Hackers stole $1 billion in high-tech bank heists, researchers say

Over nearly two years, the so-called Carbanak hacking group attacked nearly one hundred banks, e-payment systems and other financial institutions. The hackers used phishing attacks to lure users of the banks’ computer networks into installing malware into those systems.

An advanced hacking campaign against dozens of large banking institutions has hauled in as much as $1 billion, security researchers say.

Over nearly two years, the so-called Carbanak hacking group — named for the malware they use — attacked banks, e-payment systems and other financial institutions, according to Kaspersky Labs, which has been working with law-enforcement agencies including Interpol.

No individual users were targeted, according to the security firm, only the financial institutions themselves.

“One way or another, the criminals stripped each victim bank of $2.5 million to $10 million – the amount looks striking even when assessed individually,” Kaspersky’s Alex Drozhzhin wrote in a blog post Monday. “Considering that dozens – up to one hundred – of organizations lost their funds due to the APT (advanced persistent threat) attack, the cumulative loss might well total to a stunning $1 billion.”

Kaspersky says it was hired by one of the institutions, a Russian bank, after it had noticed the attack.

According to Drozhzhin, hackers used phishing attacks to lure users of the banks’ computer networks into installing malware into those systems. They took control over the compromised machines, then used them to infect other machines in the networks, seeking out computers that could be used to access critical information and  make financial transactions, according to the post.

They withdrew funds using methods that included withdrawing money into fake bank accounts and even sending remote messages to ATMs, making them start spewing out money.

“On average, it took from two to four months to drain each victim bank, starting from the Day 1 of infection to cash withdrawal,” Drozhzhin wrote.

Kaspersky did not identify the institutions that were attacked, but said “severe losses” have been sustained in countries including the United States, Russia, Germany, China and Ukraine, with newer operations sprouting up in Malaysia, Nepal, Kuwait and several African countries.

To avoid phishing attacks like the one used by Carbanak, Kaspersky and other security experts advise Web users to never open suspicious emails, especially those that contain attachments, and to regularly update the software they use. The Carbanak attack exploited bugs that had been fixed in the most up-to-date versions of the software that was attacked.