Hackers have stolen around $1 billion since 2013, according to a new report by Kaspersky Labs, a Russian security company and major player in the information security industry. The methods? Malware, downloaded by bank employees, was used to find vulnerabilities in routine procedures. Once the cyber criminals had discovered these weaknesses, they turned to social engineering tactics (impersonating supervisory roles within the institution) and used the credentials they had created to transfer money to their own accounts. This is very similar to a corporate account takeover (CATO) scheme. The hackers also implemented an ATM cash-out method in which they overrode the machines' daily transaction limits and set them to dispense money on a schedule.

Malware

According to Kaspersky, the hackers kept their theft under $10 million per institution hit to avoid detection. Judging by the nature of these attacks, they were unlikely to have been carried out by a nation-state, a hacktivist group, or a lone criminal. Because these attacks were designed solely for financial gain, it's fair to assume they were the work of a criminal syndicate intent on a hefty payday. This is significant because such attacks are usually intended to affect the customers of the institutions rather than the institutions themselves. Here, it seems the sole objective was to make money.

The Federal Financial Institutions Examination Council (FFIEC) members are doing their best not only to raise awareness regarding cybersecurity, but also to push the implementation of mitigating controls that minimize the impact of an attack. The National Institute of Standards and Technology (NIST) defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." The FFIEC and NIST both advise institutions to implement and test a strong incident response plan (IRP) that includes information sharing with other corporations in the industry as well as with law enforcement.
