The Carbanak attack is considered by many to be the most sophisticated attack the world has seen in terms of the tactics and methods the cybercriminals used to remain covert. However, this ‘sophisticated attack’ was initiated by a relatively low-tech phishing email. As is all too often the case, the targeted banks were lax in handling emails and in detecting a breach once it had occurred.
This attack was launched when hundreds of bank employees were sent phishing emails carrying the malware dubbed Carbanak. Sure enough, someone clicked on a link that allowed Carbanak to infect a bank’s administrative computer. Once happily ensconced in the central computer, the malware proceeded to record keystrokes and used various methods of surveillance to find weak spots in the network that the criminals could exploit further. After the cyber criminals had learned passwords and procedures from the activities of their malware, they could do all kinds of profitable illegal things. Have funds sent anywhere. Have ATMs spit out money. It’s estimated these highly successful cyber thieves made off with as much as $1 billion.
While security experts disagree on whether it really was the most sophisticated attack ever, there is no doubt that Carbanak was clever enough to go undetected for months within several organizations. Unfortunately, using a phishing mail (or spear-phishing mails) to initiate an infiltration is nothing new. In fact, it’s becoming one of the oldest tricks in the book, but that doesn’t keep people from falling for it. As we’ve seen time and time again, the weakest link in an organization’s security chain is often the people who open these nefarious payloads.
Despite the sophistication of the actual malware involved in recent cyberattacks, phishing emails are still the preferred delivery method, and one-fifth of phishing scams target banks. Phishing scams are one of the best ways to trick unsuspecting email and web users into handing over personal information. Banking details, social security numbers, social media passwords: all of these are very valuable to fraudsters, allowing them to freely steal both money and identities.
Scammers always have a credible excuse for needing all this valuable information, such as:
Of course, the real goal of most of the malicious programs distributed via mail is to steal confidential data. The majority of phishing attacks target email accounts. Emails are often easy pickings for fraudsters. Users are apt to be sloppy with emails, sometimes even utilizing easy-to-guess logins and passwords. No matter how often warnings are issued, there’s still always someone who thinks “123456” is a great password.
With most phishing attacks, someone has to be persuaded to open the malware or follow a link that downloads malware.
The notion of having ‘perfect security’ is ludicrous. Security is difficult. Against a sufficiently skilled, motivated and funded attacker, all networks will be vulnerable. You’ve just got to make it sufficiently difficult that it’s much costlier for the hacker, and the risk of being caught means it’s not worth their while. Against less skilled attackers, good security may be close enough to perfect security.
Carbanak is not the “quick fire attack” of old – the attacks have been ongoing for about 2 years. This is one of the more interesting things about the attack: that it could go undetected for so long. This is where layered security is so vital, along with continuous network monitoring. A lot of focus is put on keeping adversaries out of your network with multiple layers of firewalls, but perhaps not enough effort is put into auditing internal networks. What’s also interesting about Carbanak is that the methods used are those more typical of cyber terrorism.
Education for employees on the dangers of phishing emails is necessary. The best filters in the world won’t block targeted phishing emails that may link to domains that have been seeded with malware just waiting for someone to drive by. Most of the recent high-profile breaches (Carbanak, Sony, Target) started with phishing emails.
So what can prevent a slick and professional cyber-robbery like this from happening in your bank? First, it’s crucial to stay on top of patching: patch all operating systems and applications. Some of the banks infiltrated by Carbanak were hit through unpatched vulnerabilities in Microsoft Office, so the danger of unpatched software is quite real. The plethora of patches released by various vendors can be overwhelming, but organizations nevertheless need well-defined patch management practices. Continuous security audits, layered network security, and best-practice education for all employees are also essential.