Global cyber security experts visited Manila last week, amid a high-profile Senate probe into an $81-million theft of Bangladesh central bank’s money that reportedly ended up in a Philippine bank and three casinos, only to be withdrawn by unknown individuals later.
“It was the first time it happened, to the best of my knowledge,” David Holmes, senior manager for global security of F5 Networks Inc., says in an interview at Makati Shangri-La Hotel, referring to the attack on the Society for Worldwide Interbank Financial Telecommunication or Swift network, which handles messaging among international banks.
“To the extent of my knowledge, there has not been a Swift compromise before. That’s not necessarily my expertise, but from the people I talked to, they said it is the first one and it is very significant. Now people know that it could be done, and you could pull off a heist of $100 million, every hacker in the world who deals with banks may be focused on that right now,” says Holmes, who is based in Colorado.
Holmes, who was born in Quezon City but grew up in the US, says the risk was much higher last week than it was a year ago. “But the protection will be better a year from now because of this,” he says.
Holmes, who has 25 years of experience in security and product engineering, says many Philippine banks are already customers of F5 Networks, a US company that specializes in application delivery networking technology.
“We have a lot of banking customers here in the Philippines. It is a problem everywhere. When the amount is $100 million, I expect some finger pointing in the months to come,” he says, referring to the Bangladesh heist, allegedly perpetrated by a group that used Philippine banks and casinos as conduits.
Holmes says that as banking technology becomes more digital, the sector will be more exposed to threats, and there will be greater demand for cyber security experts. He says that, based on a study by research firm IDC, some 20 million jobs in cyber security will be unfilled globally by 2020.
Cybercrime is estimated to cost the global economy some $455 billion annually, according to F5 Networks. In 2014 alone, around 42.8 million security incidents were detected by businesses, up 48 percent from 2013.
Kaspersky Lab, an international software security group, says in a separate report that in the third quarter of 2015, the Philippines ranked as the 33rd most malware-infected country in the world. These attacks included mobile threats and money stolen from online bank accounts.
Meanwhile, Derek Manky, a global security strategist of Vancouver-based Fortinet Inc., says the state of cyber security now lags behind cybercrime in countries such as the Philippines. He says cybercrime is now valued anywhere between $500 billion and $1 trillion. Fortinet is a $1.2-billion cyber security organization, with 4,100 employees, with a goal to become the world’s leading cyber security solutions provider by 2020.
“Cybercrime has no borders. When we look at the global cybercrime trend, it is incredibly busy. We are seeing almost 500,000 hacking attempts in just one minute. In terms of malware, we are seeing 100,000 attempts to plant malicious software,” Manky says in an interview at a restaurant in Makati City.
Manky, who formulates security strategy, has more than a decade of experience in advanced threat research. His ultimate goal is to make a positive impact on the global war on cybercrime. He is on the board of the Cyber Threat Alliance, where he works to shape the future of actionable threat intelligence.
“When it comes to threat of cybercrime, there is no single silver bullet. Activities are happening at all levels. Cyber criminals are coming from all these verticals,” he says.
“These attacks are spreading from anything around home automation, healthcare, medical, smartphones, infrastructure. Everything that is being connected to the Internet, in things that are becoming a part of our daily lives, we are seeing attacks on these networks,” says Manky.
Money, he says, is the top motivation of cybercriminals. “What is driving all these numbers? Now, there are a lot of middlemen. There are affiliates that get paid to infect systems by criminal organizations,” he says.
He says malware, or malicious code implanted in computer systems, increased 10 times in just two years from May 2013 to July 2015. “Mobile malware is very active in the Philippines…We are seeing worms that are affecting things like smart television, like routers. These worms are sitting on the routers and changing DNS settings, so they can possibly filter and steal credentials for online banking,” he says.
“We are in a big problem for 2016 and beyond when we will see a massive outbreak of big infection, surpassing the largest botnets [zombie army] in PC. I am talking 40 million to 50 million devices more,” says Manky.
Manky, however, says going after the people behind cybercrimes such as the Bangladesh heist will take months, if not years. “I have heard three or four theories over the last day. They are jumping to conclusions. It took four years to investigate TJ Maxx, to get evidence. It takes time to understand these things,” he says, referring to the hacking of TJ Maxx credit cards.
Philippine banks are now under pressure to increase their protection, after a branch of Rizal Commercial Banking Corp. was reportedly used by hackers to transfer $81 million from an account of Bangladesh central bank at the New York Federal Reserve.
Hackers reportedly used malware similar to that used by the Carbanak gang to commit the illegal transfer to a Philippine bank. The Carbanak gang reportedly stole $1 billion from financial institutions from 2013 to 2015.
In the Bangladesh heist, the money transferred to RCBC was converted into Philippine pesos by remittance company Philrem Service Corp., through RCBC Treasury Remittance. It was then transferred to three casinos before it was delivered to unknown individuals.
“These sorts of things have been happening for a long time now. Transferring money to an offshore account is one thing. But [banks] need to secure from the inside out. Traditionally, security has been focused on the outside, keeping hackers out of the systems. What about the insider threat? If you have proper protection, you can quarantine threats…so that the attacker cannot even communicate,” Manky says.
Manky says the alleged theft of nearly $100 million from Bangladesh’s central bank to banks in the Philippines would not have happened without a middleman or an inside person.
“I would not be quick to conclude that these are hackers. It could be an inside job,” he says. “People were quick to attribute that to Russia or China. We don’t know. The case of malicious code planted in cyber network, that could be used to transfer money out. That is case No. 1. The other case is insider job.”
Jeff Castillo, country manager of Fortinet Philippines, says technology alone is not enough to execute a multi-million-dollar theft. “It always involved a person…a middleman,” he says.
Fortinet, in its latest cyber threat assessment program, says no country is immune to security risks and attacks, and computer networks around the world are now at risk, with sophisticated markets being no exception.
The company says that in the first quarter of 2015, malware attacks in the Philippines mostly leveraged malware based on JS (JavaScript) and PHP (Hypertext Preprocessor).
“The key contributors to this growth are the WM and Android malware, both of which have since exploded by as much as 4 digit percentage points. The current top malware is WM/TrojanDownloader.9BB7!tr and serves as a downloader for malicious executables using enabled Word macros,” Fortinet says.
The study says Triada is currently the top mobile malware in the Philippines. Triada is a sophisticated and modular Android malware that seeks to redirect the money used in in-app purchases to the threat actors.
Kaspersky Lab says Triada, a new Trojan targeting Android devices, is stealthy, modular, persistent and written by very professional cybercriminals.
The stealth capabilities of this malware are very advanced. After getting into the user’s device, Triada implants itself in nearly every working process and continues to exist in the short-term memory. This makes it almost impossible to detect and delete using antimalware solutions, according to Kaspersky Lab.
The Philippines is among the countries attacked by the Triada malware. The percentage of users attacked in the country is not as high as in Russia, India and China. However, Kaspersky Lab says the makers of Triada are still actively lurking and waiting for more prey.
“Kaspersky Lab has recorded a few incidents of Triada infection in the country last year. This clearly shows Filipino Android users are not safe. With nine out of 10 Filipino mobile users using Android-powered devices, the Philippines is definitely at risk of more Android malware infections,” says Anthony Chua, territory channel manager for the Philippines and Singapore at Kaspersky Lab Southeast Asia.
“The Triada malware is a stealthy and continuously evolving malware with the sole target of infecting more and more Android devices. Because it is modular, it can expand and upgrade and we cannot tell exactly who their next targets would be,” Chua says.
Kaspersky Lab says Triada is yet another sign that malware developers are taking Android seriously, and the latest samples are almost as complex and hard to withstand as their Windows-based kin. The only good way to fight all these threats is to be proactive, and so a good security solution is a must, it says.
John Maddison, senior vice president of products and solutions at Fortinet, says in a statement that businesses, being constantly under cyber attack, should be more prepared.
“With the attack surface dramatically increased and a mature attackers ecosystem, companies have to be ever more vigilant across all their IT assets,” says Maddison.