It took Bonnie and Clyde three years to rob about a dozen banks, but the scourge of bankers today is a quiet Russian hacking group called, appropriately enough, MoneyTaker, and they don’t need nearly as much drama to abscond with cash.
Using often tailor-made hack attacks that regularly rely on near-undetectable fileless malware, the MoneyTaker gang has, in barely a year and a half, robbed millions from 20 banks so far and counting. What’s worse is that the gang has stolen data that could let it hijack Swift transactions, leading Swift for the first time to issue a report on cyber-vulnerabilities with the banks it works with.
While hackers usually don’t discriminate, they’ve got no problem attacking servers at hospitals, schools and corporations with trade secrets and valuable intellectual property, banks hold a special place in their heart as that is where the money is, as yet another famous Depression-era bank robber once said.
Once a bank’s security is compromised, hackers can pay themselves from the funds on hand, transferring sums large and small to their accounts. However, with information about the global payment systems like Swift that’s also available only at the bank, hackers can do a lot more damage.
Hackers are getting better at “data mining” all the time. According to Kaspersky, Russian hackers operating just a couple of Darknet marketplaces in 2017 were offering this year an astounding 85,000 servers for sale (meaning, the authentication information that will let a hacker take control of the server), some for as little as $6! In 2016 there were “only” 70,000 such servers for sale, meaning that whatever we are doing to keep hackers at bay, it isn’t enough.
Included in those compromised servers are apparently some containing key Swift information, and it’s just a matter of time before the MoneyTaker gang will also use that information for fun and profit.
How are gangs like MoneyTaker getting away with this, especially with servers belonging to banks which are presumably protected by the latest cybersecurity systems? According to a study by the SANS Institute, it’s the “human factor” that is at work: As many as 95% of all attacks on enterprise networks begin with a spear phishing attack in which hackers dispatch their malware hidden inside email attachments. That attack could consist of trojans that pave the way for malware that allows hackers to take over servers, or the newer fileless malware attacks (where an agent installs itself in memory, hijacking servers for the use of hackers).
Cybersecurity systems, as sophisticated as they are, are clearly not doing the job — and maybe they never will, given that in the end the effectiveness of those systems can be overridden by workers inside the organization. The best systems then are the ones that take away from users and employees any opportunity to override security by responding to the phishing messages that get them, and their organizations, into trouble.
Systems like that need to be able to analyze messages and incoming files for malware or threats, and remove them before passing the file or message on to workers.
In addition, the system has to be robust and innovative enough to arrest malware that is passed on in innovative ways with traditional cybersecurity systems, like sandboxes that are perhaps not up to date on phenomena like fileless malware. With thousands of security systems out there, organizations are understandably confused about what systems are the most effective. But in our opinion, the systems that will perform best are the ones that limit opportunities for spearphishers to have their way with employees.