Daylight robbery. Hackers have stolen $2.4m after two successful cyber attacks on an American bank
Hackers have compromised a bank in the United States twice in the past eight months and made off with millions of dollars.
But the cyber attacks have resulted in a spat between the bank and its insurer provider which is refusing to fully cover the losses.
The incident is a salient reminder of the online threat being faced by banks and financial institutions. Earlier this year the Swiss financial watchdog, Financial Market Supervisory Authority (FINMA), warned that cyber threats were now the biggest threat to the Swiss financial system.
The hackers reportedly used phishing emails to break into the Virginia bank in two separate cyber intrusions over an eight-month period, which allowed them to steal more than $2.4m (£1.8bn) in total.
But now it seems that the National Bank of Blacksburg is suing its insurance provider for refusing to fully cover the losses.
It filed the lawsuit last month in the Western District of Virginia against Everest National Insurance Company. According to that document, the bank was first breached in late May 2016, after an employee fell victim to a targeted phishing email.
This successful phishing email allow the attackers to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network. This apparently is a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers.
Unfortunately, it seems that the second compromised PC had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.
This access, said the bank, allowed the hackers to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.
The first breach apparently took place on Saturday, May 28, 2016 and continued through the following Monday, which was a federal holiday (Memorial Day) in the US.
This allowed the hackers to use hundreds of ATMs across North America to dispense funds from customer accounts. The hackers stole more than $569,000 (£432,000) in that incident.
The bank did reportedly hire cybersecurity forensics firm Foregenix after that breach, and they were able to determine that the hacking tools and activity appeared to come from Russian-based Internet addresses.
And the bank implemented additional security protocols, as recommended by FirstData.
But the hackers were not finished and eight months later (in January 2017) they compromised the bank’s systems once more, again using a phishing email.
According to Krebs, this time the attackers not only regained access to the bank’s STAR Network, they also managed to compromise a workstation that had access to Navigator, which is software used by National Bank to manage credits and debits to customer accounts.
The hackers then used Navigator to fraudulently credit more than $2m (£1.5m) to various National Bank accounts.
Oh dear, oh dear.
Like the first time, the hackers carried out their attack on a weekend and they modified or removed critical security controls and withdrew the fraudulent credits using hundreds of ATMs.
Hackers have used ATMs in the past to access their stolen cash. In late 2016 for example, a cyber-crime gang tricked automatic teller machines in at least a dozen European countries, including the UK, into spewing out cash.
The same technique was also used to remove cash from ATMs in Taiwan and Thailand.
Despite these concerns, industry observers are worried that banks are dramatically under-reporting computer attacks due to their fear of bad publicity.
Last year Symantec warned that banks in 31 countries had been attacked by an aggressive malware campaign from the infamous Lazarus cyber criminal gang.
One of the more famous bank attacks of recent times was the theft of $81 million (£647m) from the Bangladesh Bank’s US Federal Reserve account in March 2016.
How much do you know about hackers? Take our quiz!