Financial institutions are one of the major targets of Business Process Compromise (BPC) attacks, as seen in the 2016 Bangladesh Bank incident in which $81 million was stolen during a sophisticated attack by abusing the bank’s internal processes. In another recent incident, another BPC attack targeted banks across multiple post-Soviet states, with losses totaling roughly $40 million.
BPC attacks involve manipulation of a legitimate internal process. In these latest attacks, the attackers combined real-life fraud with cyberattacks to pull off the heist. The first part involved the abuse of the Overdraft Limit (OD), which refers to the amount that debit card users can access beyond what is actually contained in their account. In this scenario, attackers sent various individuals to sign up for bank accounts with debit cards. The debit cards were then forwarded to the perpetrators, who were located in various countries throughout Europe.
The attackers also used a phishing campaign to target bank employees, aiming to install malware (detected by Trend Micro as TROJ_MBRWIPE.B) on their systems. This malware gives attackers a backdoor into the bank's network and systems. Once inside, the attackers use the bank's VPN credentials to gain access to the network of third-party payment processing providers, after which they drop various malware, including a monitoring tool that gives them access to the infrastructure that controls card management. Additional software, the legitimate monitoring tool Mipko, was also installed to capture screenshots and keystrokes, among other data.
The sophisticated planning and implementation of the heist make it a perfect example of how a BPC attack works. These attacks are a growing problem for organizations, as information from 2013 to 2015 shows that organizations have lost at least $3.1 billion to BPC attacks—a number that is likely much higher today.
All organizations from large banks to SMBs are potentially vulnerable to BPC attacks. However, there are ways to prevent or minimize the impact of BPC attacks:
Organizations should regularly review their processes to identify any suspicious activity. Risk assessment should also cover both the organization and its partners; in this case, both the bank and its third-party payment processor were targeted.
File Integrity Monitoring and Application Control/System Lock Down should be considered for critical systems.
Employee security education should always be a priority, as employees are often the cybercriminals' main targets. This includes the ability to recognize common attack vectors such as spam and phishing.
Social engineering attacks can also be minimized by solutions such as Trend Micro InterScan Messaging Security Virtual Appliance with enhanced social engineering attack protection, which can defend against socially engineered emails that are common entry avenues for attackers. The Deep Discovery Analyzer found in the Trend Micro Network Defense family of solutions also helps detect advanced malware and other threats.