Kaspersky Labs recently revealed one of the world’s biggest cyber-heists, where clever use of digital signatures on executable code allowed malware to execute freely within the global banking environment without raising suspicion.
The Carbanak advanced persistent threat (APT), which originated from a notorious Eastern European cybercrime outfit, managed to target 100 banks across 30 separate countries and pilfer over US$1 billion in 24 months.
This is unprecedented in scale, bigger than any single robbery committed by any cybercrime gang.
Kaspersky security analysts stumbled onto the true nature and extent of this insidious attacker after being summoned by the CSO of a Russian bank to investigate why one of its domain controllers was sending data to the People’s Republic of China.
Logs showed that the remote access software on that system was being routinely accessed from two separate IP addresses, located in Ukraine and France.
Kaspersky subsequently published a solemn message to the security community:
“We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers. APTs are not only for stealing information anymore.”
As I've written before, once a cybercrime gang has you in its sights, all bets are off.
Compliance frameworks and security governance management systems will not keep you safe.
Unfortunately, you are reliant on the people in your organisation being your first and last line of defence. Given that each and every one of the banks targeted in this attack was compromised using spear phishing, this demonstrates that people really are the weakest link.
In the case of the Carbanak attack vector, the bad guys used spear phishing emails with Microsoft Word 97 – 2003 (.doc) files or CPL files (control panel extensions) to launch their malware.
For all intents and purposes, the email messages looked legitimate to the recipients and in some cases were sent from compromised coworkers' accounts.
Once a system was compromised, it was used as the transmission vector for attacks on other partner financial institutions, as well as for lateral movement inside the compromised network.
All it takes is for one unfortunate user in your enterprise to click a dodgy link or run a malicious attachment and it is literally game over.
So, how do we eradicate this spear phishing threat? The answer is almost certainly not with technology alone.
It’s much better to respect your users' intelligence and teach them what the threats are and how to determine if a spear phishing email is legitimate or not.
This kind of detection is hard to automate in software but easy for a user to verify based on a good dose of awareness and a sprinkling of ingrained mistrust.
We can layer defence after defence into our technical security architecture but unless we bolster the knowledge of the end users with a security awareness culture, people will remain the weakest link and will inevitably be the focus of an initial attack.
It's the only way to plug the last big hole in your defences.