Are Two Bank Breaches Related? Experts See Common Elements, Vulnerabilities
Within the span of just a few days, customers of two public sector banks lost several lakhs of rupees from their accounts to hackers. Security experts say the modus operandi used by the hackers was strikingly similar, with likely ties to one of the world's biggest banking malware variants.
The first instance of fraud came to light when The Hindu daily newspaper reported that several hundred customers of State Bank of Mysore throughout Karnataka lost their money through illegal transactions. Customers received text messages saying that their money was being withdrawn through multiple transactions of Rs 49 on a Sunday, when the bank was closed. Media reports suggest that the total loss ran into lakhs of rupees, but bank officials have not issued a formal statement to ISMG about the scope of the incident.
Soon after that incident, a similar breach, which targeted the customers of a bank in Lucknow, was brought to light by a national daily. The hackers followed a similar modus operandi, and customers lost their money through multiple transactions of Rs 5,058.68. Although the number of affected customers was smaller than in the SBM case, the total loss was over $1500, according to the Times of India, which did not disclose the bank's name.
Dr. Triveni Singh, additional superintendent of Uttar Pradesh STF and nodal officer of the cyber wing, confirmed to ISMG that the victims are customers of Bank of Baroda. Bank officials could not be reached for a response.
In both cases, the customers who lost money had not shared their banking credentials with anyone, knowingly or unknowingly. While the SBM customers lost their money through transactions made at "MOBIKWIK Gurgaon", the Chinese payment gateway Tenpay Tencent was used in the case of BoB.
"We did not receive any response from Tenpay in China, when contacted over email," Singh says. "We are waiting to receive insights from CERT-In for further investigation. It's most likely a case of hackers snooping into the bank's datacenter, however, we can't draw a conclusion without getting some information from the payment gateways and the bank's datacenter."
Attack Modus Operandi
Bangalore-based Nitin Bhatnagar, cyber security researcher and head of business development at SISA Information Security, has been analyzing both cases and believes they could be victims of the notorious Carbanak malware (see: Sophisticated Carbanak Banking Malware Returns, With Upgrades).
"Hackers would have sent an email containing a malware program to an undisclosed number of bank employees, hoping to infect a bank's administrative computer," he says. "Programs installed by the malware would have recorded the keystrokes, and chances are the malware would have even taken screenshots of the bank computers' screens, so that hackers can learn bank procedures. It would have enabled hackers to control the banks' computers remotely as well."
It is pretty evident that cybercriminals are leveraging newer tools to launch APT attacks on Indian banks, says Bangalore-based J Prasanna, director and founder of Cyber Security and Privacy Foundation, who confirms that many more cases have gone unreported. "APT attacks are not always launched on the data center directly," he says. "Banks typically focus on securing the data center alone. As we have seen, they can come through a distant computer in a distant branch, employees' email or other unanticipated channels. Most such attacks can circumvent authentication methods like OTP," he adds. He warns that most APT attacks focus on exploiting technical vulnerabilities and have lingered on networks undetected for many months.
According to experts, the channels used by the hackers include:
- Online banking: money transferred to fraudster accounts;
- E-payment systems: money transferred to banks in China and the U.S.;
- Inflating account balances: the extra funds pocketed via fraudulent transactions;
- Controlling ATMs: orders to dispense cash at pre-determined times.
Prasanna says that while most such attackers target banks for financial gain, it's hard to analyze a breach in terms of the hackers' motivation. "Some of these hackers simply want to damage the reputation of the firm for various reasons. It's alarming to note that some of them are even sponsored attacks by the targeted company's competitors. In other cases, a hacker could simply be brushing up his skills," he adds.
Responding to Future Threats
Although cyber incidents targeting banks in India have grown at an unprecedented rate, banks are most often reluctant to come out and share information on a breach and its modus operandi. Though threat intelligence sharing is gaining importance, banks need to be doing a lot more to combat online fraud, experts say. They share a few recommendations on how banks need to respond to future threats:
- Report the incident to the authorities at the earliest; keeping it under wraps will cost more than mere brand image, and may lead to legal proceedings.
- Create awareness at the top management level of the potential vulnerabilities and threats and of recent attack scenarios. It will have a trickle-down effect on establishing a secure environment.
- Cyber security awareness training for customers is a must, and it has to be organized by banks.
- Periodic VAPT (vulnerability assessment and penetration testing) and zero-day vulnerability exercises will ensure that there are no network backdoors and tunnels.
- Focus on a behavior-based approach to securing the internal systems.
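The last recommendation is easier to act on with the pattern both banks described in mind: many identical small debits, clustered in time, to a single merchant, some on a day the bank was closed. The following is an added example of such a behavior-based check, not code from ISMG, State Bank of Mysore or Bank of Baroda. It assumes the bank can export settled debits as CSV with a timestamp, account, merchant and amount; the thresholds, the dates and every row of the sample ledger are constructed for illustration.

```python
"""Behaviour-based detection over a bank's settled-debit records.

Added example; not ISMG's or either bank's code. Assumes debits are exported
as CSV (timestamp, account, merchant, amount). Thresholds are illustrative.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample ledger (not real transactions): a burst of identical
# Rs 49 debits to one merchant across six accounts on a Sunday, followed by
# ordinary Monday traffic. The dates are an assumption, not from the article.
SAMPLE_LEDGER = """\
timestamp,account,merchant,amount
2015-11-15T09:12:03,ACC001,MOBIKWIK Gurgaon,49.00
2015-11-15T09:12:09,ACC001,MOBIKWIK Gurgaon,49.00
2015-11-15T09:12:15,ACC001,MOBIKWIK Gurgaon,49.00
2015-11-15T09:13:01,ACC002,MOBIKWIK Gurgaon,49.00
2015-11-15T09:13:07,ACC002,MOBIKWIK Gurgaon,49.00
2015-11-15T09:14:22,ACC003,MOBIKWIK Gurgaon,49.00
2015-11-15T09:15:40,ACC004,MOBIKWIK Gurgaon,49.00
2015-11-15T09:16:05,ACC005,MOBIKWIK Gurgaon,49.00
2015-11-15T09:17:30,ACC006,MOBIKWIK Gurgaon,49.00
2015-11-16T11:02:00,ACC007,Local Grocer,820.50
2015-11-16T11:40:00,ACC008,Local Grocer,215.00
2015-11-16T12:10:00,ACC009,Fuel Station,2000.00
2015-11-16T12:55:00,ACC007,Fuel Station,2000.00
"""


def parse_ledger(text):
    """Parse CSV text into time-sorted records. Amounts are kept as Decimal so
    that 49.00 groups exactly, without float noise."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "account": r["account"],
            "merchant": r["merchant"],
            "amount": Decimal(r["amount"]),
        })
    return sorted(rows, key=lambda r: r["ts"])


def is_off_hours(ts):
    """Weekend debits get extra weight: the SBM withdrawals ran on a Sunday."""
    return ts.weekday() >= 5


def _max_in_window(items, window, measure):
    """Slide a time window over time-sorted items; return the largest value of
    measure(slice) seen and the slice that produced it."""
    best, best_slice, start = 0, [], 0
    for end in range(len(items)):
        while items[end]["ts"] - items[start]["ts"] > window:
            start += 1
        current = items[start:end + 1]
        value = measure(current)
        if value > best:
            best, best_slice = value, current
    return best, best_slice


def detect_identical_amount_bursts(rows, window=timedelta(hours=1), min_accounts=5):
    """Rule 1: one merchant debiting the same fixed amount from many distinct
    accounts inside one window. Real merchants bill varied amounts; a mass
    drain tends to reuse one, so the amount itself becomes a cluster key."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["merchant"], r["amount"])].append(r)
    alerts = []
    for (merchant, amount), items in groups.items():
        count, hit = _max_in_window(items, window,
                                    lambda s: len({x["account"] for x in s}))
        if count >= min_accounts:
            alerts.append({"rule": "identical_amount_burst", "merchant": merchant,
                           "amount": amount, "accounts": count,
                           "first_ts": hit[0]["ts"],
                           "severity": "high" if is_off_hours(hit[0]["ts"]) else "medium"})
    return alerts


def detect_repeated_debits(rows, window=timedelta(minutes=10), min_repeats=3):
    """Rule 2: the same account hit repeatedly by the same merchant for the same
    amount within minutes (the 'multiple transactions' customers were texted)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["account"], r["merchant"], r["amount"])].append(r)
    alerts = []
    for (account, merchant, amount), items in groups.items():
        count, hit = _max_in_window(items, window, len)
        if count >= min_repeats:
            alerts.append({"rule": "repeated_debits", "account": account,
                           "merchant": merchant, "amount": amount, "repeats": count,
                           "severity": "high" if is_off_hours(hit[0]["ts"]) else "medium"})
    return alerts


def run_detection(text):
    """Run both rules over a CSV export and return the combined alert list."""
    rows = parse_ledger(text)
    return detect_identical_amount_bursts(rows) + detect_repeated_debits(rows)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LEDGER):
        print(alert)
```

Both rules key on the amount rather than on per-account spend, which is what makes a Rs 49 drain visible: any single victim's loss is below a spend threshold, but the same figure recurring across many accounts, or many times on one account within minutes, is not how a genuine merchant behaves. The two Fuel Station debits of the same amount on Monday stay below the five-account threshold and produce no alert, which is the kind of near-miss the thresholds have to be tuned against on real volumes.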
Prasanna warns that banks are going to face an increasing number of such threats in the future, and what's being reported is the tip of the iceberg. "Banks need to think beyond the traditional threat vectors and prepare themselves for the unexpected, because it's impossible to predict how, when and why the hackers target you."