A few months after hackers broke into Bangladesh's central bank and came close to getting away with $1 billion, researchers have uncovered evidence that a separate hacking group is targeting the same payment network.
The researchers, from security firm Symantec, said in a blog post published Tuesday that they recently found new tools that target users of SWIFT, a payment network banks use to transfer payments that are sometimes in the range of hundreds of millions of dollars. The malicious tools monitor SWIFT messages sent to infected computers for International Bank Account Numbers (IBANs) or other keywords relating to specific transactions. When the tools encounter a message that contains a targeted text string, they use a "suppressor" component to move it out of the local file system to prevent it from being seen or recovered by the intended recipient.
"One of the files found along with the suppressor was a small disk wiper, which overwrites the first 512 bytes of the hard drive," Symantec researchers wrote. "The area contains the Master Boot Record (MBR) which is required for the drive to be accessible without special tools. We believe this tool is used to cover the attackers' tracks when they abandon the system and/or to thwart investigators."
Finance messaging giant SWIFT plans new measures to help banks combat fraud, after a gang broke into Bangladesh's central bank in February and stole £57 million, and were only caught because one of them made a typo in a £15 million transfer.
The banking communications network, which allows financial institutions across the world to send each other secure messages about their transactions, is introducing "Daily Validation Reports," which it bills as a mechanism to help customers detect unusual patterns in their message flows, and give them more of a chance "to identify possible fraud attempts and improving the likelihood they can cancel any fraudulent transfers."
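The kind of check a "daily validation" report enables can be sketched in a few dozen lines. The block below is an added illustration, not code from Symantec, SWIFT or the article: it works over a constructed log of outbound payment messages and does two things a defender would want after reading the above. First, it reconciles the references the messaging gateway recorded as sent against what the operator-visible local store still holds, since a component that quietly removes messages from the local file system leaves exactly that gap. Second, it flags any day whose outbound value sits far above a baseline period, or that pays a beneficiary never seen in that period. The message format, the IBAN-like strings, the amounts and the three-standard-deviation threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Msg:
    ref: str                # message reference as logged by the gateway (constructed)
    day: date               # value date
    beneficiary_iban: str   # beneficiary account (constructed, not a real IBAN)
    amount: float           # amount in a single currency, for simplicity


def find_suppressed(gateway_log, local_store):
    """References the gateway recorded as sent but which are absent from the
    operator-visible local store. A suppressor that moves targeted messages out
    of the local file system leaves precisely this discrepancy."""
    local_refs = {m.ref for m in local_store}
    return sorted(m.ref for m in gateway_log if m.ref not in local_refs)


def daily_value(msgs):
    """Total outbound value per day."""
    totals = defaultdict(float)
    for m in msgs:
        totals[m.day] += m.amount
    return dict(totals)


def flag_days(msgs, baseline_days, z=3.0):
    """Flag days outside the baseline whose total value exceeds the baseline
    mean by more than z population standard deviations, or that pay a
    beneficiary never seen during the baseline. Returns {day: [reason, ...]}."""
    totals = daily_value(msgs)
    base_values = [totals[d] for d in sorted(baseline_days) if d in totals]
    if len(base_values) < 2:
        raise ValueError("need at least two baseline days with traffic")
    limit = mean(base_values) + z * pstdev(base_values)
    known = {m.beneficiary_iban for m in msgs if m.day in baseline_days}

    flags = defaultdict(list)
    for day, value in totals.items():
        if day in baseline_days:
            continue
        if value > limit:
            flags[day].append(("value", value, limit))
        for m in msgs:
            if m.day == day and m.beneficiary_iban not in known:
                flags[day].append(("new_beneficiary", m.ref, m.beneficiary_iban))
    return dict(flags)


def validation_report(gateway_log, local_store, baseline_days, z=3.0):
    """Build the report from the gateway-side log, i.e. from records the
    compromised workstation cannot edit, and reconcile the local copy against it."""
    return {
        "suppressed": find_suppressed(gateway_log, local_store),
        "flagged_days": flag_days(gateway_log, baseline_days, z),
    }


# Constructed sample data: five quiet baseline days, then one day carrying a
# very large payment to an account never paid before.
A, B, C = "XX00EXAMPLE0000000001", "XX00EXAMPLE0000000002", "XX00EXAMPLE0000000003"
NEW = "XX00EXAMPLE0000009999"
BASELINE_DAYS = {date(2016, 5, d) for d in (2, 3, 4, 5, 6)}
ANOMALOUS_DAY = date(2016, 5, 9)
GATEWAY_LOG = [
    Msg("M001", date(2016, 5, 2), A, 400_000.0), Msg("M002", date(2016, 5, 2), B, 600_000.0),
    Msg("M003", date(2016, 5, 3), A, 500_000.0), Msg("M004", date(2016, 5, 3), B, 550_000.0),
    Msg("M005", date(2016, 5, 4), A, 450_000.0), Msg("M006", date(2016, 5, 4), C, 650_000.0),
    Msg("M007", date(2016, 5, 5), B, 520_000.0), Msg("M008", date(2016, 5, 5), C, 480_000.0),
    Msg("M009", date(2016, 5, 6), A, 600_000.0), Msg("M010", date(2016, 5, 6), C, 550_000.0),
    Msg("M011", ANOMALOUS_DAY, A, 500_000.0),
    Msg("M012", ANOMALOUS_DAY, NEW, 20_000_000.0),   # the message a suppressor would hide
    Msg("M013", ANOMALOUS_DAY, B, 600_000.0),
]
# Local store as the operator sees it: M012 has been removed.
LOCAL_STORE = [m for m in GATEWAY_LOG if m.ref != "M012"]


def demo_report():
    return validation_report(GATEWAY_LOG, LOCAL_STORE, BASELINE_DAYS)


if __name__ == "__main__":
    report = demo_report()
    print("missing from local store:", report["suppressed"])
    for day, reasons in report["flagged_days"].items():
        for reason in reasons:
            print(day, reason)
```

The design point is where the data comes from: the report is computed from the gateway-side log and only then compared with the local copy. A report generated on the same host whose file system the suppressor edits would simply not contain the hidden message, which is why the article's "independent" view of message flows matters more than the statistics themselves.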
The heist could have cost almost £700 million but for the typo, which spelled the name of a Sri Lankan NGO called the "Shalika Foundation" as the "Shalika Fandation". That raised red flags at Deutsche Bank, which warned the Bangladeshis, allowing them to cancel most of the remaining transactions. Worse still, the Shalika Foundation appears not even to exist, Reuters reported.