Pakistani CERT Alerts that Almost All Banks in the Country are Compromised

Delaware, USA – November 7, 2018 – This Sunday, the Pakistani CERT published a Threat Intelligence report on recent attacks on banks in the country. The first reports of the theft of funds from personal banking accounts at different banks appeared in mid-October. On October 27, BankIslami recorded a suspicious transaction of a large amount outside the country and turned off international payments until the end of the investigation. Soon, nine more attacked banks shut down international transactions. The investigation showed that cybercriminals posted data dump on Darknet with over 9,000 payment cards details the day before, it is worth noting that the cost of one card exceeded $100, which is several times higher than the average price of payment cards on such resources. On October 31, the attackers showed the next part of the stolen data, this time they posted 11,000 cards issued by 21 Pakistani banks. CERT reports that crooks can purchase text-based credit card details for making online purchases, as well as skimmed dumps, which can be used to clone a card. Experts suggest that attackers compromised several ATMs or merchant machines belonging to different banks. Before putting up cards for sale, cybercriminals used them on their own for about two weeks, perhaps the traces they left will help researchers to find them.

Also this week it became known about a massive data breach in HTBC. Details and the number of victims of the attack are not yet known, but the attackers gained access to customers’ full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account statements, and statement histories. It’s alleged that attackers obtained credentials bases from several websites and used them to log into HSBC online banking accounts that reused the same credentials. To detect such attacks, you can use Brute Force Detection rule pack, which warns the security team about password guessing attempts, even if the attack is conducted from different IPs: https://my.socprime.com/en/integrations/brute-force-detection-arcsight