Carbanak 2.0: the billion-dollar bank heist is back

Cybercriminals are targeting banks and businesses with a new version of a damaging attack that helped them steal $1 billion last year, according to Kaspersky.

Carbanak was first noticed last year. The targeted series of attacks saw hackers net as much as a billion dollars from banks around the world by infiltrating internal networks, and in some cases, directing ATMs to spit out cash.

Now its successor, Carbanak 2.0, is targeting the budgeting and accounting departments of companies beyond banks, and in one instance even changed a firm's ownership details, according to Kaspersky.

Speaking at the security vendor's Security Annual Summit in Tenerife today, researcher Sergey Golovanov said "the aim is to do the same" as last year, with criminals targeting millions of dollars from each attack.

So far, the attack has not been seen outside of Russia, but Golovanov noted that the last version of Carbanak was limited to Ukraine before hopping country to country and spreading around the world.

The company also revealed details on both the Metel cybercrime group and GCMAN, which use similar targeted tactics to rob financial institutions.

Heavy Metel

The Metel group targets specific individuals working at banks with spear-phishing emails using malicious attachments made with the Niteris exploit pack. Once on a computer inside the network, they use legitimate penetration testing tools to jump to other computers, aiming for a payment card processing machine inside the bank.

Once they understand the bank's infrastructure, they tunnel into that payment card processing machine, which is connected to the internet, where they can see details such as card numbers, passwords, and balances, and can also block or cancel transactions.

Criminals can use payment cards to withdraw cash from ATMs, while their colleagues ensure the victim's balance never decreases simply by clicking "cancel" when the transaction comes up on the processing computer.

Golovanov said that meant criminals had to sit there and click "lots of times", while their colleagues drive around Russian cities at night emptying cash machines.

Kaspersky researchers said an investigation by themselves and law enforcement into the group is still underway. So far no attacks have been seen outside Russia, but Kaspersky warned banks to check for infections proactively, as the group's activities could expand.

GCMAN

The second group, GCMAN, sometimes does not even need malware, instead using legitimate tools such as PuTTY and VNC to exploit flaws. Once inside a bank's network, they move to internal computers by hijacking local domain controllers with those same legitimate penetration testing tools, until they find the machine responsible for payment card processing.

Rather than send fellow criminals to cash machines to withdraw money, GCMAN makes use of online payments, sending $200, the maximum allowed in Russia for anonymous payments, every minute.

While Golovanov said that may not sound like a lot of cash, and while he could not disclose the sorts of financial damage already wreaked, he warned that it would add up quickly.
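Both cash-out patterns described above leave a trace on the bank's own processing host: Metel's withdrawals are each voided after the cash has left the ATM, and GCMAN's transfers are the same fixed amount at a steady cadence. The following is an added illustration of detection heuristics for those two traces, not Kaspersky's code or anything from the report; the event format and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a card-processing host (not real data).
# Metel pattern: card C1 withdraws cash three times; each authorization is voided.
# GCMAN pattern: account A9 sends 200 to a different wallet once a minute.
EVENTS = [
    ("2016-02-08T02:00:00", "C1", "withdrawal", 300, "w1"),
    ("2016-02-08T02:01:00", "C1", "cancel", 300, "w1"),
    ("2016-02-08T02:10:00", "C1", "withdrawal", 300, "w2"),
    ("2016-02-08T02:11:00", "C1", "cancel", 300, "w2"),
    ("2016-02-08T02:20:00", "C1", "withdrawal", 300, "w3"),
    ("2016-02-08T02:21:00", "C1", "cancel", 300, "w3"),
    ("2016-02-08T02:30:00", "C2", "withdrawal", 100, "w4"),  # ordinary customer
    ("2016-02-08T03:00:00", "A9", "transfer", 200, "wallet-01"),
    ("2016-02-08T03:01:00", "A9", "transfer", 200, "wallet-02"),
    ("2016-02-08T03:02:00", "A9", "transfer", 200, "wallet-03"),
    ("2016-02-08T03:03:00", "A9", "transfer", 200, "wallet-04"),
    ("2016-02-08T03:05:00", "A1", "transfer", 200, "shop"),  # single payment
]

def voided_withdrawals(events, min_voids=3):
    """Cards whose cash withdrawals are repeatedly cancelled on the processing
    host after the money has left the ATM (the balance never goes down)."""
    withdrawn = {}  # withdrawal ref -> card
    voids = defaultdict(int)
    for _, card, kind, _, ref in events:
        if kind == "withdrawal":
            withdrawn[ref] = card
        elif kind == "cancel" and ref in withdrawn:
            voids[withdrawn[ref]] += 1
    return sorted(c for c, n in voids.items() if n >= min_voids)

def cadence_transfers(events, amount=200, max_gap=timedelta(minutes=2), min_run=3):
    """Accounts sending the same fixed amount at a steady cadence, i.e. a run
    of at least min_run transfers each no more than max_gap apart."""
    by_acct = defaultdict(list)
    for ts, acct, kind, amt, _ in events:
        if kind == "transfer" and amt == amount:
            by_acct[acct].append(datetime.fromisoformat(ts))
    flagged = []
    for acct, times in by_acct.items():
        times.sort()
        run, best = 1, 1
        for t0, t1 in zip(times, times[1:]):
            run = run + 1 if t1 - t0 <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(acct)
    return sorted(flagged)
```

Thresholds such as `min_voids`, `max_gap` and `min_run` are assumptions for the example; in practice they would be tuned against the bank's normal void rate and payment volume.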

All of the attacks are against banks and businesses with firewalls, strong encryption and other security features, but once hackers were inside the company's internal infrastructure, "they were open", Golovanov said.