SWIFT lifts lid on the evolution of international cyber heists

International payments network SWIFT has suggested bilateral data sharing among antivirus vendors and customer banks is crucial to tackling hackers and cyber criminals.

Intelligence sharing among the network community is “critical” according to Pat Antonnucci, head of customer experience for Americas at SWIFT.

Antonnucci was discussing findings from the organization’s report, released last week and based on data from the past 15 months, which stated: “Over the last three years, customers’ anti-fraud systems and other anomaly detection systems have helped thwart the attackers in many instances. Fine-tuning these systems is imperative to their success”.

“We’re sharing more and more through the SWIFT Information Sharing and Analysis Centre (ISAC) portal through bilateral engagement with the communities as well as sharing that data with antivirus vendors and incident response teams,” says Antonnucci. “They’re already putting some of those new detectable variables into the antivirus tools themselves.

“We have over 94% of the community that are testing and realising value in the customer security program, a real uptick, and really raising the bar on their level of compliance and adherence to cyber hygiene,” he says.

While the report does not reveal statistics for thwarted attacks or the volume of fraudulent transactions, Antonnucci believes that attackers are slowly changing their modus operandi, which historically saw them strike in quiet hours or just before holidays, with very high transaction values of over $10m.

In February 2016, $81m was stolen from the Bangladesh Bank by hackers who struck during US and Bangladeshi holidays. But Antonnucci believes hackers are now looking to blend with business as normal rather than slink in the shadows.

“We’ve seen a shift and now attackers are inserting transactions in the middle of the day to look like normal business and the average transaction is between $250,000 and $2m, under the check threshold.

“Through the Daily Validation Report, a snapshot of the prior day, we’ve been able to easily identify anomalies in historic data traffic patterns and that they were outside the norm for either beneficiary, corridors or money amount values or number of transactions,” says Antonnucci.
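The prior-day baseline check described above, written out as an added example that is not code from SWIFT or its report: it profiles each corridor from a sending bank's own history and flags the next day's payments that fall outside that profile by beneficiary, corridor, amount relative to the corridor's history (rather than a fixed threshold, which the quoted amounts deliberately sit under) and per-corridor count. All BICs, corridors and amounts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history (not SWIFT data): one sending bank's outbound
# payments on prior days, as (day, beneficiary_bic, corridor, amount_usd).
HISTORY = [
    ("d1", "BANKUS33", "US", 410_000), ("d1", "BANKUS33", "US", 385_000),
    ("d1", "BANKDEFF", "DE", 120_000),
    ("d2", "BANKUS33", "US", 402_000), ("d2", "BANKDEFF", "DE", 131_000),
    ("d2", "BANKDEFF", "DE", 118_000),
    ("d3", "BANKUS33", "US", 395_000), ("d3", "BANKDEFF", "DE", 125_000),
]

# Constructed "prior day" snapshot to validate against the baseline.
TODAY = [
    ("d4", "BANKUS33", "US", 405_000),    # routine
    ("d4", "BANKDEFF", "DE", 122_000),    # routine
    ("d4", "NEWBPHMM", "PH", 900_000),    # corridor never used before
    ("d4", "BANKXXLK", "US", 1_500_000),  # unknown beneficiary, mid-range amount
    ("d4", "BANKUS33", "US", 398_000),    # pushes US daily count above history
]

def build_baseline(history):
    """Per-corridor profile: known beneficiaries, amount mean/stdev, max daily count."""
    amounts, benes = defaultdict(list), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, bene, corridor, amt in history:
        amounts[corridor].append(amt)
        benes[corridor].add(bene)
        daily[corridor][day] += 1
    return {c: {"benes": benes[c], "mean": mean(a), "sd": pstdev(a),
                "max_daily": max(daily[c].values())} for c, a in amounts.items()}

def validate_day(baseline, todays_txns, k=3.0):
    """Return (index, reason) for each payment that is outside its corridor's profile."""
    flags, count = [], defaultdict(int)
    for i, (_, bene, corridor, amt) in enumerate(todays_txns):
        count[corridor] += 1
        prof = baseline.get(corridor)
        if prof is None:
            flags.append((i, "new corridor"))
            continue
        if bene not in prof["benes"]:
            flags.append((i, "new beneficiary"))
        # Tolerance floors at 10% of the mean so a low-variance history still allows drift.
        if abs(amt - prof["mean"]) > max(k * prof["sd"], 0.10 * prof["mean"]):
            flags.append((i, "amount outside baseline"))
        if count[corridor] > prof["max_daily"]:
            flags.append((i, "daily count above baseline"))
    return flags
```

Because the checks are relative to each corridor's own history, a $1.5m payment to an unseen beneficiary is flagged even though it would pass a fixed $10m-style threshold.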

According to Antonnucci, the data demonstrates that attackers are compromising the local environment – through phishing, force attacks or USB tokens – and then lying low within the system for up to 200 days in the most sophisticated of attacks.

“A lot of our forensics and analytics are now identifying and stopping them in the preparation phase, before they actually steal credentials or execute a transaction, based on the shared information from other incident response teams,” says Antonnucci.
