Hackers stole $1 billion in high-tech bank heists, researchers say

Over nearly two years, the so-called Carbanak hacking group attacked nearly one hundred banks, e-payment systems and other financial institutions. The hackers used phishing attacks to lure users of the banks’ computer networks into installing malware into those systems.

Gene J. Puskar/AP/File
A person inserts a debit card into an ATM in Pittsburgh. Over a two-year span, a group of hackers attacked banks, e-payment systems and other financial institutions, according to Kaspersky Labs, which has been working with law-enforcement agencies including Interpol.

An advanced hacking campaign against dozens of large banking institutions has hauled in as much as $1 billion, security researchers say.

Over nearly two years, the so-called Carbanak hacking group — named for the malware they use — attacked banks, e-payment systems and other financial institutions, according to Kaspersky Labs, which has been working with law-enforcement agencies including Interpol.

No individual users were targeted, according to the security firm, only the financial institutions themselves.

“One way or another, the criminals stripped each victim bank of $2.5 million to $10 million – the amount looks striking even when assessed individually,” Kaspersky’s Alex Drozhzhin wrote in a blog post Monday. “Considering that dozens – up to one hundred – of organizations lost their funds due to the APT (advanced persistent threat) attack, the cumulative loss might well total to a stunning $1 billion.”

Kaspersky says it was hired by one of the institutions, a Russian bank, after it had noticed the attack.

According to Drozhzhin, hackers used phishing attacks to lure users of the banks’ computer networks into installing malware into those systems. They took control over the compromised machines, then used them to infect other machines in the networks, seeking out computers that could be used to access critical information and  make financial transactions, according to the post.

They withdrew funds using methods that included withdrawing money into fake bank accounts and even sending remote messages to ATMs, making them start spewing out money.

“On average, it took from two to four months to drain each victim bank, starting from the Day 1 of infection to cash withdrawal,” Drozhzhin wrote.

Kaspersky did not identify the institutions that were attacked, but said “severe losses” have been sustained in countries including the United States, Russia, Germany, China and Ukraine, with newer operations sprouting up in Malaysia, Nepal, Kuwait and several African countries.

To avoid phishing attacks like the one used by Carbanak, Kaspersky and other security experts advise Web users to never open suspicious emails, especially those that contain attachments, and to regularly update the software they use. The Carbanak attack exploited bugs that had been fixed in the most up-to-date versions of the software that was attacked.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.