Hackers have stolen roughly $1 billion from banks since 2013, according to a new report by Kaspersky Lab, a Russian security company and a major player in the information security industry. The method? Malware, downloaded onto bank employees' machines, was used to study routine procedures and find weaknesses in them. Once the criminals understood those procedures, they used social engineering (impersonating supervisory roles within the institution) together with credentials they had created to transfer money to their own accounts, much like a corporate account takeover (CATO) scheme. They also ran an ATM cash-out operation, overriding the machines' daily transaction limits and programming them to dispense cash on a schedule.
According to Kaspersky, the attackers kept their take under $10 million per institution to avoid detection. Judging by the nature of these attacks, they were unlikely to be the work of a nation-state, a hacktivist group, or a lone criminal. Because the attacks were designed solely for financial gain, it is fair to assume they were carried out by a criminal syndicate after a hefty payday. This matters because attacks on banks usually target the institutions' customers rather than the institutions themselves; here, the sole objective was to take money from the banks directly.
The Federal Financial Institutions Examination Council (FFIEC) members are working not only to raise awareness of cybersecurity but also to push institutions to implement mitigating controls that minimize the impact of an attack. The National Institute of Standards and Technology (NIST) defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” Both the FFIEC and NIST advise institutions to implement and test a strong incident response plan (IRP), one that includes information sharing with other organizations in the industry as well as with law enforcement.