Group-IB researchers recently uncovered a series of attacks by a hacker group they’re calling MoneyTaker, which has successfully breached more than 20 banks, financial software vendors and legal firms in the U.S., U.K. and Russia over the past two years.
The researchers have confirmed at least 16 breaches by MoneyTaker in the U.S., three in Russia and one in the U.K.
“By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed,” the report states.
In the U.S., the group has hit companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida, with an average loss per attack of $500,000.
According to Group-IB, the hackers steal internal documentation, including admin guides, internal regulations and instructions, change request forms, and transaction logs, in order to learn about bank operations to prepare for future attacks.
“A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB,” the report states. “Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker.”
The group is named after a tool first used in an attack on a Russian bank. The tool contains modules that search for payment orders and modify them, replace payment details with fraudulent ones, and erase traces of the attack.
“In addition to hiding the tracks, the concealment module again substitutes the fraudulent payment details in a debit advice after the transaction back with the original ones,” the report states. “This means that the payment order is sent and accepted for execution with the fraudulent payment details, and the responses come as if the payment details were the initial ones.”
Dmitry Volkov, head of Group-IB’s cyber intelligence department, told Bloomberg that the hackers “understand that banks — especially community banks with limited resources — are the easiest marks.”
A recent MediaPro survey of 1,000 U.S. finance employees found that 79 percent of finance workers show a lack of preparedness against eight key cyber security and data privacy threat vectors, including incident reporting, physical security, identifying malware warning signs, cloud computing, identifying phishing attempts, and others.
Thirty-four percent of financial sector employees took risky actions when presented with scenarios related to building access (physical security), compared to 24 percent of the general population in a similar survey.
Similarly, more than twice as many financial sector respondents misidentified phishing emails as legitimate ones compared to respondents in the general population (19 percent vs. 8 percent).
“The results of our survey show more work is needed to shore up the human defenses of financial institutions,” the report states. “Millions (or billions) of dollars to beef up merely the technical side of an organization’s information security strategy could be ill-spent if investments are not made in security and privacy awareness training programs.”