The birth of online banking ushered in a new era of hacking built on spear-phishing tactics aimed at stealing user credentials. With those credentials in hand, it becomes easy for hackers to siphon funds from their victims into remote accounts, often located overseas.
That's one way to do it, but another method being employed by cyber criminals is to skip the middle man and go straight to the source: Why not rob banks directly?
Bangladesh Bank almost loses $1 billion
In March, a group of yet-to-be identified cyber criminals attempted the largest bank heist in history. According to Reuters, hackers were trying to wire roughly $900 million into foreign accounts from Bangladesh Bank.
"The hackers breached Bangladesh Bank's systems and stole its credentials for payment transfers," bank officials said, according to Reuters. "They then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh Bank's account there to entities in the Philippines and Sri Lanka."
The good news is that the cyber criminals only got away with a fraction of the amount they were after. The bad news is that $900 million is a lot of money, which means in this case, a fraction of the target is still a whopping $80 million, making it one of the biggest heists to date. The incredible part of all of this is just how close the hackers came to stealing the entire sum. The only reason they were caught was a typo in the word "foundation." A routing bank caught the misspelling and held subsequent transfers.
Russian banks robbed of a cool $25 million
March was apparently a rough month for bankers. According to a recent Trend Micro blog post, Russian security researchers broke the news that from August 2015 to February 2016, a cyber criminal organization stole an estimated total of $25.7 million from Russian banks. The hackers are believed to have perpetrated the theft using "malware-laced Word documents" that downloaded and installed keylogger malware. From here, the hackers could log keystrokes within the banking institution and steal the information they needed to orchestrate the theft. The researchers named the exploit "BuhtrapWorm."
Prior to the heist, the largest amount stolen from a Russian bank had been $9 million. BuhtrapWorm blew that figure out of the water by a long shot.
A common thread
In early 2015, The New York Times ran a piece about a band of international bank robbers that managed to steal a confirmed value of $300 million, but could possibly have made off with as much as $900 million. Times reporters David E. Sanger and Nicole Perlroth noted that it's difficult to estimate exactly how much was stolen, "because the thefts were limited to $10 million a transaction, though some banks were hit several times." In total, the hackers stole from as many as 100 banks in 30 countries.
Once again, the tactic of choice is believed to have been malware that most likely ended up on the system as a result of a phishing scam. In other words, hackers flood workers' inboxes with spam emails that install the bug. From here, they can quietly collect the data they need to steal millions of dollars from a financial institution. This is most likely how the Bangladesh Bank theft, as well as the aforementioned thefts in Russia, took place. Incidentally, it's also how cyber criminals take over Twitter accounts and hijack email accounts to send out spam. But in this case, the objective was much more sinister and far more lucrative.
The moral of the story here is clear: From Russia to Bangladesh, cyber criminals are using common hacking ploys such as spear-phishing for big bank heists.