NEW YORK (CNNMoney) — Hackers have stolen approximately $1 billion in what could be one of the largest bank heists ever, according to a new report from the Internet security firm Kaspersky Lab.
Kaspersky said Sunday it has uncovered how hackers surreptitiously installed spying software on bank computers, eventually learned how to mimic bank employee workflows and used the knowledge to make transfers into bank accounts they had created for this theft.
More than 100 banks were hit, Kaspersky said, and based on the hackers’ practice of stealing between $2.5 million and $10 million from each bank, it estimated “total financial losses could be as a high as $1 billion, making this by far the most successful criminal cyber campaign we have ever seen.”
Kaspersky did not name the banks but said they are institutions located in 25 countries, including the United States.
It also said the “attacks remain active,” and provided tips for bank officials to determine if their computers are vulnerable.
The thieves were Russian, Ukrainian, Chinese and European, Kaspersky said.
The individual thefts involved no more than $10 million apiece.
Kaspersky called the malware “Carbanak” and said it provided the hackers the ability to watch bank employees conduct their business.
“This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems,” Kaspersky said. “In this way the fraudsters got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out.”
After penetrating a bank’s computer systems, the hackers lurked for “two to four months” before striking in one of several ways, like changing an account balance, then transferring the excess funds into their own accounts. They also spewed cash out of ATMs when “one of the gang’s henchmen was waiting beside the machine” to collect the money.
An industry cybersecurity group has “disseminated intelligence on this attack to the members,” according to The New York Times, which first covered the report. The Financial Services Information Sharing and Analysis Center told the Times that “some briefings were also provided by law enforcement entities.”