Putting in place a sophisticated digital racket, hackers were able to steal millions of dollars from up to 100 banks in what the Russian cybersecurity company Kaspersky Lab is calling “the most successful criminal cyber campaign we have ever seen.”
Kaspersky, which helped uncover a piece of malicious software in the systems of bank computers, says the scheme worked like this: First the hackers were able to install malicious software on computers by phishing bank employees. That led to the infection of hundreds of machines.
The hackers kept watch until they found the computer of an administrator. That’s when they recorded the screen and keystrokes to learn the system. Eventually, they mimicked the staff and transferred large sums of money from banks in Russia, Switzerland, Japan, the United States and the Netherlands to dummy accounts in other countries.
In other cases, they simply instructed ATM machines to dispense money at certain times, where a conspirator would collect it. Perhaps in a sign of the hackers’ sophistication, each bank robbery took two to four months from the infection of the computer to cashing the money out.
Kaspersky was first alerted to the scheme by a piece of code hiding in an infected ATM machine. They investigated for months and eventually pieced together what was going on.
Kaspersky said it cooperated with police and learned that up to 100 institutions were targeted.
“In at least half of the cases the criminals were able to extract money from the infected institution. Losses per bank range from $2.5 million to approximately $10 million,” Kaspersky said in a statement.
The New York Times, which reported on the heists over the weekend, says that projection is impossible to verify and the White House and FBI said they had been briefed and are still working to confirm and then “assess the losses.”
The Times adds:
“No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.
“But the industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement that ‘our members are aware of this activity. We have disseminated intelligence on this attack to the members,’ and that ‘some briefings were also provided by law enforcement entities.'”