Hacking a bank electronically is not easy, but it is not impossible either. Shrinking IT security budgets and outdated hardware and software help attackers break into systems and do serious damage. As many as 250 million users are still running Windows XP, many of them in corporate environments.
First Step: Preparation
First of all, we have to put together our team. We will need at least four software specialists covering IBM z/VM, Oracle Solaris, Unix, the bank's application software and, of course, Windows; one network specialist for Cisco routers, firewalls and communication protocols; a social engineer; and one bank insider. For the insider, a teller (window clerk) position is enough. Such positions are not hard to get: they are usually open and, above all, heavily underpaid.
Selecting the Target
It would not be a good idea to choose a large corporate bank, because it can afford the best security hardware and software. A small bank is not a good target either, because money transfers are much easier to trace there. The best choice is a medium-sized bank with no more than a couple of hundred branches. These banks have lately realized they need an IT upgrade, but they work with a very tight budget.
Every “business plan” needs some up-front investment: hardware, software, living expenses, bribes, etc. To begin with, around $100k should be enough. We are planning to take around $10-20 million.
First of all, we need to get inside the bank through a cable technician or the internet provider. The social engineer can get a job in the cleaning department or as a handyman. Most banks do not monitor the electromagnetic spectrum, so they cannot find a bug or listening device. Our “handyman” and the teller can look around and gather important information about operating rules, the server room, the hardware in use, employees, etc.
After a couple of weeks we should know what hardware, software and applications are in use. So, let's start with some hacking. At the beginning we stay away from account transaction operations. We check what network hardware (switches, routers) is reachable and what software and firmware it runs. New bugs are published for most network software almost daily, and we can try to reach a server and install some backdoors. Firewalls make this difficult, but we have a social engineer on the team and he will take care of some passwords.
Keyloggers, sniffers and employee monitoring will gather some passwords. It is not uncommon for a password to be written on a sticky note on the monitor or the server tower. There are plenty of databases of leaked passwords on the dark net, and we can check whether some employees have a personal account on a free mail service outside the company. They most likely use the same password for company and personal accounts.
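The password-reuse point above is also a check the bank's own security team can run. The following is an added example, not code from the original article: it compares the corporate directory's password hashes against a corpus of leaked hashes the way a k-anonymity range query does (only the first five hex characters of a hash are used to select candidates, as in Have I Been Pwned's Pwned Passwords API), so a full hash never has to be handed to a third party. The unsalted SHA-1 storage, the employee accounts and the leaked-password list are all constructed for the example.

```python
"""Added example: find corporate accounts whose password appears in a breach corpus.

Assumptions (constructed for this example, not from the article):
  * the legacy directory stores unsalted SHA-1 password hashes, a weak practice
    that still exists and is what makes this comparison possible;
  * BREACH_CORPUS stands in for a large set of leaked-password SHA-1 hashes.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, upper-case hex (the common leak format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed leaked-password corpus (a real one has hundreds of millions of entries).
LEAKED_PASSWORDS = ["Password123", "Summer2015!", "qwerty", "letmein", "bank2016"]
BREACH_CORPUS = {sha1_hex(p) for p in LEAKED_PASSWORDS}

# Constructed corporate directory: account -> SHA-1 of its current password.
EMPLOYEE_HASHES = {
    "jdoe": sha1_hex("Summer2015!"),                  # reused leaked password
    "msmith": sha1_hex("correct horse battery staple"),
    "teller07": sha1_hex("Password123"),              # reused leaked password
    "admin_unix": sha1_hex("g7#Qp!2zL0v"),
}


def range_query(prefix: str, corpus=BREACH_CORPUS) -> set:
    """k-anonymity style lookup: given a 5-char hash prefix, return the suffixes
    of every corpus hash sharing it. Only the prefix leaves the bank."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def reused_credentials(directory, corpus=BREACH_CORPUS) -> list:
    """Accounts whose password hash is present in the breach corpus."""
    hits = []
    for account, h in sorted(directory.items()):
        prefix, suffix = h[:5], h[5:]
        if suffix in range_query(prefix, corpus):
            hits.append(account)
    return hits


if __name__ == "__main__":
    for account in reused_credentials(EMPLOYEE_HASHES):
        print(f"{account}: password found in breach corpus, force reset")
```

The same loop, run against the personal email addresses the article mentions (checking the leaked hash, not the cleartext), tells the defender which staff are exposed before the attacker's social engineer gets to them.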
Once we have access to some of the servers, it is time to write some code. It is common practice to encrypt communication with servers connected to the internet, because they are attacked nonstop. On the company intranet this practice is less common, and the IT department generally does not patch or update servers on the local network very often. We focus on servers running “aged” versions of Unix and search for exploits written for that particular OS version. After we create root accounts, we start installing backdoors, trojans and sniffers to monitor all traffic on the network, and we start creating our own bank accounts. The email server is a gold mine: with access to the mailboxes we can run password crackers and read important people's email. Because we have rooted the server, we can delete any logs, scan for open ports and run network analyzers.
At the same time we look for the applications used for account management and money transfers. The best option would be to obtain the source code of these applications, so we can modify them and upload them later. The CGI script source is needed to modify the internet banking and plant backdoors. If the source code is not available, we try, with the help of crackers, to disassemble the application and patch the code.
Sooner or later we will know how the whole structure and the approval chain for money transfers work. But we still do not take any money. While we are busy with our projects, we have to stay up to date and regularly check the latest information about security bugs, viruses, DoS attacks, etc. A couple of hundred “zombie” PCs on high-speed internet connections will be very handy in the next step of the attack.
The last part of the preparation is creating offshore bank accounts in the Bahamas and the Cayman Islands, as well as some domestic bank accounts opened with stolen IDs.
The attack has to be planned for one of the busiest times of the year; the days around Black Friday, for example, are a great opportunity. First we activate our “zombie” PCs and start a denial-of-service attack on the bank's servers. We simply create chaos and panic. We can add some strange phone calls or block the sewer system. Suddenly the whole IT department is monitoring every system and reading logs. The bank should react by closing all branches until it has investigated the cause. But it won't, because that would badly hurt the bank's image. All of this is only a distraction. The main attack comes along three lines.
First, we transfer money from hundreds of accounts to our accounts opened at the bank. We take only amounts that look like regular transactions (buying an iPhone, say). It is important to stay under the authorization limits, which may be, for example, 10% of the available funds on the account or $5k per transaction. Normally the IT department would check for this kind of transaction, but now they are busy with the panic we created earlier. Once money has accumulated in our in-bank accounts, we start sending it out of the bank in small amounts.
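Staying under the per-transaction limit only works if the bank checks transactions one at a time. The following is an added example, not code from the original article, of the aggregate check a monitoring team would run: it groups inbound transfers by beneficiary, slides a time window over them and raises an alert when sub-limit transfers from several distinct source accounts add up to more than the limit. The $5k limit is the figure the article uses; the 24-hour window, the three-source fan-in threshold and the transfer records are constructed assumptions.

```python
"""Added example: detect sub-limit transfers that aggregate above the limit
(structuring) for one beneficiary. Data and thresholds constructed for this
example; only the $5k per-transaction figure comes from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PER_TXN_LIMIT = 5_000.00          # each transfer below this needs no extra approval
WINDOW = timedelta(hours=24)      # assumption: look-back window per beneficiary
MIN_DISTINCT_SOURCES = 3          # assumption: fan-in from this many accounts is suspicious

# Constructed sample ledger: (ISO timestamp, source account, beneficiary, amount)
TRANSFERS = [
    ("2016-11-25T09:02:00", "ACC-1001", "ACC-9001", 1_199.00),
    ("2016-11-25T09:15:00", "ACC-1002", "ACC-9001",   950.00),
    ("2016-11-25T09:40:00", "ACC-1003", "ACC-9001", 1_249.00),
    ("2016-11-25T10:05:00", "ACC-1004", "ACC-9001",   999.00),
    ("2016-11-25T10:30:00", "ACC-1005", "ACC-9001", 1_100.00),  # running total 5,497 > limit
    ("2016-11-25T11:00:00", "ACC-2001", "ACC-3001", 4_900.00),  # one large but legitimate-looking transfer
    ("2016-11-25T11:10:00", "ACC-2002", "ACC-3001",   120.00),  # total > limit, but only 2 sources
    ("2016-11-26T15:00:00", "ACC-1006", "ACC-9001",   800.00),  # next day, outside the window
]


def parse(row):
    ts, src, dst, amt = row
    return datetime.fromisoformat(ts), src, dst, float(amt)


def find_structuring(transfers, limit=PER_TXN_LIMIT, window=WINDOW,
                     min_sources=MIN_DISTINCT_SOURCES):
    """Per beneficiary, slide a time window over sub-limit inbound transfers and
    alert when their sum exceeds the limit and they come from enough distinct
    source accounts. Returns {beneficiary: alert details}."""
    by_dst = defaultdict(list)
    for row in sorted(transfers, key=lambda r: r[0]):
        ts, src, dst, amt = parse(row)
        if amt < limit:                      # only sub-limit transfers are candidates
            by_dst[dst].append((ts, src, amt))

    alerts = {}
    for dst, rows in by_dst.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # drop rows that fell out of the window
                start += 1
            in_window = rows[start:end + 1]
            total = sum(a for _, _, a in in_window)
            sources = {s for _, s, _ in in_window}
            if total > limit and len(sources) >= min_sources:
                alerts[dst] = {
                    "total": round(total, 2),
                    "sources": len(sources),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                }
                break                         # one alert per beneficiary is enough
    return alerts


if __name__ == "__main__":
    for dst, info in find_structuring(TRANSFERS).items():
        print(f"ALERT {dst}: {info['sources']} sources, {info['total']:.2f} between "
              f"{info['first_seen']} and {info['last_seen']}")
```

In the sample, ACC-9001 is flagged after the fifth sub-limit credit, while ACC-3001 is not, even though its total also exceeds $5k: two sources is normal business, and the distinct-source condition is what keeps the rule from firing on every payroll run. The check is cheap enough to keep running during exactly the kind of incident the article uses as a distraction.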
The second line of attack is to “catch” payment orders from real clients of our bank to other banks. It is extremely hard to create a fake transfer for a large amount: transfers over $10k generally need approval from two managers before they leave the bank. The transfer is encrypted on the wire, so we have to “catch” the order right after it is approved but before it is encrypted. This is a man-in-the-middle attack on the endpoint rather than on the network. One way is to tamper with the SSH client and capture the password as the user types it, before it is encrypted and sent; the same modified client can then rewrite the beneficiary details in the order, and the server, which only verifies the encrypted channel, accepts them as genuine. There are also utilities that attempt this rewriting on the wire when the attacker sits on the same network segment, although against a properly verified SSH session that first requires defeating host-key checking.
The third line of attack is through internet banking. If we have root access, we use the same setup as for the transfer modifications. If we do not, we change the record on the local DNS server and send users to a new IP, where we run software that terminates the SSL connection, “talks” to the real site and injects our modified transfer data. The user's browser will probably complain about the certificate, but most users just click “OK, I agree” anyway. This is the standard argument for HSTS: a browser that has already seen the site's Strict-Transport-Security header shows a hard error instead of a dismissable warning.
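Both the second and the third line of attack change the beneficiary after the user approves the order but before the bank's server sees it, and transport encryption cannot catch that because the tampering happens outside the encrypted channel. The following is an added example, not code from the original article, of the control that does catch it: an authentication tag over the order fields, computed with a key the approver holds and the attacker does not, which the server recomputes on receipt. HMAC-SHA256 with a per-approver secret stands in here for whatever signing token a real bank would use; the field set, the order and the approver names are constructed for the example. The $10k two-manager threshold is the figure from the article.

```python
"""Added example: end-to-end integrity tag on a payment order, checked by the
server independently of the transport. Constructed keys, order and field set;
HMAC-SHA256 stands in for a hardware signing token.
"""
import hashlib
import hmac
import json

# Constructed per-approver secrets. In practice these live in a token or smart
# card, not on the workstation whose SSH client or browser has been tampered with.
APPROVER_KEYS = {
    "mgr_alice": b"constructed-key-alice-0001",
    "mgr_bob": b"constructed-key-bob-0002",
}
DUAL_APPROVAL_THRESHOLD = 10_000.00   # the article's two-manager limit

# Every field an attacker would want to change is covered by the tag.
SIGNED_FIELDS = ("order_id", "debtor", "beneficiary_iban", "beneficiary_name",
                 "amount", "currency")


def canonical(order: dict) -> bytes:
    """Deterministic serialisation so approver and server hash identical bytes."""
    subset = {k: order[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def approve(order: dict, approver: str) -> str:
    """Approver side: tag the order as displayed to (and approved by) the manager."""
    return hmac.new(APPROVER_KEYS[approver], canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, approvals: dict):
    """Server side: enough approvers for the amount, and every tag must match the
    order exactly as received. Returns (accepted, reason)."""
    needed = 2 if float(order["amount"]) > DUAL_APPROVAL_THRESHOLD else 1
    if len(approvals) < needed:
        return False, f"needs {needed} approval(s), got {len(approvals)}"
    body = canonical(order)
    for approver, tag in approvals.items():
        key = APPROVER_KEYS.get(approver)
        if key is None:
            return False, f"unknown approver {approver}"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False, f"tag mismatch for {approver}: order altered after approval"
    return True, "ok"


# Constructed outbound order above the dual-approval threshold.
ORDER = {
    "order_id": "PO-20161125-0042",
    "debtor": "ACC-2001",
    "beneficiary_iban": "DE89370400440532013000",
    "beneficiary_name": "ACME Supplies GmbH",
    "amount": "24500.00",
    "currency": "USD",
}


def demo():
    """Genuine order, the same order with the beneficiary swapped in transit,
    and the genuine order with only one of the two required approvals."""
    approvals = {a: approve(ORDER, a) for a in ("mgr_alice", "mgr_bob")}
    genuine = verify_order(ORDER, approvals)
    tampered = dict(ORDER, beneficiary_iban="GB29NWBK60161331926819",
                    beneficiary_name="Offshore Holdings Ltd")
    altered = verify_order(tampered, approvals)
    single = verify_order(ORDER, {"mgr_alice": approvals["mgr_alice"]})
    return genuine, altered, single


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "single approval"), demo()):
        print(f"{label}: {result}")
```

The caveat a practitioner will want: the tag only proves the order was not changed after the approver computed it. If the attacker's hooked client alters what the manager sees before approval, the manager signs the wrong beneficiary, which is why the signing device should display the beneficiary and amount itself rather than trust the workstation (“what you see is what you sign”).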
The money accumulates in the domestic bank accounts and is systematically moved to our offshore accounts. The movement has to be fast and look disorganized. At the last bank the money is collected and withdrawn in cash.
And we vanish from the scene in a deep red Ferrari, buy a villa in Palm Springs and invite Taylor Swift to our after-party.
In developed countries this would be difficult to pull off, but one example for all happened a few weeks ago in Bangladesh. You can look it up here.
The truth is that most breaches are not revealed to the public. The reason is simple: banks are for the most part insured against this type of breach, and revealing any information about a hack would hurt the brand and the bank's trustworthiness. Mainly only thefts of over $100 million get reported.
But don't get me wrong: this type of heist is very complicated and sophisticated, and only a few hackers really have the capability even to think about it. It is much easier to play the lottery and hope for the best!
I hope this article made your day and pulled you out of your daily routine. That was actually its main purpose. Treat it as a theoretical case study meant to help IT people take better care of our safety and our money in daily life.
Here are some examples of recent bank hacks.
Don’t try this at home!
We take no responsibility or liability, so far as legally possible, for any damages or losses!
Have a great Day!