Banks not learning from their oversights: Phishing rules!
A bank robber, after being apprehended, years ago was asked: “Why did you rob the bank?” The simple and direct response was, “That’s where the money is.” There is no difference today. Organizations will be targeted due to an asset the attackers want access to. This may be data or information, or the familiar cash.
An incident happened in Virginia to a bank and within eight months, the same bank. These illustrate the importance of relevant, regular training for phishing attacks.
Incidents
The target was The National Bank of Virginia located only in Virginia. The bank was compromised twice in eight months. The total amount stolen was an estimated $2.4M. The first was on May 28, 2016. This attack continued through Monday (Memorial Day), and was subsequently detected. The focus of this and the 2nd successful compromise was cash. Once compromised, the money was stolen through hundreds of ATMs across North America with cards whose magnetic strips had been the true user’s data placed on them. The ATMs initially with the first incident had stolen $569,648.24.
Once detected the bank contracted with Foregenix to complete the forensic review. In June 2016, the bank put in place the additional security protocols recommend. Curiously, the bank was breached again, allegedly by the same group, in January 2017. The attackers through this attack were able to steal $1.8M.
Methodology
The two rather deeply probing and expensive attacks were successfully completed with simple phishing emails with attachments. The user opens the email, clicks on the link or opens the attachment, and potentially the IR (Incident Response) Team and other operations have a long day and/or weekend. With the first attack, the initial compromised computer compromised another. This second computer accessed the STAR Network. This is managed by First Data and is used to manage the debit card, transactions, customer accounts, and the use of ATM and bank cards.
With the compromised computer, the attackers had the ability to disable and modify the anti-theft, and anti-fraud protections. This included the PIN, withdrawal limits for the individual person, daily usage, maximums for the debit cards, and fraud score protections.
The interesting twist is either by luck or learning from the 1st attack, the attackers also gained access to Navigator. Navigator was used by the bank to manage their customer’s debits and credits.
During the compromise #2, the attacker credited the bank ’s client accounts for $1,833,984 from several hundred ATMs. The second compromise also occurred over a weekend, between January 7-9, 2017. To make matters worse, the attackers updated for their needs or removed the bank’s critical security controls.
For the second compromise, Verizon was contracted for the forensic review. Verizon noted this was probably done by the same attackers, and the method for entry was the malicious Word document attached to the phishing email.
Cyber-Insurance
The bank did have cyber-insurance in place and in force at the time of the attacks. The insurance company was Everest National Insurance Company. Once the claim(s) had been filed, the insurance did not want to pay. There were two exclusions, and the insurance company claimed this fell under their Debit Card rider. The bank then filed a lawsuit in the Western District Court of Virginia, Roanoke Division (Civil Action No 7:18CV310).
Lessons Learned
Cybersecurity presents a new environment for the enterprise to thrive in. One aspect that is particularly new is cyber-insurance. The insurance industry is still working to detail the working, interpretation, and the method on how to apply this. In purchasing this service and insurance, the business needs to be wary and complete the due diligence, so senior management is aware of the coverage, as much as they are able to.
One aspect to fully explore are the exclusion riders. These, when possible, should be minimized in number. Where these are required, any ambiguity in the wording should be explored and detailed, while being documented. With this, any ambiguities should be limited. Notwithstanding a section to the contrary, the emails and other documents should fill in the gaps.
With the exclusions, this would work to limit the insurance company’s exposure to certain attacks. The industry may not know of a certain attack or one that had not been published yet. The attack vector may not be known yet. The business may be waiving their right to coverage for an unknown attack, or one that had not been created yet.
The business should actively consider consulting with an attorney specializing in this area with regard to the cyber-insurance policy and rider. The agreement and insurance rider are written with the insurance company’s interests in mind. The sections and riders may be vague where needed, and be able to apply exclusions where they may need it.
Insurance works, in theory, and practice, by pooling risk. The pool consists of individual policies. The insurance companies use large mathematical formulas to determine what factors to take into account. The larger the pool, assumptively the less overall risk, fewer claims, and subsequently larger profits. If there are too many claims, the insurance company’s profits will be lower. The organizations are profit driven, and not an altruistic entity.
Even if the organization follows industry standards and recommendations, there may be issues. The InfoSec environment is ever-changing. There are new attacks, updated old attacks, nuances, or old issues never fixed. To anticipate every issue and attack angle is not possible.
Phishing continues to be a rather viable attack vector. These can be skillfully crafted, with the business symbols and graphics. All it takes is one person in the right department (e.g. accounting, finance, tax, or Human Resources) clicking on one link and the business operations can get very interesting, very quickly. The phishing training needs to be regular, and relevant. As for the National Bank of Virginia..."Fool me once shame on you...fool me twice shame on me".
Resources
Krebs, B. (2018, July 18). Hackers breached virginia bank twice in eight months, stole $2.4m. Retrieved from https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.