Phishing email – let them in

A group of unknown hackers has managed to steal almost $1 billion from over 100 banks in 30 countries: a successful phishing attack let them in.

The attackers sent spear-phishing emails carrying malicious attachments which, once opened by the recipient, infected the workstation with malware.

The spear-phishing emails carried malicious Microsoft Word 97-2003 (.doc) and Control Panel Applet (.CPL) attachments. The malware is thought to have exploited vulnerabilities in Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) to execute shellcode, which in turn decrypted and executed the backdoor. That foothold allowed the attackers to install additional software, such as the Ammyy Admin remote administration tool.
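The point above is that the delivery vehicle was a pair of ordinary-looking attachment types, and that a .CPL is simply a renamed Windows DLL. As an added illustration (this is not code from the original post or from the Kaspersky Lab report), the following Python routine triages the attachments of a mail message by their leading bytes rather than by their file names, flagging the two extensions named above, any attachment whose content is a PE executable, and any attachment whose extension does not match what its bytes say it is. The sample message it builds is constructed for the demo and is not a real campaign email.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types the Kaspersky Lab report ties to the spear-phishing wave:
# Word 97-2003 binaries (.doc) and Control Panel applets (.cpl). Both are
# worth flagging at the mail gateway regardless of what the sender calls them.
RISKY_EXTENSIONS = {".doc", ".cpl"}

# Leading bytes -> file family. A .cpl is a renamed Windows DLL, so it starts
# with the PE "MZ" stub; a Word 97-2003 .doc is an OLE compound file.
MAGIC = [
    (b"MZ", "PE"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE"),
    (b"%PDF", "PDF"),
]

# What a well-formed file with this extension should look like inside.
EXPECTED_FAMILY = {
    ".cpl": "PE", ".dll": "PE", ".exe": "PE", ".scr": "PE",
    ".doc": "OLE", ".xls": "OLE", ".ppt": "OLE",
    ".pdf": "PDF",
}


def file_family(payload: bytes) -> str:
    """Classify an attachment by its leading bytes, not by its name."""
    for magic, family in MAGIC:
        if payload.startswith(magic):
            return family
    return "unknown"


def triage(raw_eml: bytes) -> list[dict]:
    """Return one finding per attachment, with the reasons it was flagged."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        family = file_family(payload)
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext} was abused in the campaign")
        if family == "PE":
            reasons.append("content is a Windows executable")
        expected = EXPECTED_FAMILY.get(ext)
        if expected and family != expected:
            reasons.append(f"{ext} should be {expected}, bytes say {family}")
        findings.append({"filename": name, "family": family,
                         "reasons": reasons, "flagged": bool(reasons)})
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample message for the demo; not a real campaign email."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "ops@bank.example"
    msg["Subject"] = "Invoice documents"
    msg.set_content("Please review the attached documents.")
    # Stub PE header named as a Control Panel applet.
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice.cpl")
    # OLE compound-file header named as a legacy Word document.
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,
                       maintype="application", subtype="msword",
                       filename="invoice.doc")
    # Executable bytes hiding behind a .pdf name: the extension lies.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # Harmless text file for contrast.
    msg.add_attachment("See invoice.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_eml()):
        status = "FLAG" if finding["flagged"] else "ok"
        print(finding["filename"], finding["family"], status, finding["reasons"])
```

The check on leading bytes is the part that matters: a gateway rule that only blocks by extension misses the third attachment, which carries executable content under a .pdf name, while a rule that trusts the declared MIME type misses all three. Real deployments would add the Office Open XML (ZIP) family and deeper parsing of OLE streams, but the principle is the same.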

Ammyy was a preferred tool for the attackers because it is whitelisted (allowed) by many organisations for use by their systems administrators, so its presence on a workstation and its network traffic attracted little suspicion.

According to the Kaspersky Lab report, the attackers navigated the banks' internal networks to locate administrators' workstations and set up video surveillance of them, allowing them to see and record everything that happened on the screens of staff.

The hackers' main targets were the money-processing services, Automated Teller Machines (ATMs) and customer accounts; the attackers are also thought to have used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to transfer money to accounts under their control.

The ATM network was also compromised and used to dispense cash from specific ATMs at pre-arranged times, when an accomplice was waiting to collect it.

The attacks continue

Information taken from, and credited to, Kaspersky Lab.