Targeted attackers focus primarily on financial institutions, taking the quickest route to money. There is obviously little sense in attacking a special-purpose software developer’s website, as very few people will notice its unavailability for a couple of hours. Banks, however, may suffer dramatically from targeted attacks. Such attacks are called targeted (or pointed) because the cybercriminal selects the victim (a company or an individual) in advance, makes thorough preparations and selects or develops sophisticated attack tools, which makes these attacks far more effective than mass attacks.

There are several types of targeted attack. The best known is the Distributed Denial of Service (DDoS) attack. Common public belief holds that DDoS attacks are the most widespread of these, but that is not accurate. DDoS attacks are simply more visible, since they hit an enterprise information system (most often a corporate website or an intranet) in order to cause a denial of service: a situation in which authorised users cannot access system resources (servers), or can do so only with great difficulty.

This type of attack is a real threat to banks that provide comprehensive internet banking services (user accounts, online payments, etc.). It is noticed immediately when such a website is inaccessible or its services are unavailable. The 2015 attack against the Finnish financial group OP-Pohjola is among the most notable attacks of this year.

There are dedicated DDoS protection tools that major banks and financial institutions know about and deploy as a matter of course. While DDoS attacks are most often aimed at the banks themselves, banking clients most often suffer from a form of attack known as “phishing”, a very widespread type of targeted attack.

Phishing substitutes genuine online banking pages with false ones in order to harvest clients’ confidential information (user account logins and passwords, account and credit card numbers, etc.), which is then used to gain access to their accounts and transfer their money to the cybercriminals’ accounts.

In such cases, I would recommend that banking clients carefully check the address bar of the online banking page, and refrain from entering any personal data if the page address differs from the address the bank usually uses. The same goes for when the ‘http’ protocol is used instead of ‘https’.
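The two manual checks above (the bank’s usual address, and https rather than http) expressed as a single check, added here as an illustration and not part of the original article; the host onlinebank.example is a constructed placeholder for a bank’s real online banking host.

```python
from urllib.parse import urlsplit

# Placeholder for the bank's real online banking host (constructed for this example).
EXPECTED_HOST = "onlinebank.example"


def is_expected_banking_page(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only if the page is served over HTTPS from the bank's own host or one
    of its subdomains: the address-bar and protocol checks recommended above."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # plain http: credentials would travel unencrypted
    # .hostname drops any user@ prefix and :port, so a decoy "bank@evil" prefix
    # does not count as the host; trailing dot and case are normalised.
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    # Exact match or a genuine subdomain. A naive "is the bank name in the URL?"
    # test would accept look-alikes such as onlinebank.example.attacker.test.
    return host == expected or host.endswith("." + expected)
```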

In addition, in order to gain unauthorised access to and steal client information such as user passwords and credit card data, cybercriminals often use social engineering techniques to deceive bank clients. Social engineers and hackers exploit human nature itself. Their attacks target individuals who lack experience in information security matters. A social engineer knows almost everything about a victim and uses this knowledge during the attack.

As an example, a targeted social engineering attack may consist of an email or SMS sent to the victim, purportedly on behalf of the bank’s client manager, containing the following text: “Dear Mr. Anderson, Your Bank [author’s note: the client’s bank is identified in advance] is checking the security system. Please send your credentials (user log-in name and password/credit card number and PIN) to this email address/SMS number.”

Unfortunately, there are no effective technical means of combating attacks powered by social engineering. A bank should educate its clients about information security. Clients should be made fully aware that a bank would never request log-in names, passwords, card numbers, PINs, CVV/CVC codes or other confidential client data, as such requests are prohibited by the information security policies adopted by the vast majority of banks.

The most powerful targeted attacks against banks are those powered by special-purpose software. This is the most destructive and fastest-spreading type of attack, and InfoWatch has special software that protects against it and detects targeted-attack malware in almost every pilot project.

Among the best-known attacks of this type are Stuxnet (Iran’s nuclear sites), ZeuS (theft of money from client accounts at European banks), and the attacks against RSA and Nortel, among others.

But how do cybercriminals perform targeted attacks against banks?

Once an organised team of hackers or cybercriminals accepts an order for a targeted attack against a specific bank, preparations start with developing sophisticated malware tailored specifically to infiltrate that bank’s security system.

It may be planted on a bank operator’s workstation in order to substitute account numbers during wire transfers, or to skim small sums from them and credit the amount to third-party accounts. Such theft often goes unnoticed because clients may mistake it for a bank commission.

Such malware can also be planted in the bank’s processing system. This is very difficult to achieve, because banks’ processing servers employ very strong protection measures, but when it succeeds the hackers gain full access to all the bank’s transactions.

Targeted-attack malware can bypass standard information security tools such as anti-virus products and firewalls, so special-purpose security systems have been developed to prevent targeted attacks. The first are software products, such as InfoWatch’s, that scan the enterprise information systems at regular intervals for anomalies (changes not seen before).

If such anomalies are detected, the InfoWatch security system sends the relevant data to a special-purpose expert cloud, where further analysis and evaluation shows whether the anomalies relate to a Trojan or other such malware.
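As an added illustration (not InfoWatch’s product code), the baseline-and-rescan idea behind detecting “changes unknown before”: a file-level snapshot of a system is taken, the system is rescanned at the next interval, and anything new, altered or missing is reported as an anomaly for further analysis. The directory layout and file contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    state = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root_path).as_posix()] = digest
    return state


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Report the 'changes unknown before': files that appeared, vanished, or
    whose content hash no longer matches the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a mock operator workstation, simulate a
    tampered binary plus an unexpected module, then rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "teller.exe").write_bytes(b"constructed teller binary")
        (root / "config.ini").write_text("transfer_limit=1000\n")
        baseline = snapshot(tmp)  # trusted state, taken at install time

        # Simulated drift between two scheduled scans (constructed data).
        (root / "bin" / "teller.exe").write_bytes(b"constructed teller binary, patched")
        (root / "bin" / "hook.dll").write_bytes(b"unknown module")

        return diff_against_baseline(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and signed, and the flagged files (not the whole system) are what gets escalated to an analysis service such as the expert cloud described above.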

Secondly, some security software and hardware systems emulate the enterprise information system, redirect all traffic to the emulated copy, and analyse that traffic for malware. However, some malware can recognise the emulated environment and run unnoticed within it.

The third approach to protection against targeted attacks is so-called ‘debris analysis’, in which a consulting team analyses the incident, the malware used, the scenarios, etc., so that the company can protect itself from similar threats in the future.

According to international analyst agencies, enterprise infrastructure faced more malware-based targeted attacks than DDoS attacks in 2014. This is because the costs of the two attacks are the same, while targeted attacks using malicious code are much more effective and profitable. Thus financial organisations have become the No. 1 target from which cybercriminals can expect maximum profit.

This is not a threat of tomorrow but of today, and the time for the cyber battle has already come.

The writer is Deputy CEO at InfoWatch.