Carbanak, a type of cybersecurity attack on banks, has been spotted in action again.
Kaspersky Lab, the Moscow-based security software company that announced the discovery this week, is calling this round "Carbanak 2.0." (The name is derived from the malware it's based on, the banking Trojan Carberp.) Last year, the so-called Carbanak Gang of hackers breached the networks of 100 banks in 30 countries and stole a reported $1 billion.
To be sure, Kaspersky Lab sells antivirus and Internet security software, and so might have a business motivation to stir up fear. However, the company's own reports show its software isn't always blocking Carbanak, and the detailed information it shares about attacks is as useful to noncustomers as it is customers. And several other security firms back up the Kaspersky Lab findings.
"It's a very real problem for the U.S. banks," said Richard Peters, managing director of Berkeley Research Group, an advisory firm in Emeryville, Calif.
"I can almost guarantee you there are compromised U.S. financial institutions today with similar types of things going on. It just hasn't been made as public as maybe we'd like it to be," he said.
Gary McAlum, chief security officer at USAA, calls Carbanak 2.0 "the flavor of the day."
"It was Zeus before, it was Trident, now it's Carbanak 2.0," McAlum said. "There's always a sophisticated form of malware out there. It typically gets into an organization through a phishing attack, maybe through a supply chain point of entry. … There will be another flavor of the day in the future once this one is under control. It's an arms race."
For Johan Gerber, executive vice president of security and decision products at MasterCard, Carbanak is high on the security priority list.
"It's definitely a big concern for us," he said. "I remember those attacks when they happened the first time. We're waiting for the next wave to hit us."
SafetyNet, MasterCard’s fraud monitoring service, is used by 80% of the brand's card issuers. It is rules-based, so it can be quickly adjusted to block suspicious transactions arising from Carbanak, Gerber said.
CSIS Security Group, a Copenhagen-based IT security advisory company, has also seen evidence of Carbanak in the U.S.
"We can confirm that Carbanak is still being used in targeted attacks and we can document it was dropped by Dridex [another bank Trojan] in a case we investigated back in September," said Peter Kruse, partner and security specialist at the firm.
When reports of Carbanak came out last year, industry groups like the Financial Services Information Sharing and Analysis Center and the American Bankers Association said the threat was overhyped and wasn't reaching U.S. banks. Kaspersky researchers countered that they had seen evidence of U.S. banks being compromised by such attacks.
This time around, a spokesman for the Washington-based FS-ISAC, which gathers security incident information from thousands of member banks, would not discuss Carbanak. "I don't think we have much to say on that vendor-driven report at this time," he said.
The cybercrime ring operates out of Russia and China, attacking banks by sending spearphishing emails (messages cleverly crafted to appear to be from a trusted source) to their employees and customers. By clicking on the email attachments, recipients unwittingly download malware onto their computers. The malware lurks for a long time, learning about the behavior of the user or processes at the bank, then steals money by emulating legitimate employee or customer activities, such as normal-looking online banking transactions. It thus avoids detection and fraud monitoring.
This year, the Carbanak Gang is using slightly different tactics. For one thing, it's more often targeting banks' corporate customers, making its fingerprints even harder for banks to detect.
"They're attacking the supply chain and indirectly affecting banks through their large-account customers," Peters said.
And two more groups have joined the gang, according to Kaspersky Lab. One group, called Metel, specializes in ATM fraud. In one case, Metel attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. Then they rolled back the ATM transactions in the banks' servers, so the money was instantly returned to the accounts after the cash had been dispensed from the ATMs. "The group worked exclusively at night, emptying ATM cassettes at several locations," Kaspersky researchers said in a blog post.
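The rollback pattern described for Metel (cash dispensed, then the withdrawal reversed in the bank's own ledger, overnight, across several ATMs) is something a bank's fraud team can look for in its core-banking records. The detector below is an added example, not code from the article or from Kaspersky's report; the ledger format, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed ledger lines (not from the article): one account cashes out at
# three ATMs overnight with each withdrawal reversed seconds later.
SAMPLE_LEDGER = """\
acct=1001 atm=ATM-07 type=WITHDRAW amount=300 ts=2016-02-09T02:14:05
acct=1001 atm=ATM-07 type=REVERSAL amount=300 ts=2016-02-09T02:14:09
acct=1001 atm=ATM-12 type=WITHDRAW amount=300 ts=2016-02-09T02:31:40
acct=1001 atm=ATM-12 type=REVERSAL amount=300 ts=2016-02-09T02:31:44
acct=1001 atm=ATM-03 type=WITHDRAW amount=300 ts=2016-02-09T03:02:11
acct=1001 atm=ATM-03 type=REVERSAL amount=300 ts=2016-02-09T03:02:15
acct=2002 atm=ATM-07 type=WITHDRAW amount=100 ts=2016-02-09T14:10:00
acct=2002 atm=ATM-07 type=REVERSAL amount=100 ts=2016-02-09T14:10:20
"""

def parse_ledger(text):
    """Turn key=value ledger lines into dicts with typed amount and timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["amount"] = int(rec["amount"])
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events

def find_rollbacks(events, window_s=60):
    """Pair each WITHDRAW with a same-account/ATM/amount REVERSAL within window_s."""
    pending, rollbacks = {}, []  # pending: (acct, atm, amount) -> withdrawal
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["acct"], ev["atm"], ev["amount"])
        if ev["type"] == "WITHDRAW":
            pending[key] = ev
        elif ev["type"] == "REVERSAL" and key in pending:
            w = pending.pop(key)
            if (ev["ts"] - w["ts"]).total_seconds() <= window_s:
                rollbacks.append(w)  # cash left the ATM, ledger was put back
    return rollbacks

def flag_accounts(rollbacks, min_atms=2, night=(0, 6)):
    """Flag accounts whose rollbacks span several ATMs and all fall overnight."""
    by_acct = defaultdict(list)
    for w in rollbacks:
        by_acct[w["acct"]].append(w)
    flagged = {}
    for acct, ws in by_acct.items():
        atms = {w["atm"] for w in ws}
        at_night = all(night[0] <= w["ts"].hour < night[1] for w in ws)
        if len(atms) >= min_atms and at_night:
            flagged[acct] = {"rollbacks": len(ws), "atms": sorted(atms), "cash_out": sum(w["amount"] for w in ws)}
    return flagged
```

Account 2002's single daytime reversal at one ATM is a plausible failed-dispense refund and is left alone; account 1001's three overnight rollbacks across three ATMs are what the heuristic surfaces.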
The other new related gang, GCMAN, sends spearphishing emails with malware attachments that look like Word documents. Once the malware breaches the bank's network, it uses legitimate penetration testing tools to move around and finds a way to transfer money from the bank to digital currency, in one case sending $200 a minute. It has been found to lurk in a victim's network for a year and a half before activating a theft.
Advanced and Persistent
Carbanak and other advanced persistent threats continue to grow more sophisticated.
The spearphishing emails have become more credible. (Sometimes the term "business email compromise" is used to describe these emails that can fool people at the highest level of organizations.)