The SWIFT Hack: A Look At Credential Theft

06.02.16

Dan Ennis, CEO

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is the global financial network that banks use to transfer billions of dollars every day. With over 11,000 financial institutions using this network, it’s easy to understand why SWIFT was such a juicy target.

What is harder to comprehend is the realization that a major component of international banking has been crippled by targeted keylogging malware resulting in credential theft. In this instance, the cyber criminals responsible for the attack on the SWIFT network (and reportedly for last year’s highly publicized Sony hack) deployed malware into an unprotected banking network, gained access to valid user accounts and covered their tracks expertly.

Credential Theft

Credential theft has remained highly destructive, and stolen credentials are a sought-after criminal commodity, traded like any other resource. With every change by the security industry, cyber criminals appear to outpace the implementation of new defenses.

One thing has remained true throughout all of these changes: credential theft continues to be highly destructive, especially within the Financial Services sector. Credential theft is a recurring weakness in every transaction performed.

Cyber criminals compromise an environment, harvest valid credentials from it, and submit fraudulent transactions while impersonating the users whose credentials were stolen. In the case of the SWIFT breach, they then covered up the evidence of the fraudulent actions by removing the traces of the transactions.

Preventing Credential Theft

Keylogging malware gains access and hides itself in the operating system, then starts intercepting keystrokes through the kernel. This technique is hard to counter because keyloggers residing at the kernel level are very difficult to detect.

Trusted Knight’s Protector product establishes itself at the Ring 0 level in the operating system’s API stack and ejects any malicious kernel-level hook from the chain. It also prevents cycle-based interrupt attacks by delivering encrypted data from its driver-based installation.

This method of protection presumes that a system will be or already is compromised and stops the malware from performing the way the cyber criminals intended.

Read more about how Protector prevents credential theft and defends against the strains of malware that are responsible for the overwhelming majority of financial loss.
