After the attack that saw crooks steal $81 million via the widely used SWIFT bank transaction system, two more attacks that leveraged the same application came to light this past week.
The first was a failed attempt to steal money from Vietnam’s Tien Phong Bank. Attackers managed to get ahold of the bank’s SWIFT login credentials, and using its SWIFT username and password, tried to move $1.36 million out of its account.
First attack was detected and stopped
The bank said it detected the abnormal operation and stopped the transfer before it left its account. This happened at the end of 2015, but the bank only recently acknowledged the incident after security firm BAE Systems revealed that another bank was hit by the same SWIFT malware that was detected on the Bangladesh central bank’s computers.
SWIFT, which is nothing more than a glorified CMS for moving money between banks, works just like any software that handles sensitive information and requires users to log in using a special set of credentials.
These credentials can be phished, or they can be dumped from the SWIFT system using special software (infostealers, password dumpers).
Bank in Ecuador loses $12.2 million
Credentials seem to have been compromised for a third bank, Banco del Austro (BDA) from Ecuador. Just like the Vietnam bank attack, this attack was never revealed to the public, nor to SWIFT’s operators. Unlike the Vietnam bank attack, this one was successful.
It appears that the attacker managed to steal $12.2 million out of BDA’s accounts at the US-based Wells Fargo bank. The cyber-heist took place on January 28, and the funds were sent to different accounts in Hong Kong.
The details about this heist came to light after BDA sued Wells Fargo for failing to detect the attacks, even though the credentials were compromised on BDA’s side.
Ecuadorian bank recovered some of the money
A third bank, Citibank, was also involved in this heist, and it decided to reimburse the Ecuadorian bank with $1.8 million after it failed to detect the abnormal operations, which took place outside of BDA’s business hours and involved unusually large funds.
Neither BDA, Wells Fargo, nor Citibank told SWIFT about these attacks using its system. Coincidentally, Citibank’s managing director, Yawar Shah, is also SWIFT’s chairman, and he also failed to tell his engineers about what happened.
There’s a de facto belief ingrained in the banking sector that SWIFT is 100 percent secure against attacks. BAE Systems’ investigation into the Bangladesh central bank hack proved that SWIFT is just as vulnerable as any other piece of software and that security practices are as important as the software.
“This is absolutely a financial services culture problem. The mitigating effort that could drive the most risk reduction is not some fancy tool or new framework but instead, the institutions must look very hard at their cyber security lifestyle,” Adam Meyer, chief security strategist at SurfWatch Labs told Softpedia.
“Those who acknowledge that cyber risk is directly tied to the successful delivery of their products and services, customer trust, and institutional resilience will be in a better position for the future. Those who still think this is solely a technology problem that can be solved with a magic tool won’t fare well.”