Cybercrooks are Laughing All the Way To the Bank

Financial services firms are favorite targets for cyber criminals. The firms are a treasure trove of tradeable data, ranging from credit card credentials and customer information to corporate data that can be abused or sold on the dark net. Compared to other industries, the financial sector still remains extremely vulnerable. Overall, the chance of a financial institution being breached is 300 times higher than that of other organizations. While US companies in general are attacked around 4 million times a year, American financial institutions are victimized a staggering 1 billion times per year. Recovering from an attack is costly, with the latest estimates putting the cost at $18 million USD per financial institution.

Let’s have a look at some of the breaches that took place in 2018 so far.



| Institution | Date | Attack | Fallout / Damage |
|---|---|---|---|
| Cosmos Bank, India | August 2018 | Hackers used malware to compromise the bank’s ATM server and steal customers’ credit card information, along with the SWIFT codes required for transactions. | During the first wave, $11.5 million USD was stolen in multiple countries. During the second wave on the same day, $2 million USD was stolen via debit card transactions across India. |
| Bank of Montreal, Canada | May 2018 | Hackers used a spear phishing attack to gain access and then exploited a vulnerable server. | Hackers stole the data of 50,000 bank customers and blackmailed the bank by threatening to make the data public unless $1 million USD in ransom was paid. |
| SunTrust Bank, USA | April 2018 | A SunTrust Bank employee (no longer with the bank) stole customer data. | 1.5 million records were stolen, including names, addresses, phone numbers and account balances. |
| Sheffield Credit Union, UK | February 2018 | It has been reported that the hackers accessed the computer systems using a so-called “brute-force” attack. | The personal data of about 15,000 members was stolen, including names, addresses, national insurance numbers and bank details. |
| City Union Bank, India | February 2018 | Hackers accessed a SWIFT system to transfer money to banks in 3 different countries, routing the transfers through Standard Chartered Bank. | Hackers made 3 illegal transfers totalling $1.8 million USD to banks in Dubai (via Standard Chartered Bank in New York), in Turkey (via Standard Chartered Bank in Frankfurt), and in China (via Standard Chartered Bank in New York). |


The breaches outlined above show that cyberattacks on financial institutions are multi-faceted. The simple stealing of credit card details via phishing attempts is still effective, but has become less profitable. The rules of supply and demand also apply in the dark net economy, and the price per stolen credit card has dropped dramatically from the early days of cybercrime. Furthermore, credit card owners and credit institutions have become more vigilant and have taken security measures.

That’s why virtual bank heists in the form of ATM jackpotting have become popular with hacker groups. Let’s have a closer look at the Cosmos attack, which occurred two months ago on August 11th.

The First Wave of the Cosmos Attack:

  • The attack started with a patient-zero compromise followed by lateral movement, which compromised both the bank’s internal and ATM infrastructure.
  • Using multiple targeted malware infections, the hackers were able to install a set of malicious ISO 8583 libraries and perform process code injections.
  • This in turn established a malicious ATM/POS switch running in parallel with the existing Central.
  • The hackers were now able to selectively break the connection between the Central and the backend/Core Banking System (CBS).
  • After adjusting the target account balances to enable withdrawals, MC was then used in fake off-us, on-us, foreign-to-EFT, standing-in, etc. activity.
  • The hackers authorized transactions for specific primary account numbers (PANs) to carry out ATM withdrawals of over $11.5 million USD in 2,849 domestic (RuPay) and 12,000 international (Visa) transactions, using 450 cloned (non-EMV) debit cards in 28 countries.
  • The hackers then used MC to send fake Transaction Reply (TRE)/ISO 8583 x210 messages in response to the Transaction Request (TRQ) messages coming from cardholders and terminals.
  • This ensured that the corresponding ISO 8583 messages (e.g. x200) were never forwarded to the backend/CBS from the compromised ATM/POS switching solution.
  • This also ensured that the malicious withdrawals avoided the fraud detection capabilities of the banking backend.

The Second Wave of the Cosmos Attack:

  • The hackers continued the attack by moving laterally.
  • Using compromised LSO/RSO credentials to authenticate in the Cosmos Bank SWIFT SAA environment, they sent three malicious MT103 messages to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around $2 million USD.
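Both waves share one weakness from the defender’s side: money moved on the strength of messages the bank’s own backend never saw or never authorized. In the first wave the fake x210 replies meant the switch approved withdrawals the CBS had no record of; in the second wave the MT103 instructions left the SWIFT environment without a matching authorized payment. The reconciliation check below is an added example, not code from the original post, from Cosmos Bank, or from Cymulate. It parses a constructed ATM switch log of ISO 8583 0200 requests and 0210 responses, compares each approved response against a constructed CBS log of the requests the core actually processed, and flags approvals with no backend record, approvals that contradict the backend’s decision, and approvals on magnetic-stripe (non-EMV) reads. The pipe-separated log format, the field layout and the entry-mode codes are assumptions made for this example; the same STAN-keyed pairing applies to reconciling outgoing SWIFT messages against authorized payment instructions.

```python
"""Reconcile ATM/POS switch authorizations against the core banking system (CBS).

Added example with constructed data. Log format and entry-mode codes are
assumptions for illustration; production switches and cores differ.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed switch log, one message per line:
#   MTI|STAN|PAN(masked)|amount_minor_units|pos_entry_mode|response_code
# MTI 0200 = financial transaction request (TRQ), 0210 = its reply (TRE).
# STAN (DE 11) pairs a request with its reply; response code (DE 39) "00" = approved.
# Entry mode (DE 22, assumed values): 05x = chip read, 90x = magnetic-stripe read.
SWITCH_LOG = """\
0200|000101|541200xxxxxx1234|20000|051|
0210|000101|541200xxxxxx1234|20000|051|00
0200|000102|601100xxxxxx9876|10000|901|
0210|000102|601100xxxxxx9876|10000|901|00
0200|000103|453200xxxxxx4321|30000|901|
0210|000103|453200xxxxxx4321|30000|901|00
0200|000104|541200xxxxxx5555|5000|051|
0210|000104|541200xxxxxx5555|5000|051|51
0200|000105|541200xxxxxx7777|15000|051|
0210|000105|541200xxxxxx7777|15000|051|00
"""

# Constructed CBS log: STAN|response_code for every request the core really processed.
# STANs 000102 and 000103 are absent: the core never received those requests.
CBS_LOG = """\
000101|00
000104|51
000105|51
"""


@dataclass
class SwitchMsg:
    mti: str         # message type indicator
    stan: str        # system trace audit number (DE 11)
    pan: str         # masked primary account number (DE 2)
    amount: int      # amount in minor currency units (DE 4)
    entry_mode: str  # POS entry mode (DE 22)
    resp_code: str   # response code (DE 39); empty on requests


@dataclass
class Findings:
    approved_without_backend: List[str] = field(default_factory=list)
    decision_mismatch: List[str] = field(default_factory=list)
    fallback_approvals: List[str] = field(default_factory=list)
    amount_without_backend: int = 0


def parse_switch_line(line: str) -> SwitchMsg:
    """Parse one pipe-separated switch log line into a SwitchMsg."""
    mti, stan, pan, amount, entry_mode, resp_code = line.strip().split("|")
    return SwitchMsg(mti, stan, pan, int(amount), entry_mode, resp_code)


def parse_cbs_log(text: str) -> Dict[str, str]:
    """Map STAN -> CBS response code for requests the core actually processed."""
    decisions: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            stan, rc = line.strip().split("|")
            decisions[stan] = rc
    return decisions


def reconcile(switch_text: str, cbs_text: str) -> Findings:
    """Flag switch approvals the backend never saw, contradicted, or that rode on magstripe reads."""
    cbs = parse_cbs_log(cbs_text)
    findings = Findings()
    for line in switch_text.splitlines():
        if not line.strip():
            continue
        msg = parse_switch_line(line)
        # Only approved 0210 replies dispense cash, so those are the ones to reconcile.
        if msg.mti != "0210" or msg.resp_code != "00":
            continue
        if msg.stan not in cbs:
            # The switch answered a request the core never received: the fake-TRE pattern.
            findings.approved_without_backend.append(msg.stan)
            findings.amount_without_backend += msg.amount
        elif cbs[msg.stan] != "00":
            # The core declined but the switch approved anyway.
            findings.decision_mismatch.append(msg.stan)
        if msg.entry_mode.startswith("9"):
            # Non-EMV read: the channel cloned cards rely on, worth counting separately.
            findings.fallback_approvals.append(msg.stan)
    return findings


if __name__ == "__main__":
    f = reconcile(SWITCH_LOG, CBS_LOG)
    print("approved with no CBS record:", f.approved_without_backend,
          "amount:", f.amount_without_backend)
    print("switch approved, CBS declined:", f.decision_mismatch)
    print("approved on magstripe read:", f.fallback_approvals)
```

In practice this comparison runs continuously against the switch’s and the core’s own journals rather than once over a file, and a non-empty `approved_without_backend` list is an alerting condition in its own right: a legitimate stand-in authorization should still reach the core for posting, so an approval with no backend trace means the two systems have been decoupled.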


On the bright side, financial institutions are making tremendous progress in protecting their assets. They are implementing systems that let them monitor cyberattacks, detect them where possible, stop them, and resume operations as rapidly and smoothly as possible. What complicates matters is that there are two groups of threat actors: the crime-for-profit ones and the state-sponsored ones. That’s why the private and the public sector must work closely together to prevent not only huge losses, but also a financial crisis. Ideally, such cooperation would be international and encompass private and public financial institutions, regulators and law enforcement.

Until then, financial institutions can already boost their cybersecurity by using Cymulate to test their cybersecurity posture themselves in an easy and convenient way. Cymulate’s Breach & Attack Simulation (BAS) platform allows an organization to run real cyberattacks in its own environment in a safe manner, without harming its network in any way. There is a choice of eight different scenarios to run, including Immediate Threat Alert Assessment to check the organization’s vulnerability to the latest threats, Lateral Movement Assessment to check whether an attacker could hop from system to system inside a Windows Domain Network, Phishing Assessment to check employees’ awareness of the socially engineered campaigns that hackers often use to install ransomware or mount APT attacks, and Data Exfiltration Assessment to test the controls on outbound critical data before any sensitive information is exposed. Organizations can choose to run one, several or all assessments. The simulations can be scheduled in advance (e.g., every week on Sunday morning at 6am) or run ad hoc (at any time, from anywhere).

Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.

Start a Free Trial

Don’t speculate, Cymulate