How Hackers Pulled Off a $20 Million Mexican Bank Heist

WIRED | 3/15/2019 | Lily Hay Newman

In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here's how they did it.

At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico. The hackers' affiliation remains publicly unknown. Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system, and security oversights in SPEI, Mexico's domestic money transfer platform run by central bank Banco de México, also known as Banxico.


Thanks to security holes in the targeted bank systems, attackers could have accessed internal servers from the public internet, or launched phishing attacks to compromise executives—or even regular employees—to gain a foothold. Many networks didn't have strong access controls, so hackers could get a lot of mileage out of compromised employee credentials. The networks also weren't well segmented, meaning intruders could use that initial access to penetrate deep into banks' connections to SPEI, and eventually SPEI's transaction servers, or even its underlying code base.

To make matters worse, transaction data within internal bank networks wasn't always adequately protected, meaning attackers who had burrowed in could potentially track and manipulate data. And while communication channels between individual users and their banks were encrypted, Loza also suggests that the SPEI app...
(Excerpt) Read more at: WIRED
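The excerpt's point about transaction data inside bank networks not being "adequately protected" is easiest to see with a concrete message. The following is an added illustration, not code from WIRED, from Loza's presentation or from Banxico: it uses a made-up JSON transfer record (the field names, the sample account numbers and the shared gateway key are all assumptions, and none of it is SPEI's real wire format) to contrast a pipeline that accepts whatever arrives with one that rejects a record whose beneficiary and amount an intruder has rewritten, using an HMAC-SHA256 tag over the canonical serialisation of the record.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample transfer record. Field names and account numbers are
# hypothetical; this is not SPEI's message format.
SAMPLE_TRANSFER = {
    "msg_id": "000123",
    "ordering_account": "012180001234567890",
    "beneficiary_account": "014180009876543210",
    "amount_mxn": "1500.00",
    "concept": "invoice 4471",
}

# Assumed shared key between a bank's core system and its SPEI gateway.
# A real deployment keeps this in an HSM, not on the application servers.
GATEWAY_KEY = b"example-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its fields."""
    body = {k: v for k, v in record.items() if k != "mac"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def verify_record(signed: dict, key: bytes) -> bool:
    """True only if the tag matches the record's current contents.

    compare_digest avoids leaking the tag through timing differences.
    """
    tag = signed.get("mac")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def redirect_transfer(record: dict, mule_account: str, amount_mxn: str) -> dict:
    """Simulates an intruder on the internal network rewriting a message in flight."""
    altered = deepcopy(record)
    altered["beneficiary_account"] = mule_account
    altered["amount_mxn"] = amount_mxn
    return altered


def unprotected_pipeline(record: dict, mule_account: str, amount_mxn: str) -> tuple:
    """No integrity check: the receiving side processes whatever arrives."""
    received = redirect_transfer(record, mule_account, amount_mxn)
    return received["beneficiary_account"], received["amount_mxn"]


def protected_pipeline(record: dict, key: bytes, mule_account: str, amount_mxn: str) -> bool:
    """With a MAC, the same tampering fails verification and the transfer is rejected."""
    signed = sign_record(record, key)
    received = redirect_transfer(signed, mule_account, amount_mxn)
    return verify_record(received, key)


if __name__ == "__main__":
    print("unprotected:", unprotected_pipeline(SAMPLE_TRANSFER, "MULE-ACCT", "400000.00"))
    print("protected accepted?", protected_pipeline(SAMPLE_TRANSFER, GATEWAY_KEY, "MULE-ACCT", "400000.00"))
```

The caveat a practitioner should draw from the article rather than from this example: a shared-key MAC only helps while the key stays out of reach, and the excerpt describes intruders who reached the banks' SPEI connections and transaction servers themselves. Against an attacker on the signing host, the integrity check must come from keys the host cannot export (hardware-backed signatures), plus the segmentation and access controls whose absence the article blames for the depth of the intrusion.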