The financial sector is a gold mine for cybercriminals, and every customer, employee, and business entity is a potential target. Online banking and mobile apps have amplified the opportunities for threat actors of all skill levels. This blog reviews three common attacks designed to steal money and information through a financial institution.
No discussion of cyberattacks is complete without a mention of phishing: a malicious attempt to steal sensitive information by tricking someone into doing something. The attacker poses as a trustworthy entity and asks the potential victim to take some action, like resetting a password, verifying credit card details, etc. Some attacks target bank customers to get access to financial accounts. Others may target bank employees to gain access to the internal systems of the company. Some examples:
Fake banking websites: A classic scam that just keeps getting more sophisticated. The attackers create a fake website that mirrors a bank’s legitimate website. Most victims who get to this site have received an email with an urgent warning about a security breach, system update, expired password, etc. The link in the email brings them to this phishing website, where they are told they can resolve whatever issue generated the warning. Whatever data is entered into the site is sent to the attacker.
Protect yourself from this scam by checking the URL of a website before entering user credentials and other sensitive information. The best practice is to navigate to your bank's site directly by typing the URL into your browser, rather than clicking on a link in an email.
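The URL check described above, as an added example that is not part of the original post. It assumes a constructed list of known bank domains (Chase is used because the post mentions it) and a simplified two-label view of the registrable domain; it flags the usual fake-site tricks rather than proving a site is genuine.

```python
# Added example (not from the original post): check whether a link really
# points to the bank before credentials are typed into it.
from urllib.parse import urlsplit

# Constructed: the registrable domains of the banks we recognise as legitimate.
KNOWN_BANK_DOMAINS = {"chase.com"}

# Look-alike characters commonly substituted in fake hostnames (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (a simplification: ignores
    multi-part public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_bank_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the link is plain HTTPS to a
    known bank domain with nothing suspicious in the host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # https://chase.com@evil.example puts the bank name in the userinfo part
        return False, "userinfo before host"
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return False, "internationalised (punycode) hostname"
    if host.replace(".", "").isdigit():
        return False, "raw IP address instead of a bank hostname"
    domain = registrable_domain(host)
    if domain in KNOWN_BANK_DOMAINS:
        return True, "known bank domain"
    for bank in KNOWN_BANK_DOMAINS:
        # chase.com.secure-login.example is owned by secure-login.example
        if bank in host:
            return False, f"'{bank}' embedded in a host owned by {domain}"
        if domain.translate(HOMOGLYPHS) == bank.translate(HOMOGLYPHS):
            return False, f"look-alike of {bank}: {domain}"
    return False, f"unknown domain {domain}"
```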
Mobile Banking Trojans: We’ve discussed these attacks at length, and they deserve a mention here. These are among the most dangerous and prolific attacks, and the damage they do goes far beyond your bank account. Defend against these attacks by understanding how they work and using caution when installing an app.
Business Email Compromise (BEC) fraud: BEC attacks are particularly insidious because they rely on compromised email accounts from real people. Attackers use the legitimate email account of an executive to request urgent wire transfers or sensitive information. By using the real email account of the real executive, the attacker can make requests with some authority and intercept any responses from the recipients.
This scam depends on the absence of business policies and security awareness. Make sure the company has strict controls in place to prevent accidental approval of fake invoices, payments, and wire transfers.
A successful phishing attack often marks the beginning of another cybercrime. In 2019 the Russian-speaking gang ‘Silence’ infiltrated Dutch-Bangla Bank with a multi-step phishing campaign targeting bank employees. The gang gathered information about the targets through malware-free messages that may have looked like bulk marketing messages or spam. These email messages were used to test the security posture of the email system and confirm that targeted email addresses were valid and working.
This data helped the group craft the phishing campaign that delivered the malware-laden attachment. At least one employee opened this attachment and accidentally installed the malware on the bank’s network. Silence threat actors were able to access bank systems and steal roughly $3 million over the following three months.
Financial institutions should maintain ongoing cybersecurity training for employees to help them defend against phishing attacks. Email protection with AI-driven inbox security can flag phishing attempts by learning the communication patterns of the organization. This type of system can intercept or flag phishing messages from external and internal senders, even if there is no malicious attachment or link.
Financial institutions usually offer specific information on how to identify and handle cyberthreats. Using Chase as an example, you can see how to spot suspicious emails, how to report fraud, etc. If you suspect a phishing attack or you have been a victim of an attack, contact your financial institution immediately and report the incident.
Ransomware is one of those threats that creates several layers of damage for your company, affecting not just your data and computer systems but your entire brand:
Data exfiltration: Ransomware sends copies of your data to the attacker prior to the encryption event. This allows the attacker to demand payment in exchange for not selling or leaking the data to third parties.
Data encryption: The ransomware encrypts any data it finds, and the attacker demands a ransom in exchange for decryption. What happens next depends on how well the company prepared itself for this type of crime.
System downtime: When mission-critical data is encrypted, systems can be disabled and effectively useless. Sometimes the downtime interferes with business operations, sometimes it’s just a nuisance in the background. Either way, downtime always has a cost.
Brand damage: There is always collateral damage when a successful ransomware attack affects partners, vendors, employees, or customers. It may be their sensitive data that is stolen, or they may simply wonder if they can trust the company again. Sometimes this damage cannot be undone.
Each of these events will cost a company, either in ransom paid, IT recovery costs, or business lost due to downtime and brand damage.
A bank doesn’t have to be hit directly with ransomware to be disrupted by an attack. More than a dozen financial institutions around the world lost online foreign currency services when the REvil ransomware gang struck Travelex on December 31, 2019. The gang demanded $6 million in exchange for destroying the sensitive data it had stolen from Travelex prior to encryption. The Wall Street Journal later reported that Travelex negotiated the ransom and paid $2.3 million in Bitcoin.
A comprehensive patch management system is a foundation of cybersecurity and defends your company from more than just ransomware.
APTs are targeted attacks where threat actors gain access to a network and remain undetected for a long period of time. Potential victims are identified and targeted based on the purpose of the attack. This could be espionage, financial gain, or system disruption based on an ideological or geopolitical motive. The skill and resources needed to deploy such attacks are out of reach for criminals who rely on quick paydays or subscription malware. These are long-term, labor-intensive attacks that are usually carried out by nation-state actors and organized criminal gangs.
APTs infiltrate a system using whatever means possible, including phishing attacks, malicious attachments, exploits and vulnerabilities, and insider threats. A successful APT attack will perform several tasks:
Network reconnaissance: Exploring and investigating a network is one of the most important jobs of the APT because the attacker can use this information to amplify the attack. This is one reason why network segmentation is so important to security: the network is divided into smaller sections contained by secure boundaries, which limits lateral movement.
Avoiding detection: APTs are good at hiding, which is why they are ‘persistent’ threats. They can cover their tracks by deleting logs, altering timestamps, and using other techniques that make them harder to find.
Escalation of privileges: APTs always attempt to get the highest possible permission set on the network. Several methods can be used for this, including social engineering tactics that are based on information learned from network reconnaissance.
Establishing backdoors: Threat actors create additional ways into a network so they can access the system at will. These backdoors could remain in place on a network for months or years after the original breach.
Data exfiltration: APTs will siphon data out of a victim’s system when the threat actor considers it safe to do so. Network reconnaissance helps the attacker determine the location, value, and best method for extraction.
Malware installation: APTs often employ additional malware to assist in the attack. An infostealer might be deployed just long enough to capture some credentials, or ransomware could be installed on the attacker’s way out. Using malware in this way allows the developers to focus on the core functions of their APT and not spend time creating one bloated piece of malware that would be more difficult to hide.
A sophisticated attack might do a lot more than this, or it might just perform stealth reconnaissance for as long as possible. It depends on the purpose of the attack.
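The "avoiding detection" step above names two anti-forensic tricks: deleting log entries and altering timestamps. The following is an added example, not code from the original post, showing how a defender can catch both when logs carry a sequence number and a hash chain. The record format and sample events are constructed for the example; in practice the latest chain hash is also forwarded to a remote collector so an intruder cannot simply rebuild the chain.

```python
# Added example (not from the original post): audit a hash-chained log for
# deleted records and rewritten timestamps.
import hashlib
from datetime import datetime

def record_hash(prev_hash: str, seq: int, ts: str, msg: str) -> str:
    """Hash of a record chained to its predecessor (constructed log format)."""
    return hashlib.sha256(f"{prev_hash}|{seq}|{ts}|{msg}".encode()).hexdigest()

def audit_log(lines: list[str]) -> list[str]:
    """Return one finding per detected problem; an empty list means the chain is intact.
    Line format (constructed): '<seq>|<ISO timestamp>|<message>|<hash>'."""
    findings = []
    prev_hash, prev_seq, prev_ts = "GENESIS", 0, None
    for line in lines:
        seq_s, ts, msg, h = line.split("|", 3)
        seq = int(seq_s)
        if seq != prev_seq + 1:  # deleted entries leave a hole in the numbering
            findings.append(f"gap before seq {seq}: records {prev_seq + 1}..{seq - 1} missing")
        t = datetime.fromisoformat(ts)
        if prev_ts is not None and t < prev_ts:  # backdated record
            findings.append(f"seq {seq}: timestamp {ts} is earlier than the previous record")
        if h != record_hash(prev_hash, seq, ts, msg):  # content or predecessor changed
            findings.append(f"seq {seq}: hash mismatch, record or its predecessor was altered")
        prev_hash, prev_seq, prev_ts = h, seq, t
    return findings

def make_log(events: list[tuple[str, str]]) -> list[str]:
    """Build a well-formed chained log from (timestamp, message) pairs."""
    lines, prev = [], "GENESIS"
    for i, (ts, msg) in enumerate(events, 1):
        prev = record_hash(prev, i, ts, msg)
        lines.append(f"{i}|{ts}|{msg}|{prev}")
    return lines

# Constructed sample: a normal morning's logon events.
GOOD = make_log([
    ("2023-02-01T08:00:00", "logon user=alice host=ws01"),
    ("2023-02-01T08:05:00", "logon user=bob host=ws02"),
    ("2023-02-01T08:09:00", "logon user=svc-backup host=db01"),
    ("2023-02-01T08:15:00", "logoff user=alice host=ws01"),
])
# The same log after an intruder deletes record 3 and backdates record 4.
TAMPERED = [GOOD[0], GOOD[1], GOOD[3].replace("T08:15:00", "T07:59:00")]
```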
Dozens of financial institutions have been targeted by APT threat actors. The French-speaking APT group OPERA1ER is suspected of 30+ successful attacks between 2018 and 2022. Total thefts are at $11 million, and actual damages to the companies may be as high as $30 million. OPERA1ER targets banks, financial services, and telecom companies.
The North Korean state-sponsored Lazarus Group pulled off one of the largest cyberheists in history in the 2016 attack on Bangladesh Bank. The APT malware was developed by the Lazarus Group and delivered through phishing emails with malicious attachments. Once installed, the malware allowed Lazarus Group to create backdoors, steal credentials, navigate the bank’s network, and cover their tracks by changing transaction-related log entries. As of February 2023, the bank has recovered about $15 million of the $81 million taken in the heist.
Multiple layers of security are required to fully defend against APT attacks. Network, application, and email threat vectors should be secured with protection that defends against intrusion and data exfiltration. Signal sharing, up-to-date threat intelligence, and comprehensive logging can help administrators create security policies that are informed by current attacks. This will help IT teams identify system anomalies more quickly and possibly prevent an APT from establishing a foothold in the network.
Many attacks begin with a phishing email, and an AI-based anti-phishing system should be a requirement for any financial organization. Proper data backups cannot prevent the theft of data, but they can restore data that may have been destroyed in an attack.
As with any other cyberthreat, APTs may be blocked or minimized with proper patch management, employee security training, and an incident response plan.
Natrix offers Barracuda's complete portfolio of solutions to protect you from phishing, ransomware, and APT attacks. See how we can help protect your company at www.barracuda.com.
By Christine Barry
This article originally appeared on Journey Notes, the Barracuda blog.