According to anti-malware security firm Kapersky, many of the world’s major banks have been hit by digital thieves over the past year and a half, with the attackers making off with at least $300 million, but potentially as much as a billion (£648 million), after using malware and social engineering to make fraudulent transactions to accounts all over the world.
While no specific banks have been named as part of the reveal – due to non disclosure agreements Kapersky has with those organisations – they are thought to be mostly from Russia, but also countries like China, Ukraine and the United States. However in each instance, similar tactics were used.
In most cases, simple key-stroke tracking malware was sent to thousands of banking employee emails, with the hope that at least one person with administrative access would unknowingly infect their system by clicking on a nefarious link or opening up an innocuous looking file. From there, keystrokes, video and screenshots could be recorded and banking procedures learned, so that the hackers could perform one of several key actions: make direct and suspicion free money transfers to overseas bank accounts, use e-payment systems to the same end and take control of cash machines to dispense money into the street at set times where it could be collected.
As NYTimes points out though, the most lucrative of moves saw the hackers create money from thin air. With access to an account and the bank’s administrative system, the group would alter the numbers so that accounts – for example – with $1,000, would be inflated to $10,000. They would then transfer our $9,000 and little evidence would remain of that money ever existing.
Kapersky described this sort of financial services attack as much more ‘high level’ than that of previous hacking groups, as it targets the institution itself, rather than individual account holders. While that could be considered more of a victimless crime, it does present a more worrying state of affairs for banks all over the world, as it means their systems are weak enough to allow it. That is no doubt the reason that no bank has come forward to admit the security breach.
However, President Obama has suggested that in the future banks may be required to let customers know if their systems have been hacked.
Discuss on our Facebook page, HERE.
KitGuru Says: Although it doesn’t appear that any individual accounts were in jeopardy in this instance, it does seem like banks – like any other firm – should be required to inform customers if their security is breached, as there certainly is the potential for personal account holders to be in danger with this sort of attack.
Image source: Cory Doctorow