High Dollar Cyberheist Caused By Phish-prone Employees

In what appears to be one of the largest and most sophisticated cyberheists ever, more than 100 financial institutions in 30 countries have been the victims of a campaign that in some cases ran for nearly 2 years. Most of the banks that were hit are in Russia, but the targets also include banks in Japan, Europe, and the United States. The cybergang behind this appears to be the first international cybermafia, a group of cybercriminals from Russia, Ukraine, other parts of Europe and China, according to a report released by antivirus company Kaspersky and reported on in the NY Times. Kaspersky could not release the names of the banks because of nondisclosure agreements. The NY Times said that the White House and FBI have been briefed on Kaspersky Lab’s findings, and that Interpol is coordinating an investigation.
Kevin Mitnick, KnowBe4’s Chief Hacking Officer said, “Even after 20 years, social engineering is still the easiest way into a target’s network and systems, and it’s still the hardest attack to prevent.”
KnowBe4’s CEO Stu Sjouwerman stated, “While this cyberheist is considered very sophisticated, spear-phishing is one of the most preventable and affordable. You would expect the finance industry to set the bar very high and have employees trained within an inch of their lives not to fall for such an attack. We would highly encourage financial institutions to take a look at their training methods and beef them up accordingly.”
The gang responsible for this has been dubbed the “Carbanak cybergang” because of the name of the malware they used. As reported by the NY Times on Saturday, February 14th, the gang got inside bank networks by sending spear-phishing emails to employees with infected attachments; when an employee opened the attachment, the workstation was infected. Once inside, the attackers observed and recorded the banks’ normal operating patterns, studying employee behavior so that their own activity would blend in and stay under the radar.
Sjouwerman noted, “There are a myriad of ways such cybercriminals will attempt to gain access. Spear-phishing emails are getting more complex and are not as easy to see. They can be disguised as a voicemail message, a notice from another employee or a special request for wire instructions. Employees need to be trained on what to expect. Best practices also cover sending out regular phishing tests to employees as part of their training, making security a priority and keeping it top of mind.”
Sjouwerman offered, “Security Awareness Training is really needed for every employee in any organization, not just banks. It allows you to put in place a more effective human firewall and protect your corporate and financial assets.”
KnowBe4 recommends checking suspicious email that may have one or more of the following red flags:
“1) You don’t recognize the sender’s email address as someone you ordinarily communicate with.
2) This email is from someone outside your organization and it’s not related to your job.
3) This email was sent from someone inside the organization or from a customer, vendor, or partner and is very unusual or out of character.
4) Is the sender’s email address from a suspicious domain? (like micorsoft-support.om)
5) You don’t know the sender personally and they were not vouched for by someone you trust.
6) You don’t have a business relationship nor any past communications with the sender.
7) This is an unexpected or unusual email with an embedded hyperlink or an attachment from someone you hadn’t communicated with recently.”
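Several of those red flags (unknown sender, external sender, lookalike domain, unexpected link or attachment) can be checked mechanically before a message ever reaches a human. The following Python is an added illustration written for this page; it is not KnowBe4’s code or tool. The organization domain, trusted domains, known-contact list and the three sample messages are all constructed for the example, and the red flags 2 and 3 that depend on job context or on what is “out of character” are left to the reader, since no script can judge them.

```python
"""Score an RFC 822 message against KnowBe4-style phishing red flags.

Added example, not KnowBe4's code. Every domain, address and message
below is constructed for the demonstration.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-bank.com"                                   # assumed
TRUSTED_DOMAINS = {ORG_DOMAIN, "microsoft.com"}                    # assumed
KNOWN_CONTACTS = {"alice@example-bank.com", "vendor@supplier.example"}  # assumed

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    Each hyphen-separated token of the sender's first label is compared to
    the trusted domain's first label, so 'micorsoft-support.om' is caught
    as an imitation of 'microsoft.com' (two characters transposed, TLD
    changed). Short tokens are skipped to avoid spurious matches.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    tokens = domain.split(".")[0].split("-")
    for t in sorted(trusted):
        brand = t.split(".")[0]
        for tok in tokens:
            if len(tok) >= 5 and edit_distance(tok, brand) <= 2:
                return t
    return None


def assess(raw):
    """Return the list of red flags raised by one message (empty if none)."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []

    known = addr in KNOWN_CONTACTS
    if not known:
        flags.append("unknown_sender")                 # red flags 1, 5 and 6
    if domain != ORG_DOMAIN:
        flags.append("external_sender")                # red flag 2 (context left to reader)
    imitated = lookalike_of(domain)
    if imitated:
        flags.append("lookalike_domain:" + imitated)   # red flag 4

    has_attachment = has_link = False
    for part in msg.walk():                            # walk every MIME part
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if URL_RE.search(body.decode("utf-8", "replace")):
                has_link = True
    if not known and (has_attachment or has_link):
        flags.append("unexpected_link_or_attachment")  # red flag 7
    return flags


# Constructed sample messages.
SAMPLE_PHISH = """\
From: IT Support <helpdesk@micorsoft-support.om>
To: bob@example-bank.com
Subject: Urgent: wire instructions update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached wire instructions and confirm at http://micorsoft-support.om/login
--b1
Content-Type: application/msword; name="wire.doc"
Content-Disposition: attachment; filename="wire.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_INTERNAL = """\
From: Alice <alice@example-bank.com>
To: bob@example-bank.com
Subject: Lunch
Content-Type: text/plain

Menu is at http://intranet.example-bank.com/lunch
"""

SAMPLE_VENDOR = """\
From: vendor@supplier.example
To: bob@example-bank.com
Subject: Invoice portal
Content-Type: text/plain

Your invoice is ready at https://supplier.example/portal
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("internal", SAMPLE_INTERNAL), ("vendor", SAMPLE_VENDOR)):
        print(name, assess(sample))
```

The scorer is deliberately conservative: a known contact sending a link raises nothing, and an external vendor on the contact list raises only the “external” flag, which matches the list above, where an unexpected link or attachment is a red flag only when it comes from someone you have not been communicating with.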
For more information or to get a free phishing test to see how “phish-prone” your employees are visit: http://www.Knowbe4.com
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 serves hundreds of customers in a variety of industries, including highly regulated fields such as healthcare, finance and insurance, and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.
About Kevin Mitnick
Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and speaker, and has authored three books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC.