The financial sector is reeling from one of the most sophisticated cyberattacks ever seen. The APT-style Carbanak malware attack differs from other APT attacks, as the attackers are not after data. They want cold hard cash and they are getting it. Carbanak has been used to steal funds to the tune of around $500 million. Or up to $1 billion, depending on who you speak to!

The malware, discovered by Kaspersky Lab, uses sophisticated methods for obfuscation so it is hard to identify once it is installed. There isn’t much good news about Carbanak, but one chink in the armor is the method used to get malware installed. That is far from sophisticated. In fact, it is rather simple. Cybercriminals are getting bank employees to install it for them.

Banks that have suffered Carbanak attacks have been lax with security. They have not instructed their employees how to identify bank phishing scams, and they have not been performing scans for malware. It may be hard to detect, but it is important to actually scan a network for malware periodically! Consequently, banks have not detected breaches until a long time after they have occurred.

One of the most sophisticated bank phishing scams is easy to avoid

Carbanak malware is delivered via email. The phishing emails have been sent to large numbers of bank employees, and many have clicked on the malicious links included in the emails. By doing so they inadvertently loaded the malware onto the banks’ administrative computers. Once installed, Carbanak happily collects information and sends it to the criminals’ command and control servers.

The malware logs keystrokes and searches for security vulnerabilities in the network. The data collected is used to make bank transfers to the criminals’ accounts, although the data that is obtained could be used for a number of different crimes. Some security experts estimate that the criminals behind the campaign have managed to steal over $1 billion so far. The bad news, and there is a lot of it, is that they are still continuing to obtain funds. As bank phishing scams go, this is one of the costliest.

Bank phishing scams account for a fifth of all phishing campaigns

There is a considerable amount of disagreement within the security community about the level of sophistication of Carbanak. But that is really beside the point. The malware is installed on computers and remains there undetected for a long time. It is used to obtain huge amounts of money. It doesn’t really matter how sophisticated the malware is.

What is more important is the lack of sophistication of the initial attack. Bank phishing scams are not that difficult to prevent, and this is no different. Bank employees just need to know how to identify phishing emails. Bank phishing scams account for a fifth of all phishing campaigns, so to prevent them it is vital that employees receive training to help them identify the scam emails.

It is also essential that training is followed up with phishing email exercises to test employees’ knowledge. Can they actually identify a phishing email, or were they not paying attention during training? Don’t leave that to chance, as it could prove costly!

Bank phishing emails are very convincing

The criminals behind bank phishing scams have spent a long time crafting very credible emails. The emails need to be realistic, as bank employees would not open an attachment in order to find out about a $1,000,000 inheritance they have received from an unknown Saudi relative (some do!). Cybercriminals are now developing very convincing emails, and are even running them through a spelling and grammar check these days.

Bank phishing emails provide a legitimate reason for taking a particular action. Typically, the reason is to:

  • Verify account details to prevent fraud
  • Upgrade security software to keep systems secure
  • Perform essential system maintenance
  • Take action to protect customers from fraud
  • Perform identity verification to allow a refund to be processed
  • Verify identity to allow packages to be delivered by couriers

The aim of most bank phishing scams is to get users to click on a link to a website that will download malware onto their computer, to get them to open an email attachment (a zip file) that contains malware, or to get them to install malware in the belief that they are opening a PDF or Word file.
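Each of the delivery mechanisms just described leaves a trace that can be checked mechanically before a message reaches an inbox. The following Python routine is an added example, not part of the original article: it walks a MIME message, flags executable attachments (including ones hiding behind a document extension) and archives, and flags links whose visible text names a different site than the real destination; the sample message, its domain names and its payload bytes are constructed for the demonstration.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that run code when "opened", the documents they masquerade as, and archives.
EXECUTABLE = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
ARCHIVE = {".zip", ".rar", ".7z"}
ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):  # crude: last two labels, no public-suffix list
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_attachment(filename):
    """Flag executables (including ones hiding behind a document extension) and archives."""
    exts = ["." + e for e in filename.lower().split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE:
        hidden = len(exts) > 1 and exts[-2] in DOCUMENT
        return [f"executable attachment{' disguised as document' if hidden else ''}: {filename}"]
    if exts and exts[-1] in ARCHIVE:
        return [f"archive attachment needs inspection: {filename}"]
    return []

def check_link(href, visible_text):
    # The visible text names one site while the href actually goes somewhere else.
    target = urlparse(href).hostname or ""
    shown = re.search(r"https?://([^/\s]+)", visible_text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
        return [f"link text shows {shown.group(1)} but goes to {target}"]
    return []

def triage(msg):
    """Walk every MIME part of an EmailMessage and collect suspicious indicators."""
    findings = []
    for part in msg.walk():
        if part.get_filename():
            findings += check_attachment(part.get_filename())
        elif part.get_content_type() == "text/html":
            for href, inner in ANCHOR_RE.findall(part.get_content()):
                findings += check_link(href, re.sub(r"<[^>]+>", "", inner).strip())
    return findings

def constructed_sample():
    """Constructed phishing-style message; domains and payload bytes are made up."""
    msg = EmailMessage()
    msg.set_content('<p>Log in at <a href="http://login.bank-secure-update.example">'
                    "https://online.examplebank.com</a></p>", subtype="html")
    msg.add_attachment(b"MZ-fake-bytes", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg
```

Running `triage(constructed_sample())` reports the mismatched link and the executable disguised as a PDF; a mail gateway would quarantine on either finding rather than rely on the recipient noticing.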

The Three Main Types of Bank Phishing Scams

Bank phishing scams can be highly varied, but generally fall into one of three main categories:

Opportunistic Attacks

Opportunistic attacks are the most common types of phishing attacks and they tend to be the easiest to identify. Millions of spam emails are sent containing malicious links or attachments in the hope that some individuals will install the malware they contain or link to. This type of phishing campaign is often used to deliver ransomware. Criminals often use links to websites containing common exploit kits to download malware onto machines.

Zero Day

A zero-day attack is one that exploits a known security vulnerability that has not yet been patched. Researchers are discovering new security vulnerabilities on a daily basis, but it takes time for software developers to issue patches to protect users. It takes more skill to conduct this sort of campaign as the hacker must develop a way of exploiting a vulnerability. However, the same shotgun approach is used to deliver the malware that exploits the vulnerability. The favored delivery method is mass spam email.

APT (Advanced Persistent Threat)

The third type of phishing attack is the one that was used for Carbanak. This type of phishing campaign also exploits zero-day vulnerabilities, but in contrast to ransomware, which acts fast and makes the presence of the malware infection abundantly clear, APT attacks remain hidden for a long period of time. They are stealthy and their aim is to steal data. That said, in the case of Carbanak the attack was used to steal money.

These attacks tend to be targeted. Banks, financial institutions, healthcare organizations, and government departments are all targeted using this type of phishing campaign. Malware is not sent using mass spam emails; instead, the targets are typically researched and spear phishing emails are sent.

How to defend against these targeted bank phishing scams

Carbanak has been used for bank phishing scams for close to two years now, so it is nothing new. What is peculiar about the campaign is that it uses tactics more commonly seen in state-sponsored attacks for spying on governments, and those used by cyberterrorists. The attack on Sony, for instance, started with a phishing email of this ilk.

Unfortunately, while the first two types of phishing emails are relatively easy to block with anti-spam solutions and phishing email filters, it is much harder to block APT spear phishing emails. They tend not to contain links to known malware sites, and are often sent from email accounts that have already been compromised. They also contain links to legitimate websites that have been infected with malware. They can be hard to identify and block.

There are steps that can be taken to reduce the risk of an attack being successful. It is essential to provide staff members with training to help them identify phishing emails. Employees must be aware of the common signs to look for and must be told to be extremely cautious with emails. Email attachments are a potential danger, but do employees know the danger of clicking links? Make sure they do!

Training exercises have been shown to be highly beneficial. The more times employees are tested on their phishing email identification skills, the better they become at identifying email scams.

It is also essential to ensure that patches are installed as soon as they are released. Zero-day attacks will take place until the security vulnerabilities are addressed. This applies to the likes of Adobe Flash, Microsoft products, and any software application.

Patches are issued frequently, so it can be almost overwhelming to keep on top of them all, but that is what is needed.

Perform regular training – and conduct refresher courses – and make sure regular security audits of the entire network infrastructure take place. It all takes time, effort, and involves a considerable cost. That said, the cost will be considerably lower than the cost of dealing with a Carbanak malware attack.