Once upon a time, when computing and the internet were young, worms, viruses, Trojans, spyware and malware were nonexistent. As computing and the internet matured, all of these agents of theft and destruction appeared. At first, they were attacks engineered by brilliant geeks who just wanted to see if they could actually do it. Then came brilliant geeks with low moral fiber who decided to see what they could steal or destroy with these new weapons. Then organized crime, hostile governments and hacktivists got into the act, all with their own agendas. Computing and the internet lost their innocence and whole industries and disciplines of study came into being to combat the bad guys. It’s been seventy years since computing concepts were introduced, and thirty years or so since the advent of Arpanet and its morphing into the Internet as we know it. Hacking has been around those same thirty or so years, and as computing has gotten more sophisticated, so has hacking.

Let’s Go Phishing

No, not with a rod and reel; a specific type of hack known as phishing has been around since the advent of email. Users of email are generally not computer geeks, and they tend to be trusting; phishing is a cyber-attack launched against the unknowing and trusting end-user.

Phishing attacks through email and the web are attempts to get personal and financial information from the target. The email will purport to come from a bank, for instance, and say there is a problem with the user’s account. The user is then directed to reply to the email with personal information, such as a Social Security number and bank account, so the trouble may be resolved. Or, since the advent of online banking, the user may be directed to a website to enter the information. The website is fake, but designed to appear real. The hacker then gets access to the target’s identity and money.

APT Hacking

Advanced Persistent Threats are sustained cyber-attacks against a specific target, usually a bank or financial institution. These attacks are generally launched via an email to an employee at the institution, purporting to come from a trusted source. When the targeted employee replies, code is loaded onto the machine; this code provides the hacker with a backdoor into the targeted institution’s network, computer, and software. If the infected machine has a webcam, the hacker is able to record video of the workspace; this lets them see how information and money are handled. Combined with keylogging software embedded when the hack took place, this gives the hacker enough information to steal without the target being aware of the theft.

APTs are generally run by groups, such as organized crime or state-sponsored hackers. Hacktivists backed by an organization with an agenda also launch APTs. It requires time and resources to launch a sustained hack, so individuals generally are not responsible for an APT.

Carbanak

One recent APT is the Carbanak attack. Carbanak originated in Russia, but it went global quickly. Estimates of losses have reached the one-billion-dollar mark. The attack was launched against 100 organizations in Russia, Ukraine, the US, Germany and China. While these attacks were found and neutralized, the gang behind the APT is still operating.

The Dangers of Carbanak

Carbanak is a sophisticated APT; the people behind it are still at large and still operating. An unprotected and unsuspecting bank or financial institution is at risk of significant financial loss. Also, while the main thrust has been money, this hack can potentially give the hackers personal information on account holders, should they choose to take it. This exposes customers to identity theft as well as loss of money.

Banks and financial institutions should defend against potential Carbanak attacks. Simple steps include removing webcams from machines and scanning all machines for the threat with current software and definitions: when each machine is first booted up, then periodically during the day, and just before machines are shut down. Another step is to have the bank’s security system on a completely separate network from the computers. This prevents the hack from using the security cameras to obtain video. There are other, more complicated measures as well.

Until the gang behind the Carbanak APT is apprehended, the world’s banks and financial institutions will have to defend themselves and their customers from this organized hack.