SWIFT, the financial inter-banking messaging system used by thousands of banks around the world, has revealed that cyber-thieves have once again stolen from a bank on the SWIFT network.
An undisclosed bank is the second known target of cybercriminals who were likely also involved in the infamous Bangladesh Bank heist, which saw $81 million stolen from that bank’s account at the New York Federal Reserve.
Malware targeting a PDF reader that the bank routinely used to check its statement messages has been identified as the tool used to cover up the second heist. The criminals are targeting banks that receive PDF reports of payment confirmations. Once installed, the malware mimics the functions of the genuine PDF reader; when the user opens a PDF report, it manipulates the displayed report to remove any trace of the fraudulent transactions.
SWIFT describes the method used against its customer banks as follows:
- Attackers compromise the bank’s environment
- Attackers obtain valid operator credentials that carry the authority to create, approve and submit SWIFT messages from the customers’ back offices or from their local interfaces to the SWIFT network.
- Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials.
- Attackers hide evidence by removing some of the traces of the fraudulent messages.
SWIFT maintains that none of its core messaging services, its software or the network itself have been compromised. Instead, it warns of a “highly adaptive campaign” targeting banks’ secondary controls around the world.
Specifically, the attackers are targeting and successfully exploiting vulnerabilities in the banks’ funds-transfer initiation environments, the SWIFT advisory read. Notably, they bypass the primary security measures the banks have put in place and then initiate funds transfers that, once sent over the network, are irrevocable.
The cyber-heist specialists have also found ways to tamper with and sabotage the confirmations that banks rely on as secondary controls, delaying the banks’ ability to detect a heist.
The advisory added:
The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.
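The tampering described above, where the confirmation report is altered as the operator views it, defeats any control that relies only on the rendered report. The following added example (written for this page, not code from the article, from SWIFT or from any bank) shows the check a practitioner would want instead: reconciling the report text against a record of outbound messages held somewhere the reader cannot edit. The message log, the report format and the reference numbers are all constructed for the illustration.

```python
"""Reconcile outbound payment messages against a confirmation report.

Added illustration only. The idea: a confirmation report that the attacker
can rewrite on the viewing machine is not an independent control. Comparing
it against a separately held record of what was actually sent exposes any
transaction the tampered report omits or misstates.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    reference: str   # constructed transaction reference
    currency: str
    amount: str      # kept as a string to avoid float rounding


# Constructed: outbound messages as recorded by an independent log
# (e.g. a copy of the messaging interface's sent queue on another host).
SENT_MESSAGES = [
    Payment("TRN0001", "USD", "1250000.00"),
    Payment("TRN0002", "USD", "845000.00"),
    Payment("TRN0003", "USD", "20000000.00"),  # the fraudulent transfer
]

# Constructed: text of the confirmation report as an intact reader shows it.
INTACT_REPORT = """\
CONFIRMATION OF DEBITS
Ref TRN0001  USD 1250000.00  CONFIRMED
Ref TRN0002  USD 845000.00  CONFIRMED
Ref TRN0003  USD 20000000.00  CONFIRMED
END OF REPORT
"""

# Constructed: the same report after the malicious reader has removed the
# line for TRN0003 and altered the amount shown for TRN0002.
TAMPERED_REPORT = """\
CONFIRMATION OF DEBITS
Ref TRN0001  USD 1250000.00  CONFIRMED
Ref TRN0002  USD 84500.00  CONFIRMED
END OF REPORT
"""

# One confirmation line in the constructed report format.
LINE_RE = re.compile(
    r"^Ref\s+(\S+)\s+([A-Z]{3})\s+([0-9]+\.[0-9]{2})\s+CONFIRMED$", re.MULTILINE
)


def parse_report(text: str) -> dict:
    """Map reference -> Payment for every confirmation line in the report."""
    return {ref: Payment(ref, cur, amt) for ref, cur, amt in LINE_RE.findall(text)}


def reconcile(sent, report_text: str):
    """Return (missing, mismatched, unexpected) relative to the sent log.

    missing    - sent payments with no line in the report
    mismatched - sent payments whose report line shows different details
    unexpected - report lines with no matching sent payment
    """
    confirmed = parse_report(report_text)
    sent_refs = {p.reference for p in sent}
    missing = [p for p in sent if p.reference not in confirmed]
    mismatched = [p for p in sent
                  if p.reference in confirmed and confirmed[p.reference] != p]
    unexpected = [c for ref, c in confirmed.items() if ref not in sent_refs]
    return missing, mismatched, unexpected


def report_is_clean(sent, report_text: str) -> bool:
    """True only when every sent payment is confirmed exactly as sent."""
    return all(not group for group in reconcile(sent, report_text))


if __name__ == "__main__":
    for name, text in (("intact", INTACT_REPORT), ("tampered", TAMPERED_REPORT)):
        missing, mismatched, unexpected = reconcile(SENT_MESSAGES, text)
        print(f"{name}: missing={[p.reference for p in missing]} "
              f"mismatched={[p.reference for p in mismatched]} "
              f"unexpected={[p.reference for p in unexpected]}")
```

The value of the check comes entirely from where the sent log lives: if it is read back through the same compromised workstation, the attacker who replaced the PDF reader can edit it too. It belongs on a separately administered system, and the comparison should run there.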
SWIFT is urging banks around the world to review the security controls and practices across their payment environments, messaging and e-banking channels.
A report from Data Breach Today claims that the hackers’ second victim is a Vietnamese bank.
The fallout from the original heist began in mid-March this year, when Bangladesh Bank saw its account at the New York Fed drained of $81 million. The incident could have been far worse for the bank, as the attackers originally sought to steal close to a billion dollars.
It was later revealed that malware was involved in that heist. Notably, SWIFT refused to take any blame for it in a recent statement.