Leading premium email service provider utilized by corporations - System hacked - Funds stolen

  • Writer: Tejas Nikumb
  • Sep 27, 2022
Problem Statement

A co-operative bank, referred to here as XYZ*, located in a town in an Indian state, unexpectedly lost funds from its Sponsorship-Bank RTGS daily-transaction current account. The incident came to light when a bank employee, while sending an RTGS pay-out request email to the Sponsorship Bank, discovered a debit that could not be traced back to any customer's RTGS payment request.

As required by RBI regulations, this co-operative bank maintains a fixed balance in its Sponsorship-Bank RTGS daily-transaction current account. The bank also held the majority of local businesses' accounts. An employee in the bank's RTGS division would email the Sponsorship-Bank RTGS authority requesting a payment on behalf of a customer, from the bank's endorsed current account to the specified beneficiary account, and the bank would replenish the current account the following day by debiting its customers. The Sponsorship-Bank RTGS authority neither sought confirmation before processing a transfer request nor sent an acknowledgement of that request. The bank also had no internet security controls in place, which made it simple for the attacker to enter the bank's systems and operate through them indirectly.

Having compromised the RTGS department's registered email account (hosted by the leading premium email service provider), the attacker used it to send a money transfer request to the Sponsorship-Bank authority during normal banking hours. The Sponsorship-Bank authority processed the transaction without verifying the legitimacy of the message. The bank employee raised the issue with his management team, who, after realizing the gravity of the situation, called SOC Shashwat for assistance.

The bank also wanted to keep its expenditure as low as possible. For sending RTGS pay-out emails to the Sponsorship-Bank RTGS payment department, it subscribed to a leading premium email service provider. To save costs, it provided no information security training to its staff, and employees in the RTGS department browsed the internet with no website restrictions.

This case demonstrates the dangers of granting unrestricted internet access to a bank's high-risk employees, compounded by the bank's lack of investment in safeguarding its information systems and security controls. The attacker took full advantage of the employee's exposure using a malicious browser extension and moved a large sum of money undetected. The investigation also found that, before contacting SOC Shashwat, the bank had not established adequate information security management policies, which are essential to securing a bank's information systems.


Inspection

SOC Shashwat took up the case in response to the bank's request to investigate the suspicious email.

First, SOC Shashwat established that the victim bank's employees used a leading premium email service provider for email, and that this account was registered with the Sponsorship-Bank RTGS current account as the endorsed channel for transferring RTGS funds from the bank to the beneficiary accounts specified by its customers. It was also noted that the bank received 40 to 50 RTGS transfer requests from its customers every day, yet received neither an authorization confirmation nor a completion confirmation for any transfer from the Sponsorship Bank.

Second, the bank's workstations ran Linux with no antivirus and no firewall; every employee had unrestricted internet access, and no web filtering was in place. Forensic examination of the RTGS employee's system, where the fraud took place, showed that he had visited multiple adult-content websites, through which the attacker used a cross-site scripting (XSS) attack to induce him to install a malicious browser extension posing as the leading premium email service provider's add-on. Because it looked like a legitimate email notification extension, it allowed the attacker to bypass email authentication and gain access to the employee's RTGS request email account.

Third, the inquiry found that the attacker mounted a sophisticated cyberattack on the bank. The attacker waited a few days after gaining access, then, on a regular working day and within normal banking hours, used the RTGS employee's email account to send the Sponsorship-Bank RTGS team a request to transfer funds into an account. The beneficiary account was itself found to be compromised, and the attacker had already withdrawn the stolen funds before the incident was reported to the victim bank.

Lastly, the bank's IT security policies were found to be ambiguous, and multiple unnecessary logical ports were open on the bank's network, allowing the attacker to penetrate the internal network and mount an opportunistic attack.

The inquiry concluded that the bank lacked the information systems security needed to prevent this incident. The case also shows how an attacker can infiltrate a bank's internal network through a malicious browser extension, wait for the right moment, and then unlawfully manipulate the target bank's communications.


Interpretation

After investigating the root cause of the incident, we advised the bank's management to take responsibility for procuring resources such as a firewall and a server so that SOC Shashwat could build a secure environment for them. We also worked with them to develop information security policies following ISO 27001 recommendations and RBI requirements, and to establish action plans for managing risk and improving security, including the remedial actions that follow.

As part of the remediation, we proposed that management issue employees email accounts on the bank's own private domain and replace the registered email address associated with the Sponsorship-Bank RTGS daily-transaction current account with the new domain address. The bank's network architecture was then redesigned: a clean desktop policy was adopted, the RTGS and NEFT servers were converted to FTP servers, and a dedicated firewall was added for the ATM, RTGS, and NEFT servers. We then installed a DMZ server between the internet and the bank's internal network.

Next, we uninstalled all browser extensions and disabled extension installation, blocked unwanted ports on the bank's network, and restricted USB drive access and general internet access for all employees. We enabled log monitoring and blocking of unfamiliar IP addresses on all of their firewalls. Under the FTP server storage policy, we defined a username and password for each employee, with a forced password-change interval. We set up a secure offline backup server connection to back up the organization's data every week. Finally, we recommended that the organization's director receive system/network security and firewall configuration training from our firm.
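As an added illustration of the firewall log review described above (this is not SOC Shashwat's tooling; the log format, the bank's address ranges and the sample lines are all constructed), the following Python snippet flags every connection whose source or destination falls outside a set of familiar networks:

```python
import ipaddress
import re

# Constructed log format (an assumption; real firewall syslog formats differ):
#   "<timestamp> action=<ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
# Hypothetical "familiar" address space: the bank's LAN and the Sponsorship
# Bank's RTGS gateway range (both made-up documentation prefixes).
FAMILIAR_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample log: a normal RTGS session, an inbound session from an
# unknown address, a denied probe, and an outbound session to an unknown host.
SAMPLE_LOG = """\
2022-09-20T10:02:11 action=ALLOW src=10.20.5.14 dst=203.0.113.10 dport=443
2022-09-20T10:05:47 action=ALLOW src=198.51.100.77 dst=10.20.5.14 dport=3389
2022-09-20T10:06:02 action=DENY src=198.51.100.77 dst=10.20.5.14 dport=22
2022-09-20T10:07:30 action=ALLOW src=10.20.5.14 dst=192.0.2.99 dport=8080
"""

def is_familiar(ip):
    """True if the address lies inside one of the approved networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FAMILIAR_NETWORKS)

def review_log(text):
    """Return parsed entries whose src or dst is outside the familiar networks.
    Both directions matter: an inbound session from an unknown source and an
    outbound one to an unknown host (e.g. an extension calling home) are flagged."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real deployment should count these
        entry = m.groupdict()
        unknown = [ip for ip in (entry["src"], entry["dst"]) if not is_familiar(ip)]
        if unknown:
            entry["unfamiliar"] = ",".join(unknown)
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(f"{e['ts']} {e['action']} {e['src']} -> {e['dst']}:{e['dport']} unfamiliar={e['unfamiliar']}")
```

In practice the familiar set would be maintained as the bank's approved peer list and the flagged entries forwarded to the SOC for review rather than printed.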

These remedial actions will help the bank become compliant with ISO 27001 and RBI guidelines. They will also help it prevent similar incidents in future and maintain a secure banking environment.
