As many as five Mexican banks may have been targeted by what appears to be a highly co-ordinated cyber-attack in which unauthorized transfers were made to bogus accounts.
The campaign seems to have focused on the domestic SPEI transfer network, and as such is reminiscent of the recent spate of sophisticated attacks on the global SWIFT inter-bank messaging system.
Lorenza Martinez, head of Banxico’s payment system, told Reuters that five lenders had seen unauthorized transfers and that analysis is currently under way to determine whether malicious insiders were involved.
SPEI itself is not thought to have been compromised but rather the software used by banks to connect to it, she added.
One source close to the government investigation into the incident told the newswire that hackers had stolen over 300 million pesos ($15.4 million) from lenders including Banorte by issuing unauthorized transfers to the fake accounts at other banks. Accomplices are believed to have then withdrawn the funds at dozens of branches.
The campaign calls to mind an ongoing spate of attacks on the SWIFT network, which began with an $81m raid on Bangladesh Bank subsequently blamed on a North Korean cybercrime group.
Since then, tens of millions have been stolen from Taiwan’s Far Eastern International Bank, as well as from lenders in Russia, Ukraine and other countries, in attacks that all targeted the SWIFT network in some way.
Fred Kniep, CEO of CyberGRX, claimed the Mexican attacks represent a failure of third-party risk management.
“As the SWIFT Network learned after an attack on a member bank led to a costly breach, it only takes one vulnerability for attackers to gain access to your network and ride in on a trusted connection,” he added.
“Cyber-criminals are increasingly targeting third parties — suppliers, contractors, vendors and, in this case, a software provider used by the central bank's SPEI interbank transfer system — to breach high-value networks. Collaboration and information sharing at all levels are the keys to effectively mitigating the persistent and potentially damaging threats posed by attackers.”