Skip to content
Naked Security Naked Security

Attackers used a LinkedIn job ad and Skype call to breach bank’s defences

A Chilean Senator has taken to Twitter with alarming news – the company running the country’s ATM network suffered a serious cyberattack.

Last week, Chilean Senator Felipe Harboe took to Twitter with alarming news – he had got wind that the company running the country’s ATM inter-bank network, Redbanc, had suffered a serious cyberattack at the end of December.

Two days later, not long before a local news site published a story offering more detail, Redbanc issued a public admission that the attack had happened, confirming little beyond the statement that its network had not been disrupted and continued functioning normally.

[translated] This event had no impact on our operations, keeping our services running smoothly. As established in our protocols, we kept the different industry players and authorities informed at all times, with total transparency and spirit of collaboration.

Cyberattacks happen all the time, of course, but this one piqued people’s curiosity for several reasons.

The first was that this was a cyberattack on a company that connects and manages the ATM network for a whole country.

In banking terms, that’s quite a big deal, partly because ATM networks are a juicy target but also because it arrived in the wake of last June’s big ransomware attack against Banco de Chile.

A second bump for the story arrived a few days later when security company Flashpoint said it believed the malware used against Redbanc was PowerRatankba, a platform connected to North Korea’s Lazarus group.

These days attribution has become a big attention-grabber in ways that often drown out more down-to-earth themes buried deeper in this kind of story.

The attack

One of these is the Chilean news site’s claim that the attack started with a LinkedIn advert offering a developer role to which a Redbanc employee replied.

The attackers set up a Skype call to conduct an interview during which the individual was tricked into downloading a file called ApplicationPDF.exe, sent via a weblink, which subsequently infected the employee’s computer.

There’s a technical side to what happened next which Flashpoint analyses in some detail based on what it knows about the malware used.

The malware is said to have executed successfully enough that the attackers were able to explore the network for new security gaps. At some point, this was noticed and further probes were blocked.

A more fundamental point staring back at us is that a company running a critical piece of banking infrastructure allowed attackers into its network after one bogus Skype call.

It’s social engineering, yes, but what type of social engineering?

Had the employee encountered the same ruse in an email inbox, they would have been less likely to have fallen for the trick because that’s the place we all assume social engineering attackers will strike first.

In fact, phishing and social engineering attackers will try to crawl through any crack. What matters is not the channel but the action the target is being asked to take, in this case downloading and clicking on a file.

There are numerous ways organisations could react to a story like this that don’t simply involve stopping employees from using social media applications or downloading files.

One idea is to pen-test organisations to see where these social engineering weaknesses lie before the attackers find them.

Another is to ask employees to authenticate with whom they are communicating before accepting files from them. This simple step could rule out a lot of these attacks before they get to the stage of opening a live communication channel.

The most important might be to reinforce that these attacks happen all the time, and that they are often easy to pull off. Teach employees with a training tool such as Sophos’s PhishThreat to better spot the signs of phishing and spear-phishing.



Decidedly *not* the way you’d prefer your boss to find out you’re looking for another job.


Is it overly harsh to question the skills (or at least attention to detail) of someone seeking a developer position, when they’re suckered by a filename like that?


This was exactly my thoughts, I don’t see how this employee thought he could work as a developer without that basic knowledge of file names


A developer??? Opened .exe file? Now he really needs a nw job


Ah, the youth of today! If you develop in JavaScript for Node.js or to run in a browser, you might never actually have created an EXE of your own – you could code for a lifetime and never knowingly compile or link anything :-)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!