$1 billion bank heist reveals ongoing vulnerability of digital lives, accounts

The Internet is a scary place. You are never truly alone, for someone or something is always watching your every move. You are being tracked, possibly by people or computers, to see what sites you visit and what your interests are. If you are doing some online shopping, you will probably see some ads for the site you have visited the following day and this isn’t an accident. Along with being tracked by companies, you might be tracked by individual people, especially if you are using an unencrypted public Internet connection—but even private connections are not free of risk these days. Every time you enter a password or an account number, there is a chance that someone is intercepting the message and can use it whenever they want. That’s what happened recently for too many banks to count.

In what is being called perhaps the largest bank heist ever, hackers stole potentially more than $1 billion from over 100 banks and ATMs across  30 different countries. Reports from the Internet security firm Kaspersky Labs have stated that the hackers installed spyware on bank computers, through which they then mimicked employee protocols for transferring funds for accounts and ultimately moved a vast amount of money into funds specifically created for the online heist. (CNN, “Hackers stole from 100 banks and rigged ATMs to spew cash,” 2.15.15)

The criminal group receiving credit for the crime has been called “Carbanak,” based on the name of the backdoor malware they used—though they have also been cited as “Anunak”. Carbanak is comprised of members from all over the world including Russia, Ukraine, China, and other areas in Europe. This isn’t the group’s first strike either; they have already been credited with lifting $17 million from banks over the winter holiday season and stealing inside trader information to obtain a trading advantage on the stock market. (Security Week, “Cyber Gang Linked to Theft of $17M From Banks, Retailers: Research,” 12.22.14) Along with these charges, they are also suspected in smaller online heists dating back to late 2013.

How could this happen, one might wonder. It sounds like it would be complicated to hack into over 100 banks at the same time. Here’s the sad reality: It’s really not. Hackers can insert phishing mechanisms into emails or through websites with little hassle. In the specific $1 billion hacking instance here, Kaspersky Labs has stated that phishing devices were transferred through Microsoft Word: “All observed cases used spear phishing emails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE- 2012-0158 and CVE-2013-3906) and Microsoft Word (CVE- 2014-1761).” (Kaspersky Labs, “Carbanak Apt: The Great Bank Robbery,” 2.2015) After bank employees’ emails were infiltrated with these exploitive devices, the group was able to surf through hundreds of banking computers in search of an administrative computer. Once that adminstrative system was found, Carbanak could intercept any clerk’s screen at any time using a mirror system.

With reading about all the recent hacking, we must be mindful that anything we do online is not personal and isn’t ever 100 percent safe. While researching for this article, I was trying to find recent data on the hacking of passwords and how many passwords have recently been compromised. Instead, I was introduced to a website that easily explained how in 5 to 10 minutes I could hack any of my friend’s Facebook passwords and take over their account.  Is it really that simple?!

Upon further investigation, I found that recently 10 million-plus usernames and passwords for a variety of sites have been published, ranging from Facebook and Twitter to bank and medical accounts. The publication, by researcher Mark Burnett, claims to have “no new data” but is actually a complication of information gathered from various security breaches. In response to the uproar over his publication, Burnett has spoken out saying, “It is important to note that I didn’t leak these passwords, they are already out there.” Burnett makes it clear that what he has done isn’t real hacking, and most of us have a blind eye to criminal acts of cyber nature until its too late. He followed up saying, “If a hacker needs this list to hack someone, they probably aren’t much of a threat.” (The Hacker News, “Researcher Publishes 10 Million Usernames and Passwords from Data Breaches,” 2.10.15)

With this recent Carbanak attack following the Sony hack late last year, I think this is just the beginning of cyber warfare. Security companies, such as Kaspersky Labs, have quickly been able to identify how major attacks have occurred, but the perpetrators still remain at large. How one can take preventative measures isn’t always clear, besides staying off the Internet, but that doesn’t appear to be possible for many of us.

Hacking has been going on for quite some time and it’s nothing new; it just might be something to be more mindful of. We all know the basics: Don’t open attachments from strangers, use secure Internet sources as much as possible. At the end of the day no matter what, our online information is at risk, and it seems the best thing we can do is be prepared to be hacked and try and make a plan of what to do when it happens.


—Delaney Fischer ’15 is a neuroscience major.

Leave a Reply

Your email address will not be published. Required fields are marked *

The Miscellany News reserves the right to publish or not publish any comment submitted for approval on our website. Factors that could cause a comment to be rejected include, but are not limited to, personal attacks, inappropriate language, statements or points unrelated to the article, and unfounded or baseless claims. Additionally, The Misc reserves the right to reject any comment that exceeds 250 words in length. There is no guarantee that a comment will be published, and one week after the article’s release, it is less likely that your comment will be accepted. Any questions or concerns regarding our comments section can be directed to Misc@vassar.edu.