Bank had no firewall license, intrusion or phishing protection – guess the rest

Crooks used RAT to hijack superusers at India's Mahesh Bank, stole millions

An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.

The unfortunate institution is called the Andra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.

It certainly thinks small about security – at least according to Hyderabad City Police, which last week detailed an attack on the Bank that started with over 200 phishing emails being sent across three days in November 2021. At least one of those mails succeeded in fooling staff, resulting in the installation of a Remote Access Trojan (RAT).

Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application.

Hyderabad Police's analysis of the attack found that Mahesh Bank had carelessly allowed its population of super-users to reach ten – some with identical passwords. The attackers compromised some of those accounts and gained access to databases containing customer information including account balances.

The attackers also created new bank accounts and moved customers' funds into those accounts. Over $1 million of such stolen funds were shifted to hundreds of other accounts at Mahesh Bank and other financial institutions.

To complete the heist, the attackers made withdrawals at 938 ATMs across India and made off with the cash.

Hyderabad City Police wrote they were able to spot the attack and freeze another ~$2 million of funds before they could be lifted.

The force's report of the incident is not kind to Mahesh Bank, noting that it had "no proper network infrastructure", took no precautions to isolate head office applications from its branches, lacked many basic security tools, did not train its staff for the eminently foreseeable eventuality of a phishing attack, and did not have a valid license for its firewall at the time of the attacks.

The latter is not uncommon because enterprise software is often priced to western standards, and users in less prosperous nations who find the cost prohibitive roll the dice on unsupported and/or out of date code.

"Investigation so far revealed the hackers, and the main kingpins are located outside India, most likely in UK and Nigeria," Hyderabad City Police has stated. "The amount withdrawn is transferred to Nigeria, most likely through Hawala or crypto currencies."

Hyderabad Police has detailed the attack in the video below – most of which is not in English, but does feature diagrams in that language. ®

Youtube Video

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022