Summary

The recent attacks reported by Kaspersky Lab, which originated from a new malware dubbed Carbanak, were targeted attacks that allowed the criminal group in question to exfiltrate hundreds of millions of dollars from approximately 100 banks in several countries. Malware such as Carbanak is a focused attack against banks that eliminates the need to compromise individual consumers. IBM Red Cell highlighted similar activity in an October 2014 post.

Kaspersky Lab released information about the new malware and the associated attacks on Feb. 16. Kaspersky’s Global Research and Analysis Team detailed the malware scheme here.

Carbanak: Most Advanced Malware to Date?

Carbanak is a cleverly designed malware that allows cybercriminals to remotely access a bank’s systems and cash out large sums of money. According to Kaspersky, Carbanak was delivered to bank employees through spear phishing emails. The malware granted criminals access to manually explore the bank’s network and systems until they found a point of interest. The malware also allowed the criminal groups to record videos and keystrokes, which were then sent to a command-and-control server. The criminal group was able to learn the operations of each infected bank and determine the most efficient way to cash out.

Cash-Out Methods

Kaspersky identified several ways in which funds were removed from the bank:

  • ATM Cash (Jackpotting): The malware allowed the criminals to dispense cash from specific ATMs automatically at designated times. Money mules collected the cash as it was dispensed.
  • Online Banking: The money could be transferred to fraudster-controlled or money mule accounts. From there, the funds could be withdrawn in cash or further transferred to other accounts around the globe.
  • Electronic Funds Transfers: At some institutions, the criminals were able to compromise the wire transfer system and send funds directly to accounts located in foreign countries.
  • Inflated Account Balances: While not a specific cash-out method, in some instances the criminal group was able to falsely inflate account balances and then transfer the inflated amount through one of the above methods. In doing so, they were able to disguise the fraud because the internal bank accounts reflected their true balance after the inflated funds were transferred.
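One defender-side check the inflated-balance method suggests, as an added example that is not part of the original post or the Kaspersky report: reconcile each account's stored balance against the transactions actually posted in the same interval, then tie any unexplained credit to a later outbound transfer of the same size. The data classes and sample ledger below are constructed for illustration.

```python
from dataclasses import dataclass

# Amounts are integer cents to avoid float rounding in balance arithmetic.
@dataclass(frozen=True)
class Snapshot:
    ts: int
    account: str
    balance: int

@dataclass(frozen=True)
class Txn:
    ts: int
    account: str
    amount: int  # signed: credits positive, outbound transfers negative

def unexplained_deltas(snapshots, txns):
    """Return (ts, account, delta) for every balance change between consecutive
    snapshots that the transactions posted in that interval do not account for."""
    findings = []
    by_acct = {}
    for s in sorted(snapshots, key=lambda s: (s.account, s.ts)):
        by_acct.setdefault(s.account, []).append(s)
    for acct, snaps in by_acct.items():
        for prev, cur in zip(snaps, snaps[1:]):
            posted = sum(t.amount for t in txns
                         if t.account == acct and prev.ts < t.ts <= cur.ts)
            delta = (cur.balance - prev.balance) - posted
            if delta != 0:
                findings.append((cur.ts, acct, delta))
    return findings

def linked_outflows(findings, txns):
    """For each unexplained credit, list later outbound transfers on the same
    account whose size equals the injected amount: the cash-out step."""
    links = []
    for ts, acct, delta in findings:
        if delta <= 0:
            continue
        for t in txns:
            if t.account == acct and t.ts > ts and t.amount == -delta:
                links.append((acct, ts, t.ts, delta))
    return links

# Constructed sample data (not from the Kaspersky report): ACC-1 opens at
# 1,000.00, its stored balance jumps to 11,000.00 with no posted transaction,
# then a 10,000.00 transfer out leaves the balance back at its true 1,000.00.
# ACC-2 is a clean account whose change is fully explained by a posted debit.
SNAPSHOTS = [Snapshot(1, "ACC-1", 100_000), Snapshot(2, "ACC-1", 1_100_000),
             Snapshot(3, "ACC-1", 100_000),
             Snapshot(1, "ACC-2", 50_000), Snapshot(3, "ACC-2", 30_000)]
TXNS = [Txn(3, "ACC-1", -1_000_000), Txn(2, "ACC-2", -20_000)]

if __name__ == "__main__":
    hits = unexplained_deltas(SNAPSHOTS, TXNS)
    print(hits)                         # [(2, 'ACC-1', 1000000)]
    print(linked_outflows(hits, TXNS))  # [('ACC-1', 2, 3, 1000000)]
```

The end-of-day balance of ACC-1 looks correct, which is exactly why the comparison has to run against the posted transactions rather than against the stored balance alone.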

Humans Are the Weak Link

The sophistication of the Carbanak malware is impressive. However, the delivery of the malicious code into the affected organizations is very basic: The criminal group used spear phishing emails targeting employees at each financial institution. Kaspersky Lab explains that spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Unlike phishing scams, which cast broad, scattershot attacks, spear phishing homes in on a specific group or organization. If an employee opened one of these emails and clicked on the infected attachment, the malware would be downloaded to the employee’s computer. This gave the criminals the opportunity to manually move about the bank’s systems.

Most, if not all, financial institutions have some level of information security compliance or awareness training, yet phishing attack campaigns continue to be successful. The fraudulent emails are typically very well designed and often appear as though they were sent from a co-worker.

Analyst Comments

We noted in October that ATM malware was the next generation of ATM attacks. While we believe this to be true, the Carbanak malware portends a potential trend toward direct attacks against financial institutions. When a customer is compromised, detection of the crime is often quick because the customer is missing money. An attack against an individual account is also limited to the amount of money that is in the deposit account. A direct attack against a bank may allow the malicious actors to extend the length of the compromise and “live” within the bank’s systems for several months while planning a large exfiltration of cash.

Carbanak has highlighted the deficiency in employee awareness. Most institutions require compliance training on this topic annually, often to meet minimum regulatory requirements. To better protect against these types of attacks, financial institutions should develop and employ ongoing training and awareness programs and implement “red team” programs. Red team programs simulate actual phishing and spear phishing attacks. The purpose of these programs is to heighten employee vigilance for fraudulent emails. Employees who are duped into opening malicious attachments under controlled conditions will learn to recognize actual phishing attempts from cybercriminals. Red teaming as part of an overall training program will help organizations build a solid anti-cybercrime culture.
