The financial services industry is among the most heavily targeted sectors by cybercriminals. In 2015 we saw a surge in attacks that involved extortion, social engineering, credential-stealing malware and sophisticated threats. In order to better defend against these unrelenting and increasingly malicious attacks, financial institutions must continually strive to understand the threats and the actors behind them.
Based on correlating sector data and analysing changes month on month here is a brief overview of the new threats and tactics, techniques and procedures (TTPs) that security professionals in the financial services sector should know about. With relevant and contextual insight, security teams can increase their cyber situational awareness and better align security strategies in 2016.
Two main actors, DD4BC and the Armada Collective, led the way in Distributed Denial of Service (DDoS) extortion in 2015. They use similar TTPs to extort Bitcoins from victims, beginning by notifying them that they are vulnerable to a DDoS attack and increasing attack activity and the ransom request if they are ignored. By the end of the year more bad actors jumped into the fray including a group called Hacker Buba which began tweeting links to customers’ private financial data when its extortion attempts were unsuccessful.
* Social media attacks
There were several notable examples of attackers misusing social media profiles, hiding behind fake profiles to gain trust and extract information for social engineering purposes. Toward the latter part of 2015 both Facebook and Twitter began proactively monitoring for suspicious activity and notifying users if they believed their accounts had been targeted or compromised.
* Spear phishing and whaling
Achieved by the use of reconnaissance to make messages appear more genuine, spear phishing attacks masquerade as a legitimate individual or institution and co-opt their established trust to coerce the target into providing credentials to the attacker. Whaling, targeting multiple victims for larger sums of money, takes this method to the next level and escalated in 2015. It involves spoofing executives’ emails — often those of CEOs — to dupe finance departments to make large transfers into fraudulent accounts. The directive often includes a URL that appears to be a legitimate financial services website but in fact redirects the target to an alternative site.
* Point-of-Sale malware
PoS systems remain a target for criminals despite the adoption of the Europay, MasterCard and Visa (EMV) standard. A number of variants of POS malware, including LusyPOS and BlackPOS, have been observed recently. There is also some evidence that cloning of EMV credit cards is possible.
* ATM malware
Various ATM-specific malware threats were discovered in 2015. GreenDispenser infects ATMs and allows criminals to extract large sums of money while avoiding detection. Reverse ATM attacks also emerged. These attacks use a combination of compromised PoS terminals and ‘money mules’ in order to reverse transactions after money has been withdrawn physically or sent to another bank account.
* Other notable threats
Credential-stealing malware targeting banking customers is on the rise. For example, Dridex has been very active in 2015 and has garnered significant international law-enforcement attention. Exploit kits, which offer a user-friendly way for attackers to infect victims, are also highly active with some of the more popular kits, like the Angler Exploit Kit, incorporating the ability to take advantage of new vulnerabilities extremely quickly.
Sophisticated financial services threats
Throughout 2015 multiple threat actors used sophisticated TTPs in order to infiltrate organisations and exfiltrate valuable data. Typical TTPs include the use of social engineering such as spear phishing, network intrusion techniques and custom malware toolsets and utilities. Examples of such threats include Desert Falcon and Equation Group, which target multiple geographies and multiple sectors, including financial services. An organised gang named Anunak/Carbanak targeted financial institutions specifically. This particularly advanced group broke into internal networks, installed malicious software and took control of victims’ machines to drain bank ATMs of cash and steal money using the SWIFT network.
The financial services sector will likely continue to experience cyber threats more frequently than other industries and from threat actors with access to a range of TTPs. While companies and law enforcement are working together to identify and stop these attacks and the groups behind them, financially-motivated cybercriminals never rest. Organisations must continue their quest for better threat protection and risk mitigation. By understanding which malicious actors may target an institution, why, and their methods of attack, financial services firms can enhance their cyber situational awareness and make more informed decisions about where and how to focus their security resources.
Alastair Paterson, CEO and Co-Founder of Digital Shadows