Kaspersky Lab has released reports stating that bank hackers stole millions via malware. The initial reports indicated that hackers stole approximately $1 billion from over 100 banks in 25 countries — including the United States (although now FS-ISAC claims no US banks were impacted). Whether or not US banks were hit isn’t the most interesting point. What is interesting is how the cybercriminals infiltrated the banks they did breach, and what they stole.
As with many of the large breaches we’ve seen in the past year, the cybercriminals used a variety of techniques as part of their infiltration strategy. It started with phishing attacks that introduced malware (Carbanak), which exploited a vulnerability in Microsoft Office products. The cybercriminals then reportedly monitored bank employees’ activities and used the information gathered to steal upwards of a billion dollars from the banks.
That is the interesting part: they stole directly from the banks, in some cases causing ATM machines to spurt money — money the cybercriminals didn’t even collect. Cybercriminals normally attack banks, retailers, healthcare institutions, insurers and other types of companies with the intent of stealing customer data for use in identity theft. This time, they stole directly from the banks, making the banks the end victim. The fact that the cybercriminals didn’t move on to steal customer data, and that the funds ejected from ATMs were picked up by (lucky) bystanders, makes me wonder what the hackers’ real goals are — but that is a totally different post and one based purely on speculation.
Typically, when large-scale breaches occur, the organization that was breached feels the repercussions in terms of negative press, as well as a general loss of confidence from consumers. However, calculating the full impact of a breach has been challenging and fraught with inaccuracies, and the enterprise is usually able to recover.
With cybercriminals now targeting the enterprise itself for theft of money, rather than just information, I wonder if this will spur enterprises to reassess their security programs and work harder to secure the attack vectors most used by cybercriminals. For example, the Verizon 2014 Data Breach Investigations Report found that web applications are now the number one attack vector for successful breaches. However, as IDG recently found, “the majority of web applications are not assessed for critical security vulnerabilities.” Will we see an increase in interest around this topic now that enterprises’ pocketbooks are directly impacted?
What do you think? Will the change in cybercriminals’ MOs change the discussion around enterprise security? Is your company already assessing the security of its web applications? What about the applications from third-party vendors?