Banks: It’s Where the Money’s At

A reporter once asked Willie Sutton, the feared but curiously beloved American bank robber who stole over $2 million in the 20s and 30s, why he chose to hold up banks. Sutton’s famous reply was, “Because that’s where the money is.” Hackers who conduct phishing attacks seem to embrace Sutton’s easy money mantra, with banks and money transfer firms receiving over 40% of phishing attacks in the second half of 2014.[1]

Robbing With Charm and Personality Instead of Guns

Where the phishers diverge from Sutton is on tactics. While Sutton never killed anyone, he always carried out heists using a pistol or Tommy gun, noting, “You can’t rob a bank on charm and personality.”[2] Oh, but you can. Just ask anyone in the finance industry who has fallen victim to a spear phishing attack. Sutton, who died in 1980, would have been amazed at how banks get robbed with charm and personality today.

Spear phishing thrives on personality, the invented kind. Spear phishing is a new, highly threatening form of phishing email. Basic phishing attacks use mass, undifferentiated emails to trick recipients into divulging personal information or clicking on links that download malware onto their devices; spear phishing takes the process a few steps further with highly customized attacks. Spear phishing emails feature specific references to people and projects that the recipient knows.

In a spear phishing attack, you’ll get an email that looks as if it’s actually from your friend Joe but isn’t. The email might mention a project you’re working on with Joe and ask you to review a document, which is attached. The document contains malware, but you may never know it. The malicious actor has no incentive to shut your devices down. The longer you do your work with him logging all your keystrokes, the more information he gains about your company. This is a necessary step for hacking a financial institution.

As Steven D’Alfonso reported in, spear phishing was the delivery mechanism for the powerful Carbanak malware, which criminal gangs used to steal more than $300 million from banks in Russia, Japan, Switzerland, the Netherlands and the United States in 2013 and 2014.[3] But installing the malware is not enough, or even the primary goal, for most spear phishing attacks. Financial institutions are complicated environments, with numerous systems, levels of access and internal controls. It takes long-term, sustained and in-depth espionage to figure out exactly how to steal money from a financial institution.

According to The New York Times, the gangs using the Carbanak malware had to learn enough about the banks’ internal operations and staff to be able to impersonate employees who authorized transfers, managed automatic teller machines, and more.[4] They had to steal administrative passwords and establish enough root presence in systems to operate bank applications remotely. This took more than just a few spear phishing attacks. It likely took a sequence of spear phishing attacks that gathered more and more credentials and detailed inside knowledge about the bank.

In this way, the initial attack from “Joe” might enable the hacker to figure out who is in charge of the funds transfer desk. Then, after spear phishing that individual, the hacker can learn not only the bank’s SWIFT passwords, but also the unique workflows that the bank uses to process transfers. They grab screenshots of SWIFT terms and learn exactly how a specific bank moves money around — who has approvals and so forth. As SecureList put it, “Once the attackers are inside the victim’s network, they perform a manual reconnaissance, trying to compromise relevant computers (such as those of administrators’) and use lateral movement tools. In short, having gained access, they will jump through the network until they find their point of interest.”[5]

In order to avoid detection, the amount stolen at any given time in the Carbanak hacks was often quite low. For example, a gang might add $8,000 to someone’s account and then quickly transfer it ou
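As an added illustration of why a transfer-amount threshold alone misses this pattern, here is a small detection rule written for this page (not code from the article or any of the reports it cites). The ledger rows and the "adjust" event type, standing for a balance change made directly in the banking application rather than by a customer deposit, are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ledger (not from the article): each row is
# (timestamp, account, event type, amount). "adjust" is a balance change made
# directly through the core banking application; "transfer_out" is an
# outbound payment.
LEDGER = [
    ("2014-03-02T09:15", "acct-1001", "deposit",      2500.0),
    ("2014-03-02T09:40", "acct-1001", "transfer_out",  300.0),
    ("2014-03-02T22:05", "acct-2042", "adjust",       8000.0),  # balance inflated
    ("2014-03-02T22:31", "acct-2042", "transfer_out", 8000.0),  # moved out minutes later
    ("2014-03-03T10:00", "acct-3303", "adjust",        150.0),
    ("2014-03-05T10:00", "acct-3303", "transfer_out",  150.0),  # two days later: outside window
]

def parse(row):
    ts, acct, kind, amt = row
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M"), acct, kind, amt

def flag_adjust_then_transfer(ledger, window=timedelta(hours=2), tolerance=0.05):
    """Return (account, adjusted amount, transferred amount) for every balance
    adjustment that is followed within `window` by an outbound transfer from the
    same account of roughly the same size. No amount threshold is applied, so
    the deliberately small sums the article describes are still caught."""
    events = sorted((parse(r) for r in ledger), key=lambda e: e[0])
    hits = []
    for i, (t_adj, acct, kind, amt) in enumerate(events):
        if kind != "adjust":
            continue
        for t_out, acct2, kind2, amt2 in events[i + 1:]:
            if t_out - t_adj > window:
                break  # events are time-sorted; nothing later can be in the window
            if acct2 == acct and kind2 == "transfer_out" and abs(amt2 - amt) <= tolerance * amt:
                hits.append((acct, amt, amt2))
                break
    return hits

def amount_threshold_only(ledger, threshold=10000.0):
    """The naive rule: flag only large outbound transfers. It never sees the
    $8,000 case above, which is exactly why the thefts were kept small."""
    return [r[1] for r in ledger if r[2] == "transfer_out" and r[3] >= threshold]
```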