Naked Security

Attackers used a LinkedIn job ad and Skype call to breach bank’s defences

A Chilean Senator has taken to Twitter with alarming news – the company running the country’s ATM network suffered a serious cyberattack.

Last week, Chilean Senator Felipe Harboe took to Twitter with alarming news – he had got wind that the company running the country’s ATM inter-bank network, Redbanc, had suffered a serious cyberattack at the end of December.

Two days later, not long before a local news site published a story offering more detail, Redbanc issued a public admission that the attack had happened, confirming little beyond the statement that its network had not been disrupted and continued functioning normally.

[translated] This event had no impact on our operations, and our services kept running smoothly. As established in our protocols, we kept the different industry players and authorities informed at all times, with total transparency and a spirit of collaboration.

Cyberattacks happen all the time, of course, but this one piqued people’s curiosity for several reasons.

The first was that this was a cyberattack on a company that connects and manages the ATM network for a whole country.

In banking terms, that’s quite a big deal, partly because ATM networks are a juicy target but also because it arrived in the wake of last June’s big ransomware attack against Banco de Chile.

A second bump for the story arrived a few days later when security company Flashpoint said it believed the malware used against Redbanc was PowerRatankba, a platform connected to North Korea’s Lazarus group.

These days attribution has become a big attention-grabber in ways that often drown out more down-to-earth themes buried deeper in this kind of story.

The attack

One of these is the Chilean news site’s claim that the attack started with a LinkedIn advert offering a developer role to which a Redbanc employee replied.

The attackers set up a Skype call to conduct an interview during which the individual was tricked into downloading a file called ApplicationPDF.exe, sent via a weblink, which subsequently infected the employee’s computer.

There’s a technical side to what happened next which Flashpoint analyses in some detail based on what it knows about the malware used.

The malware is said to have executed successfully enough that the attackers were able to explore the network for new security gaps. At some point, this was noticed and further probes were blocked.

A more fundamental point staring back at us is that a company running a critical piece of banking infrastructure allowed attackers into its network after one bogus Skype call.

It’s social engineering, yes, but what type of social engineering?

Had the employee encountered the same ruse in an email inbox, they would have been less likely to have fallen for the trick because that’s the place we all assume social engineering attackers will strike first.

In fact, phishing and social engineering attackers will try to crawl through any crack. What matters is not the channel but the action the target is being asked to take, in this case downloading a file and running it.

There are numerous ways organisations could react to a story like this that don’t simply involve stopping employees from using social media applications or downloading files.

One idea is to pen-test organisations to see where these social engineering weaknesses lie before the attackers find them.

Another is to ask employees to verify the identity of whoever they are communicating with before accepting files from them. This simple step could rule out a lot of these attacks before they reach the stage of opening a live communication channel.

The most important might be to reinforce that these attacks happen all the time, and that they are often easy to pull off. Teach employees, with a training tool such as Sophos Phish Threat, to better spot the signs of phishing and spear-phishing.
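As an added example, not code from the article or from Flashpoint's analysis, the filter below flags downloads whose filename is dressed up as a document but carries an executable extension, which is the pattern behind ApplicationPDF.exe. The download records it scans are constructed for illustration, and the hint lists are assumptions a defender would tune for their own environment.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions Windows runs directly on double-click (assumed starting list, tune as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1"}
# Extensions that read as harmless documents or images when used as a fake inner extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Words that make a filename read like paperwork; the lure in this story was ApplicationPDF.exe.
DOCUMENT_HINTS = ("pdf", "doc", "xls", "resume", "cv", "application", "invoice", "contract")


@dataclass
class Finding:
    user: str
    filename: str
    url: str
    reason: str


def disguised_executable(filename: str) -> Optional[str]:
    """Return why a filename looks like a document disguised as code, or None if it does not."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    ext = parts[-1]
    # Case 1: double extension such as 'Resume.pdf.exe'; Explorer may hide the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}.{ext}"
    # Case 2: a document-like word baked into the stem, e.g. 'ApplicationPDF.exe'.
    stem = ".".join(parts[:-1])
    for hint in DOCUMENT_HINTS:
        if hint in stem:
            return f"document hint '{hint}' with executable extension .{ext}"
    return None


# Constructed sample download records (user, URL, saved filename); not from the incident.
SAMPLE_DOWNLOADS: List[Tuple[str, str, str]] = [
    ("jdoe", "https://example.invalid/jobs/ApplicationPDF.exe", "ApplicationPDF.exe"),
    ("jdoe", "https://example.invalid/jobs/Job_Description.pdf", "Job_Description.pdf"),
    ("asmith", "https://example.invalid/hr/Resume.pdf.exe", "Resume.pdf.exe"),
    ("asmith", "https://example.invalid/tools/setup.exe", "setup.exe"),
]


def scan_downloads(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run the filename check over download records and return the suspicious ones."""
    findings = []
    for user, url, filename in records:
        reason = disguised_executable(filename)
        if reason:
            findings.append(Finding(user, filename, url, reason))
    return findings


if __name__ == "__main__":
    for f in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"{f.user}: {f.filename} ({f.reason}) from {f.url}")
```

A plain installer such as setup.exe is deliberately left alone, so the check targets the disguise rather than every executable download.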


5 Comments

Decidedly *not* the way you’d prefer your boss to find out you’re looking for another job.


Is it overly harsh to question the skills (or at least attention to detail) of someone seeking a developer position, when they’re suckered by a filename like that?


These were exactly my thoughts; I don’t see how this employee thought he could work as a developer without that basic knowledge of file names.


A developer??? Opened an .exe file? Now he really needs a new job.


Ah, the youth of today! If you develop in JavaScript for Node.js or to run in a browser, you might never actually have created an EXE of your own – you could code for a lifetime and never knowingly compile or link anything :-)
