SWIFT says network not compromised by malware

CFO Innovation editors
18 May 2016
00:00

SWIFT has moved to reassure customers that its network, core messaging services and software have not been compromised by a newly identified malware found in a customer’s environment.

As with the earlier attack in Bangladesh, the newly discovered malware was again directed at banks’ secondary controls, but this one compromised a PDF Reader used by the customer to check its statement messages.

SWIFT noted that this new discovery proves that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.

SWIFT has confirmed that with the previous malware, malicious insiders or external attackers managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network.

The modus operandi of the attackers is similar in both cases. First, the attackers compromise the bank’s environment. Once inside, they obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers’ back-offices or from their local interfaces to the SWIFT network. The attackers then submit fraudulent messages by impersonating the operators from whom they stole the credentials. Finally, the attackers hide the evidence by removing some of the traces of the fraudulent messages.

In the case of the new malware, the main purpose is again to manipulate an affected customer’s local records of SWIFT messages. Once installed on an infected local machine, the Trojan PDF reader takes on an icon and file description that match the legitimate software. When opening PDF files containing local reports of customer-specific SWIFT confirmation messages, the Trojan manipulates the PDF reports to remove traces of the fraudulent instructions.

“There is no evidence that the malware creates or injects new messages or alters the content of legitimate outgoing messages. This malware only targets the PDF reader in affected institutions’ local environments and has no impact on SWIFT’s network, interface software or core messaging services. Customers that use PDF reader applications to check their confirmation messages should take particular care.”

In both instances, the attackers have exploited vulnerabilities in banks' funds transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.
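The secondary-control failure described above lends itself to a straightforward check. The following Python is an added example, not SWIFT's or the article's code: it reconciles an out-of-band record of outgoing instructions against what the local PDF report shows, and verifies the reader executable by hash rather than by its icon and file description. All sample records, field names and hashes are constructed.

```python
import hashlib

# Constructed sample (not from the article): an out-of-band record of outgoing
# instructions, kept on a host the attackers did not control.
INDEPENDENT_LOG = [
    {"ref": "TRN0001", "amount": "1500000.00", "ccy": "USD"},
    {"ref": "TRN0002", "amount": "250000.00", "ccy": "EUR"},
    {"ref": "TRN0003", "amount": "9800000.00", "ccy": "USD"},
]

# Constructed sample: the same day's confirmations as shown by the local PDF
# report. TRN0003 is absent, the signature of the trace removal described
# in the article.
RENDERED_REPORT = [
    {"ref": "TRN0001", "amount": "1500000.00", "ccy": "USD"},
    {"ref": "TRN0002", "amount": "250000.00", "ccy": "EUR"},
]


def reconcile(independent, rendered):
    """Compare the independent record against what the local report shows.

    Returns the references the report omits and those whose amount or
    currency differ. Either finding means the report cannot be relied on
    as a secondary control until it has been investigated.
    """
    shown = {row["ref"]: row for row in rendered}
    missing, altered = [], []
    for row in independent:
        seen = shown.get(row["ref"])
        if seen is None:
            missing.append(row["ref"])
        elif (seen["amount"], seen["ccy"]) != (row["amount"], row["ccy"]):
            altered.append(row["ref"])
    return {"missing": missing, "altered": altered}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reader_binary_trusted(binary: bytes, allowlist: set) -> bool:
    """A trojanised reader copies the icon and file description of the real
    one, so check the executable's hash against known-good hashes instead of
    trusting its appearance. The allowlist here is a constructed placeholder."""
    return sha256_hex(binary) in allowlist


if __name__ == "__main__":
    print(reconcile(INDEPENDENT_LOG, RENDERED_REPORT))
```

In a real deployment the independent record must come from a system that shares no credentials or hosts with the workstation running the reader, otherwise the same intrusion can tamper with both copies.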

As a preventive measure, SWIFT has reminded all customers “to urgently review controls in their payments environments, to all their messaging, payments and ebanking channels. We recommend that customers consider third party assurance reviews and, where necessary, ask your correspondent banks and service bureaus to work with you on enhanced arrangements.

“In the meantime we would like to reassure you that the SWIFT network, SWIFT messaging systems and software have not been compromised. The security and integrity of our messaging services are not in question as a result of the incidents. We will continue with our security awareness campaign, bilaterally with users and through industry forums and other appropriate channels. We will also continue working with our overseers, with law enforcement agencies, and third party experts.”

SWIFT stressed that users are responsible for the security of their own systems interfacing with the SWIFT network and their related environment.
