Russian anti-virus software firm Kaspersky Lab said Monday that hackers gained access to banks' computers through phishing schemes and other methods and then patiently spend months learning the banks' systems, taking screen shots and even videos of employees using their computers.
The hackers, thought to be Russian, Chinese and European, have been active since at least the end of 2013 and have infiltrated more than 100 banks in 30 countries, according to a report to be presented Monday at a security conference in Cancun, Mexico.
It is not known exactly how much the hackers have stolen, but it is likely to be anywhere between $300 million and $1 billion. The attacks may also still be ongoing.
Kaspersky's principal security researcher Vicente Diaz told the Associated Press news agency that the online bank robbers were able to program ATMs to dispense cash at specific times and set up fake accounts and transfer money into them.
The hackers also avoided alert systems by limiting their theft to about $10 million (8.7 million euros) before moving on to another bank.
"In this case they are not interested in information. They're only interested in the money," said Diaz. "They're flexible and quite aggressive and use any tool they find useful for doing whatever they want to do."
According to a New York Times report published Saturday, the theft was discovered when an ATM in Kyiv, Ukraine, began randomly spewing out cash without anyone putting in a card. Accomplices apparently posing as lucky customers were filmed simply picking up the cash without touching the machine.
By another method, the thieves effectively created money to steal. They altered customers' bank balances - say from $1,000 to $10,000 - and then transferred the $9,000 difference outside the bank. The customer would likely not even notice, and since many banks only check balances every few hours or so, it would take them a while to realize what had happened.
Hackers are thought to have infiltrated security systems by sending a phishing email containing malware called Carbanak to hundreds of bank workers. Any workers that responded to the email inadvertently downloaded the virus, allowing the thieves to record their keystrokes and take remote screenshots.
Kaspersky would not identify the banks targeted and is still working with law-enforcement agencies, but the thieves appear to have been active all around the world: most of the banks targeted were in Russia, the US, Germany, China and Ukraine, although the attackers may be expanding throughout Asia, the Middle East, and Africa as well.
One bank is said to have lost $7.3 million through ATM fraud. In another case, a financial institution lost $10 million by the attackers exploiting its online banking platform.
No banks have admitted they have had money stolen - a problem that US President Barack Obama is attempting to tackle by introducing legislation to force institutions to release information in the case of personal data breaches.
Obama has been forced to pay more attention to cyber-security in recent months, with the high-profile hack of Sony Pictures, by a group the US maintains were associated with North Korea.
Kaspersky is a cybersecurity firm with close to 3,000 specialists operating in almost 200 countries.
bk/cjc (AP, AFP, Reuters)