The Carbanak attack is considered by many to be the most sophisticated attack the world has seen in terms of the tactics and methods the cybercriminals used to remain covert. However, this ‘sophisticated attack’ was initiated by a relatively low-tech phishing email. As is all too often the case, the targeted banks were lax in handling emails and in detecting a breach once it had occurred.
This attack was launched when hundreds of bank employees were sent phishing emails carrying the malware dubbed Carbanak. Sure enough, someone clicked on a link that allowed Carbanak to infect a bank’s administrative computer. Once happily ensconced in the central computer, the malware proceeded to record keystrokes and used various methods of surveillance to find weak spots in the network. After the cybercriminals had learned passwords and procedures from the activities of their malware, they could do all kinds of profitable illegal things: have funds sent anywhere, or have ATMs spit out money. It’s estimated these highly successful cyber thieves made off with as much as $1 billion.
While security experts disagree on whether it really was the most sophisticated attack ever, there is no doubt that Carbanak was clever enough to go undetected for months within several organizations. Unfortunately, using a phishing email (or spear-phishing emails) to initiate an infiltration is nothing new. In fact, it’s becoming one of the oldest tricks in the book, but that doesn’t keep people from falling for it. As we’ve seen time and time again, the weakest link in an organization’s security chain is often the people who open these nefarious payloads.
Despite the sophistication of the actual malware involved in recent cyberattacks, phishing emails are still the preferred delivery method, and one-fifth of phishing scams target banks. Phishing scams are one of the best ways to trick unsuspecting email and web users into handing over personal information. Banking details, social security numbers, social media passwords: all of these are very valuable to fraudsters, allowing them to steal both money and identities freely.
Scammers always have a credible excuse for needing all this valuable information, such as:
- The need to upgrade security levels
- Scheduled essential system maintenance
- The need to verify account details
- As part of an effort to protect customers from fraud
- The need to verify an identity before offering a refund for a bill paid or overpaid
Of course, the real goal of most of the malicious programs distributed via mail is to steal confidential data. The majority of phishing attacks target email accounts. Emails are often easy pickings for fraudsters. Users are apt to be sloppy with emails, sometimes even utilizing easy-to-guess logins and passwords. No matter how often warnings are issued, there’s still always someone who thinks “123456” is a great password.
With most phishing attacks, someone has to be persuaded to open the malware or follow a link that downloads malware.
Phishing attacks typically fall into one of three categories:
- Opportunistic attacks, the most common type of attack. Cybercriminals use off-the-shelf attack toolkits against thousands of networks worldwide, hoping that at least a few people will fall for their scam. A typical scammer sends out millions of spam emails in the hope that someone will follow a link and thus get infected. The ransomware of the last couple of years is an example of this type of spam.
- Zero-day attacks, which are also distributed via mass mailings. Zero-day attacks (or zero-day exploits) are attacks that target publicly known but as yet unpatched vulnerabilities. The skill level of zero-day attackers is much higher, though they also try to target just about anyone within reach of email.
- Finally, targeted attacks focused on specific organizations. These attacks require a high skill level and usually exploit zero-day vulnerabilities. The Carbanak attack is an example of this kind of assault, specifically in the form of an advanced persistent threat (APT).
Let's face it, security is difficult!
The notion of having ‘perfect security’ is ludicrous. Security is difficult. Against a sufficiently skilled, motivated and funded attacker, all networks will be vulnerable. You’ve just got to make it sufficiently difficult, so that it’s much costlier for the hacker, and the risk of being caught means it’s not worth their while. Against less skilled attackers good security may be close enough to perfect security.
Carbanak is not the “quick-fire attack” of old; the attacks have been ongoing for about two years. This is one of the more interesting things about the attack: that it could go undetected for so long. This is where layered security is so vital, along with continuous network monitoring. A lot of focus is put on keeping adversaries out of your network with multiple layers of firewalls, but possibly not enough effort is put into auditing internal networks. What’s also interesting about Carbanak is that the methods used are those more typical of cyber terrorism.
Educating employees on the dangers of phishing emails is necessary. The best filters in the world won’t block targeted phishing emails that may link to compromised domains hosting malware that is simply waiting for someone to visit. Most of the recent high-profile breaches (Carbanak, Sony, Target) started with phishing emails.
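Filters are only one layer, but link-level heuristics do catch many of the lures built on the pretexts listed above. The following Python script is an added example, not code from the original article or from any product it refers to. It parses a raw email, pulls every link out of the HTML body, and flags three common lure patterns: a bare IP address as the link host, the trusted bank name embedded as a label inside an unrelated domain, and visible link text that is itself a URL pointing at a different host than the real target. The sample message, the domain names (examplebank.test, verify-login.example) and the IP address are constructed for illustration; the "registrable domain" helper is a deliberate simplification that a production filter would replace with a Public Suffix List lookup.

```python
"""Heuristic phishing-link analysis for an email message (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample message, not a real phishing email. It uses the reserved
# .test/.example names and the 203.0.113.0/24 documentation range.
SAMPLE_EML = """\
From: "Security Team" <alerts@examplebank.test>
To: employee@examplebank.test
Subject: Scheduled security upgrade - please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>As part of a scheduled security upgrade, please verify your account details:</p>
<p><a href="http://examplebank.test.verify-login.example/upgrade">https://www.examplebank.test/secure</a></p>
<p><a href="http://203.0.113.5/refund">Claim your refund</a></p>
<p><a href="https://www.examplebank.test/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two labels of the host name.
    A real filter would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text, trusted_domain):
    """Return the reasons a link looks like a phishing lure (empty list if none)."""
    reasons = []
    host = urlparse(href).hostname or ""

    # A bare IP address instead of a hostname is rarely legitimate in customer mail.
    try:
        ip_address(host)
        reasons.append("link host is a bare IP address")
    except ValueError:
        pass

    # The trusted name used as a label inside some other domain
    # (examplebank.test.verify-login.example) is a classic lookalike.
    if (host and host != trusted_domain
            and not host.endswith("." + trusted_domain)
            and trusted_domain in host):
        reasons.append(f"trusted name '{trusted_domain}' embedded in unrelated host '{host}'")

    # Visible text that is itself a URL, but the real target is a different domain.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"visible URL host '{shown.group(1)}' differs from real host '{host}'")
    return reasons


def scan_message(raw_message, trusted_domain):
    """Parse a raw RFC 5322 message and return its suspicious links with reasons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        reasons = analyse_link(href, text, trusted_domain)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML, "examplebank.test"):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, the first two links are flagged (the lookalike domain twice, once for the embedded bank name and once for the mismatched visible URL; the refund link for its bare IP) while the genuine help-centre link passes. Heuristics like these are cheap to add to a mail gateway or to a security-awareness tool that shows users why a link was flagged, which reinforces the education the article calls for.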
If you’re an IT pro in a bank, how do you stop this from happening?
So what can prevent a slick and professional cyber-robbery like this from happening in your bank? First, it’s crucial to stay on top of patching; patch all operating systems and applications. Some of the banks infiltrated by Carbanak were hit through unpatched vulnerabilities in Microsoft Office, so the danger of unpatched software is quite real. The plethora of patches released by various vendors can be overwhelming, but organizations need consistent patch management practices nevertheless. Continuous security audits, layered network security, and best-practice education for all employees are also essential.
If you enjoyed this article you might also be interested in this useful checklist, an excellent starting point for IT admins that want to reduce spam and related malware attacks.