Spam Campaigns Target Banks, $1 Billion Losses Projected

carbanak
There was a time when keeping your money in a bank was the safe thing to do. We learned it from childhood: get a check from grandma, deposit it directly in the bank. Even though no child in her right mind really wanted to put the money somewhere it couldn’t be used for anything tangibly wonderful, that’s how we were conditioned.It was safe in the bank, and that’s what we grew to believe. Unfortunately, the landscape has changed. Consumer confidence in banks has taken a beating around the world, due in part to global economic woes and the economic mismanagement that led to a worldwide recession in 2008; and due in part to the tech-based woes experienced by the banking industry.

We’re seeing examples of banks spamming their customers because they can’t seem to get their Trojan problems under control; and they’re not just isolated problems. In 2013, studies in the UK revealed a dire state of affairs in the banking world, with infections and security incidents going off like a fireworks display in the British Isles. In one instance, five of eight infected banks were hosting the Conficker botnet, seven were churning out spam, and all of them were infected with malicious software of some sort.

We don’t want to dump all over the banking industry, unless where it’s justified. It’s not entirely their fault that they’re being targeted, because crooks are hammers and banks look like nails. Banks are where the money’s kept, so of course cyber criminals are going to be placing the banking industry squarely in their sights. But the bank is where we keep our money, and maybe we’d be better off stuffing it in a mattress or burying it in the back yard. Modern day Bonnies and Clydes don’t need machine guns to make illegal withdrawals, and any sense of confidence and safety that we have for banks is taking a beating these days.

The situation’s not getting any better. Kaspersky Labs recently published a report on a threat called Carbanak, a backdoor delivered to target systems through email attachments. Criminals use spear phishing methods to deliver the emails and the malicious attachment comes in the form of Microsoft Word 97-2003 (.doc) and Windows Control Panel (.cpl) files and they “exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014- 1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak.”

Once the remote code executes, Carbanak is installed on the victim’s system, but Kaspersky has identified other exploits in the attack, noting that “an additional infection vector that we believe was used by the criminals is a classical drive-by-download attack. We have found traces of the Null and the RedKit exploits kits.”

What’s even more disturbing is the knowledge that these threats are nothing new. The banking industry has been dealing with them for awhile, Kaspersky points out. “From late 2013 onwards, several banks and financial institutions have been attacked by an unknown group of cybercriminals. In all these attacks, a similar modus operandi was used.” Victims of the attacks as well as law enforcement have estimated that these attacks are ongoing, meaning that two years later, the banks are still dealing with them; and combined losses could reach US $1 Billion. That’s a lot of scratch, and if anyone wonders why cyber crooks are in it, clearly they’re in it for the money.

According to The Globe and Mail in Canada, the crooks are based in Russia and the Ukraine (hey, at least they can agree on something). Kaspersky does, however, point out that the exploits used are possibly of Chinese origin. Previously, the attackers had only been targeting Russian financial institutions, but it’s a big world out there and now they’re branching out. Canadian banks are being targeted, according to the article, and Kaspersky reports that institutions in other countries are under attack. “Of the 100 banking entities impacted at the time of writing this report, at least half have suffered financial losses, with most of the victims located in Russia, USA, Germany, China and Ukraine.”

The attack itself is pernicious, spying on the infected user and collecting data that can be sent back to the C&C (command and control) server. “Using the intelligence gained from video and other monitoring techniques, the attackers developed an operational picture of the victim’s workflow, tooling and practices. This picture helps the attackers to deploy their malicious operations.” If Carbanak detects banking application BLIZKO (funds transfer software) on the infected computer, it reports back to the C&C server. In addition, it recognizes IFOBS banking applications, and “can, on command, substitute the details of payment documents in the IFOBS system.”