Recently, news broke about the Bangladesh central bank becoming a victim of an $81 million bank robbery. This cybercrime started, as do so many, with some social engineering.
Specifically: With “spear phishing,” which lured bank employees into unwittingly downloading malware used by the hackers to infiltrate the bank’s computers and obtain passwords and cryptographic keys used for electronic fund transfers.
Armed with this information the cyberciminals sent dozens of account transfer requests from the Bangladesh central bank to the Federal Reserve Bank of New York, where the Bangladesh central bank has accounts containing billions of dollars. Four account transfer requests processed by the New York bank electronically sent about $81 million to accounts in the Philippines. There the funds were transferred multiple times, including transfers to Philippine casinos, in an effort to launder the money.
A fifth transfer request to a supposed Sri Lankan non-profit organization aroused suspicion with Deutsche Bank, a routing bank in the transaction, due to the misspelling of “foundation” as “fandation.” That prompted a closer investigation of the transfer request. At the same time, the Federal Reserve also became suspicious at the large number of transfer requests being made to private entities instead of banks and halted the remaining approximately thirty requests that, if they had been processed, would have resulted in losses of a billion dollars.
This kind of bank robbery is the stuff of movies like Ocean’s Eleven. However, an even greater threat to the security of our bank accounts is posed not by sophisticated cybercriminals half a world away, but by rogue bank insiders working with outside criminals taking advantage of more basic flaws in bank security.
A recurring theme in many cybercrimes is the use of insiders to gain valuable information. In many cases, the enablers are unwitting participants in the process. These people may not realize that such seemingly innocent actions as opening an e-mail message can be the first step in a nefarious process. This is why bank and credit union personnel should be mindful of, and adhere to, their institutions’ data privacy and management procedures at all times. Otherwise, they can be an unwitting Trojan horse for data thieves.
Overview by Ed O’Brian, Director, Banking Channels Advisory Service at Mercator Advisory Group
Read the full story here