Hackers' $1 billion bank theft may affect consumers

WASHINGTON -- The hacker gang that looted as much as $1 billion worldwide from banks was unusual: It stole directly from the banks, instead of ripping off their customers.

But this was hardly a bit of Robin Hood banditry that spared innocent account holders. Security experts say consumers still need to keep a close eye on their checking and savings, as epic computer breaches such as this theft -- documented in a report issued Monday -- are becoming all too common.

"Customers are still at risk," said Sergey Golovanov, a researcher at the Russian cybersecurity firm Kaspersky Lab that released the report. "Criminals had access to all banking infrastructure, so they were able to get any data about customers."

Doug Johnson, senior vice president at the American Bankers Association, said there's no evidence any U.S. bank has been a victim of this particular breach. Still, the report found some of the proceeds were deposited with banks in China and the United States.

The hacks detailed in the report, which was presented at a security conference in Cancun, Mexico, are the latest twist on data breaches that have struck not just banks but the health insurer Anthem and major retailers such as Target and Home Depot.

It appears as though the hacker gang accessed computers by having bank employees click on email attachments. They relied on a technique known as "spear phishing," in which they sent emails from a fake account that looked familiar to the bank workers. Those emails infected the computer with a form of malware called Carbanak and gave the gang entry into the internal network, allowing them to mimic the actions of workers responsible for the cash transfer systems.

In a plan that smacked of a Hollywood thriller, the hackers then lurked unseen in the systems of more than 100 banks in 30 countries, according to the Kaspersky Lab report. Working in stealth for months, the group would learn how each bank operated and used that knowledge to steal up to about $10 million in each raid, a sum just small enough to go nearly undetected in the daily shuffle of money.