H2020 FINSEC – DIGITAL FINANCE ACADEMY FOR SECURITY
INNOV-ACTS, Limited
H2020 FINSEC Project
The FINSEC project is co-funded by the European Union’s Horizon 2020 programme under Grant Agreement No 786727
Notable Recent Cybersecurity Incidents in the Finance Sector
15/04/2020
Bangladesh Bank cyber heist (source: Wikipedia)
Among the biggest cyber heists in history
Fraudsters intruded into the SWIFT network
The initial transfer instructions, sent to the Federal Reserve Bank of New York, amounted to US $1 billion, of which $850 million was blocked
Five of the thirty-five fraudulent instructions were successful in transferring $101 million, with $20 million traced to Sri Lanka and $81 million to the Philippines.
The attackers manipulated the bank's SWIFT Alliance Access software
The heist happened sometime between February 4 and 5, when Bangladesh Bank's offices were closed.
Dridex take down operation and revival
Dridex is a banking malware that was most active between late 2015 and early 2016
In October 2015 the UK’s National Crime Agency (NCA), in cooperation with the Federal Bureau of Investigation (FBI) and Europol, coordinated a take-down by ‘sinkholing’ the traffic of infected computers
Before this operation, estimated losses in the UK alone were £20m (source: Europol)
The cybercriminals were believed to be based in Eastern Europe and to target end users via documents delivered from e-mail addresses that appear legitimate
Despite its declining activity, the Dridex malware continues to evolve and remains a serious threat to end users of financial services
The Volusion case
Volusion is a company that provides e-commerce software, marketing and web design services to SMEs
On October 9, 2019, Check Point security researcher Marcel Afrahim discovered that a malicious JavaScript file had been injected into the checkout page of e-commerce sites to extract credit card information
The attackers used typosquatting and code injection (source: ZDNet)
March 19, 2020: “Fraudsters have currently generated $1.6 million USD in revenue from these stolen payment cards, with the breach potentially exposing up to 20 million records.”
Experts believe that cybercriminals operating under the moniker “Magecart” are behind this attack
Bank of Valletta
In February 2019 various news outlets reported the hack of Bank of Valletta (BOV), one of Malta's biggest banks
The hack took place on February 13, 2019. Using malware planted on the bank's internal servers, hackers transferred €13 million ($14.7 million) from the bank's internal systems to accounts in the UK, the US, the Czech Republic and Hong Kong
Security analysts believe that the EmpireMonkey cybercrime group is behind this attack
A number of accounts were used to receive those funds; one of them, held in Belfast in the UK, received around £800,000.
The attackers used macros to copy wscript.exe to another file
ECB brings down reporting dictionary website
The ECB reported on 15 August 2019 that the Banks’ Integrated Reporting Dictionary (BIRD) website had been breached (source: ECB - https://www.ecb.europa.eu/press/pr/date/2019/html/ecb.pr190815~b1662300c5.en.html)
The breach was discovered during routine maintenance
As a result, the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured.
The affected information consists of the email addresses, names and position titles of the subscribers.
Attackers can use such data for further activities, such as spear-phishing attacks against high-ranking officials and management staff
Binance Security Breach (Source: Company’s own website)
Binance is a cryptocurrency exchange headquartered in Malta with a significant presence in Asia
The company disclosed the security breach on May 7, 2019
The hackers were able to withdraw 7,000 BTC, worth nearly $41 million at the time of the incident
Binance said hackers used various techniques, such as "phishing, viruses and other attacks", to gain access to user accounts, including "API keys, 2FA codes, and potentially other info."
As a result, the cryptocurrency exchange had to suspend operations
The company said it would compensate affected customers through its Secure Asset Fund for Users (SAFU)
Edenred Payment Solutions malware incident
Edenred Payment Solutions is a French company specialised in prepaid corporate services (known for its Ticket Restaurant offering)
The company disclosed that it had detected malware in its IT infrastructure on 21 November 2019 (source: Edenred)
Edenred was able to put its systems back into service on 23 November 2019
The company notified the authorities
There is no indication of theft of personal data, which would have had a significant impact given that the company operates in 46 countries and managed 2.5 billion transactions in 2018
Sberbank Data Leak
Sberbank is the largest bank in Russia, operating in Russia, Europe and many post-Soviet countries.
The bank reported a possible data breach on 2 October 2019. The event was also reported by popular news outlets
Personal information of up to 60 million credit card holders was leaked, in an incident that is probably the largest data leak in Russian banking.
The data went on sale on the online black market. Reportedly, sample records of 200 customers were offered to potential “customers” for testing
The database was offered at 5 Russian rubles (US$0.076) per line, or 300 million rubles ($4.6 million) in total
The bank believes that the leak can be attributed to an insider
€24 million cryptocurrency theft
On 25 June 2019, Europol announced the arrest of six individuals for cryptocurrency theft (source: Europol)
Arrests were made after a joint operation of the UK’s South West Regional Cyber Crime Unit (SW RCCU) with the Dutch police (Politie), Europol, Eurojust and the UK’s National Crime Agency (NCA)
This was the result of a 14-month-long investigation
The theft, which targeted users’ Bitcoin tokens, is believed to have affected at least 4,000 victims in 12 countries
The cybercriminals used typosquatting to spoof a well-known online cryptocurrency exchange and gain access to victims’ Bitcoin wallets
GozNym Gang Arrested
On May 16, 2019, Europol, the U.S. Department of Justice (DoJ) and six other countries dismantled a group of international cybercriminals associated with the GozNym malware
The gang used GozNym malware to steal an estimated $100 million from 41,000 victims and their financial institutions
GozNym is a hybrid banking malware designed to capture victims’ online banking login credentials. It has been used since 2016 to target Polish, German and U.S. online banking
The international operation included searches in Bulgaria, Georgia, Moldova and Ukraine.
This led to criminal prosecutions in Georgia, Moldova, Ukraine and the United States.
Retefe: a 5-year-long banking malware
Retefe is a special banking malware that was active between 2014 and 2019
It primarily targets German, Swiss and Austrian individuals
It was initially discovered in 2014 by Trend Micro
The malware operators used advanced methods to redirect users to spoofed internet banking sites in order to steal banking credentials
Over time, the malware evolved from using proxies to using the Tor network and stunnel (secure tunnelling) to redirect users to spoofed sites for its illicit purposes
Metro Bank (UK) hit by cyber attack
On January 31, 2019, news outlets reported a cyber attack against Metro Bank PLC in the UK
Sophisticated hackers exploited a flaw in SS7, a signalling protocol used by telecom operators. They were able to intercept the SMS text messages used for two-factor authentication (2FA) in e-banking
This exploitation gave them the ability to perform banking transactions protected by 2FA
Bank officials said that a small number of customers were affected
As a result, the bank’s risky assets rose by $900 million
The Evercore security breach
Various news outlets reported a security breach at Evercore (source: The Times)
Evercore, an investment bank headquartered in New York with a global presence, was reportedly hacked in November 2018
The hack was the outcome of a successful phishing attack on one of the bank’s junior administrators in London
The hackers gained access to the administrator’s inbox and reportedly extracted 160,000 data objects such as sensitive documents, invitations and emails
Sources close to Evercore said there is no evidence of data misuse resulting from this hack
Cobalt group activity
Cobalt is a cybergang that has targeted financial institutions (e-payment systems, ATMs, SWIFT) since at least 2013
The group mainly targets banks in Eastern Europe, Central Asia and Southeast Asia
Cobalt is likely associated with the Carbanak remote backdoor
Banks in more than 40 countries have allegedly been attacked by the Cobalt group, and overall losses are estimated to be above EUR 1 billion (source: Europol)
The leader of the cybergang was arrested in March 2018 following an international operation between Europol, the US FBI and the Romanian, Moldovan, Belarusian, Taiwanese and Spanish authorities
DarkVishnya: Eight banks hacked in Eastern Europe
According to Kaspersky, at least 8 banks were hacked from the inside between 2017 and 2018
The attacks, nicknamed DarkVishnya, were executed with the use of inexpensive netbooks, Raspberry Pi and Bash Bunny devices
The attackers didn’t use any of the traditional delivery methods such as phishing emails. Instead, a visitor pretending to be a courier or a job seeker connected the device to the bank’s network
The device gives the attackers remote access, e.g. via a 3G/LTE modem
This type of attack is difficult to detect because there is no infection of the bank’s IT equipment
Lessons learned
The increased use of e-transactions in today’s finance sector leads to more opportunities for cybercriminals
Organised cybercrime gangs are difficult to dismantle, as the malware they developed is often reused by new cybergangs
Law enforcement operations need international cooperation, as cybergangs are often set up worldwide and rely on remotely hacked infrastructure for their activities
Cybercriminals utilise different techniques to evade detection
They evolve their modus operandi in line with current IT trends