Nixu Files: I can’t get no transactions – How a Trojan hurt bank operations

May 22, 2019 at 14:52

A new internal portal in a bank was running smoothly. Then a trusted site host suspended their services because of unpaid invoices. Project lead Jessica just thought they had mixed up their bookkeeping. What no one could have imagined was that a banking Trojan had found its way between the transactions. This customer story may have happened somehow, somewhere. Welcome to the world of cyber noir.


Celebration of a new portal

Gazing out to the city center with a gin & tonic in her hand, Jessica was happy. She’d been working like crazy for eight months to launch a modern-day development portal for a prestigious national bank. “We need to experiment more,” the CEO had said at the beginning. “Otherwise, we will lose the race. I see a lot of potential in the digital era.”

Now, UniqueBankPortal was out. Internal campaigns were running, the portal was working smoothly – Jessica had only seen minor flaws in the feedback form – and the team decided to have a small party on the rooftop of the bank headquarters.

“To a job well done,” Jessica raised her glass.

UniqueBankPortal quickly turned into a success story. Almost 80 percent of the employees used it to access their company accounts more easily. Next year, the bank was going to launch the portal in mobile.

“You have 24 hours”

After the summer, Jessica was having a meeting about the new project, she received a phone call from a subcontractor, Hans, who had been building the site. Boy, was he angry.

“I’ve been sending you emails but no one bothered answering me,” Hans said. “You’ve now ignored so many of our invoices that we have to cut you off the grid.”

“We’ve paid you every dime,” Jessica said with a slice of panic in her voice. “I can certainly remember that because you charge so much.”

“Either way, I cannot support your site for free. You have 24 hours.”

Jessica ran down to the financial department, where Lena, the head controller, showed Jessica all the approved transactions that had gone to the subcontractor filed under the UniqueBankPortal project.

“See? All there. Transfers have been sent every week,” Lena remarked as she showed Jessica her screen.

“And I’ve approved them,” Jessica added. “Maybe Hans just has some problems with his bookkeeping.”

Jessica sent receipts for the payments to Hans. After not hearing back from him, she went back to the meeting. The next day, she logged in to UniqueBankPortal – and stared at the screen. “Page not found.” She tried again. “Page not found.”

She started to receive messages from colleagues: “I can’t get into the portal, and I have a customer meeting, what should I do?”, “The portal is broken, and all my files are there!”, “It’s always like this when getting new systems… I told you so”, and so on.

Jessica was devastated – she was the one who had chosen to partner up with an “agile and modern site host” and didn’t expect this. Hans was upset and didn’t answer the phone. He only sent her a blunt text message: “This isn’t a pro bono job for us. This partnership is over.”

Hidden transactions

Jessica collected a team of cybersecurity experts who started to track the cause of the incident. The lead consultant, Emil, found a new version of a banking trojan called Emotet that had found its way in between Jessica and Hans’s transactions.

Emotet was Trojan malware that was designed to steal bank account details by intercepting internet traffic. This module included a money transfer system, malspam module, and a banking module that targeted European banks.

It seemed that a hacker had broken into Hans’s email account and sent fake sophisticated-looking invoices to Jessica with Hans’s signature. The phishing was so skillful that Jessica couldn’t even say afterwards which message led to the scam invoices.

The malware injected computer code into the networking stack of an infected Windows computer, allowing sensitive data to be stolen via transmission.

Emil’s team started to identify, shutdown, and isolate the infected computers that run the app. Because the Trojan scraped additional credentials, Emil advised everyone to reset their password for other applications that may have had stored credentials on the compromised computer and issue password resets for both domain and local credentials.

Emil’s team succeeded in mitigating the leakage and stopping it from spreading further. The incident was followed by a forensic investigation, but the police never found the attacker(s). Luckily, insurance covered all of Hans’s losses. Jessica and Hans made a new deal to rebuild the portal together with Emil’s team.

Lessons learned

A year after the crisis, in the bank headquarters, Jessica is presenting the safety structures of UniqueBankPortal’s second version.

“Why on Earth didn’t we implement these safety features in the first version,” the CEO asks.

“To be honest,” Jessica says, “No one paid attention to it. We were so eager about the technology.” Silence fell in the meeting room and eyes gazed at the CEO. He cleared his throat.

“Yes,” he said, “I guess we acted a bit hasty on these digitalization things…”

Later during the week, Emil invited Jessica and Hans for drinks to mark the end of the update and the recovery project.

“Last time we celebrated a portal launch, it turned out to be a catastrophe. Somehow, I don’t feel like partying,” Jessica said.

“If it’s any consolation,” Hans said to Jessica, “I’m sorry I got upset. I should have trusted your word. I cost us a whole lot of time.”

“No, I should be the one to apologize. I should have believed you in the first place,” Jessica said.

“There, there, listen to you two,” Emil said. “You definitely need to give yourself credit, both of you,” Emil said. “You’ve hit rock bottom and learned something the hard way. But you wouldn’t do it again, would you?”

“Never again would I start designing a web-based portal without careful cybersecurity monitoring!” Jessica said.

“Never again would I ignore the true needs for up-to-date cybersecurity practices and experts!” Hans said.

“I’m sure you wouldn’t. Now you’ve got some true knowledge and experience. Now, how about some champagne to celebrate the new digital era?”

Emil’s quick guide to network security:

1. Update your software. It's always crucial to install the latest updates for Windows and other software. Companies continually release updates to patch vulnerabilities that can be exploited by hackers. OS patches are the most important.

2. Never trust alarming emails. You should keep in mind that most reputable companies will never request personally identifiable information or account details via email, especially insurance companies and banks. If you receive an email asking for any account information, immediately delete it, or alternatively, flag it for investigation by your IT security department and then call the company to confirm that your account is ok.

3. Do not open attachments in suspicious emails — especially for Word, Excel, PowerPoint, or PDF attachments. Always avoid clicking embedded links in emails, because these can be seeded with malware that is difficult to detect.


Nixu Files is a series of modern-day detective tales where we demonstrate the most thrilling client cases in the industry. The stories read like nail-biting mystery novels, but they are not that far from fiction. Welcome to the world of cyber noir.


Related blogs