The CEO of Swift, whose financial messaging network was used in at least three bank heists this year in which millions of dollars were transferred to banks around the world, has warned that there could be more attacks if banks fail to share information about breaches.
The first cyber heist was reported in February, when criminals transferred $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York using fraudulent transfer messages sent over the Swift system.
According to reports, the attackers had attempted to transfer about $1 billion but succeeded in moving only a portion of that amount.
Delivering the keynote address at the 14th annual European Financial Services Conference in Brussels on Tuesday, Swift CEO Gottfried Leibbrandt acknowledged two additional attempts after the attack on Bangladesh Bank and warned that there could be more.
"The financial industry, as a community, has to be clear that cyber risk is big; there will be more cyber attacks. And inevitably some will be successful. Acknowledging this doesn’t mean we are resigned to it. Rather, it means that we must work even harder at our collective defensive efforts," he said, urging banks to be more proactive in sharing all available information about cyber attacks.
Acknowledging the two additional incidents, he said, "The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts. The banks were compromised, credentials to payment generation systems were obtained to send fraudulent payments and the statements/confirmations from their counterparties were obfuscated."
He noted, however, that it was the banks' networks that were compromised, not Swift's own.
"Our network, software and our core messaging services have not been compromised. In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the Swift instructions are generated and the confirmations received. And while we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that."
Last week Vietnam's Tien Phong Bank said that it had interrupted an attempted cyber heist that used techniques similar to those seen in the Bangladesh Bank heist.
The bank detected the attempt and prevented any of the transactions from going through.
According to reports, the attackers used malware that targeted the PDF reader used to review payment confirmations, manipulating it to “remove traces of the fraudulent instructions” from the PDF files, the same tampering with confirmations that Leibbrandt described.
Meanwhile, the cyber security provider FireEye has warned that banks in the Middle East are being hit by a wave of targeted attacks in which criminals target bank employees to gain access to banking systems.
Employees are sent emails, some containing genuine email content and contact details, that lure staff into enabling malicious macros in order to view supposedly “protected content”.
In a statement, FireEye said its Dynamic Threat Intelligence (DTI) had identified emails containing malicious attachments being sent to multiple banks in the region.
"The threat actors appear to be performing initial reconnaissance against would-be targets and were detected since they were using unique scripts not commonly seen in crimeware campaigns," it said.
The attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees working in the banking sector in the Middle East. The themes of the messages were related to IT infrastructure, such as a Server Status Report log or a list of Cisco IronPort appliance details.
"In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached," it said.
Noting that documents containing malicious macros are commonly used in crimeware campaigns, FireEye said attackers usually persuade victims to enable the risky macro code by telling them it is required to view “protected content”. In this case the attackers went a step further: the macro actually hid and unhid worksheets when enabled, so that the victim saw new content appear and had no reason to become suspicious.
"One of the interesting techniques we observed in this attack was the display of additional content after the macro executed successfully. This was done for the purpose of social engineering – specifically, to convince the victim that enabling the macro did in fact result in the “unhiding” of additional spreadsheet data….. In crimeware campaigns, we usually observe that no additional content is displayed after enabling the macros. However, in this case, attackers took the extra step to actually hide and unhide worksheets when the macro is enabled to allay any suspicion," it said.
The report warns banks and their employees to be cautious of such attacks and says more banks in the region could become targets.
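The hide-and-unhide trick FireEye describes leaves two artifacts in the workbook itself: an embedded VBA project and worksheets declared hidden (or veryHidden, which cannot be unhidden from the Excel UI). The following triage check is an added example, not code from FireEye, Swift or this article. It opens an Office Open XML (.xlsm/.xlsx) file with the standard library, reads the sheet visibility states from xl/workbook.xml, and flags the combination the lure relies on: macros plus hidden sheets. The sample workbooks it inspects are constructed in memory for the demonstration, with a placeholder vbaProject.bin rather than a real VBA project; the sheet names are made up.

```python
"""Triage check for macro-enabled workbooks that carry hidden worksheets.

Added example (not FireEye's or Swift's code). It looks for the two
artifacts the "unhide on macro enable" lure leaves behind:
  1. an embedded VBA project at xl/vbaProject.bin, and
  2. <sheet> elements in xl/workbook.xml whose state is "hidden" or
     "veryHidden", which is what the macro toggles to reveal content.
It does not execute macros or parse VBA; it is a cheap first-pass filter.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# SpreadsheetML main namespace used by xl/workbook.xml.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def inspect_workbook(data: bytes) -> dict:
    """Return VBA presence plus hidden/visible sheet lists for an OOXML workbook."""
    result = {"has_vba": False, "hidden_sheets": [], "visible_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.findall("m:sheets/m:sheet", NS):
                name = sheet.get("name", "?")
                # Absent "state" attribute means the sheet is visible.
                state = sheet.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    result["hidden_sheets"].append((name, state))
                else:
                    result["visible_sheets"].append(name)
    return result


def is_suspicious(info: dict) -> bool:
    """Flag the combination the lure depends on: macros AND hidden sheets."""
    return info["has_vba"] and bool(info["hidden_sheets"])


def build_sample_workbook(with_vba: bool, hidden: bool) -> bytes:
    """Construct a minimal OOXML package for the demo (constructed input, not a real lure)."""
    sheets = '<sheet name="Server Status Report" sheetId="1" r:id="rId1"/>'
    if hidden:
        sheets += '<sheet name="Details" sheetId="2" state="veryHidden" r:id="rId2"/>'
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:
            # Placeholder bytes only; a real vbaProject.bin is an OLE compound file.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for with_vba, hidden in ((True, True), (True, False), (False, True)):
        info = inspect_workbook(build_sample_workbook(with_vba, hidden))
        verdict = "SUSPICIOUS" if is_suspicious(info) else "ok"
        print(f"vba={with_vba} hidden={hidden} -> {verdict} {info}")
```

To run it against real mail attachments, replace build_sample_workbook() with the file bytes. Legitimate workbooks also use hidden sheets, so treat a hit as a reason to pull the VBA (for example with oletools' olevba) rather than as proof of malice; the check's value is that it catches the specific lure shape even when the macro payload itself is obfuscated. Legacy binary .xls files are OLE compound documents, not zip packages, and need a different parser.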