Editor at Large

Carbanak, a type of cybersecurity attack on banks, has been spotted in action again.

Kaspersky Lab, the Moscow-based security software company that announced the discovery this week, is calling this round "Carbanak 2.0." (The name is derived from the malware it's based on, the banking Trojan Carberp.) Last year, the so-called Carbanak Gang of hackers breached the networks of 100 banks in 30 countries and stole a reported $1 billion.

To be sure, Kaspersky Lab sells antivirus and Internet security software, and so might have a business motivation to stir up fear. However, the company's own reports show its software isn't always blocking Carbanak, and the detailed information it shares about attacks is as useful to noncustomers as it is customers. And several other security firms back up the Kaspersky Lab findings.

"It's a very real problem for the U.S. banks," said Richard Peters, managing director of Berkeley Research Group, an advisory firm in Emeryville, Calif.

"I can almost guarantee you there are compromised U.S. financial institutions today with similar types of things going on. It just hasn't been made as public as maybe we'd like it to be," he said.

Gary McAlum, chief security officer at USAA, calls Carbanak 2.0 "the flavor of the day."

"It was Zeus before, it was Trident, now it's Carbanak 2.0," McAlum said. "There's always a sophisticated form of malware out there. It typically gets into an organization through a phishing attack, maybe through a supply chain point of entry. … There will be another flavor of the day in the future once this one is under control. It's an arms race."

For Johan Gerber, executive vice president of security and decision products at MasterCard, Carbanak is high on the security priority list.

"It's definitely a big concern for us," he said. "I remember those attacks when they happened the first time. We're waiting for the next wave to hit us."

SafetyNet, MasterCard’s fraud monitoring service, is used by 80% of the brand's card issuers. It is rules-based, so it can be quickly adjusted to block suspicious transactions arising from Carbanak, Gerber said.

CSIS Security Group, a Copenhagen-based IT security advisory company, has also seen evidence of Carbanak in the U.S.

"We can confirm that Carbanak is still being used in targeted attacks and we can document it was dropped by Dridex [another bank Trojan] in a case we investigated back in September," said Peter Kruse, partner and security specialist at the firm.

When reports of Carbanak came out last year, industry groups like the Financial Services Information Sharing and Analysis Center and the American Bankers Association said the threat was overhyped and wasn't reaching U.S. banks. Kaspersky researchers countered that they had seen evidence of U.S. banks being compromised by such attacks.

This time around, a spokesman for the Washington-based FS-ISAC, which gathers security incident information from thousands of banks members, would not discuss Carbanak. "I don't think we have much to say on that vendor-driven report at this time," he said.

New Tricks

The cybercrime ring operates out of Russia and China, attacking banks by sending spearphishing emails (messages cleverly crafted to appear to be from a trusted source) to their employees and customers. By clicking on the email attachments, recipients unwittingly download malware onto their computers. The malware lurks for a long time, learning about the behavior of the user or processes at the bank, then steals money by emulating legitimate employee or customer activities, such as normal-looking online banking transactions. It thus avoids detection and fraud monitoring.

This year, the Carbanak Gang is using slightly different tactics. For one thing, it's more often targeting banks' corporate customers, making its fingerprints even harder for banks to detect.

"They're attacking the supply chain and indirectly affecting banks through their large-account customers," Peters said.  

And two more groups have joined the gang, according to Kaspersky Lab. One group, called Metel, specializes in ATM fraud. In one case, Metel attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. Then they rolled back the ATM transactions in the banks' servers, so the money was instantly returned to the accounts after the cash had been dispensed from the ATMs. "The group worked exclusively at night, emptying ATM cassettes at several locations," Kaspersky researchers said in a blog.

The other new related gang, GCMAN, sends spearphishing emails with malware attachments that look like Word documents. Once the malware breaches the bank's network, it uses legitimate penetration testing tools to move around and finds a way to transfer money from the bank to digital currency, in one case sending $200 a minute. It has been found to lurk in a victim's network for a year and a half before activating a theft.

Advanced and Persistent

Carbanak and other advanced persistent threats continue to grow more sophisticated.

The spearphishing emails have become more credible. (Sometimes the term "business email compromise" is used to describe these emails that can fool people at the highest level of organizations.)

The malware has advanced to the point where it knows what antivirus software the bank is using and can change its own signature just enough to avoid detection, Peters said. Once the malware has infiltrated the bank's network, "it's just a matter of trying to pivot within the organization, trying to find users with elevated privileges — who has access to this side of the financial transaction, who are the system and database administrators?" he said.

The perpetrators have the benefit of time, Peters noted. "There's no concept of, 'This is going to take two weeks,' " he said. "It could take months to set this up. Once you've learned all this intelligence and gained privileged credentials, then it's just a matter of using the systems against the organization."

The exploit kits for creating these attacks are readily available, although the expertise behind them is not, Peters pointed out.

"You or I could go out and run these things," he said. "We'd get caught instantly; we're not putting in that extra effort. This is organized crime. They have all the time in the world. All they need is one mistake, one hole, one vulnerability, one problem, to get in. Whereas as defenders, we're putting out fires everywhere, we're wearing multiple hats, we don't know what we don't know. It's much easier being a bad guy."

Industry Response

In cases like Carbanak, the hackers have come and gone by the time a bank perceives the cybertheft and therefore can share information about it with the FS-ISAC. Although the FS-ISAC would not discuss Carbanak, Bob Carlson, the group's chief of staff, says that in general it is working to shorten the times between break-in and reporting of a breach back out to the community.

"When you alert others to a vulnerability or exploit, that will often prompt other firms to look for evidence of that threat indicator, and if they find something they in turn will also report to others about the threat and the steps they're taking to mitigate it," he said. "As you do that faster and faster, it makes it harder for the criminal gangs trying to execute fraud."

Meanwhile, there's little a bank can do to prevent Carbanak attacks. Educating employees and customers about the dangers of phishing emails is inadequate; people click on things they shouldn't on a regular basis.

Email authentication tools can help detect when the sender's email address doesn't match his identity, but cybercriminals also know how to get around these.

Antimalware software is a given, but it misses about 50% of malware, Peters estimated.

One thing his team thinks is helpful is "egress filtering" software that monitors outbound communications. Often in an advanced persistent threat, the malware sends information out to a command and control center, which gives it further instructions.

"A lot of organizations, not just financial institutions, do a poor job blocking outbound connections," Peters said. "Inbound we put up firewalls, we block stuff. Outbound, it's almost anything goes."

Whether or not Carbanak is going after your bank's network, hackers are trolling the Internet every hour of every day, looking for prey in every possible nook and cranny. I received three spearphishing emails in the day and a half I worked on this article. Kaspersky Lab and its cohorts are well worth listening to, even if there's self-interest mixed in.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.