SWIFT, the messaging system used by 11,000 financial institutions around the world to send money to each other, has admitted to “other instances” of network abuse weeks after hackers stole $100 million from the Bangladesh Central Bank by exploiting the system.
Reuters first reported on Tuesday that SWIFT had warned its customers that it’s aware of “a number of recent cyber incidents” where attackers had sent fraudulent messages over its system in a bid to siphon off money.
SWIFT confirmed this over email to Business Insider, with a spokesperson saying: “We have informed our customers that there are other instances in which customers’ internal vulnerabilities have been exploited in order to stress the importance and urgency of customers’ securing their systems.”
SWIFT says people are obtaining valid logins for banks’ local SWIFT systems and then using them to try to send money to themselves fraudulently. The criminals also appear to be using malware to cover their tracks, SWIFT says, making it harder to spot the cyber bank robberies.
The network is asking all of its 11,000 members to now install a software update that will help them spot if malware is being used to cover up bad behaviour.
SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is a secure messaging network owned by over 3,000 financial institutions and is used by banks to move money around the world.
Last month cyber criminals targeting the Bangladesh Central Bank and New York Fed stole $101 million (£70.7 million) by exploiting the SWIFT system and could have got $1 billion (£702 million) had the ruse not been uncovered by a typo.
Subsequent investigations revealed that Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network.
Here’s the full statement from the SWIFT spokesperson:
We have informed our customers that there are other instances in which customers’ internal vulnerabilities have been exploited in order to stress the importance and urgency of customers’ securing their systems.
We cannot comment on the details of any particular customer or incident, but confirm that the commonality in what we have seen is that (internal or external) attackers have successfully compromised banks’ own environments and thereby obtained valid operator credentials with the authority to create, approve and submit messages from those entities’ interfaces.
There is a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems, but contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services. The malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.
We have made a mandatory software update available to customers to help them identify situations in which attackers have attempted to hide their traces, whether these actions have been executed manually or through malware, however, the overall security measures remain the best defence against fraudulent actions on their local infrastructure.
The SWIFT network and core messaging services are not affected and continue to operate as normal.