The industry cooperative acknowledges yet another act of cyber-fraud was perpetrated via hackers using malware to exploit the SWIFT system.
Hackers in a second major attack have been able to use the SWIFT financial messaging system to break into a commercial bank, according to media reports and officials at the industry cooperative, which issued a message to customers, dated May 13.
For this latest attack, SWIFT officials state that “the SWIFT network, core messaging services and software have not been compromised.”
The first acknowledged attack in February that also exploited the SWIFT network was an act of cyber-fraud against the Federal Reserve Bank of New York to steal $1 billion from the central bank of Bangladesh, according to official confirmations and media reports. The hackers in that case were stopped but not before approximately $100 million was stolen from the Bangladesh central bank account in the U.S. Some of that amount has been tracked down but $81 million is missing.
In fact, the ongoing saga with the central bank of Bangladesh caused SWIFT officials to issue a statement on May 10, in which they said that representatives of the New York Fed, Bangladesh Bank and SWIFT met in Basel, Switzerland to discuss the details of the cyber-fraud attack.
“In the earlier case we reported to you [the Bangladesh central bank], and this particular case we can confirm that: malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network,” according to today’s SWIFT message to customers.
SWIFT adds: “The modus operandi of the attackers is similar in both cases:
1. Attackers compromise the bank’s environment
2. Attackers obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers’ back-offices or from their local interfaces to the SWIFT network.
3. Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials.
4. Attackers hide evidence by removing some of the traces of the fraudulent messages.”
For the latest case, SWIFT reports that “a piece of malware was used to target the PDF reader application used by the customer to read user generated PDF reports of payment confirmations. The main purpose of the malware is again to manipulate an affected customer’s local records of SWIFT messages – i.e. step 4 in the above modus operandi.
“Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software,” according to SWIFT. “When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions. There is no evidence that the malware creates or injects new messages or alters the content of legitimate outgoing messages. This malware only targets the PDF reader in affected institutions’ local environments and has no impact on SWIFT’s network, interface software or core messaging services.”
SWIFT urges that customers using PDF reader applications “to check their confirmation messages” should “take particular care.”
SWIFT officials add that forensic experts “believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.”
For both cases, “the attackers have exploited vulnerabilities in banks’ funds transfer initiation environments, prior to messages being sent over SWIFT,” according to the statement.
“The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process,” according to SWIFT. “In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognize the fraud.”
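The two-step pattern SWIFT describes, a fraudulent instruction followed by tampering with the local confirmation report that would otherwise reveal it, is exactly the gap an independent reconciliation control closes. The script below is an added illustration written for this article, not code from SWIFT or from any bank’s interface software: it assumes a ledger of submitted instruction references kept on a host the operator PC cannot write to, a constructed plain-text stand-in for the PDF confirmation report, an HMAC seal computed over the report when it is generated, and a review-time check that both verifies the seal and lists any submitted reference that no longer appears in the report. All data, keys and names are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample: the local interface's own record of submitted instructions,
# held on a separate host so malware on the operator PC cannot edit it.
SUBMITTED_LEDGER = {
    "TRN-20160513-0001": ("USD", "250000.00", "BENEFICIARY-A"),
    "TRN-20160513-0002": ("USD", "75000.00", "BENEFICIARY-B"),
    "TRN-20160513-0003": ("USD", "1200000.00", "BENEFICIARY-C"),  # the instruction a fraudster would want hidden
}

# Constructed confirmation report; plain text standing in for the PDF body.
CLEAN_REPORT = """CONFIRMATION REPORT 2016-05-13
REF TRN-20160513-0001 USD 250000.00 BENEFICIARY-A ACK
REF TRN-20160513-0002 USD 75000.00 BENEFICIARY-B ACK
REF TRN-20160513-0003 USD 1200000.00 BENEFICIARY-C ACK
"""

# The same report with the third confirmation line removed, the kind of
# manipulation SWIFT attributes to the Trojan PDF reader.
TAMPERED_REPORT = """CONFIRMATION REPORT 2016-05-13
REF TRN-20160513-0001 USD 250000.00 BENEFICIARY-A ACK
REF TRN-20160513-0002 USD 75000.00 BENEFICIARY-B ACK
"""

# Constructed key; in practice held by the report-generating system, never on operator PCs.
SEAL_KEY = b"constructed-demo-key-not-for-real-use"

# A confirmation line starts with REF followed by the transaction reference.
REF_RE = re.compile(r"^REF\s+(\S+)\s", re.MULTILINE)


def seal_report(report: str, key: bytes = SEAL_KEY) -> str:
    """HMAC-SHA256 over the report text, computed at generation time."""
    return hmac.new(key, report.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_seal(report: str, seal: str, key: bytes = SEAL_KEY) -> bool:
    """Constant-time comparison of the stored seal with a fresh one."""
    return hmac.compare_digest(seal_report(report, key), seal)


def report_refs(report: str) -> set:
    """Transaction references present in the report as read by the reviewer."""
    return set(REF_RE.findall(report))


def reconcile(report: str, seal: str, ledger: dict, key: bytes = SEAL_KEY) -> dict:
    """Review-time control: seal check plus two-way reference reconciliation.

    'missing_from_report' lists submitted instructions whose confirmation lines
    have vanished, which is the signal a report-tampering Trojan produces.
    """
    refs = report_refs(report)
    submitted = set(ledger)
    return {
        "seal_ok": verify_seal(report, seal, key),
        "missing_from_report": sorted(submitted - refs),
        "not_in_ledger": sorted(refs - submitted),
    }


if __name__ == "__main__":
    stored_seal = seal_report(CLEAN_REPORT)  # recorded when the report was produced
    print("clean   :", reconcile(CLEAN_REPORT, stored_seal, SUBMITTED_LEDGER))
    print("tampered:", reconcile(TAMPERED_REPORT, stored_seal, SUBMITTED_LEDGER))
```

The seal alone tells a reviewer that the file changed; the reconciliation tells them what changed, and it works even if the attacker regenerates the report with a fresh seal, because the ledger of submitted references lives outside the compromised machine. Either finding on a report covering an irrevocable transfer should be treated as an incident rather than a display glitch.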
In addition, the hackers are showing “a deep and sophisticated knowledge of specific operational controls within the targeted banks,” according to SWIFT. They have knowledge “that may have been gained from malicious insiders or cyber-attacks, or a combination of both.”
SWIFT is urging its customers to review controls in their payments and messaging environments and e-banking channels.
“This includes everything from employee checks to password protection to cyber defenses. We recommend that customers consider third party assurance reviews and, where necessary, ask your correspondent banks and service bureaux to work with you on enhanced arrangements,” according to SWIFT. “We also urge all customers to be forthcoming when these issues occur so that the fraudsters can be tracked by the authorities, and SWIFT can inform the rest of the community about any findings that may have a bearing on wider security issues.”
The complete message is available on the SWIFT website: http://bit.ly/1Xp9bbH