Showing posts with label bank.

Thursday, March 15, 2018

SWIFT: India City Union Bank Heist

TLP AMBER ANNOUNCEMENT:

On Saturday 17 February 2018, India’s City Union Bank disclosed that its systems were hacked. They discovered that three fraudulent remittances, totaling nearly $2 million, were sent to accounts in Dubai, Turkey, and China via the SWIFT financial platform. SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is the world’s largest electronic payment messaging system, facilitating the exchange of more than $6 trillion a day. The majority of international interbank messages use the SWIFT network. This network enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable format. SWIFT sends payment orders, which must be settled by correspondent accounts that the institutions maintain with each other. SWIFT bank heists in the past have been attributed, with medium confidence, to North Korean actors...

Wapack Labs has cataloged and reported on cyber threats targeting SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wednesday, February 28, 2018

China Bank Regulation and Foreign Bank Access

During 2017, Chinese banking regulatory agencies issued a series of new banking restrictions with serious impact on Chinese banking practices and potential impact on foreign financial institutions as well. They have enforced compliance with the new regulations, imposing USD $400 million in fines on banking institutions in 2017 alone. The key measures introduced include:

Stamping out cryptocurrencies - The government has ordered all bitcoin/cryptocurrency exchanges in China to cease operations, and it was using electrical power control to close bitcoin mining operations.
Suppression of underground banks - To prevent foreign exchange transactions by unauthorized entities abroad, the government blacklisted 40 entities and apparently blocked access to their websites from inside China.
Slowing capital outflow - The government targeted capital outflows by cracking down on underground money transfers and restricting large overseas mergers and acquisitions.
Foreign bank access - However, one component of this effort involved a relaxation of regulations rather than a tightening up. In November 2017 China announced that it would soon allow foreign companies to own Chinese banks and investment firms. The cap on foreign investment in Chinese banks will be removed and foreign investors will be allowed to own 51% in financial institutions. Now, foreign banks which set up branches in China will be allowed to conduct business directly with Chinese in Chinese yuan...

Wapack Labs has cataloged and reported on Chinese banking regulations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  

Friday, December 22, 2017

Hackers Compromised Russian Bank And Used SWIFT for Withdrawal

On 15 December 2017, a Russian bank lost somewhere between $100,000 and $1 million US dollars after hackers sent SWIFT wire transfers abroad to Europe, Asia, and America. The bank was compromised (medium confidence) by a hacker group who sent malicious attachments to a number of different banks a few weeks prior. SWIFT was not compromised, but was used as a tool to siphon money from the compromised bank. The bank is going through ownership reorganization. Prior to this incident, it was receiving financial regulator warnings regarding its cyber security posture...

Wapack Labs has cataloged and reported on attacks targeting banks and SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, April 12, 2017

Shopping Spree with Stolen Credit Cards

While researching a clear web hacker/carder forum, Wapack Labs analysts found a unique domain. Users register for a 15-minute “shopping spree” and are issued a password to the site's database. The domain has many international cards and boasts over 1 million cards from the U.S. Once users choose their stolen cards, they add them to a shopping cart, just like a legitimate e-commerce site. The domain filters its database by BIN, Brand, Type, Level, Bank, Country, State, City, ZIP Code, Address, Seller, Base, Load, Expiration Date, Valid, or Sort. All purchases are made via Bitcoin.

Wapack Labs has cataloged and reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, September 19, 2016

African Phishing Attacks and Money Transfer Woes

Current intelligence from Africa revealed that many clients of CBAO Bank, a well-known West African banking group and the newly created Ivorian-Moroccan bank, Banque Atlantique, have been the targets of recent phishing attacks. Customers are receiving targeted spoofed e-mails from false bank advisors informing them that, for security measures, they must update their banking information either by filling out a dynamic .pdf and sending it to a designated e-mail address, or by connecting via a given spoofed link from which online account information is then harvested. These tactics have been used in Western Europe and the U.S. but might be re-employed due to recent success in Africa. Additionally, the trustworthiness of money transfer providers appears to be becoming an issue in Senegal, which has affected many local residents. Both these issues are being tracked. This information is being supplied for your situational awareness.

Publication date: 17 September 2016

Handling requirements: Traffic light protocol (TLP) GREEN

Attribution/Threat Actors: African phishing and money transfer providers

Actor Type: Tier II

Potential Targets: International

Past Reporting: DOC-3811

The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or feedback@wapacklabs.com.

About Wapack Labs

Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers and analysts use deep analysis techniques and visualization to design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information. The intelligence derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.