More on the Bank heist – Kaspersky report pulled
It appears from reporting today by KrebsOnSecurity that the activities referenced in the report are part of an ongoing attack spanning several years. There is no apparent newness here other than the Kaspersky report itself, and they are not doing a very good job today of following up the hype they created yesterday. The politics of security reporting aside, there are some real lessons here for banks to be conscious of.
The game-changing aspect I indicated yesterday, the amending of the banks' sub-ledgers, appears to be real. The information I could glean today validates that they are able to observe business processes using screenshots and video gathered by malware deployed within the banks' systems on users' desktops.
The attack is ongoing against multiple banks. Once they are inside a bank, the target is generally compromised for two to four months. This period is used to gain intelligence on the actual processes within the target bank, as carried out on the desktops of individual employees.
The original and primary attack method is malware-infected attachments using Microsoft Word 1997-2003, sent by email. Apparently the patches released for those MS Word versions were not installed.
Once the malware is deployed within the target bank, the bad guys can observe bank officers' work protocols and processes over time, observe their daily routines, and discern the best time window for attacks, the one that would give them the most time to perpetrate and successfully complete the money theft.
The actual thefts seem to have been centred on SWIFT and ATM cash.