Considering the sensitive information it holds, it is no wonder that the financial services industry continues to be one of the critical infrastructure sectors most targeted by cyber-criminals. Recent societal and technological changes during 2021 have made matters worse.
The ongoing COVID-19 pandemic has created a ripe target field for cyberthreats: industries and individuals alike became vulnerable as they wrestled with remote working practices, mass digital disruption, and widening security perimeters. Cyber-criminals have only become more self-assured as they move beyond traditional theft and ransoms to leak sensitive information, discredit reputations, and commit fraud. Many of these ‘new breed’ cybercriminals are armed with sophisticated malware that was once out of their reach but is now readily available through subscription models and underground forums.
Blueliv’s latest whitepaper, Follow the Money, takes a close look at this evolving threat landscape. Supported by intelligence gathered by Blueliv’s Threat Context, the whitepaper identifies recent attacks, popular cyber threats and the threat actors behind them, and offers the financial services industry advice on how to manage this cyber-risk. Below are highlights from the whitepaper:
- Phishing - Phishing is a staple technique cyber-criminals use to steal credentials and personally identifiable information (PII), and it remains one of the most effective attack vectors. It is typically used in conjunction with social engineering techniques to extract information from victims by tricking them into believing that the email they have received is legitimate (often from a bank or government body) and requires action. That action often sees the victim clicking a link or opening an attachment containing malware that grants the attacker access to their systems.
- Business Email Compromise (BEC) - BEC attacks allow malicious actors to gain access to a business email account and pose as the owner to defraud the target company and its employees, customers or partners. In doing so, attackers can access sensitive data via company systems and networks. BEC attacks target financial institutions due to the valuable information available should attackers succeed. Once in a network, attackers focus on tricking other employees into transferring money into criminal bank accounts or disclosing access information that would enable them to do so themselves.
- Ransomware - Ransomware is malware that encrypts a victim’s files and holds them hostage until the victim pays a ransom; ransomware attacks have rocketed in popularity and sophistication over the past two years. Typically, attackers demand that their victims pay within a specific time frame, or else they leak the data publicly. Should the victim pay, the attacker may provide a means for the victim to regain access to the system or data. These attacks have historically been opportunistic, though they are becoming increasingly targeted. Successful ransomware attacks usually begin with an attacker gaining access to a device via a malicious attachment on an email disguised to look as though it comes from someone the recipient trusts. Once opened and downloaded, the file gives the criminal access to the machine.
- Credential Theft - Using just one stolen credential, criminals can gain access to a company’s systems or networks to launch a more comprehensive attack, move money as part of money-laundering and insurance scams, and even spread malicious links among other employees. Credential theft is a universal problem that affects every modern industry and costs the global economy millions of dollars every year.
- Malware Infection - Malware infections use a malicious email to launch various types of attack campaigns, from credential theft to trojans and more. According to Blueliv’s data, outlined in its latest financial services threat landscape whitepaper, the top five malware stealers used for credential theft explicitly targeting the financial services sector as of October 2021 are Azorult, Arkei, Redline, Raccoonstealer and Collector.
- Banking Trojans - Banking trojans are programs built to steal sought-after information stored in or processed through online banking systems; they typically rely on form-grabbing, code injection, and specific stealer modules dropped onto the infected machine. These modules may impersonate a legitimate piece of software to lure users into installing them. From there, they search for and extract sensitive data that the criminals can monetize.
- Point of Sale (POS) Malware - All digital consumer purchases at a retailer are handled by POS systems built of hardware (e.g., the terminal used to read the customer’s card) and software that tells the hardware what to do with the information it receives. Malware built to infect these systems has gained popularity in recent years and has allowed criminals to extract card data, which can then be used or sold on, both of which result in financial gain for the attacker. A combination of hard-to-detect data-exfiltrating malware, legacy hardware that is difficult to patch, and general OS vulnerabilities means that this threat can be hard to defend against.
- Mobile App Malware - While they boast a high level of security, the reality is that many banking apps, just like other consumer apps, have common flaws and vulnerabilities that criminals can exploit to extract sensitive data. Mobile banking trojans, in particular, are “one of the most rapidly developing, flexible and dangerous types of malware” and have functionalities that include credential theft as well as stealing funds from mobile users’ bank accounts. Recent research highlights a year-over-year increase of 129% in malicious actors targeting smartphones since 2019, driven by the increased use of mobile banking applications.
- Distributed Denial-of-Service (DDoS) Attacks - In this attack, cybercriminals flood and crash a target website by overwhelming it with traffic, using multiple compromised computer systems, including computers and other network-connected devices, as sources for the attack traffic. Recently, off-the-shelf toolkits and DDoS-for-hire sites have put this attack vector within reach of attackers who would otherwise not have had access to it. DDoS attacks disrupt business functions, damage traffic and databases, and can lead to substantial financial losses for the victim; even small attacks can be damaging if they take a website down and force customers to take their business elsewhere. These attacks are a significant risk to financial services institutions, since revenue will likely be disrupted by an attack, not to mention the costs of remediation and even customer compensation.
- Cryptojacking - Cryptocurrency has become incredibly popular over the past year. The market moves millions of dollars each day with almost no regulation in place, making it a perfect target for threat actors. Cryptocurrencies are, by design, private and anonymous, so it is difficult for victims to protect themselves or their finances in the face of an attack. All an attacker needs to do is gain access to a target’s device via a cleverly disguised phishing email; from there, they can generate and transfer cryptocurrency to their personal accounts.
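Several of the threats listed above (phishing, BEC, ransomware, cryptojacking) begin with a link in an email that does not go where its text says it goes. The following is an added example, not code from the whitepaper or from Blueliv, showing three cheap checks a mail-filtering or security-awareness team can run over an email body: links to a bare IP address, visible link text naming a different domain than the href, and a trusted brand name embedded in a host that is not the brand's own domain. The sample email, the `TRUSTED_DOMAINS` set and all hosts are constructed (documentation and test ranges); a real deployment would replace the naive `registrable_domain` helper with a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains the bank legitimately links to in customer mail.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample email body; the hosts and IP address are documentation/test ranges.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Please sign in at <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help centre</a>.</p>
<p>Or use <a href="https://examplebank.com-secure-login.test/">examplebank.com</a></p>
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOOKS_LIKE_HOST = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text_or_url):
    """Hostname of a URL, or of bare text such as 'examplebank.com'."""
    candidate = text_or_url if "://" in text_or_url else "http://" + text_or_url
    return (urlparse(candidate).hostname or "").lower()


def registrable_domain(host):
    # Naive: last two labels. Production code should consult the public suffix list.
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_links(html, trusted=TRUSTED_DOMAINS):
    """Return the anchors that show phishing indicators, with the reasons for each."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        href_domain = registrable_domain(href_host)
        reasons = []
        # 1. Link goes to a bare IP address rather than a named host.
        if IPV4.fullmatch(href_host):
            reasons.append("raw-ip-host")
        # 2. Visible text names one domain while the href goes to another.
        if LOOKS_LIKE_HOST.search(text):
            text_domain = registrable_domain(host_of(text.split()[0]))
            if text_domain != href_domain:
                reasons.append("display-text-host-mismatch")
        # 3. A trusted brand name embedded in a host that is not the brand's domain.
        if href_domain not in trusted and any(t in href_host for t in trusted):
            reasons.append("brand-lookalike-host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

On the constructed sample, the first and third links are flagged and the genuine help-centre link passes. These heuristics are deliberately simple and produce false positives on legitimate tracking-redirect links, so they are best used to prioritise messages for review or to trigger a banner rather than to block outright.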
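The DDoS item above describes traffic from many compromised sources; the first thing an operations team usually wants is a way to spot, from the web server's own access log, which sources are hammering the site. The following is an added example, not code from the whitepaper or from Blueliv: a sliding-window request counter per source IP over Common Log Format lines. The log lines, addresses (TEST-NET ranges), window length and threshold are all constructed for the example; tune the threshold to the site's real per-client baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed access log: one normal client and one flooding source."""
    base = datetime(2021, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(5):  # normal browsing: one request every 12 seconds
        events.append((base + timedelta(seconds=12 * i), "198.51.100.5", "GET /login HTTP/1.1", 200))
    for i in range(30):  # flood: 30 requests within 3 seconds
        events.append((base + timedelta(milliseconds=100 * i), "203.0.113.9", "GET / HTTP/1.1", 503))
    events.sort(key=lambda e: (e[0], e[1]))
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512' for ts, ip, req, status in events]


SAMPLE_LOG_LINES = build_sample_log()


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "request": request, "status": int(status)}


def find_floods(lines, window_seconds=10, per_ip_threshold=20):
    """Sliding-window request counter per source IP.

    Returns {ip: first timestamp at which that IP reached the threshold}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count these separately in production
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= per_ip_threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_floods(SAMPLE_LOG_LINES).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

This catches a single noisy source and is a reasonable input to a rate-limit or block rule. A true distributed attack spreads the same volume across thousands of addresses that each stay under any per-IP threshold, which is why the per-source view must be paired with an aggregate request-rate alarm and upstream (provider or CDN) mitigation rather than relied on alone.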
This raises the question: how can the financial services industry manage its cyber risk? While financial institutions typically invest more in security than other industries, they cannot possibly invest the time or money needed to implement every security solution out there, or build a team of security experts skilled enough to protect their data from the numerous threats facing them. Even the world’s largest banks, investment funds, and financial services organizations are unable to plug every gap in their security infrastructure. That is where threat intelligence comes in.
True threat intelligence offers organizations real-time information on the threats lurking outside their perimeter, actionable insights into infected devices to prevent fraud, and the ability to detect leaked, stolen and sold user credentials in real time. With this, organizations can act on fresh and reliable information to mitigate or altogether avoid the threats outlined in this blog, and can focus their often limited resources on the most crucial threats targeting their networks and infrastructure. Simply put, threat intelligence empowers security teams to act more effectively and more efficiently in the face of cyber threats.
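The paragraph above mentions detecting leaked, stolen and sold credentials; what that looks like on the receiving end is a feed of leaked email/password pairs that the security team has to turn into actions. The following is an added example, not code from the whitepaper, from Blueliv or from any threat-intelligence product. It assumes a hypothetical organisation domain, a constructed identity store holding salted PBKDF2 hashes, and a constructed leak feed, and it sorts each in-scope record into a bucket (the leaked password still works, it is stale, or the account is unknown). It also includes a client-side k-anonymity password check of the kind popularised by Have I Been Pwned, with the server side stubbed locally so the example runs offline; only a five-character hash prefix would ever leave the organisation.

```python
import hashlib
import hmac
import os

ORG_DOMAIN = "examplebank.com"  # hypothetical organisation domain


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_user_store(users):
    """Constructed identity store: email -> (salt, PBKDF2 hash), as a directory would hold it."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, _pbkdf2(password, salt))
    return store


USER_STORE = build_user_store({
    "alice@examplebank.com": "Correct-Horse-Battery-Staple",
    "bob@examplebank.com": "Winter2021!",
})

# Constructed leak-feed records of the kind a threat-intelligence platform delivers.
LEAK_FEED = [
    {"email": "bob@examplebank.com", "password": "Winter2021!", "source": "dump-2021-10"},
    {"email": "alice@examplebank.com", "password": "hunter2", "source": "dump-2021-09"},
    {"email": "Dave@ExampleBank.com", "password": "letmein", "source": "dump-2021-09"},
    {"email": "carol@other.example", "password": "qwerty", "source": "dump-2021-09"},
]


def triage_leak_feed(feed, store, org_domain=ORG_DOMAIN):
    """Map each in-scope leaked account to an action bucket."""
    results = {}
    for rec in feed:
        email = rec["email"].lower()
        if not email.endswith("@" + org_domain):
            continue  # another organisation's user; not ours to act on
        if email not in store:
            results[email] = "unknown-account"  # retired or never-provisioned address
            continue
        salt, stored = store[email]
        if hmac.compare_digest(_pbkdf2(rec["password"], salt), stored):
            results[email] = "password-reuse-confirmed"  # force reset, revoke sessions
        else:
            results[email] = "stale-credential"  # warn the user, watch for reuse
    return results


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_response(leaked_counts, prefix):
    """Constructed stand-in for an HIBP-style range endpoint: 'SUFFIX:COUNT' lines for one prefix."""
    lines = []
    for password, count in leaked_counts.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def password_seen_in_range(password, range_response):
    """Client side of the k-anonymity check: compare suffixes locally, return the breach count."""
    full = sha1_hex(password)
    for line in range_response.splitlines():
        suffix, count = line.split(":")
        if hmac.compare_digest(suffix, full[5:]):
            return int(count)
    return 0


if __name__ == "__main__":
    for email, action in triage_leak_feed(LEAK_FEED, USER_STORE).items():
        print(f"{email}: {action}")
```

The design point is that the feed is matched against the directory's existing salted hashes, so the organisation never has to keep plaintext or unsalted hashes of its own users' passwords to benefit from the intelligence, and the k-anonymity check lets it ask an external service about a password without revealing it.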
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings