You are here

Financial cyber threats loom large

Malware in the sector, with more than 1.2 million annual detections, is more than twice as prevalent as ransomware.

Cyberattacks are not only targeting the banks' customers. There are several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent inter-bank transactions.

FINANCIAL threats are still profitable for cyber criminals and, therefore, continue to be an enduring part of the threat landscape. From financial Trojans that attack online banking, to attacks against automated teller machines (ATMs) and fraudulent interbank transactions, there are many different attack vectors utilised by criminals.

As Symantec we had predicted in 2015, there was an increase in attacks against corporations and financial institutions during 2016. This was evident from a series of high-value heists targeting Society for Worldwide Interbank Financial Telecommunication (Swift) customers. While there is no evidence of any such high value heists on Swift customers this year, the 2016 attacks saw several such institutions lose millions of dollars to cyber criminals and nation state-supported attackers such as the Lazarus group.

On average, 38 per cent of the financial threats we detected in 2016 were found in large business locations. Most of these infection attempts were not targeted attacks but were instead due to widespread email campaigns. Although we have seen a 36 per cent decrease in detection numbers for financial malware in 2016, this is mainly due to earlier detection in the attack chain and more focused attacks.

With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware.The financial Trojan threat landscape is dominated by three malware families: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86 per cent of all financial Trojan attack activities in 2016. However, due to arrests, takedowns, and regrouping, we have seen a lot of fluctuations over the last year.Globally, financial institutions in the US were targeted the most going by the samples analysed by Symantec, followed by Poland and Japan.

Infection vectors for financial Trojans haven't changed much in the past year and are still identical to other common Trojans. Distribution mainly relies on spam email with malicious droppers attached and web exploit toolkits. The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016.

The already well-known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment forms have also been used in massive spam runs to distribute malware. We have also seen Office documents without macros, and instead with embedded OLE objects and instructions for the user to double-click the payload. The Necurs botnet (Backdoor.Necurs), which sent out more than 1.8 million JS downloaders in one day alone in November 2016, highlights the magnitude of some of these campaigns.

Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just one in 9,138 emails in March 2017. In 2016, the average number of phishing emails was slightly higher than one in 3,000 emails. Simple phishing no longer works against most banks and financial institutions, as they rarely rely on static passwords alone. But phishing attacks can still be successful in stealing online retail account credentials and credit card details.

ATM and point of sales (POS) attacks continued to increase in 2016. ATM malware has been around for 10 years but is still effective. With the increase of targeted attacks aimed at banks, we also saw an increase in attacks against ATMs from within the financial network. Since the adoption of Chip & PIN has begun to spread outside of Europe, we have seen a decrease of classic memory scraping threats, as they are no longer efficient for the attackers.

There are various degrees of sophistication seen in the wild when it comes to ATM attacks. For some attacks, the criminals need physical access to the ATM computer and they get this by opening the cover with a stolen key or picking the lock.

Once they have access to a USB port or the CD-ROM, they can install malware and attach a keyboard to issue commands (the Ploutus malware uses this attack vector). Similar attacks have been reported in hotels where attackers used the often exposed USB ports on the backside of the check-in computers to install malware. Or in retail stores where the attackers added their sniffer to an exposed network port inside the shop. This allows them to compromise any attached POS device and scrape the memory for payment card information.

With physical access to the ATM, another attack vector is possible. As reported in April 2017, some attackers discovered they could drill a hole into the ATM casing in order to access the internal bus system. Once access is obtained, a cheap microcomputer is all that is needed to send commands to the bus in order to make the ATM dispense its cash.

We have also seen trends in financial malware attempting to hide configuration files from researchers as well as the move to redirect attacks or even manually log into the system to issue large transactions if interesting financial software is detected.

Mobile threats on Android are mainly focusing on form overlay attacks or fake online banking apps. We have seen more than 170 mobile apps targeted by mobile malware. Mobile threats are still relevant as many financial institutions have deployed two-factor authentication through mobile phone applications.

As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorising fraudulent transactions. The end-user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.

When a cyberattacker successfully compromises an internal network, he can steal any credentials that will help maximise his profits. This could mean stealing online banking credentials, sensitive personal data or other passwords. It is common for financial threats to steal any other account information that they can find on a compromised computer. Once compromised, cyberattackers can use any stolen information to spread their malware further, or even sell them on underground forums. Credit card details are still the most sold digital goods on the underground forums, while bank account access information is priced according to the account balance. For example, an account with US$1,000 in it can be sold for US$10. An account with a greater balance will be on sale for a larger sum.

The attacks are not only targeting the banks' customers. We have seen several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent inter-bank transactions. Financial institutions are confronted with attacks on multiple fronts. The main two types are attacks against their customers and attacks against their own infrastructure.

In the event of a cyber breach, companies' losses extend far beyond just monetary value. Their reputation and customers' trust - areas that take time and effort to develop - will also be damaged. We expect financial threats to remain a problem for end-users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them. Prevention is by far the best outcome, so it pays to pay attention to how cyber breaches can be avoided. Emails and infected websites are the most common infection vectors for malware. Adopting a robust defence against both these infection vectors will help reduce the risk of infection.

We expect financial threats to remain a problem for end-users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them.

  • The writer is Symantec's senior vice-president, Asia Pacific

BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to