A few weeks back SWIFT released a report – ‘Three years on from Bangladesh: tackling the adversaries‘ – detailing SWIFT cyber threats that have emerged in the last few years since the Bangladesh Bank hack. That bank heist was described by the SWIFT CEO Gottfried Leibbrandt “as a watershed moment for the banking industry..”, since the incident SWIFT have launched many initiatives such as the Customer Security Program and worked to engage and collaborate with stakeholders across the financial services landscape.
The SWIFT report is a must-read for SWIFT customers to better understand the evolution and current payments/SWIFT cyber threat space. Following is a quick summary of the highlighted SWIFT cyber threats:
1.) Targets
SWIFT found across many of the reported incidents:
- Hackers were in the preliminary stages of the attack, having compromised the users workstation, but not yet accessed the banks payment systems
- Target banks are in countries listed on the Basel AML Country Corruption list with a very high risk rating
- Most recently attacks have honed in on financial institutions in Africa, Central Asia, East and South East Asia and Latin America
- Most of the target banks were smaller with reference to daily cross border payments
- Fraudulent payments are mainly entered using the interface GUI, and not originating from the back-office payment systems
2.) Amounts
It goes without saying the bigger the fraudulent payment, the bigger the reward. But the larger value transactions are also more easily detectable so the threat has evolved:
- Up to early 2018 fraudulent per transaction amounts were ten or tens of millons of USD
- More recently, to avoid detection, the average fraudulent transaction amount has reduced to 0.25 million USD to 2 million USD
- Where existing payment corridors were being used, fraudulent transaction amounts were much larger than the average amount over the last 24 months
- Fraudulent payments were managed by 1 or 2 receiver banks and heading to the same beneficiary country
- Each incident saw an average of 10 fraudulent payments issued within 2 hour window
3.) Reconnaissance
Attackers are prepared to wait and silently watch for weeks and even months before launching an attack. The time is used to learn patterns of behaviour before launching the cyber attack. Ensuring institutions have a cybersecurity incident response plan is critical to help organisations pre-plan their responses.
4.) Timings
The following timing patterns were highlighted by the SWIFT report:
- To avoid detection, attacks are launched outside of business hours or during public holidays
- Fraudulent payments are sent during business hours to simply mingle in and merge with legitimate SWIFT traffic, making it much more difficult to detect by receiving institutions
- This has been happening more frequently in recent inidents
The longer it takes for organisation to detect a fraudulent payment the better it is for the attacker, since it gives them more time to reach the intended Beneficiary bank and being cashed out
5.) Message Types
- Mostly MT103 (Single Customer Credit Transfer) SWIFT message type was used by attackers
- Messages were typically processed by at least 3 different institutions in 3 different countries:
- The Target bank (indicated in “Sender BIC” or “Sender”)
- The Receiving bank or Nostro Account owner of the Target bank (“Receiver BIC” or “Receiver”)
- The Beneficiary bank (“Beneficiary” or “Account With institution”)
6.) Currencies
Majority of cross border fraudulent payments were made in:
- USD – 70%
- EUR – 21%
- Other – 9%
7.) Beneficiaries
In order for the fraudulent payments to be successfully “cashed out” the beneficiary or “mule” accounts are key. SWIFT found the locations of these mule accounts to be pretty startling:
- Asia Pacific – 83%
- Europe – 10%
- North America – 4%
- Middle-East – 3%