
Carbanak – the cyber theft of the century

According to multiple estimates, Carbanak generated around 1 billion dollars by hitting banks worldwide. It mainly attacked companies in Europe, the United States, and China between 2013 and 2014.

Modus Operandi

Each attack started with a well-crafted spear phishing email. It contained a malicious attachment that installed a backdoor on the victim system. After installation, the backdoor provided access to the entire target bank network. Through a series of lateral movements, the attackers could search for and obtain access to the “point of interest” of the network. Simply speaking, this was a computer which they could use to make money transfers.

The criminals then installed remote access tools on the infected terminals. These were capable of capturing videos, screenshots and everything people typed on their keyboards. Their goal was to learn each employee’s daily activities and collect the data necessary to impersonate employee behaviour. They could then camouflage their money transfers as part of the normal “routines”.

The monitoring phase then began. Each bank had different internal mechanisms and procedures. Therefore, this phase was different for each bank and lasted from 2 to 4 months. Once properly prepared, the thieves started the attacks. They used 2 main methods:

Transfer of virtual money from “inflated” accounts

One of the Carbanak criminals, the database officer, “inflated” the accounts of the bank’s inactive customers by overwriting their balance. Immediately afterwards another criminal, assigned for that specific purpose, transferred the created funds to the malefactors’ accounts.

Checking the ATM

The criminals arranged with local accomplices, called “mules”, to conduct a series of ATM thefts. The first group set up the system so that ATMs would dispense money on specific days and at specific times, while the “mules” would go to the location and withdraw the money. You can watch an ATM theft video.

The complex organizational network behind these attacks belonged to organized crime. At the top there were probably Russian-speaking cybercriminals, who conceived and designed the attack method. Below them were numerous technical and banking staff, already experienced and capable of quickly learning the specific banking procedures. Finally, even further below, there was the actual workforce. They were involved in the cash collection, opened the accounts used for the transit of money, or acted as baits.

How to defend yourself

Even today Carbanak remains one of the most profitable cyber thefts in history. So how would you stay cyber safe?

  • One of the important things is to be aware of the cyber security threats anyone can face at their workplace. Training can upskill employees to recognize and properly communicate security incidents.
  • An anti-spam and an anti-phishing solution would prevent infected emails from getting into the corporate network, solving the root problem.
  • Finally, regular security monitoring and in-depth analysis of data on the internal network would help. They will reveal the lateral movements and abnormal traffic inevitably generated by attackers, allowing a ready response to any intrusion and minimizing the damage.
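The “inflated account” method described above leaves a telltale trace in the bank’s own data: a stored balance that the posted transaction journal no longer explains. The reconciliation check below is an added example, not code from the original post or from any bank system; the account ids, journal entries and balance snapshot are constructed.

```python
"""Reconcile stored account balances against the posted transaction journal.
A direct overwrite of a balance (as in the Carbanak "inflation" step) shows up
as an account whose stored balance differs from the sum of its journal entries.
All data in this file is constructed for illustration."""
from collections import defaultdict
from decimal import Decimal

# Constructed posted-transaction journal: (account_id, signed amount)
LEDGER = [
    ("ACC-1001", Decimal("1500.00")),
    ("ACC-1001", Decimal("-200.00")),
    ("ACC-2002", Decimal("50.00")),
    ("ACC-3003", Decimal("10.00")),
]

# Constructed end-of-day snapshot of the core banking balance table.
# ACC-2002 has been set far above what its journal supports.
BALANCES = {
    "ACC-1001": Decimal("1300.00"),
    "ACC-2002": Decimal("1000050.00"),
    "ACC-3003": Decimal("10.00"),
}


def expected_balances(ledger):
    """Sum every account's posted transactions into an expected balance."""
    totals = defaultdict(Decimal)
    for account, amount in ledger:
        totals[account] += amount
    return totals


def find_discrepancies(ledger, balances):
    """Return {account: (expected, stored)} for every account whose stored
    balance does not equal its journal total. Accounts that appear on only
    one side are compared against zero, so a balance with no journal at all
    is flagged too."""
    expected = expected_balances(ledger)
    issues = {}
    for account in set(expected) | set(balances):
        exp = expected.get(account, Decimal("0"))
        stored = balances.get(account, Decimal("0"))
        if exp != stored:
            issues[account] = (exp, stored)
    return issues


if __name__ == "__main__":
    for acct, (exp, stored) in sorted(find_discrepancies(LEDGER, BALANCES).items()):
        print(f"{acct}: journal total {exp}, stored balance {stored}")
```

Run against a nightly snapshot, a non-empty result is the signal the monitoring bullet above asks for: a balance changed outside the transaction path, which no legitimate routine should produce.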
