Bank Islami Debit Card Attack Analysis by Shaikh Jamal Uddin

https://linkedin.com/in/engrjamal/

Secure Coat is releasing this analysis on the basis of the attack on BIPL's infrastructure on 27 October 2018, which bears many resemblances to the attacks on other banks looted recently by Hidden Cobra, also known as the Lazarus Group.

Cyber attacks are hitting the banking industry around the world every day, because hackers follow the money, and the days when the main heist threat to a financial organization was physical intrusion are long gone. Attackers can now penetrate a bank or any other organization from anywhere in the world at any time. This is not the first time a Pakistani bank has been hit by a cyber attack; in fact, cyber fraud happens in the banking industry daily on a smaller scale. Customers' money is drained by individuals or small groups of fraudsters who clone credit/debit cards and use them at ATMs, POS terminals and e-commerce sites; upon complaint, the banks settle with the customers.

Who targeted Bank Islami?

Bank Islami was targeted by an unknown hacker group, but if we walk through the attackers' heist strategy it would not be unreasonable to think of APT38, the Lazarus Group, also known as "Hidden Cobra". This group has been involved in stealing millions of dollars from banks since 2009 and is suspected of being state-sponsored and linked to North Korea. This attribution is based on the similarity of the tactics, not on any direct evidence from the BIPL incident.

What makes Bank Islami Cyber Attack unique?

It is the first time in the banking industry of Pakistan that such a large amount of money has been transferred out of a bank to multiple countries. Bank Islami has accepted a loss of 2.6 million PKR at its end; it has also filed a case against VISA for disputed payments of 6.5 million dollars. This means that 6.5 million dollars are still up in the air and not settled between BIPL and VISA.

The bank claimed it lost 2.6 million PKR in the heist, which does not look like the true figure given the 6.5 million dollars in dispute.

Where did the attackers access or steal customer data from?

Customer data such as credit/debit card details with PINs, bank logins and full personal information is widely sold on the dark web. Bank Islami was not alone in being exposed to this threat; every bank that offers internet banking or credit/debit cards to its customers is.

There are many other ways to obtain a bank's customer data, such as hacking into the core banking database, social engineering customers by vishing or phishing, or injecting malware onto their systems by various means, but the most relevant and easiest source of such information remains the dark web.

What Payment Channels were used to withdraw money?

The payment channels used were ATM and Internet POS; more than 6.5 million dollars were withdrawn through them. The e-commerce channel would also have been an easy way to break the money trail and stay anonymous, by buying cryptocurrency, virtual credit cards or Amazon gift vouchers, but so far there is no evidence of it in the attack strategy. It may have stayed secure because of SBP directives that forbid cryptocurrency trading and because international e-commerce is closed by default and only opened on the customer's consent.


Did the hackers bypass ATM/POS authorization controls and breach the daily limits?

Bank Islami was alerted by customers who were receiving payment alert messages from the UK, USA, Russia and other countries, so BIPL disconnected the ATM controller to stop further payment authorizations.

The attack still continued, and the BIPL team had no idea how more payment transactions were being authorized when the authorization controller had already been shut down and disconnected. This was when a big chunk of the payments started getting authorized; perhaps by then the attackers had also realized that the bank was alerted.

The maximum daily transaction limit set by BIPL is 75,000 PKR on ATM and 300,000 PKR on POS (VISA Gold card), and roughly 5,000 transactions were executed across both channels during the heist. The unusual stream of transactions requested amounts above the normal limits, which was only possible because the transactions were not being authorized by the CBD (core banking database) at all. The attackers breached the customers' daily transaction limits through a man-in-the-middle attack: they planted their own authorization controller and sent pre-authorized transactions towards the 1-Link controller, which routed them onward to the VISA controller.
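The two anomalies in this paragraph (approvals reaching the switch that the core banking system never issued, and per-card daily totals above the 75,000 PKR ATM and 300,000 PKR POS limits) are exactly what a reconciliation job can surface. The following is an added example, not code from Secure Coat, BIPL or 1-Link: it compares switch-side approval records against the CBD authorization log. The record formats, field names, masked PANs, RRNs and all sample lines are constructed for illustration; only the limit values come from the article.

```python
from collections import defaultdict

# Per-card daily limits quoted in the article, in PKR.
DAILY_LIMITS = {"ATM": 75_000, "POS": 300_000}

# Constructed sample records (not real BIPL data). Approvals as seen at the
# payment switch, i.e. what 1-Link/VISA acted on:
#   timestamp|rrn|masked_pan|channel|amount_pkr|approval_code
SWITCH_APPROVALS = """\
2018-10-27T02:14:09|000000000101|123456******0001|ATM|40000|A1B2C3
2018-10-27T02:16:33|000000000102|123456******0001|ATM|40000|D4E5F6
2018-10-27T02:17:05|000000000103|123456******0002|POS|250000|112233
2018-10-27T02:19:40|000000000104|123456******0002|POS|90000|445566
2018-10-27T02:21:11|000000000105|123456******0003|POS|20000|778899
2018-10-27T02:23:57|000000000106|123456******0003|POS|15000|AABBCC
""".splitlines()

# Authorizations the core banking system (CBD) actually issued:
#   timestamp|rrn|amount_pkr|approval_code
CBD_AUTHORIZATIONS = """\
2018-10-27T02:14:09|000000000101|40000|A1B2C3
2018-10-27T02:17:05|000000000103|250000|112233
2018-10-27T02:21:11|000000000105|20000|778899
""".splitlines()


def parse_switch(lines):
    approvals = []
    for line in lines:
        ts, rrn, pan, channel, amount, code = line.split("|")
        approvals.append({"ts": ts, "rrn": rrn, "pan": pan, "channel": channel,
                          "amount": int(amount), "code": code})
    return approvals


def parse_cbd(lines):
    # Key on RRN, amount and approval code together: matching on RRN alone
    # would let a rogue controller reuse a genuine RRN with an inflated amount.
    keys = set()
    for line in lines:
        _ts, rrn, amount, code = line.split("|")
        keys.add((rrn, int(amount), code))
    return keys


def find_anomalies(approvals, cbd_keys, limits=DAILY_LIMITS):
    """Return (unauthorized, over_limit): RRNs the switch approved that the CBD
    never authorized, and RRNs that push a card's daily channel total past the
    limit. Totals accumulate in time order, so every transaction from the first
    breach onward on that card/channel/day is flagged."""
    unauthorized, over_limit = [], []
    running = defaultdict(int)  # (pan, channel, day) -> cumulative PKR
    for tx in sorted(approvals, key=lambda t: t["ts"]):
        if (tx["rrn"], tx["amount"], tx["code"]) not in cbd_keys:
            unauthorized.append(tx["rrn"])
        key = (tx["pan"], tx["channel"], tx["ts"][:10])
        running[key] += tx["amount"]
        if running[key] > limits[tx["channel"]]:
            over_limit.append(tx["rrn"])
    return unauthorized, over_limit


def run_example():
    return find_anomalies(parse_switch(SWITCH_APPROVALS),
                          parse_cbd(CBD_AUTHORIZATIONS))


if __name__ == "__main__":
    unauthorized, over_limit = run_example()
    print("approved at switch, never authorized by CBD:", unauthorized)
    print("daily limit exceeded:", over_limit)
```

In the sample, RRNs 102 and 104 are caught by both checks, while RRN 106 is small enough to stay under the limit and is caught only by the reconciliation. That is the point of running both: a rogue authorizer that keeps each transaction under the published limit evades the limit check entirely, but it can never produce a matching CBD authorization record, so the switch-versus-CBD comparison should run continuously and not only after customers start complaining.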

How could the attackers send pre-authorized transactions?

The threat actors infected the infrastructure systems with sophisticated malware of the kind used in advanced persistent threat (APT) campaigns and gained administrative control over the targeted banks' systems and networks. Credentials of core architectural systems were stolen, which made it possible to plant the attackers' own authorization controller between the CBD and the payment switches and route transactions through without any hurdle.
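An interposed authorization controller only works if the switch accepts any response that arrives on the expected link. The control that directly addresses this is for the switch to act only on responses carrying a MAC computed under a key it shares with the genuine authorization host. The following is an added illustration, not the protocol actually used by BIPL, 1-Link or VISA: the message fields, the field names, the shared key and the sample responses are all assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets

# Assumed key shared between the genuine authorization host and the payment
# switch. In production it would live in an HSM on both sides; a fixed test
# value is used here only so the example runs offline.
SHARED_KEY = bytes(range(32))

# Fields of the authorization response that the switch acts on. RRN, STAN and
# timestamp are covered so a captured approval cannot be replayed for a later
# transaction; amount and decision so they cannot be altered in transit.
MAC_FIELDS = ("rrn", "stan", "timestamp", "pan", "channel",
              "amount", "decision", "approval_code")


def canonical(resp):
    """Deterministic serialization of the protected fields (assumed layout)."""
    return "|".join(f"{k}={resp[k]}" for k in MAC_FIELDS).encode()


def sign_response(resp, key):
    """What the genuine authorization host attaches before replying to the switch."""
    signed = dict(resp)
    signed["mac"] = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return signed


def switch_accepts(resp, key):
    """Switch-side check: act on the response only if the MAC verifies."""
    mac = resp.get("mac")
    if not isinstance(mac, str):
        return False
    expected = hmac.new(key, canonical(resp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# Constructed sample: one genuine approval, then two things a rogue controller
# sitting between the CBD and the switch might try.
GENUINE = sign_response({
    "rrn": "000000000101", "stan": "000101", "timestamp": "2018-10-27T02:14:09",
    "pan": "123456******0001", "channel": "ATM", "amount": 40000,
    "decision": "APPROVED", "approval_code": "A1B2C3"}, SHARED_KEY)

# 1) Relay the genuine approval but inflate the amount.
TAMPERED = dict(GENUINE, amount=900000)

# 2) Fabricate an approval from scratch under a key the rogue controller invents.
FORGED = sign_response({
    "rrn": "000000000102", "stan": "000102", "timestamp": "2018-10-27T02:16:33",
    "pan": "123456******0001", "channel": "ATM", "amount": 900000,
    "decision": "APPROVED", "approval_code": "D4E5F6"}, secrets.token_bytes(32))


def run_example():
    """Returns (genuine accepted, tampered accepted, forged accepted)."""
    return (switch_accepts(GENUINE, SHARED_KEY),
            switch_accepts(TAMPERED, SHARED_KEY),
            switch_accepts(FORGED, SHARED_KEY))


if __name__ == "__main__":
    print("genuine, tampered, forged ->", run_example())
```

Two caveats follow from the paragraph above. First, the article says credentials of core systems were stolen; if the MAC key is an ordinary file or database secret on the authorization host, an attacker with administrative access simply takes it too, which is why the key must be confined to an HSM on both ends. Second, a MAC on responses only defeats a controller that fabricates approvals; it does nothing about approvals the compromised host itself is made to issue, so the switch-versus-CBD reconciliation still has to run alongside it.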

A thorough analysis will without doubt help in detecting and catching the perpetrators.

In the meantime, banks need to complete a detailed analysis of their own to detect and plug the security holes and enhance their security.


Reference:

http://www.securecoat.net/bank-islami-debit-card-attack-analysis-by-securecoat.html
