If you were an attacker looking for the biggest financial return on your investment in criminal schemes, you would probably see international banking transfer systems as a nice, big target. In fact, a security investigation company revealed that a number of banks connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network were recently targeted in massive fraud attacks. It may seem surprising, but after submitting bogus transfer request messages the attackers were able to easily cover their tracks on the systems they had accessed.
Security firm FireEye indicated that the Central Bank of Bangladesh, as well as a number of other banks in New Zealand and the Philippines, were all hit with attacks that leveraged stolen access credentials. SWIFT is a highly trusted network, so if an attacker is able to gain access to one of the systems belonging to a bank connected to the network, any messages they send to other banks over the network will tend to be trusted by the recipients.
If you know you’re a big target, you’ve got to be sharper than most
We would expect that, even if it were hard to completely prevent sophisticated attacks, detecting and tracking down these fraudulent requests should be fairly straightforward. However, it turns out that the attackers apparently knew at least one weakness in the SWIFT software deployed at the bank, and were able to manipulate that software to erase log evidence that could have limited the damage or given investigators more information about the attacks.
SWIFT has issued a software update to make it harder for attackers to cover their tracks. However, it seems odd that these measures were not in place before. Digitally signed audit logs and file system integrity safeguards, with the signing key and the reference copies kept somewhere the compromised host cannot reach, are a standard approach that many security professionals would have recommended from the start.
Based on the information published so far, it seems that the measures in place to isolate SWIFT systems from the banks' other networks were believed to be strong enough. That does not appear to have been the case.
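As an added illustration of what a digitally signed, tamper-evident audit log looks like, here is a small Python hash chain. This is example code written for this page, not SWIFT's software or anything from the investigation. Every record's HMAC tag covers the previous record's tag, so deleting, editing or renumbering a record breaks every tag after it. The key, the "anchor" tag held by a remote collector, and the MT103-style sample entries are all constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption (not from the article): the HMAC key is held off-box, e.g. in an HSM
# or on a remote log collector, so an intruder on the messaging host cannot re-tag
# records. For this offline example it is a constructed constant.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS_TAG = "0" * 64  # chain start for an empty log


def _canonical(record_body: dict) -> bytes:
    """Deterministic encoding so a record always authenticates the same bytes."""
    return json.dumps(record_body, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record_body: dict) -> str:
    """HMAC over the previous tag plus this record: each tag commits to the whole history."""
    return hmac.new(LOG_KEY, prev_tag.encode() + _canonical(record_body), hashlib.sha256).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event; the new record carries its sequence number and chain tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {"seq": len(log), "event": event}
    record = dict(body, tag=_tag(prev_tag, body))
    log.append(record)
    return record


def verify(log: list, anchor_tag: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain and report the first break.

    anchor_tag is the last tag a remote collector received; comparing against it
    is what catches records silently removed from the tail of the log."""
    prev_tag = GENESIS_TAG
    for i, record in enumerate(log):
        if record["seq"] != i:
            return False, f"sequence gap at position {i}"
        body = {"seq": record["seq"], "event": record["event"]}
        if not hmac.compare_digest(record["tag"], _tag(prev_tag, body)):
            return False, f"tag mismatch at seq {i}"
        prev_tag = record["tag"]
    if anchor_tag is not None and not hmac.compare_digest(prev_tag, anchor_tag):
        return False, "tail does not match remote anchor (records removed or never shipped)"
    return True, "ok"


def demo() -> dict:
    """Constructed sample: three transfer requests, then three tampering attempts."""
    log = []
    for ev in (
        {"type": "MT103", "ref": "TX-0001", "amount": "1,000.00", "ccy": "USD"},
        {"type": "MT103", "ref": "TX-0002", "amount": "81,000,000.00", "ccy": "USD"},
        {"type": "MT103", "ref": "TX-0003", "amount": "2,500.00", "ccy": "USD"},
    ):
        append(log, ev)
    anchor = log[-1]["tag"]  # what the remote collector would hold
    results = {"intact": verify(log, anchor)[0]}

    # 1. Delete the fraudulent middle record and renumber the rest to hide the gap.
    deleted = [log[0], dict(log[2], seq=1)]
    results["delete_middle"] = verify(deleted, anchor)[0]

    # 2. Rewrite the amount in place, leaving the stored tag untouched.
    edited = [dict(r) for r in log]
    edited[1] = dict(edited[1], event=dict(edited[1]["event"], amount="1.00"))
    results["edit_amount"] = verify(edited, anchor)[0]

    # 3. Truncate the tail: a purely local chain walk passes, the anchor check fails.
    truncated = log[:2]
    results["truncate_local_only"] = verify(truncated)[0]
    results["truncate_with_anchor"] = verify(truncated, anchor)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The third case is the one that matters for an attacker who owns the host: chopping records off the end leaves a perfectly valid chain, so the integrity of the log is only as good as the anchor you keep outside the machine. Shipping each new tail tag to a separate collector, and baselining file hashes the same way, is what turns a signed log into a control the intruder cannot quietly undo.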
Lessons learned for big and small businesses
This raises the question: how did the attackers manage to steal the access credentials for the targeted banks? Most often this is done through social engineering, where employees are tricked into cooperating with people they believe are authorized, such as executives, IT support staff, other banks' staff, or vendor support staff. Any of these roles could be impersonated by an attacker with a little research.
In a normal business environment, especially one where every employee has an Internet connection, staff can easily be tricked into entering login passwords on spoofed web pages. So it's important for staff to know and understand the risks of impersonation and website spoofing, and why procedural safeguards are in place.
Here’s an article that has more details on the investigations.