Banks Urged to Step Up Vigilance in Wake of Bangladesh Hack

The $81 million cybertheft and a new, apparently related attack highlight the vulnerability of connected IT systems to determined hackers.


Reports of a new hacking attempt on a bank through the SWIFT electronic messaging system, similar to a computer hack that stole $81 million from Bangladesh’s central bank in February, have elevated concerns about the vulnerability of financial institutions to cybercrime.

On Friday, SWIFT announced that a bank, believed to be in Vietnam, had been penetrated by hackers who surreptitiously installed malware on its computers. The attack targeted a PDF reader used by the bank to check funds transfers over the SWIFT network.

The two attacks were “part of a wider and highly adaptive campaign targeting banks,” SWIFT, a Belgium-based cooperative whose communications network is used by banks around the world to transfer billions of dollars of funds, said in a statement. It did not say whether money had been stolen in the latest incident but said the hackers “have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognize the fraud.”

The theft from Bangladesh Bank, one of the largest known bank heists ever, has seized the attention of the financial industry since it was disclosed in March. The case dominated discussions among 1,100 cybersecurity experts who gathered in Miami Beach earlier this month for the annual meeting of the Financial Services Information Sharing and Analysis Center (FS-ISAC), the industry’s leading forum for collaborating against cybercrime.

Experts say the fraud began with a so-called spear phishing attack, a common scam that begins by sending an innocent-looking e-mail to a bank employee with an attachment known as a payload. If the employee clicks on the attachment, it surreptitiously downloads malware that provides criminals with a back door into the bank’s computer system. The malware enabled the hackers to exploit the central bank’s SWIFT connection, heightening fears about wider threats to international payments systems.

The hackers sent fake instructions to the Federal Reserve Bank of New York to transfer a total of $951 million from Bangladesh Bank’s account at the New York Fed. Fed employees managed to block most of the orders, but $81 million was wired to accounts in the Philippines and spirited away through casinos.


The central bank had apparently integrated the SWIFT money transfer system into its regular computer network, a serious mistake, says Douglas Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association (ABA), who is on the board of FS-ISAC. Most big banks separate their “wire room” from the rest of the bank, using both physical security and separation of IT systems, to deter the threat of fraud, he says.

“Networks have connectivity, and to the extent that there is no level of segregation between the SWIFT system and other systems in the institution, you will potentially compromise the ability of the institution to prevent those kinds of unauthorized transactions,” he says.

Fazle Kabir, who recently took over as governor of Bangladesh Bank after his predecessor resigned over the theft, met with New York Fed president William Dudley and representatives of SWIFT in Basel, Switzerland, earlier this week to discuss possible remedial action. After the meeting, the parties issued a statement promising “to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks.” Meanwhile, the FBI has begun an investigation into the heist at Bangladesh’s request.

Both SWIFT and the New York Fed have said they were not responsible for the losses. But SWIFT did acknowledge last week that it was aware of other attempts to put malware on several banks’ computer systems with the objective of making fraudulent funds transfers, and it issued a mandatory software update aimed at eliminating that vulnerability. “We have informed our customers that there are other instances in which customers’ internal vulnerabilities have been exploited, in order to stress the importance and urgency of customers’ securing their systems,” the outfit, formally called the Society for Worldwide Interbank Financial Telecommunication, said in a statement. “The key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems — in particular those used to access SWIFT.”

Hackers in Russia used spear phishing to attack 100 small banks in 2013, according to a report from Kaspersky Lab, a Moscow-headquartered cybersecurity firm. Although some U.S. and European banks were also caught up in the fraud by the so-called Carbanak gang, most of the money stolen, which the firm estimates could total $1 billion, came from Russian institutions. The hackers took control of the banks’ video systems, allowing them to watch daily operations and learn which employees performed which tasks at each bank.

Until two years ago, most spear phishing was aimed at government computer systems, says Joseph Opacki, a former cybersecurity expert for the FBI who now does threat research and analysis at PhishLabs, a Charleston, South Carolina, cybersecurity company. Increasingly, though, cyberthieves are targeting financial institutions. In 2014, 22 percent of reported phishing attacks targeted banks, the largest group of victims.

“We’ve seen a natural evolution of these types of attacks,” he says. “First they went after consumers. Then they targeted point-of-sale terminals, which let them obtain consumer information during transactions. And now the final stage is that they are targeting financial institutions directly.”

In 2013 hackers stole the credit card details of 40 million customers at Target Corp. stores, using a spear phishing attack on an air conditioning contractor to get into the retailer’s computer network. J.P. Morgan Chase & Co. was targeted in a spear phishing attack in 2014. No money was stolen, but the hackers entered a rewards card database and got the names and addresses of millions of clients; they then used the pilfered names in a penny stock–selling scheme that netted more than $100 million. The U.S. government charged two Israelis and an American with being responsible for the fraud.

The ABA’s Johnson says U.S. banks stopped $11 billion in fraud attempts against customer accounts in 2014, but there were still $2 billion in losses. Opacki says that there are no statistics about frauds against the banks themselves, and he believes many don’t disclose those losses for reputational reasons.

One problem many banks face in trying to harden their computers against attack is that they use a lot of custom software that has to be rewritten and extensively tested for months before any fixes can be implemented. “Such software has a big impact on banks’ infrastructure and products and can’t be quickly updated,” says Opacki.

Many banks now send phishing e-mails to their own employees to test whether they will respond to them. “They use it as a teachable moment,” says Johnson.

PhishLabs conducts training programs to help bank employees recognize phishing attacks, but even training has its limits, says Opacki: “These attacks are largely targeting people, and the problem is, you are never going to be able to remove human vulnerability.”