SWIFT warns of malware attack on another of its customers

Funds transfer network SWIFT has warned banks to be on the alert for attempts to replicate an attack that tried to net $1 billion from Bangladesh Bank

Financial transaction network SWIFT has renewed its warning to customers to be on their guard following the discovery of malware at another bank using its services.

The bank first asked customers to take steps to secure their systems in the wake of an attempt to steal US$951 million from Bangladesh Bank in February. Attackers there appear to have used custom malware installed on computers at the bank to send fraudulent messages over the SWIFT network seeking to transfer money from the bank's account with the U.S. Federal Reserve Bank of New York.

That attack appears not to have been an isolated incident, as SWIFT said Friday it has now learnt more about a second instance in which malware was used.

While SWIFT did not name the target, a report from security researchers at BAE Systems, also published Friday, pointed to a commercial bank in Vietnam as the latest victim.

The malware attacks were not directly on the transaction network or core messaging system, but instead were targeted at customer banks' secondary security controls, SWIFT said.

With its ability to transfer billions of dollars to accounts around the world in a few keystrokes, the SWIFT financial transaction network is increasingly being instrumentalized in cyber attacks on financial institutions.

While the number of cases of fraud at its customers is so far small, forensic experts believe the new discovery is part of a wider and highly adaptive campaign targeting banks, SWIFT said.

Posting on the BAE Systems threat research blog, researchers Sergei Shevchenko and Adrian Nish said what ties together the cases discovered so far is the use of an unusual file wipe function the malware uses to make deleted files unrecoverable. The function first fills the file with random characters to ensure nothing can be recovered from the sectors it occupies on disk, then changes its name to a random string before deleting it.

In both cases, SWIFT said in its latest warning, the attackers have exploited vulnerabilities in the systems banks use to initiate fund transfers, stealing banks' credentials and using them to send irrevocable fund transfer orders over the SWIFT network.

In addition, the attackers have tampered with secondary controls such as records of statements and confirmations that the banks use to recognize fraud. For example, SWIFT said, in the latest case the attackers targeted the bank's PDF reader, using malices software to modify it so as to hide traces of the fraudulent transactions in PDF reports of payment confirmations.

SWIFT asked its customers to review security controls across all their payment systems, from employee checks to cyber defenses. Banks using PDF reader applications to review confirmation messages should take particular care, it said. The asked banks to help track down the fraudsters by advising it if any incidents were discovered.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place