From Vault to Vulnerability: Modern Day Bank Robbers Hit the Web

Ever since the creation of the bank, criminals have set their sights on these institutions as a get-rich-quick scheme. Though their goals have remained the same, their methods have evolved, as today’s bank robbers have traded in their masks for keyboards. For those in the banking industry fighting on the front lines of the escalating cyber war, this isn’t news. But as attacks continue to become more targeted and sophisticated, IT teams are struggling against a range of agents, from common hackers to nation-states, to keep their networks and their vaults secure.

The Turning Point

After two years of avoiding detection, a massive cyber criminal ring was uncovered by Kaspersky Labs in 2015 dubbed Carbanak (after the strain of malware used in the group’s attacks) that infiltrated over 100 banks in 30 countries, making off with as much as $1 billion. This signaled a departure from the more customary attack, where the target is personally identifiable information (PII) belonging to bank customers. Instead, Carbanak targeted the banks’ internal money processing services and automated teller machines (ATMs).

Gone Phishin’

Given Carbanak’s success, attackers are turning their attention away from customer PII and toward the banks themselves. New variants of the malware surfaced last fall delivered through phishing attacks, and new criminal groups emerged as recently as this past February, employing similar tactics of spear phishing to embed customized malware and gain control over bank machines.

One such group stole over $100 million in March 2016 from the Bangladesh central bank account at the Federal Reserve Bank of New York. Attackers spied on the Bangladesh Bank for weeks before the attack, quietly infiltrating dozens of computers with phishing attacks to steal credentials for payment transfers. The attackers then ordered fraudulent transfers from the Federal Reserve and deposited the funds into bank accounts in the Philippines.

Further cementing malware as the preferred weapon of the modern day bank robber is the discovery of a new hybrid banking trojan called GozNym – a combination of the Nymaim malware that first popped up in 2013 and Gozi malware that emerged in 2012. Attackers successfully used GozNym to steal an estimated $4 million by targeting the customers of banks in April 2016. Once inside the bank’s system, the GozNym trojan transfers financial data and screenshots back to the attacker, who then can use that information to steal directly from the bank customer’s account.

Phishing attacks are one of the oldest tricks of the hacker trade, and for good reason: they’re immensely successful. Attackers take meticulous care in developing convincing emails that appear to be legitimate banking communications to trick bank employees – or third parties with access to bank systems – into handing over their user credentials. Once inside, attackers exploit known vulnerabilities in commonly used applications that remain unpatched by large banks due to their cumbersome infrastructure.

Securing the Vault

While bank IT teams have made strides to protect customer data and limit credit card fraud, the security of the bank’s own internal systems has been taking a backseat.

Here are a few steps that bank IT teams can take to better secure the vault:

  • Assume the network has already been breached. Or, if it hasn’t, it will be soon. Adopting this mindset forces the IT team to prioritize the most business-critical parts of the network. This is where network segmentation works as a strategy. When done correctly, network segmentation, achieved through the creation of network zones, limits the ability for a hacker to move laterally across a compromised network. Network segmentation is a constant job of updates and configurations, but it can mean the difference between a hacker getting only as far as an employee’s infected computer, instead of helping themselves to the bank’s ATM systems.
  • Establish an enterprise-wide security policy. A well-defined security policy serves as a crucial road map for any bank IT team to maintain a truly adaptive security architecture. It’s what helps the people tasked with protecting the bank’s systems determine the best way for the network to operate with minimal risk. Additionally, the security policy should take into consideration all regulatory and enterprise compliance requirements and how often patches are being applied.
  • Enforce your security policy. It’s one thing to have a security policy in place that defines how the IT platform behaves, and another to actually enforce it. Doing the former but not the latter can lead to some serious problems. A good security policy is a dynamic, constantly evolving document that should be updated continuously. It’s a collaborative effort across the enterprise–network operations, security operations, and the CIO.

We’re facing a new generation of attackers that have an intimate knowledge of banking systems’ inner workings. While managing network security has become a complex, resource-intensive task, it’s crucial for senior management to have an accurate picture of the organization’s security posture at all times and the ability to act quickly to close any gaps. Carbanak proved last year that stealing directly from the bank’s systems yields far bigger payouts for cyber criminals than the sale of stolen PII, and this trend shows no signs of slowing down as new variants continue to emerge now, over a year later.


Ofer Or is vice president of products at Tufin®, the leader in Network Security Policy Orchestration. Tufin enables the world’s largest financial institutions to centrally manage, visualize & control enterprise-wide policies while maintaining cybersecurity, business agility and continuous compliance. For more information, visit

Written by Ofer Or