Blacksburg bank loses $2.4 million after two phishing attacks

Bank robbers often stick up the same bank twice, but a recent lawsuit between a Virginia bank and its insurer revealed the bank lost $2.4 million when staffers twice fell for phishing attacks resulting in illegal ATM withdrawals.

The National Bank of Blacksburg is suing its insurer, Everest National Insurance Company, for breach of contract, stating that Everest is refusing to reimburse the bank for its losses. From a cybercrime standpoint, however, the interesting part of the story is how the bank was hit by, and succumbed to, a phishing attack twice in an eight-month period.

The first incident, according to court documents from the United States District Court for the Western District of Virginia, took place in late May: unauthorized actors gained access to the bank's systems on May 28, 2016, most likely through a phishing attack, as determined by the digital forensics firm Foregenix. In this instance, the phishing email carried malware that was downloaded onto the bank's network, giving the attackers access to the STAR Network, which manages bank customers' debit-card ATM activity. With this access, they were able to use hundreds of ATMs across the country to withdraw a total of $569,648.24 from bank customers' accounts by the time the bank noticed and stopped the activity on May 30, 2016.

Then, in a case of déjà vu all over again, on January 7, 2017, The National Bank of Blacksburg was again hit with what investigators, this time from Verizon, determined to be a phishing attack. This time the criminals spent two days using the STAR Network to remove money from customer accounts, to the tune of $1.8 million.

The malware employed allowed the attackers to remove or modify the bank's cybersecurity measures; they then used the STAR Network to again withdraw money from hundreds of ATMs and to actively monitor the customer accounts from which funds were being fraudulently withdrawn. This allowed the intruder(s) to remove blocks, activate accounts and continue to access and remove funds from the affected accounts, the court documents said.
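Both cash-outs described above share a shape that a bank's own transaction monitoring can key on: many withdrawals from many ATMs in several states within a short window, in the second incident right after a card block was lifted or an account re-activated. The Python below is an added example written for this page, not code from the bank, its investigators or the court record; the event fields, the `block_removed`/`account_activated` control-change names, the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real bank data). Each is either a withdrawal
# authorized through the card network or a change to a card control, in the
# shape a core banking system might log them. Field names are assumptions.
SAMPLE_EVENTS = [
    # An ordinary customer: one ATM, one state, small amounts hours apart.
    {"ts": "2016-05-28 09:10", "account": "A-1001", "type": "withdrawal",
     "atm": "ATM-VA-01", "state": "VA", "amount": 100.00},
    {"ts": "2016-05-28 17:45", "account": "A-1001", "type": "withdrawal",
     "atm": "ATM-VA-01", "state": "VA", "amount": 60.00},
    # A cash-out pattern: a block lifted, then withdrawals from several ATMs
    # in several states within minutes of each other.
    {"ts": "2016-05-28 22:00", "account": "A-2002", "type": "block_removed",
     "atm": None, "state": None, "amount": 0.0},
    {"ts": "2016-05-28 22:05", "account": "A-2002", "type": "withdrawal",
     "atm": "ATM-TX-07", "state": "TX", "amount": 500.00},
    {"ts": "2016-05-28 22:09", "account": "A-2002", "type": "withdrawal",
     "atm": "ATM-CA-12", "state": "CA", "amount": 500.00},
    {"ts": "2016-05-28 22:14", "account": "A-2002", "type": "withdrawal",
     "atm": "ATM-NY-03", "state": "NY", "amount": 400.00},
    {"ts": "2016-05-28 22:20", "account": "A-2002", "type": "withdrawal",
     "atm": "ATM-FL-21", "state": "FL", "amount": 500.00},
    # A traveller: two ATMs in two states, but a day apart, so it stays
    # under the thresholds and is not flagged.
    {"ts": "2016-05-28 08:00", "account": "A-3003", "type": "withdrawal",
     "atm": "ATM-VA-02", "state": "VA", "amount": 200.00},
    {"ts": "2016-05-29 08:30", "account": "A-3003", "type": "withdrawal",
     "atm": "ATM-NC-05", "state": "NC", "amount": 200.00},
]

# Assumed event types that loosen a card control; any of them shortly before
# a burst of withdrawals is worth surfacing alongside the burst itself.
CONTROL_CHANGES = {"block_removed", "account_activated", "limit_raised"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def flag_cashout(events, window=timedelta(hours=2), min_atms=3, min_states=2):
    """Return {account: finding} for every account whose withdrawals inside
    some sliding window of length `window` touch at least `min_atms` distinct
    ATMs in at least `min_states` distinct states. Each finding also records
    whether a card-control change landed in the window before the burst."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(dict(e, ts=parse_ts(e["ts"])))

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        withdrawals = [e for e in evs if e["type"] == "withdrawal"]
        for i, start in enumerate(withdrawals):
            # All withdrawals from this one forward that fall inside the window.
            burst = [w for w in withdrawals[i:] if w["ts"] - start["ts"] <= window]
            atms = {w["atm"] for w in burst}
            states = {w["state"] for w in burst}
            if len(atms) >= min_atms and len(states) >= min_states:
                first_ts = burst[0]["ts"]
                control_before = any(
                    e["type"] in CONTROL_CHANGES
                    and first_ts - window <= e["ts"] <= first_ts
                    for e in evs)
                findings[account] = {
                    "atms": len(atms),
                    "states": len(states),
                    "amount": round(sum(w["amount"] for w in burst), 2),
                    "control_change_before_burst": control_before,
                }
                break  # one finding per account is enough to raise an alert
    return findings


if __name__ == "__main__":
    for account, finding in flag_cashout(SAMPLE_EVENTS).items():
        print(account, finding)
```

The thresholds are deliberately conservative defaults; a real deployment would tune the window and counts against the bank's own baseline of legitimate travel and cluster the alerts across accounts, since the distinguishing feature of both incidents was hundreds of accounts showing this pattern at once rather than any single one.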