Carbanak requires people, process and tech, but mostly people

Penetration Testing Experts


The Carbanak malware was injected into the bank targets using sophisticated spear phishing emails. When employees clicked on the email attachments, they downloaded malware onto their computers. The malware used was completely undetectable by anti-malware programs.

The malware took advantage of a zero-day exploit to install itself on users’ machines. It lurked for a long time, learning about the bank's data, systems and processes.

The gang then carried out undercover surveillance, taking control of cameras to spy on employee accounts, enabling them to successfully imitate regular employee behaviour. This enabled the attackers to take over legitimate accounts and manipulate balances in each banks’ online system.

It made no difference what software the banks were using, as the reconnaissance allowed the gang to pass off their activity as usual employee actions.  Kaspersky reported that Carbanak also remotely seized control of ATMs and ordered them to dispense cash at a predetermined time, when a gang member would be waiting to collect the money.

The banks have suffered losses as high as £1bn, and more than 100 institutions in 30 countries have so far been identified as being attacked. And the attacks are probably still happening.

In a predictable twist, US banks are denying that they have been a target of the malware, claiming they would have quickly picked up that large amounts of unauthorised cash was leaving their accounts and that they knew about the Carbanak attacks “months ago”.

Kapersky then countered with the sensible point that the Carbanak criminals would be able to work out the extent of funds they could remove from US banks without triggering any alarm systems.

In some cases, Carbanak inflated account balances before pocketing the extra cash through a fraudulent transaction. Because the legitimate funds were still there, the account holder would not suspect a problem.

The nature of this attack threat is the fact that it is very difficult to detect and banks could unwittingly be targets without realising.

But how can the industry prevent future thefts?

It is a mixture between improving existing security systems and adopting new technologies. As other commentators have said, a multi-layered approach is needed to identify the covert malware and improve employee training, plus beefing up network and system controls.

As ever, humans are the first weak link. I do not think any technologies can really help solve the phishing problem, instead it needs to be about raising user awareness and constant vigilance.

Financial institutions need to implement the best training for their employees to enable them to identify spear phishing attacks. The fraudulent emails used by Carbanak were very sophisticated and looked like they were sent from a co-worker. Regular simulated phishing attacks are necessary so that employees can identify these attacks.

Employees need to be monitored even more closely. Training needs to be ongoing, not just once a year to reach minimum required standards. A human firewall system is one of the best and most affordable ways to protect a bank’s assets.

Implementation of fundamental controls, such as file integrity monitoring and security configuration management, are just as important. The Carbanak malware has such sophisticated evasive behaviours that bank systems need a stealth sandbox to automatically detect them with an analysis environment to ensure they are protected against the covert threat.

Participation in threat intelligence networks are key to ensuring the financial industry is updated to every new evolving threat. Communication between banks, the authorities and cyber security professionals will help the detection of new and atypical cyber attacks.

So, a mixture of threat training, simulated phishing attacks, implementation of existing systems, sharing of intelligence and the adoption of new industry technology may help the banks stay at least one step ahead of the new breed of cyber criminals.

This article was first published in Computer Weekly on 23rd March 2015. The original article can be read here

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top