Mexico Investigates Suspected Cyberattacks Against 5 Banks

$20 Million in Potential Losses After Real-Time Payment Connections Compromised
Mexican officials are investigating a series of technical glitches that may have been a prelude to a large cyberattack affecting at least five banks, according to news reports. The full scope of the incidents, however, remains fuzzy.

The losses could be as high as 400 million pesos ($20 million), although much remains unknown, Mexican media outlet El Financiero reported on Monday.

Fraudsters created money transfer orders, wiring the money to other accounts and then withdrawing it, Reuters reports. Investigators are attempting to determine whether fraudsters may have had inside help because large cash withdrawals are rare, it reports, adding that Banorte, the country's second-largest bank, was among those targeted.

Mexico's central bank, Banco de México - abbreviated as Banxico - is investigating five banks whose connections to its electronic payment system were compromised, Bloomberg reports. The central bank's head of operations, Lorenza Martinez, tells Bloomberg that the vulnerability in the connections allowed money to be withdrawn from bogus accounts at the bank.

Efforts to reach Banxico and several other banks weren't immediately successful.

Slower Transactions

The first hiccups at Mexican banks appeared in late April. Banxico on April 27 warned of issues among banks that use Mexico's Interbank Electronic Payments, known as SPEI. The system, which is accessible to consumers, allows for interbank transfers between accounts at different domestic banks, with transactions completing in just seconds.

On April 30, Banxico warned that the issues could be slowing down SPEI payments. But it assured the public that the integrity of the system had not been compromised and that SPEI "continues to operate normally and safely."

Banco de México - aka Banxico - headquarters in Mexico City. (Photo: Alfonso21 via CC)

Nonetheless, Banxico encouraged banks to use a back-up interbank transfer system rather than SPEI. Three banks moved to the alternative transfer system, changing over to the central bank's settlement system, the Associated Press reported.

Banxico reported that it detected security incidents at three banks on April 27; Associated Press reported that they involved software vulnerabilities. At the time, Banxico requested that banks slow down transactions, such as debit card purchase approvals and electronic payments, which led to widespread delays (see Hackers Target 3 Mexican Banks' Real-Time Transfers).

Hackers' Interest In SPEI

Mexico's banking system apparently hasn't been targeted by cybercriminals in Asia or Russia, says Andrew Komarov, a threat intelligence researcher. That's likely because moving money internationally out of Mexico is difficult due to strict foreign exchange controls and extensive approval processes required to move money, he says. Such schemes would require an extensive in-country team, including money mules to withdraw fraudulent funds, he says.

The attacks were more likely done by a group within Mexico or other places in Central and Latin America with thriving blackhat scenes, such as Brazil, Komarov contends (see Cybercrime Se Habla Español: Inside the Underground).

Komarov says that late last year, hackers in underground online forums were seeking detailed documentation on how SPEI works, which would be an obvious first step in any effort to build compatible malware.

"It confirms there was interest in this banking system," he says, adding that the same kind of documentation was sought prior to a spate of attacks involving fraudulent SWIFT money-moving messages and against ATMs.

In January, Mexico's government-run export bank, Bancomext, was targeted by hackers, but it said no money was stolen. "Authorities have confirmed that the modus operandi of the alleged hackers is similar to intrusions that have occurred in other institutions in Mexico and Latin America," the bank reported.

Despite the report that there were no losses, Komarov says: "We know with high confidence the attack on Bancomext and recent events are closely related to each other and may be related to chain of targeted attacks against Mexican financial system."

Echoes of Fraud via SWIFT

The issues in Mexico follow a series of increasingly bold attacks by hackers against banks, particularly in locales where security measures may be weaker.

Attackers have sought to gain access to the SWIFT financial messaging software that's inside most banks and used to facilitate international transfers.

SWIFT faced a crisis after hackers in February 2016 attempted to steal $951 million from the New York Federal Reserve account of Bangladesh's central bank. The attackers exploited poor security controls and used malware to eventually steal about $81 million (see Bangladesh Bank Hackers Steal $100 Million).

Bangladesh is still trying to recover some of those funds, but they're likely gone for good, The New York Times recently reported.

The Bangladesh Bank attack has been widely attributed to the Lazarus Group, which is suspected to be affiliated with North Korea.

Bangladesh Bank headquarters in Dhaka. (Photo: Google Street View)

Later that year, SWIFT tripled its security team and established a 24/7 operations center to better prepare itself for attacks upon its members. It also launched a campaign to bring its members up to speed on security best practices (see Security Investments Consume SWIFT's Profits).

But hackers haven't given up. Just last month, Malaysia's central bank blocked an attack that attempted to manipulate its SWIFT system (see Malaysia's Central Bank Blocks Attempted SWIFT Fraud).

Executive Editor Mathew Schwartz also contributed to this report.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
