Carbanak 2.0: the billion-dollar bank heist is back

Kaspersky reveals new threat to banks after last year's devastating Carbanak hack

Cybercriminals are targeting banks and businesses with a new version of a damaging attack that helped them steal $1 billion last year, according to Kaspersky.

Carbanak was first noticed last year. The targeted series of attacks saw hackers net as much as a billion dollars from banks around the world by infiltrating internal networks, and in some cases, directing ATMs to spit out cash.

Now its successor, Carbanak 2.0, is targeting the budgeting and accounting departments of companies beyond banks, and in one instance even changed a firm's ownership details, according to Kaspersky.

Speaking at the security vendor's Security Annual Summit in Tenerife today, researcher Sergey Golovanov said "the aim is to do the same" as last year, with criminals targeting millions of dollars from each attack.

So far, the attack has not been seen outside of Russia, but Golovanov noted that the last version of Carbanak was limited to Ukraine before hopping country to country and spreading around the world.

The company also revealed details on both the Metel cybercrime group and GCMAN, which use similar targeted tactics to rob financial institutions.

Heavy Metel

The Metel group targets specific individuals working at banks with spear-phishing emails using malicious attachments made with the Niteris exploit pack. Once on a computer inside the network, they use legitimate penetration testing tools to jump to other computers, aiming for a payment card processing machine inside the bank.

When they understand the bank's infrastructure, they can tunnel into that machine which is connected to the internet and see details such as card numbers, passwords, and balances, as well as being able to block or cancel transactions.

Criminals can use payment cards to withdraw cash from ATMs, while their colleagues ensure the victim's balance never decreases simply by clicking "cancel" when the transaction comes up on the processing computer.

Golovanov said that meant criminals had to sit there and click "lots of times", while their colleagues drive around Russian cities at night emptying cash machines.  
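The cancellation trick described above leaves a trace on the processing host: a card that withdraws cash at several ATMs, each time followed shortly by a cancel. The following is an added example, not code from the article or from Kaspersky, showing how a bank's fraud team could flag that pattern over a constructed sample of processing-host events; the log format, the field names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of card-processing events (not real data): one line per
# authorisation or cancellation seen by the bank's processing host.
# Format: timestamp,card,event,amount,terminal
SAMPLE_LOG = """\
2016-02-08T01:12:04,4111****1111,AUTH,300,ATM-017
2016-02-08T01:12:40,4111****1111,CANCEL,300,ATM-017
2016-02-08T01:20:11,4111****1111,AUTH,300,ATM-042
2016-02-08T01:20:55,4111****1111,CANCEL,300,ATM-042
2016-02-08T01:31:30,4111****1111,AUTH,300,ATM-093
2016-02-08T01:32:02,4111****1111,CANCEL,300,ATM-093
2016-02-08T09:05:13,5500****0004,AUTH,50,POS-220
2016-02-08T13:44:00,5500****0004,AUTH,120,ATM-003
2016-02-08T13:44:30,5500****0004,CANCEL,120,ATM-003
"""

def parse_events(text):
    """Parse the assumed CSV format into (timestamp, card, kind, amount, terminal)."""
    events = []
    for line in text.splitlines():
        ts, card, kind, amount, terminal = line.split(",")
        events.append((datetime.fromisoformat(ts), card, kind, int(amount), terminal))
    return events

def suspicious_cards(events, min_cancels=3, min_ratio=0.5, night_hours=range(0, 6)):
    """Return cards whose ATM withdrawals are mostly cancelled after the fact.

    A legitimate card occasionally sees a cancelled withdrawal; a card whose ATM
    authorisations are repeatedly cancelled, especially at night, matches the
    pattern of cash being taken while the balance is never debited.
    """
    stats = defaultdict(lambda: {"auth": 0, "cancel": 0, "night_cancel": 0})
    for ts, card, kind, amount, terminal in events:
        if not terminal.startswith("ATM"):
            continue  # only cash withdrawals matter for this pattern
        s = stats[card]
        if kind == "AUTH":
            s["auth"] += 1
        elif kind == "CANCEL":
            s["cancel"] += 1
            if ts.hour in night_hours:
                s["night_cancel"] += 1
    flagged = {}
    for card, s in stats.items():
        if s["auth"] and s["cancel"] >= min_cancels and s["cancel"] / s["auth"] >= min_ratio:
            flagged[card] = {"cancel_ratio": s["cancel"] / s["auth"], "night_cancels": s["night_cancel"]}
    return flagged
```

Real deployments would also correlate the cancel with the operator account and workstation that issued it, since in this scheme the cancels come from an attacker-controlled session on the processing machine rather than from the cardholder.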

Kaspersky researchers said an investigation by themselves and law enforcement into the group is still underway. So far no attacks have been seen outside Russia, but Kaspersky warned banks to check for infections proactively, as the group's activities could expand.

GCMAN

The second group, GCMAN, sometimes does not even need malware, instead using legitimate penetration testing tools such as PuTTY and VNC. Once inside a bank's network, they move to internal computers by hijacking local domain controllers with the same legitimate tools, until they find the machine responsible for payment card processing.

Rather than send fellow criminals to cash machines to withdraw money, GCMAN makes use of online payments, sending $200, the maximum allowed in Russia for anonymous payments, every minute.

While Golovanov said that may not sound like a lot of cash, and while he could not disclose the sorts of financial damage already wreaked, he warned that it would add up quickly.

All of the attacks are against banks and businesses with firewalls, strong encryption and other security features, but once hackers were inside the company's internal infrastructure, "they were open", Golovanov said. 
