Carbanak 2.0: the billion-dollar bank heist is back

Kaspersky reveals new threat to banks after last year's devastating Carbanak hack

Cybercriminals are targeting banks and businesses with a new version of a damaging attack that helped them steal $1 billion last year, according to Kaspersky.

Carbanak was first noticed last year. The targeted series of attacks saw hackers net as much as a billion dollars from banks around the world by infiltrating internal networks, and in some cases, directing ATMs to spit out cash.

Now its successor, Carbanak 2.0, is targeting the budgeting and accounting departments of companies beyond banks, and in one instance even changed a firm's ownership details, according to Kaspersky.

Speaking at the security vendor's Security Annual Summit in Tenerife today, researcher Sergey Golovanov said "the aim is to do the same" as last year, with criminals targeting millions of dollars from each attack.

So far, the attack has not been seen outside of Russia, but Golovanov noted that the last version of Carbanak was limited to Ukraine before hopping country to country and spreading around the world.

The company also revealed details on both the Metel cybercrime group and GCMAN, which use similar targeted tactics to rob financial institutions.

Heavy Metel

The Metel group targets specific individuals working at banks with spear-phishing emails using malicious attachments made with the Niteris exploit pack. Once on a computer inside the network, they use legitimate penetration testing tools to jump to other computers, aiming for a payment card processing machine inside the bank.

Once they understand the bank's infrastructure, they tunnel into that machine, which is connected to the internet, and can see details such as card numbers, passwords and balances, as well as block or cancel transactions.

Criminals can use payment cards to withdraw cash from ATMs, while their colleagues ensure the victim's balance never decreases simply by clicking "cancel" when the transaction comes up on the processing computer.

Golovanov said that meant criminals had to sit there and click "lots of times", while their colleagues drove around Russian cities at night emptying cash machines.

Kaspersky researchers said an investigation by themselves and law enforcement into the group is still underway. So far no attacks have been seen outside Russia, but Kaspersky warned banks to check for infections proactively, as the group's activities could expand.

GCMAN

The second group, GCMAN, sometimes needs no malware at all, instead using legitimate penetration testing tools such as PuTTY and VNC. Once inside a bank's network, they jump to internal computers by hijacking local domain controllers with the same legitimate tools until they find the machine responsible for payment card processing.

Rather than send fellow criminals to cash machines to withdraw money, GCMAN makes use of online payments, sending $200, the maximum allowed in Russia for anonymous payments, every minute.

While Golovanov said that may not sound like a lot of cash, and while he could not disclose the sorts of financial damage already wreaked, he warned that it would add up quickly.

All of the attacks are against banks and businesses with firewalls, strong encryption and other security features, but once hackers were inside the company's internal infrastructure, "they were open", Golovanov said.
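As an added detection example (not code from the article or from Kaspersky), the Python below runs over constructed processing-host events and flags the two patterns described above: Metel's repeated ATM withdrawal followed by a "cancel" on the same card, and GCMAN's fixed $200 online payment sent every minute. The event names, thresholds and sample rows are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of processing-host events (not real bank data).
# Tuple: (timestamp, card/account id, event type, amount in USD)
EVENTS = [
    ("2016-02-08 01:00:05", "card-1", "ATM_WITHDRAW", 500),
    ("2016-02-08 01:00:40", "card-1", "CANCEL", 500),        # accomplice clicks "cancel"
    ("2016-02-08 01:07:10", "card-1", "ATM_WITHDRAW", 500),
    ("2016-02-08 01:07:55", "card-1", "CANCEL", 500),
    ("2016-02-08 01:15:00", "card-1", "ATM_WITHDRAW", 500),
    ("2016-02-08 01:15:30", "card-1", "CANCEL", 500),
    ("2016-02-08 09:30:00", "card-2", "ATM_WITHDRAW", 100),  # ordinary customer,
    ("2016-02-08 09:31:00", "card-2", "CANCEL", 100),        # one genuine reversal
    ("2016-02-08 10:00:00", "acct-3", "ONLINE_PAYMENT", 200),  # two payments hours apart
    ("2016-02-08 14:00:00", "acct-3", "ONLINE_PAYMENT", 200),
] + [("2016-02-08 02:0%d:00" % i, "acct-9", "ONLINE_PAYMENT", 200) for i in range(5)]

def _parse(events):
    rows = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), who, ev, amt) for t, who, ev, amt in events]
    return sorted(rows)

def metel_rollback_cards(events, window=timedelta(minutes=5), min_pairs=3):
    """Cards whose ATM withdrawals are repeatedly cancelled on the processing host
    within `window`: the balance-never-decreases pattern described for Metel."""
    pending, pairs = {}, defaultdict(int)
    for ts, who, ev, amt in _parse(events):
        if ev == "ATM_WITHDRAW":
            pending[who] = (ts, amt)
        elif ev == "CANCEL" and who in pending:
            w_ts, w_amt = pending.pop(who)
            if amt == w_amt and ts - w_ts <= window:
                pairs[who] += 1
    return sorted(who for who, n in pairs.items() if n >= min_pairs)

def gcman_drip_accounts(events, amount=200, min_run=5, tolerance=timedelta(seconds=10)):
    """Accounts sending a fixed-amount online payment about once a minute, at least
    `min_run` times in a row: the slow-drip pattern described for GCMAN."""
    stamps, flagged = defaultdict(list), set()
    for ts, who, ev, amt in _parse(events):
        if ev == "ONLINE_PAYMENT" and amt == amount:
            stamps[who].append(ts)
    for who, times in stamps.items():
        run = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if abs((cur - prev) - timedelta(minutes=1)) <= tolerance else 1
            if run >= min_run:
                flagged.add(who)
    return sorted(flagged)
```

Both rules key on the processing host's own event stream, which is the one vantage point the attackers in both stories had to touch.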
