Banking hack heist yields up to $1 billion

An international hacking ring has stolen as much as $1 billion from more than 100 banks in 30 countries in what may be the biggest banking breach ever, a new report shows.

The scheme, which goes back as far as 2013, uses malware so sophisticated that hackers have used it to dispense cash from ATMs without any physical contact with the machines, according to the report by Moscow-based security firm Kaspersky Lab.

The hackers then sent mules to pick up the cash, according to the shocking report released Monday.

The malware used in the hacks, dubbed Carbanak, targets employees of banking institutions, rather than customers, and suggests a "new era in cybercrime" in which criminals go after institutions' internal operations, the report said.

The Kaspersky report declined to name the banks that have been compromised, but said the victims were mostly "Russian-speaking financial institutions," and the malware was largely downloaded from Russian.

Still, the problem is global and has targeted banks in China, Ukraine, the U.S., India, Sweden and Great Britain, the report said.

The attackers, who also hailed from China and Europe, appear to be "trying to expand operations to other Baltic and Central Europe countries, the Middle East, Asia and Africa," the report said. Also, the malware may be used to target other institutions, not just banks, the report said.

Losses per bank ranged from $2.5 million to as much as $10 million, the report said, adding that one institution lost a whopping $7.3 million due to ATM fraud alone.

The hackers seemed to deliberately limit their theft to about $10 million per bank before moving on to their next target, which may explain why the fraud went undetected so long.

Total financial losses could be as high as $1 billion, however, "making this by far the most successful criminal cyber campaign we have ever seen," said the report.

J.P. Morgan Chase was among the banks targeted through a system of fake accounts, according to The New York Times, which first covered the report on Sunday.

Experts on Monday said they are taking the threat seriously — and so should banks.

"The 'Carbanak cybergang' operation reported by Kaspersky is no doubt the most daring, most sophisticated, and potentially the most damaging cybercrime directly against banks up to date," said Fengmin Gong, chief strategy officer at Cyphort.

The method of attack also shows that cybercriminals have "leapfrogged" in ability compared to recent point-of-sale attacks at retailers, like Target, Gong said.

Carbanak is the name given to the malware by Kaspersky Lab. The main difference between Carbanak and other so-called Advanced Persistent Threat attacks, or APT attacks, is that the attackers are targeting money rather than data, the report said.

After infecting a network, the criminals would lie in wait, often for months at a time, while learning how to operate the controls in order to cash out, the report said.