It was recently announced by the Federal Reserve Bank of St. Louis, one of twelve regional federal banks serving banks in Arkansas, Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee that it was the target of a cyberattack a month earlier on April 24, 2015 in which unknown hackers managed to hack into the domain name system (DNS) for the bank and manipulate the routing settings causing users of the bank’s economic data and research databases including Federal Reserve Economic Data (FRED), Federal Reserve Archival System for Economic Research (FRASER) and Archival Federal Reserve Economic Data (ALFRED) to be sent to phony websites that appeared to be the Federal Reserve Bank of St. Louis’ databases. Banks and others who used these databases on April 24th may have had their user names and passwords compromised and may also have unwittingly downloaded malware on to their computers. It is not yet known who is behind this cyberattack, but the sophistication of the attack points toward a foreign country rather than individual cybercriminals. The information gained through this hacking did not compromise the security of the Federal Reserve Bank of St. Louis, but may well have a potentially serious effect on the security of financial institutions utilizing those databases on April 24th.
Hopefully, the financial institutions that used these databases on April 24th use unique passwords for their other accounts so that the stealing of their passwords would not compromise their security with other sensitive websites and accounts. In any event, these institutions should change their passwords for the Federal Reserve Bank of St. Louis databases as well as any other accounts where they used the same passwords. This is a lesson to all of us, as well, that we should have unique passwords for all of our accounts so if one account is hacked, all of our accounts are not jeopardized. Another concern brought about by this hacking is that the financial institutions using the databases can well expect to become attacked by spear phishing by which the hackers will take personal information gained through this hacking and use it to make phishing attacks against these institutions more legitimate looking and more likely to succeed. This is one reason why I always advise you to never click on links or download attachments regardless of how legitimate they may appear until you have confirmed that they are legitimate. Trust me, you can’t trust anyone.