A worldwide gang of hackers has stolen up to $1bn over the last two years, in one of the most successful cybercrime campaigns in history.
Carbanak targeted as many as 100 different banks, e-payment systems and other financial groups across 30 countries in Europe, Asia, North America and Oceania, in a series of advanced persistent threats (APTs) that took months to pull off.
Sergey Golovanov, principal security researcher at Kaspersky Lab, the security firm which helped uncover the attack, said: "These bank heists were surprising because it made no difference to the criminals what software the banks were using.
"The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery."
The hackers gained initial entry to banking systems through spear phishing attacks, installing malware that allowed them to monitor admin activities which they later mimicked to transfer cash out of the system unnoticed.
In some cases customer account balances were topped off before the excess was siphoned off into the attackers’ own accounts, while in others the hackers programmed cash points to release money at set times and went to collect it.
"These attacks again underline the fact that criminals will exploit any vulnerability in any system," said Sanjay Virmani, Director of the Interpol Digital Crime Centre. "It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."