Hackers have stolen around $1 billion from banks since 2013, according to a new report by Kaspersky Lab, a Russian security company and major player in the information security industry. The methods? Malware, downloaded by bank employees, that let the attackers observe routine procedures and find weaknesses in them. Once those weaknesses were identified, the criminals used social engineering (impersonating supervisory roles within the institution) together with fraudulently created credentials to transfer money to their own accounts, much as in a corporate account takeover (CATO) scheme. The hackers also ran an ATM cash-out operation in which they overrode the machines' daily transaction limits and configured them to dispense cash on a schedule.
According to Kaspersky, the hackers kept the take under $10 million per institution to avoid detection. Judging by the nature of these attacks, they were unlikely to be the work of a nation-state, a hacktivist group, or a lone criminal. Because they were designed solely for financial gain, it is fair to assume they were carried out by a criminal syndicate seeking a hefty payday. This is significant because attacks on financial institutions usually target the institutions' customers rather than the institutions themselves. Here, the sole objective was to make money, and the banks themselves were the victims.
The members of the Federal Financial Institutions Examination Council (FFIEC) are working not only to raise awareness of cybersecurity but also to push the implementation of mitigating controls that minimize the impact of an attack. The National Institute of Standards and Technology (NIST) defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” Both the FFIEC and NIST advise institutions to implement and test a strong incident response plan (IRP) that includes information sharing with other institutions in the industry as well as with law enforcement.