also covered their tracks by making the system they had been using to perform their activities unbootable shortly after the cash-out.

Some victim banks had not even realised that a breach had occurred and that a significant amount of money had been stolen until well after the attack was completed.

In a few cases, the malicious activity was reported to the banks by third-party processors of debit and credit card transactions, Trustwave’s report said.

“It should also be noted that the attackers’ tradecraft suggests the involvement of organised cyber crime groups,” it said, noting that the attackers had also used specialised malware to thwart cyber forensics investigations.

Read more about cyber security

Thanassis Diogos, managing consultant of Trustwave’s SpiderLabs security team, told Computer Weekly that this type of attack had never been seen before.

Although the attacks were localised to Russia and eastern European countries, Diogos said they could be the “canary in the mineshaft” for future threats in other parts of the world. “All global financial institutions should take this threat seriously and take steps to mitigate it,” he said.

“Overdraft abilities, fraud controls and individual consumer risk ratings are techniques that most international banks employ, including processors that enable card transactions. All these elements were exploited in this attack.

“The only thing stopping the attack from moving internationally is the ability to recruit mules in the right places. With the internet to communicate and money to pay [the mules], this won’t be a significant problem for the criminals.”

Asked whether the current measures adopted by most financial institutions are sufficient to avert such an attack, Diogos said Trustwave’s investigations had found recurring instances of similar security issues.

He said some of these issues are general, such as opening phishing emails and the lack of network segmentation that could prevent lateral movement. “Other issues were more clearly linked to this attack, such as too much authority for a single person with regard to card risk ratings and overdraft enablement.

“The vulnerabilities that led to the successful compromise of the victims in our study are frequently found across international banking environments, so I believe most banks will be vulnerable to a similar attack.”

Read more on Hackers and cybercrime prevention