Despite the vast sums that the finance sector spends on advanced security systems and innovations, financial crime continues to trouble many. From phishing to counterfeit cheques, there are a number of crimes that should concern information security executives, not least digital bank robberies – robberies carried out on banks using computers, rather than the explosives and drills of classic Hollywood heists. Either way, criminals make off with a lot of money that they have no right to.
How do digital robberies work?
Typically, intruders choose their targets based on their technical expertise, available tools and knowledge of internal banking processes. The methodology is relatively straightforward:
- Survey and prepare:
Attacks start with an attempt to gather as much information about the target as possible. Since active probing of the target's external systems can be detected by security systems, criminals rely on passive methods to obtain information, for example identifying domain names and addresses belonging to the bank. There is a lot of other information around that we might not necessarily recognise as useful to a digital bank robber:
- Information about network perimeter systems and software
- Names, email addresses, telephone numbers and positions of employees
- Partners and contractors, as well as their systems and employees
- Business processes
- Penetrate internal networks
After doing the groundwork, attackers go on the offensive. They phish, exploit network vulnerabilities and use third-party resources to infect networks – all in the hope of accessing the target's local area network (LAN).
- Attack and gain a foothold in the network
Once criminals have gained access to the bank’s intranet, they need to obtain local administrator privileges to continue their attack. Success relies on insufficient system protection against internal attackers. Common vulnerabilities include:
- Use of outdated software
- Failure to install security updates
- Configuration errors (including excessive user and software privileges, as well as setting local administrator passwords through group policies)
- Use of dictionary passwords by privileged users
- Absence of two-factor authentication for access to critical systems
Once a criminal has user privileges on a local host, they can intercept credentials transmitted through the network, extract credentials from the operating system's memory, mount brute-force attacks and exploit LAN vulnerabilities.
They can also read group policies and extract credentials stored there, giving full access to LAN hosts. Working carefully and without arousing suspicion, the criminal will attempt to extract more credentials from the operating system's memory, connect to other network hosts and extract more credentials – and so establish full access to the domain controller.
- Compromise banking systems and steal funds
After gaining a foothold in the network, criminals need to understand where the target banking systems are and find the most convenient ways to access them. Criminals examine users’ workstations in search of files indicating that a particular workstation has worked with bank applications. Specialised software is usually used to store passwords for critical systems on corporate networks.
An intruder with local administrator privileges can copy the memory dump of that software, extract the passwords for applications or encrypted databases, and obtain clear-text passwords to critical bank applications, including core banking systems, SWIFT and ATM management workstations.
Theft methods include:
- Transferring funds to fictitious accounts through interbank payment systems
- Transferring funds to cryptocurrency wallets
- Controlling bank cards and accounts
- Controlling ATMs
- Conceal traces
To impede investigations, criminals try to conceal their traces. Although many attackers use RAM-resident malware, signs of their presence still remain: entries in event logs, registry changes and other artefacts. Some intruders prefer a less surgical approach, erasing boot records and hard disk partition tables on network hosts and disabling them entirely.
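The foothold and trace-concealment stages above leave exactly the kind of log evidence a bank's monitoring team can look for: one account logging on to many hosts in a short window, followed by the security log being cleared. The following added example (not part of the original article) runs two such detections over constructed Windows-style logon records; the event IDs 4624 (successful logon) and 1102 (audit log cleared) are real Windows Security log IDs, while the host names, accounts and timestamps are invented sample data.

```python
"""Detection over constructed Windows-style audit records: lateral-movement
fan-out and audit-log clearing, the two traces the article describes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time, host, event id, account, source host.
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:05", "WS-017",   4624, "j.smith",    "WS-017"),  # local interactive logon
    ("2024-03-01T02:01:10", "FS-01",    4624, "svc_backup", "WS-017"),  # network logons fanning out
    ("2024-03-01T02:01:42", "DB-02",    4624, "svc_backup", "WS-017"),
    ("2024-03-01T02:02:03", "SWIFT-GW", 4624, "svc_backup", "WS-017"),
    ("2024-03-01T02:02:30", "DC-01",    4624, "svc_backup", "WS-017"),
    ("2024-03-01T02:15:00", "DC-01",    1102, "svc_backup", "DC-01"),   # security log cleared
    ("2024-03-01T09:00:00", "WS-022",   4624, "a.khan",     "WS-022"),
]

def parse(record):
    """Turn one raw tuple into a dict with a real datetime for window arithmetic."""
    ts, host, eid, account, src = record
    return {"time": datetime.fromisoformat(ts), "host": host,
            "event_id": eid, "account": account, "source": src}

def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag an account that logs on to >= min_hosts distinct remote hosts from one
    source within `window`; the sliding window starts at each logon in turn."""
    per_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["host"] != e["source"]:  # remote logons only
            per_key[(e["account"], e["source"])].append(e)
    alerts = []
    for (account, source), evs in per_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_fan_out", "account": account,
                               "source": source, "hosts": sorted(hosts)})
                break  # one alert per (account, source) is enough
    return alerts

def detect_log_clear(events):
    """Event 1102 is written once by the Eventlog service when the security log is cleared."""
    return [{"rule": "audit_log_cleared", "host": e["host"], "account": e["account"]}
            for e in events if e["event_id"] == 1102]

def analyse(records):
    events = [parse(r) for r in records]
    return detect_fan_out(events) + detect_log_clear(events)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (10 minutes, 3 hosts) are assumptions for the sample; a real deployment would tune them per account class, since backup and monitoring accounts legitimately fan out.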
Financial crime continues to pose a major threat to the region’s financial services industry. While the industry remains committed to tackling all of its many different forms, eradicating the threat – including digital bank robberies – requires the combined efforts of not just the banks themselves but also industry bodies, regulators and professional services companies like Keypoint.
Our seasoned team of industry experts has the expertise and skill sets organisations need to fight against a range of cyber-crimes, including digital bank robberies.
For more details on Keypoint’s services, please visit keypoint.com