Hackers Use Compromised Banks as Starting Points for Phishing Attacks

Cybercriminals attacking banks and financial organizations use their foothold in a compromised infrastructure to gain access to similar targets in other regions or countries.

In a report released today and shared with BleepingComputer, international security company Group-IB specialized in preventing cyber attacks describes a so called cross-border domino-effect that can lead to spreading an infection beyond the initial target. The report is based on information from incident response work conducted in 2018 by the company's team of computer forensics experts.

Chaining attacks for maximum gain

The incident response activities at various financial institutions revealed that in some cases the attacker used their access to send emails to other banks and payment systems.

"So the threat actor definitely carried out attacks beyond its initial targets," a company representative told us.

One example comes from a bank in Russia, which the attacker used to deliver phishing emails to another bank in Kazakhstan. A chain attack was observed, with organizations in other countries being probed with malicious messages in an attempt to get access to their systems.

The cybercriminals then ran a phishing campaign using the infrastructure of a bank in Kazakhstan to infect another one in Georgia.

Although the focus of the report is on companies in Russia and Eastern Europe, Group-IB incident responders were able to follow the attacker's trail to targets in the Commonwealth of Independent States (CIS) - an organization of 10 post-Soviet republics in Eurasia, and in Europe.

"A financially motivated hacker group always seeks to maximize the gains: by taking control over a bank’s systems it aims not only to withdraw money from a compromised bank but also to infect as many new victims as possible," says Valery Baulin, head of Group-IB Digital Forensics Lab.

He explained that the "domino effect" resulting from the chain attack is a dangerous vector because the hackers get to use the database of the compromised bank's partner companies. A recipient getting an email from a partner organization and a trusted source is more likely to open a malicious attachment.

Banks in Russia are easy targets

The key takeaway in Group-IB's report is that Russian banks are ill-prepared for cyber attacks, with more than half showing signs of trespassing in the past. 29% of the companies where Group-IB carried out incident response activities last year had active malware on their network infrastructure, the report informs, and the internal IT security services had no clue about it.

The methods for getting the money out remained the same; funds withdrawn via payment cards, through fake law-firm accounts, payment systems, or straight from the ATMs.

However, the volume of cash stolen has increased and hackers were able to operate quicker: if three years ago it took them 25-30 hours to get their hands on $3 million, in 2018 they grabbed the same amount in less than 15 minutes from various cities in Russia.

According to the security experts, hackers owe their success in part to deficient central management, an insufficient level of event logging and inter-departmental cooperation.

Furthermore, lack of clear procedures and IT specialists slow reaction to n hacking incident add to the problem. With more than 60% of the banks that contracted Group-IB's expertise, the team noticed that the organizations could not initiate a password change process in a short time.