{"id":49794,"date":"2016-05-20T09:10:55","date_gmt":"2016-05-20T16:10:55","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=49794"},"modified":"2025-05-27T22:40:39","modified_gmt":"2025-05-28T05:40:39","slug":"attacks-swift-banking-system-benefit-insider-knowledge","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/","title":{"rendered":"Attacks on SWIFT Banking System Benefit From Insider Knowledge"},"content":{"rendered":"<p>In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The malware they used was able to manipulate and read unique messages from SWIFT (Society for Worldwide Interbank Financial Telecommunication), as well as adjust balances and send details to a remote control server. BAE Systems wrote a detailed analysis and concluded that the malware must be based on a framework of different modules that could be used for multiple targets.<\/p>\n<p>This week SWIFT sent another warning without details about another bank, this time in Vietnam that was compromised. According to a bank spokesperson, they detected in a timely manner the fraudulent transfer of $1.13 million in December 2015. Because we know the attackers had some insight into the Bangladesh attack, McAfee assumed the attackers also knew something beforehand about the Vietnamese bank. We investigated possible malware indicators for the latter attack.<\/p>\n<p>Files used for the investigation:<\/p>\n<ul>\n<li>MD5: 0b9bf941e2539eaa34756a9e2c0d5343<\/li>\n<li>MD5: 909e1b840909522fe6ba3d4dfd197d93<\/li>\n<\/ul>\n<p>We focused our analysis primarily on the first sample. The file\u2019s compile timestamp is 2015-12-04 02:04:23. The first submission of the file from Vietnam was on December 22, 2015.<\/p>\n<p>In the case of the Vietnamese bank, the file used for the attack is a fake version of the popular PDF reader Foxit. The malware installs itself in the original Foxit installation directory and renames the original file to FoxltReader.exe.<\/p>\n<p>Once the user starts using the fake reader, the malware executes and writes to a log file in the temp directory C:\\\\Windows\\temp\\\\WRTU\\ldksetup.tmp. Analyzing this file, we see the log data is XOR encoded using the value 0x47.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49805 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png\" alt=\"20160520 SWIFT 1\" width=\"824\" height=\"84\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-1.png 824w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-1-300x31.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-1-768x78.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/a><\/p>\n<p>As in the case of the Bangladeshi bank, the malware uses the configuration file Lmutilps32.dat, which can also be found in C:\\\\Windows\\\\temp\\WRTU\\. This file is also XOR encoded, with the value 0x7C4D5978.<\/p>\n<p>Was this malware part of a targeted attack? Yes, absolutely. As in the malware used against the Bangladeshi bank, we found the SWIFT code for the target in multiple places in the malware:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49804 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-2.png\" alt=\"20160520 SWIFT 2\" width=\"526\" height=\"52\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-2.png 526w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-2-300x30.png 300w\" sizes=\"auto, (max-width: 526px) 100vw, 526px\" \/><\/a><\/p>\n<p>The code TPBVVNVX is the SWIFT code for the Tienphong Commercial Joint Stock Bank, in Hanoi.<\/p>\n<p>We also noticed that there were more SWIFT codes in the code:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49803 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-3.png\" alt=\"20160520 SWIFT 3\" width=\"886\" height=\"282\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-3.png 886w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-3-300x95.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-3-768x244.png 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/><\/a><\/p>\n<p>These banks are based in Australia, Singapore, Japan, Korea, Vietnam, Italy, and the United States. We wondered why the actors would put this particular list in the malware. Further analyzing the working of the malware, we discovered an interesting part in the code concerning \u201dExecuting the real Foxit reader\u201d and the next section in the code states \u201cPDFmodulation success. \u2026\u201d This hints of the manipulation of PDF files.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49802 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-4.png\" alt=\"20160520 SWIFT 4\" width=\"1082\" height=\"302\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-4.png 1082w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-4-300x84.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-4-768x214.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-4-1024x286.png 1024w\" sizes=\"auto, (max-width: 1082px) 100vw, 1082px\" \/><\/a><\/p>\n<p>In the code, we found that the malware uses the original driver fpdsdk.dll from the Foxit SDK to execute the transformation of the files.<\/p>\n<p>We discovered functionality in the code that converts PDF files to XML files, which are stored in the folder C:\\Documents and Settings\\Test\\Local Settings\\Temp\\. The filenames start with XXX or RSP followed by a value between 0-F and finish with the extension .tmp.<\/p>\n<p>Let\u2019s return to our list of SWIFT codes of other banks. The malware reads the SWIFT messages and checks if the sender of the message is one of the listed banks. Once it finds these messages, it reads their information:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49801 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-5.png\" alt=\"20160520 SWIFT 5\" width=\"952\" height=\"460\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-5.png 952w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-5-300x145.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-5-768x371.png 768w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/a><\/p>\n<p>The malware can manipulate these messages: deleting transactions, transaction history, and system logs, and prevent the printing of the fraudulent transactions:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49800 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-6.png\" alt=\"20160520 SWIFT 6\" width=\"1044\" height=\"360\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-6.png 1044w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-6-300x103.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-6-768x265.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-6-1024x353.png 1024w\" sizes=\"auto, (max-width: 1044px) 100vw, 1044px\" \/><\/a><\/p>\n<p>As in the Bangladeshi attack, we found some typos:<\/p>\n<ul>\n<li>Bangladesh: \u201cfandation\u201d instead of \u201cfoundation\u201d and \u201calreay\u201d instead of \u201calready\u201d<\/li>\n<li>Vietnam: \u201cFilleOut\u201d instead of \u201cFileOut\u201d<\/li>\n<\/ul>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-49799 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-7.png\" alt=\"20160520 SWIFT 7\" width=\"520\" height=\"42\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-7.png 520w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-7-300x24.png 300w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<p>Does this analysis tell us anything about the actors? It might, but these details form a weak indicator. How easy is it to misspell some words on purpose to mislead investigators?<strong>\u00a0<\/strong><\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>In both attacks we can see that the attackers have done their reconnaissance properly and may have used an insider to get the details they needed to prepare their attacks. In the Bangladeshi case, for example, the malware samples are tuned to the environment and how the banking system operates, including the supported software, databases, and printer. In the Vietnamese case, the malware is also tuned to fit the environment. The attackers knew that the bank used Foxit and replaced it with a fake version. The attackers have a very good understanding of the SWIFT messaging system and how to manipulate the system to prevent the detection of their fraudulent attempts of transferring the money. The malware in each attack was compiled just before the attack happened.<\/p>\n<p>Although both attacks were discovered at some point during the attempts to transfer large amounts of money, the actors may well have executed a few test runs to check their operations before the real attacks.<\/p>\n<p>The operation in Vietnam happened in December 2015 and was discovered after an investigation of the incident in February 2016 in Bangladesh. The Vietnamese attack was reported to the banking world in May 2016. Would logs still be available for an incident that happened about six months ago? Would the possible test runs be traceable? These are some of the many questions that arise. One lesson from both cases is that when a fraud alert is triggered by either an internal system or by transaction authorities, a thorough analysis\u2014 including an in-depth analysis of the malware\u2014of the tactics and procedures used by the attackers is needed. In this case, investigators can share indicators such as MD5 sums, but because the attackers have customized their malware, sharing would be of little value. On the other hand, sharing the methods used by the attackers, the inner working of the malware, and its manipulation of the systems should teach us where to look and adapt our defenses.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal&#8230;<\/p>\n","protected":false},"author":653,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[76,4452,180],"coauthors":[3576],"class_list":["post-49794","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybercrime","tag-cybersecurity","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Attacks on SWIFT Banking System Benefit From Insider Knowledge | McAfee Blog<\/title>\n<meta name=\"description\" content=\"In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Attacks on SWIFT Banking System Benefit From Insider Knowledge | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-05-20T16:10:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T05:40:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"824\" \/>\n\t<meta property=\"og:image:height\" content=\"84\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ChristiaanBeek\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/\"},\"author\":{\"name\":\"Christiaan Beek\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79\"},\"headline\":\"Attacks on SWIFT Banking System Benefit From Insider Knowledge\",\"datePublished\":\"2016-05-20T16:10:55+00:00\",\"dateModified\":\"2025-05-28T05:40:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/\"},\"wordCount\":974,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png\",\"keywords\":[\"cybercrime\",\"cybersecurity\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/\",\"name\":\"Attacks on SWIFT Banking System Benefit From Insider Knowledge | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png\",\"datePublished\":\"2016-05-20T16:10:55+00:00\",\"dateModified\":\"2025-05-28T05:40:39+00:00\",\"description\":\"In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Attacks on SWIFT Banking System Benefit From Insider Knowledge\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79\",\"name\":\"Christiaan Beek\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/09179574bcf76b6304ed08e621f59379\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png\",\"caption\":\"Christiaan Beek\"},\"description\":\"Christiaan Beek is the Lead Scientist &amp; Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and collaborate to make the (cyber) world safer and a better place. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs and Director of Incident Response and Forensics at Foundstone, McAfee\u2019s forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa during major breaches. Beek develops threat intelligence strategy, designs and envision threat intelligence systems and new research techniques. Christiaan speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides contributed to the best-selling security book \\\"Hacking Exposed\\\", he wrote a comic book about Ransomware, is a contributor to the MITRE ATT&amp;CK framework and holds multiple patents.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/christiaanbeek\/\",\"https:\/\/x.com\/ChristiaanBeek\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/christiaan-beek\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Attacks on SWIFT Banking System Benefit From Insider Knowledge | McAfee Blog","description":"In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Attacks on SWIFT Banking System Benefit From Insider Knowledge | McAfee Blog","og_description":"In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-05-20T16:10:55+00:00","article_modified_time":"2025-05-28T05:40:39+00:00","og_image":[{"width":824,"height":84,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160520-SWIFT-1.png","type":"image\/png"}],"author":"Christiaan Beek","twitter_card":"summary_large_image","twitter_creator":"@ChristiaanBeek","twitter_site":"@McAfee","twitter_misc":{"Written by":"Christiaan Beek","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/"},"author":{"name":"Christiaan Beek","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79"},"headline":"Attacks on SWIFT Banking System Benefit From Insider Knowledge","datePublished":"2016-05-20T16:10:55+00:00","dateModified":"2025-05-28T05:40:39+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/"},"wordCount":974,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png","keywords":["cybercrime","cybersecurity","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/","name":"Attacks on SWIFT Banking System Benefit From Insider Knowledge | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png","datePublished":"2016-05-20T16:10:55+00:00","dateModified":"2025-05-28T05:40:39+00:00","description":"In recent months, we\u2019ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160520-SWIFT-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attacks-swift-banking-system-benefit-insider-knowledge\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Attacks on SWIFT Banking System Benefit From Insider Knowledge"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79","name":"Christiaan Beek","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/09179574bcf76b6304ed08e621f59379","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png","caption":"Christiaan Beek"},"description":"Christiaan Beek is the Lead Scientist &amp; Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and collaborate to make the (cyber) world safer and a better place. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs and Director of Incident Response and Forensics at Foundstone, McAfee\u2019s forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa during major breaches. Beek develops threat intelligence strategy, designs and envision threat intelligence systems and new research techniques. Christiaan speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides contributed to the best-selling security book \"Hacking Exposed\", he wrote a comic book about Ransomware, is a contributor to the MITRE ATT&amp;CK framework and holds multiple patents.","sameAs":["https:\/\/www.linkedin.com\/in\/christiaanbeek\/","https:\/\/x.com\/ChristiaanBeek"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/christiaan-beek\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/653"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=49794"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49794\/revisions"}],"predecessor-version":[{"id":214562,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49794\/revisions\/214562"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=49794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=49794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=49794"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=49794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}