The art of the cashout: the evolution of attacks on payment systems

Thursday 3 October 14:00 - 14:30, Green room

Saher Naumaan (BAE Systems Applied Intelligence)
Irving Méreau (SWIFT)

In the risk-reward calculation of an attack on an institution’s payment system, success nets a huge payoff. Over the last few years, these attacks have become more commonplace and seem to be constantly evolving. The intrusions demonstrate advanced technical skills and creative methods of cashing out. The regular appearance of new malware shows again how attackers are investing in the ability to manipulate parts of the banking system, and they increasingly seem to be co-ordinating with other criminals, particularly when it comes to the post-intrusion cashout. This presentation will cover heists seen in 2018 and 2019, details of the newest malware used by the attackers, trends in tooling and techniques, further evidence of the potential nature of their relationship with other criminal groups, and what might come under attack next.

(This is an invited talk)



Saher Naumaan

Saher Naumaan is a threat intelligence analyst at BAE Systems Applied Intelligence. She currently researches state-sponsored cyber espionage with a focus on threat groups and activity in the Middle East. Saher specialises in analysis covering the intersection of geopolitics and cyber operations, and regularly speaks at public and private conferences around the world, including SAS, Virus Bulletin and BSides. Prior to working at Applied Intelligence, Saher graduated from King’s College London with a Master’s degree in intelligence and security, where she received the Barrie Paskins Award for Best M.A. dissertation in war studies.




Irving Méreau

Irving joined SWIFT in 2007 and has held various positions within IT. Irving has been Head of Customer Security Intelligence at SWIFT since January 2018. As Head of Customer Security Intelligence, Irving is responsible for the forensic investigation and analysis of malware identified on compromised customer systems. The result of these investigations, combined with the analysis of threat intelligence specifically related to SWIFT customers, is used to inform SWIFT's customers on how they can better protect their local SWIFT infrastructure against cyber-attacks.
