The apparent attempt by hackers to extort two Canadian banks for millions of dollars is another sign of the ever-changing strategies of criminals, says a security expert.
In a typical data breach attackers try to quickly monetize personal information by using or selling it, noted Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada.
“What’s different here, and not something that’s common, is that they try to extort BMO and Simplii (Financial), saying ‘Pay up or we will throw this data out on a lot of the forums.’
“It’s not your classic ransomware, where someone is holding or locking your data and not exfiltrating it.”
It’s another example of the constant evolution of cyber attacks, he said. “In most cases (infosec pros) set up their defences on understanding the motivation and end game and how the data might be monetized. This provides another model into the mix.”
He was commenting on news that the Bank of Montreal and CIBC’s Simplii Financial online bank received email threats over the weekend in which persons claimed to have accessed personal and account information belonging to tens of thousands of customers, and demanded $1 million in cryptocurrency or the data would be released.
According to the CBC, which received what appeared to be a copy of the threat, the alleged hackers claimed they were able to gain access to accounts in part by using a common mathematical algorithm designed to quickly validate relatively short numeric sequences to get bank account numbers, which allowed them to pose as authentic account holders who had simply forgotten their password. They say that was apparently enough to allow them to reset the backup security questions and answers, giving them access to the account. It isn’t clear from the synopsis if the reset was done online or through bank customer support staff.
Either way, if true, it was a major breakdown in bank security. More than one expert has said the password reset function is a headache and weakness for companies.
The Open Web Application Security Project (OWASP) has a page describing ways CISOs whose environments allow online self-service can test a password reset function.
In 2016 a British penetration testing company posted a blog about a way it found to get around an online password reset function.
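The weakness described above combines two things: account numbers that can be guessed or validated, and a self-service "forgot password" flow that confirms the guess and then falls back to security questions. The following is an added, hypothetical example (not code from BMO, Simplii, OWASP or the CBC report) of how a defender would shape such a flow: the endpoint answers identically whether or not an account exists, issues an unguessable single-use, time-limited token delivered out of band instead of asking security questions, throttles each client address, and a separate detector flags a source that requests resets for many distinct account numbers in constructed sample log lines. The `ResetService` class, the log format and the IP addresses are all assumptions made for the example.

```python
"""Hardened self-service password reset plus enumeration detection.

Added illustration only; the class, thresholds, log format and sample
data below are hypothetical and not taken from any bank's systems.
"""
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field

RESET_TOKEN_TTL_SECONDS = 15 * 60   # token lifetime (assumed value)
MAX_REQUESTS_PER_SOURCE = 5         # reset requests per client per window (assumed)
WINDOW_SECONDS = 3600
# The same text is returned for every request, so the endpoint never tells
# a caller whether a guessed account number was real.
GENERIC_RESPONSE = ("If an account matches, reset instructions have been "
                    "sent to the contact details on file.")


@dataclass
class ResetService:
    accounts: dict                                   # account_number -> contact address
    _tokens: dict = field(default_factory=dict)      # token -> (account, expiry)
    _requests: dict = field(default_factory=lambda: defaultdict(list))
    _sent: list = field(default_factory=list)        # (contact, token) out-of-band deliveries

    def request_reset(self, account_number, source_ip, now=None):
        """Handle a 'forgot password' request without confirming account existence."""
        now = time.time() if now is None else now
        # Per-source throttle applied before any account lookup, so the
        # throttled and unthrottled paths are indistinguishable to the caller.
        recent = [t for t in self._requests[source_ip] if now - t < WINDOW_SECONDS]
        self._requests[source_ip] = recent
        if len(recent) >= MAX_REQUESTS_PER_SOURCE:
            return GENERIC_RESPONSE
        recent.append(now)
        contact = self.accounts.get(account_number)
        if contact is not None:
            # Unguessable token, sent only to the contact on file. No security
            # questions are offered as an alternative on this path.
            token = secrets.token_urlsafe(32)
            self._tokens[token] = (account_number, now + RESET_TOKEN_TTL_SECONDS)
            self._sent.append((contact, token))
        return GENERIC_RESPONSE

    def redeem(self, token, new_password, now=None):
        """Consume a token once; return the account whose password may change, else None."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)   # single use: gone after the first attempt
        if entry is None:
            return None
        account, expiry = entry
        if now > expiry:
            return None
        # Actual credential update omitted; caller receives the verified account.
        return account


# Constructed sample log lines: "<epoch> <client_ip> reset_request acct=<number>".
# 203.0.113.7 walks through distinct account numbers; 198.51.100.5 retries one.
SAMPLE_LOG = """\
1527400000 203.0.113.7 reset_request acct=100000001
1527400003 203.0.113.7 reset_request acct=100000019
1527400006 203.0.113.7 reset_request acct=100000027
1527400009 203.0.113.7 reset_request acct=100000035
1527400012 198.51.100.5 reset_request acct=100000100
1527400015 203.0.113.7 reset_request acct=100000043
1527400018 203.0.113.7 reset_request acct=100000050
1527400021 198.51.100.5 reset_request acct=100000100
"""


def find_enumerators(log_text, distinct_threshold=5):
    """Return client IPs that requested resets for >= threshold distinct accounts."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "reset_request":
            continue
        ip, acct = parts[1], parts[3].split("=", 1)[1]
        seen[ip].add(acct)
    return sorted(ip for ip, accts in seen.items() if len(accts) >= distinct_threshold)


if __name__ == "__main__":
    svc = ResetService(accounts={"100000001": "customer@example.invalid"})
    print(svc.request_reset("100000001", "203.0.113.7"))
    print(svc.request_reset("999999999", "203.0.113.7"))  # same text, nothing sent
    print("flagged:", find_enumerators(SAMPLE_LOG))
```

The detector is deliberately simple: a legitimate customer who forgets a password retries one account, while the pattern the article describes (working through candidate account numbers to find ones the reset flow accepts) shows up as one source touching many distinct accounts, which is what the threshold catches.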
Jerome Segura, Canadian-based lead malware intelligence analyst for Malwarebytes, said in an interview the attackers’ claim is possible. Typically an intrusion would take place months before a threat is given to an organization. The intervening time could be used to attempt to reset passwords. He also couldn’t say if the alleged attacker was boasting or using the password reset story as a smokescreen for the real attack vector. The only way to know is through a forensic investigation, he said.
He also said it would be easier for an attacker to infect individual computers with a banking Trojan, which would capture credentials when a user logged into a bank account. However, a complete outline of the attackers’ methods isn’t available.
On the other hand, Segura doubts a phishing attack alone enabled hacks at two banks that allegedly netted information on 90,000 customers. He leans towards the likelihood of a vulnerable server that was exploited. He also wonders about the seeming coincidence that two unaffiliated banks were hit, opening the question of whether they shared a third-party supplier that was exploited, or had a similar back-end solution.
Given Canadian retail banks are quietly proud of their cyber security reputation, Kabilan was asked if BMO and CIBC are embarrassed at the breach.
“I’m not sure embarrassment would be the right term to use,” he replied. “One of the discussions we (in enterprises) are having is the need to shift our mindset beyond cyber security to one of cyber resilience because in today’s world because of the complexities we face the challenge is it’s not a question of if but when and how bad” a cyber attack will be. “If every organization understands it’s going to happen to you sooner or later, the question is how you step out of it. It looks like, on a first read, they’ve done a number of things right. They’ve gone public and said what’s happened, they’ve not given in and paid the extortion. They are advising people who potentially had their credentials compromised, and they’ll do something to protect these people from fraud and identity theft.”