Banks in the Middle East are being targeted by a “wave” of cyber attacks, according to a report from FireEye, in which advanced social engineering tactics are used to entice users to open malicious macro-enabled Microsoft Office documents.
Without disclosing the names of the banks involved, FireEye’s Dynamic Threat Intelligence (DTI) team said it had identified emails containing malicious attachments being forwarded to multiple banks in the region.
The researchers said the attacks appeared to be part of an initial campaign to determine the information held within the banking organizations.
According to the report, the attackers sent multiple emails containing macro-enabled Excel (XLS) files to employees working in the banking sector in various parts of the Middle East.
The messages in the emails were themed around IT infrastructure, such as logs of a Server Status Report or lists of Cisco Iron Port Appliance details, FireEye said.
In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached.
This latest development comes hot on the heels of last month’s news that Qatar National Bank (QNB) – the largest bank in the Middle East – had been breached, with 1.4 GB of customer data reportedly being dumped on a file-sharing website before being quickly taken offline. The data included account numbers, customer names and passwords.
However, FireEye’s report does not appear to mention the QNB attack, which has been linked to a Turkish group of cyber criminals known as the Turkish Bozkurt Hackers.
Soon after news of the QNB breach broke, the group claimed responsibility in a video posted online, while also claiming to be behind a breach of United Arab Emirates (UAE)-based Investbank UAE in December 2015.
In both cases, the banks were sent threats that the data would be posted online if the cyber criminals’ demands were not met. While these threats have not been made public, the assumption among industry insiders is that the motivation behind the attacks was purely financial.