SWIFT beefs up security measures

Financial messaging services provider SWIFT has outlined a set of measures in response to a series of actual and attempted thefts carried out on banking customers.

They follow a pledge made last week by SWIFT’s chief executive officer (CEO) Gottfried Leibbrandt that security upgrades and better information sharing would be introduced for its inter-bank transfer system.

In addition to increased information-sharing between banks, tougher security requirements will be introduced for bank software that interfaces locally with SWIFT’s network, including greater use of two-factor authentication when banks shift funds.

There will also be new audit and certification frameworks and standards and a greater use of tools to detect fraudulent transactions over SWIFT.

The most notorious attack occurred in February, when Bangladesh’s central bank lost US$81m. In addition, Ecuadoran bank Banco del Austro SA lost $12m, and similar methods were employed against a bank in the Philippines and Vietnamese bank Tien Phong.

Security software and services company Symantec believes that the gang that carried out the heist of the central bank of Bangladesh was also behind the attacks on the Vietnamese and Philippines banks.

According to Symantec, the tools known to have been used in all of the attacks except for Banco del Austro share code similarities. It claims that an analysis of the code links it to a “threat group” known as Lazarus. The tools used in the attacks against Banco del Austro haven’t yet been identified.

“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee,” stated a blog post by Symantec’s Security Response team.

“At first, it was unclear what the motivation behind these attacks was; however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.”

Symantec added that security software and services companies are cooperating closely in an initiative called Operation Blockbuster in a bid to better protect themselves and their clients against Lazarus. As part of the initiative, vendors are circulating malware signatures and other useful intelligence related to these attackers.

“The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region,” stated Symantec.

“While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant.”

