Contact Contact Us

MAS Warns of Phishing Emails, North Korean APT Groups Steal Money from Financial Institutions

The Monetary Authority of Singapore (MAS) has warned the public of phishing emails impersonating the authority to deceive recipients into disclosing personal and financial information. The phishing emails are disseminated with subject titles pertaining to fund transfers and compliance matters. MAS urged the public not to respond to the emails, open the attachments, or click on links.

The US authorities and cybersecurity vendor FireEye published separate reports about North Korean APT groups that have been pilfering money from banking institutions around the world. The US authorities highlighted the Hidden Cobra APT group’s ATM cash-out scheme dubbed FASTCash, which has been targeted at banks in Africa and Asia and pilfered tens of millions of dollars. FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions by configuring and deploying legitimate scripts on compromised switch application servers to intercept and reply to financial request messages with fraudulent but legitimate-looking affirmative response messages. All the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions.

In addition, FireEye introduced another APT group dubbed APT38, which shares certain similarities with Hidden Cobra and APT37 but differs in terms of targets and tactics, techniques, and procedures. Since at least 2014, APT38 has carried out attacks in more than 16 organisations across at least 13 countries, attempting to pilfer more than US$1.1 billion dollars from financial institutions. It is known to conduct lengthy planning and stay in a victim environment for as long as necessary to understand the network layout, required permissions, system technologies, and so on. The APT group is also known to use custom developed tools that will destroy evidence or victim networks after an attack.

[1] MAS issues warning on fraudulent e-mails
[2] HIDDEN COBRA – FASTCash Campaign
[3] APT38: Details on New North Korean Regime-Backed Threat Group

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883