Leading paid email service provider used for Corporate – System Hacked – Loss of Funds
A cooperative bank (referred to here as XYZ*), located in a town in an Indian state, one day suddenly lost funds from its Sponsorship-Bank RTGS Daily-Transaction Current Account. The incident came to light when the bank employee who initiates the emails to the Sponsorship Bank requesting RTGS pay-outs found RTGS payments that could not be traced to any customer's RTGS payment request.
The cooperative bank maintains a fixed balance in the Sponsorship-Bank RTGS Daily-Transaction Current Account as per RBI rules, and the majority of the local merchants' accounts were held at this bank. An employee of the bank's RTGS department would email the Sponsorship Bank's RTGS authority requesting a pay-out on behalf of a customer to a specified bank account from the sponsored Current Account, and the bank would replenish that account the next day by deducting the amount from the customers. The Sponsorship Bank's RTGS authority neither sought confirmation before proceeding nor acknowledged the funds-transfer request. In addition, the bank had no browser security controls in place, which made it easy for the hacker to penetrate the bank's systems and indirectly control them.
The hacker took advantage of this: he accessed the RTGS department's compromised registered email account (on a leading paid email service provider) and, during usual bank working hours, sent a funds-transfer request to the Sponsorship Bank authority from that account. The Sponsorship Bank authority did not verify the authenticity of the mail and completed the transaction. Realising the urgency of the situation, the bank employee escalated the incident to the management team, who contacted Shashwat Solutions for consultation.
The bank wanted to keep its costs as low as possible. It used a leading paid email service provider to send RTGS pay-out requests to the Sponsorship Bank's RTGS transfer department and, to save expenses, did not conduct any information security induction for its employees. Additionally, the RTGS department employees had no website restrictions when accessing the internet.
This incident demonstrates the severe consequences of unrestricted internet access for a bank's high-risk employees, a weak network infrastructure, and a lack of investment in information systems security and security compliance. The hacker exploited the employee's weakness with the help of a malicious browser extension and transferred a large sum of funds without being noticed. Moreover, the investigation found that the bank had not defined proper information security management policies before consulting Shashwat Solutions, policies that are essential for maintaining the security of a bank's information systems.
At the request of XYZ cooperative bank, Shashwat Solutions undertook the investigation.
First, Shashwat Solutions identified that the bank's employees used a personal account on a leading paid email service provider for email communication, and that this account was the one registered with the Sponsorship Bank for the RTGS Current Account from which funds were transferred to the bank accounts specified by customers. It was also noted that the bank handled 40 to 50 RTGS transfer requests from customers daily, and that it received neither an approval confirmation from the Sponsorship Bank before a transfer nor a confirmation once the transaction was completed.
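The control missing in this process is a same-day check that every pay-out instruction leaving the RTGS desk corresponds to a customer request recorded in the bank's own system, performed before the sponsor bank acts on the email. The following is an added example of that reconciliation, not code from Shashwat Solutions or the bank; the record layouts, field names, account numbers, IFSC-like codes and message IDs are all constructed for the illustration.

```python
"""Reconcile the RTGS pay-out instructions emailed to the sponsor bank
against the pay-outs customers actually requested in the core banking
system, so that an instruction nobody asked for is caught the same day.

Added example, not code from Shashwat Solutions or the bank. The record
layouts, field names and all sample values are constructed; IFSC-like
codes and account numbers are placeholders.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class CustomerRequest:
    """Pay-out a customer asked for, as recorded by the bank's own system."""
    request_id: str
    beneficiary_account: str
    beneficiary_ifsc: str
    amount: Decimal


@dataclass(frozen=True)
class PayoutEmail:
    """Instruction emailed from the RTGS desk mailbox to the sponsor bank."""
    message_id: str
    beneficiary_account: str
    beneficiary_ifsc: str
    amount: Decimal


def _key(rec):
    # Beneficiary account, IFSC and amount identify a pay-out; a match on
    # all three is what the sponsor bank's confirmation step should require.
    return (rec.beneficiary_account, rec.beneficiary_ifsc, rec.amount)


def reconcile(customer_requests, payout_emails):
    """Return (matched, unmatched).

    matched:   list of (message_id, request_id) pairs; each customer
               request is consumed at most once.
    unmatched: message_ids of emailed instructions with no customer
               request behind them, including a second email that
               re-uses an already-matched request (a replay).
    """
    pending = {}
    for req in customer_requests:
        pending.setdefault(_key(req), []).append(req.request_id)

    matched, unmatched = [], []
    for mail in payout_emails:
        ids = pending.get(_key(mail))
        if ids:
            matched.append((mail.message_id, ids.pop(0)))
        else:
            unmatched.append(mail.message_id)
    return matched, unmatched


# Constructed sample day: two genuine requests, four emailed instructions.
SAMPLE_REQUESTS = [
    CustomerRequest("REQ-0001", "000111222333", "TEST0000001", Decimal("250000.00")),
    CustomerRequest("REQ-0002", "000444555666", "TEST0000002", Decimal("1200000.00")),
]
SAMPLE_EMAILS = [
    PayoutEmail("<m1@example.invalid>", "000111222333", "TEST0000001", Decimal("250000.00")),
    PayoutEmail("<m2@example.invalid>", "000444555666", "TEST0000002", Decimal("1200000.00")),
    # No customer asked for this one: the kind of instruction that drained the account.
    PayoutEmail("<m3@example.invalid>", "000777888999", "TEST0000003", Decimal("3500000.00")),
    # Same details as REQ-0001 a second time: a duplicate/replay, also unmatched.
    PayoutEmail("<m4@example.invalid>", "000111222333", "TEST0000001", Decimal("250000.00")),
]


def unmatched_today():
    """Instructions the RTGS desk should hold and the sponsor bank should refuse."""
    return reconcile(SAMPLE_REQUESTS, SAMPLE_EMAILS)[1]


if __name__ == "__main__":
    for mid in unmatched_today():
        print("HOLD: no customer request for", mid)
```

Run against the constructed day, the third and fourth emails come back unmatched: one has no customer request at all, the other repeats details already consumed by the first email. Either result is what the sponsor bank's pre-transfer confirmation should have surfaced; in practice the customer requests would be read from the core banking system and the emails from the RTGS desk's sent folder rather than embedded as literals.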
Second, the bank used Linux operating systems with no antivirus installed, had no firewall, gave all employees unrestricted internet access, and had no filtering protection in the browser. Forensics on the RTGS employee's system on which the fraud occurred showed that he had browsed multiple adult-content websites, through which the hacker used a cross-site scripting (XSS) attack to prompt the user to install a malicious browser extension posing as a notification extension for the leading paid email service provider. Because the extension looked like a legitimate email notification extension, it let the hacker bypass the email authentication and get into the employee's RTGS request email account.
Third, the investigation found that the hacker launched a sophisticated attack on the bank. After gaining access, the attacker waited a few days and then, on an ordinary working day during usual bank working hours, used the RTGS employee's email account to send an email to the Sponsorship Bank's RTGS team requesting a transfer of funds into an account. The account that received the money was itself compromised: the hacker had already withdrawn the stolen funds before the incident came to the victim bank's knowledge.
Finally, the bank's information systems security policies were found to be vague, and numerous unneeded logical ports were open in the bank's network, which made it easy for the hacker to enter the internal network and mount an opportunistic attack.
Thus, the investigation found that the bank did not have sufficient information systems security in place to prevent this incident. The incident also highlights how a hacker can penetrate a bank's internal network through a malicious browser extension, wait for the right moment, and illegally manipulate the bank's communications.
After investigating the root cause, we recommended that the bank's management commit to acquiring resources such as a firewall and a server so that Shashwat Solutions could build a secure working environment for them. We also consulted on writing information security policies in line with ISO 27001 guidelines and RBI regulations, together with documenting action plans to address risk and security improvement, including corrective actions.
As part of the corrective action, we recommended that management provide employees with email accounts on a private domain and make it mandatory to change the email address registered with the Sponsorship-Bank RTGS Daily-Transaction Current Account to the new address. We then reconfigured the bank's network infrastructure: we implemented a clean desktop policy, configured the RTGS and NEFT servers to use an FTP server, added a separate firewall for the ATM, RTGS and NEFT servers, and placed a DMZ between the internet and the bank's internal network.
After that, we removed all browser extensions and disabled extension installation, blocked unneeded ports in the bank's network, and blocked all employees' USB drive access as well as internet access to websites. We also configured log monitoring and blacklisting of unknown IP addresses on all their firewalls. To prevent unauthorised access, we configured a username and password for each employee under the FTP server storage policy, with a forced password-change interval. We also configured a secure offline backup server to back up the organisation's data weekly. In addition, we recommended that the organisation's director receive system/network security and firewall configuration awareness training from our consultancy.
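The log-monitoring and blacklisting step above is the kind of review a small bank can script rather than buy. The following is an added example, not the tooling deployed at the bank or Shashwat Solutions' own code: it parses constructed netfilter-style firewall log lines, counts repeated drops per external source outside a partner allowlist, and lists accepted inbound connections to ports that are not meant to be exposed (the "unwanted open port" finding). The rule prefixes (FW-DROP / FW-ACCEPT), addresses, ports and the partner network are all constructed placeholders.

```python
"""Review netfilter-style firewall logs: flag external sources that keep
hitting closed ports (candidates for blacklisting) and accepted inbound
connections to ports that are not supposed to be reachable (a rule gap).

Added example, not the bank's or Shashwat Solutions' tooling. The lines
follow the shape of the netfilter LOG target with constructed rule
prefixes (FW-DROP / FW-ACCEPT); addresses, ports and the partner
allowlist are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

# Fields of the netfilter LOG target this review needs; SPT/DPT are
# absent for protocols without ports (e.g. ICMP), hence optional.
LOG_RE = re.compile(
    r"(?P<action>FW-DROP|FW-ACCEPT): .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r" .*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: one scanner, one partner, one stray ICMP probe,
# one accepted connection to a port that should not be open, one non-firewall line.
SAMPLE_LOG = [
    "Jun 10 09:14:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jun 10 09:14:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=23 SYN",
    "Jun 10 09:14:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51236 DPT=3389 SYN",
    "Jun 10 09:14:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Jun 10 09:14:06 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0",
    "Jun 10 09:14:08 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=52000 DPT=443 SYN",
    "Jun 10 09:14:09 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=52001 DPT=21 SYN",
    "Jun 10 09:14:10 gw sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 50111 ssh2",
]

# Networks that may legitimately reach the perimeter (constructed placeholder).
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# The only service meant to be reachable from the internet in this example.
PERMITTED_INBOUND_PORTS = {443}


def parse_line(line):
    """Return a dict with action/src/dst/proto/spt/dpt, or None for non-firewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def is_allowlisted(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def blacklist_candidates(lines, allowlist=PARTNER_NETS, threshold=3):
    """Sources outside the allowlist that were dropped at least `threshold` times."""
    drops = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "FW-DROP" and not is_allowlisted(rec["src"], allowlist):
            drops[rec["src"]] += 1
    return sorted(src for src, n in drops.items() if n >= threshold)


def unexpected_accepts(lines, permitted=PERMITTED_INBOUND_PORTS):
    """(src, dport) pairs accepted on ports that should not be exposed."""
    found = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "FW-ACCEPT" and rec["dpt"] not in permitted:
            found.add((rec["src"], rec["dpt"]))
    return sorted(found)


if __name__ == "__main__":
    print("blacklist candidates:", blacklist_candidates(SAMPLE_LOG))
    print("unexpected accepts:", unexpected_accepts(SAMPLE_LOG))
```

On the constructed lines the scanner at 203.0.113.45 crosses the threshold and is listed for blacklisting, the partner address is excluded even though it was dropped, and the accepted connection to port 21 is reported as a port the firewall should not have allowed. The threshold, allowlist and permitted port set are the parameters a bank would tune to its own firewall policy.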
The above corrective actions will help the bank become compliant with ISO 27001 and RBI guidelines. They will also help the organisation prevent such incidents from recurring and maintain a secure banking operating environment.