If you haven’t heard of Carbanak, you’re not alone. It’s the name given to both a gang and a specific type of malware that has been used to swindle more than a billion dollars from over a hundred different financial institutions. The gang represents something fairly new and different in the world of hacking, and there’s very real fear among both banks and other corporations that this represents a paradigm shift in the way sophisticated hacking attacks are run.
The Anatomy of an “Old-Style” Hack
Consider some of the biggest, most talked about hacking attacks of the prior year. Target. Hobby Lobby. A major insurance company. What did they all have in common? The answer is that the hackers were after the personal data (financial or medical). They specifically did not target the corporations themselves, but rather, millions upon millions of individual user accounts. These, they would later resell on the black market and make a killing.
That’s decidedly not what Carbanak did.
Instead, they inserted their malware into the bank’s system, slipped past the firewalls of the target companies, set up dummy accounts and simply turned the spigot on, siphoning tens of millions, not from individual accounts, but from the banks themselves.
Sure, Target was disappointed and rightly concerned when forty million user accounts got hacked, but aside from giving them a PR black eye, it actually cost them very little in terms of their bottom line. The same certainly cannot be said of the aftermath of the Carbanak hacks.
To say that financial institutions and other major corporations are rattled would be an understatement. Not just rattled, but outright terrified, and with good reason. There have been hackers since before the internet existed. In a very real sense, it was hackers who built the internet, and that is the reason the community is so astonishingly good at staying ahead of curve. The very best security analysts? Former hackers themselves. In fact, one of the earliest hacking groups to gain notoriety was called the “Legion of Doom.” They were widely feared in their day.
They didn’t get caught though. They didn’t get put in jail. Instead, they got hired. Most of them by various government agencies. Unfortunately, private companies don’t have pockets as deep as the Federal Government, and small-to-medium-sized businesses have to make do with whomever they can afford. That’s not a knock against your IT talent. Odds are they’re very good at what they do, they’re just not “hacker-good,” and because they’re not, they’re destined to be a step or more behind.
Combine that with the fact that most companies use a standard two-tier defense to protect their data, and it’s easy to see why the level of fear is ratcheting higher. A two-tiered system of defense is composed of a firewall and some kind of antivirus protection. It’s fine as far as it goes, but increasingly, it will only serve to protect your company against casual hacks. Such systems provide relatively little challenge for the top level, sophisticated crews like Carbanak. Beware.