The attack is ‘part of a wider and highly adaptive campaign targeting banks,’ according to SWIFT.
The SWIFT network recently announced that a second bank has been hit by a malware attack similar to the one that led to the theft of $81 million from Bangladesh Bank in February, the Guardian reports.
In the newer instance, the attack specifically targets the PDF Reader used by customers to download statements.
“Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software,” SWIFT said in a statement. “When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions.”
The second attack, according to SWIFT, “evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.”
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” SWIFT added.
The methods of attack (both in the Bangladesh Bank case and in the more recent one) are as follows, acccording to SWIFT:
Attackers compromise the bank’s environment
Attackers obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers’ back-offices or from their local interfaces to the SWIFT network
Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials
Attackers hide evidence by removing some of the traces of the fraudulent messages
Splunk security evangelist Matthias Maier told eSecurity Planet by email that the news of a second attack should be a wake-up call for banks worldwide. “These are not isolated incidents,” he said. “Serious investigations must follow given the custom built nature of the malware used in these attacks.”
“It appears to have been created by someone with an intimate knowledge of how the SWIFT software works as well as its business processes, which is cause for concern,” Maier added. “However, basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.”
According to the results of the Financial Services Edition of the 2016 Vormetric Data Threat Report, 90 percent of IT security professionals in the financial services industry feel vulnerable to a data breach, and 44 percent have already experienced one.
The report, based on responses from 1,100 senior IT security executives at large enterprises, including more than 100 at U.S. financial services organizations, also found that the leading barriers to adoption of better data security include complexity (68 percent) and lack of staff (35 percent).
In response, 70 percent of respondents are planning to increase spending to protect sensitive data, and 48 percent plan to invest in data-at-rest defenses in the coming year.
Still, 66 percent view meeting compliance requirements as a “very” or “extremely” effective way to protect sensitive data.
“Financial services organizations continue to feel the heat from cyber attackers,” Vormetric vice president of marketing Tina Stewart said in a statement. “They are investing to help solve the problem, but surprisingly, are failing to connect the dots about the best solutions to use.”
“With the world’s financial data in their custody, the most effective way to protect this information, once networks and systems are penetrated, is to enhance data protection investments,” Stewart added.