FINANCIAL threats are still profitable for cyber criminals and, therefore, continue to be an enduring part of the threat landscape. From financial Trojans that attack online banking, to attacks against automated teller machines (ATMs) and fraudulent interbank transactions, there are many different attack vectors utilised by criminals.
As Symantec predicted in 2015, there was an increase in attacks against corporations and financial institutions during 2016. This was evident from a series of high-value heists targeting Society for Worldwide Interbank Financial Telecommunication (SWIFT) customers. While there is no evidence of any such high-value heists on SWIFT customers this year, the 2016 attacks saw several such institutions lose millions of dollars to cyber criminals and nation state-supported attackers such as the Lazarus group.
On average, 38 per cent of the financial threats we detected in 2016 were found in large business locations. Most of these infection attempts were not targeted attacks but were instead due to widespread email campaigns. Although we have seen a 36 per cent decrease in detection numbers for financial malware in 2016, this is mainly due to earlier detection in the attack chain and more focused attacks.
With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware. The financial Trojan threat landscape is dominated by three malware families: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86 per cent of all financial Trojan attack activities in 2016. However, due to arrests, takedowns, and regrouping, we have seen a lot of fluctuations over the last year. Globally, financial institutions in the US were targeted the most, going by the samples analysed by Symantec, followed by Poland and Japan.
Infection vectors for financial Trojans haven't changed much in the past year and are still identical to those of other common Trojans. Distribution mainly relies on spam email with malicious droppers attached and on web exploit toolkits. The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016.
The already well-known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment forms have also been used in massive spam runs to distribute malware.
We have also seen Office documents without macros, and instead with embedded OLE objects and instructions for the user to double-click the payload. The Necurs botnet (Backdoor.Necurs), which sent out more than 1.8 million JS downloaders in one day alone in November 2016, highlights the magnitude of some of these campaigns.
Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just one in 9,138 emails in March 2017. In 2016, the average rate of phishing emails was slightly higher than one in 3,000 emails. Simple phishing no longer works against most banks and financial institutions, as they rarely rely on static passwords alone. But phishing attacks can still be successful in stealing online retail account credentials and credit card details.
-------------------
Equifax has revealed that 2.5 million more Americans than previously thought may have had information compromised in a huge cyber security breach at the firm.
The credit report giant said about 145.5 million of its US customers might have been affected, up from a previous estimate of 143 million.
---------------------
ATM and point of sale (POS) attacks continued to increase in 2016. ATM malware has been around for 10 years but is still effective. With the increase of targeted attacks aimed at banks, we also saw an increase in attacks against ATMs from within the financial network. Since the adoption of Chip & PIN has begun to spread outside of Europe, we have seen a decrease in classic memory scraping threats, as they are no longer efficient for the attackers.
There are various degrees of sophistication seen in the wild when it comes to ATM attacks. For some attacks, the criminals need physical access to the ATM computer, and they get this by opening the cover with a stolen key or picking the lock.
Once they have access to a USB port or the CD-ROM, they can install malware and attach a keyboard to issue commands (the Ploutus malware uses this attack vector).
Similar attacks have been reported in hotels, where attackers used the often exposed USB ports on the back of the check-in computers to install malware. In retail stores the attackers added their sniffer to an exposed network port inside the shop. This allows them to compromise any attached POS device and scrape its memory for payment card information.
With physical access to the ATM, another attack vector is possible. As reported in April 2017, some attackers discovered they could drill a hole into the ATM casing in order to access the internal bus system. Once access is obtained, a cheap microcomputer is all that is needed to send commands to the bus in order to make the ATM dispense its cash.
We have also seen trends in financial malware attempting to hide configuration files from researchers, as well as a move to redirect attacks or even manually log into the system to issue large transactions if interesting financial software is detected.
Mobile threats on Android are mainly focusing on form overlay attacks or fake online banking apps. We have seen more than 170 mobile apps targeted by mobile malware. Mobile threats are still relevant, as many financial institutions have deployed two-factor authentication through mobile phone applications.
As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorising fraudulent transactions. The end-user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.
When a cyberattacker successfully compromises an internal network, he can steal any credentials that will help maximise his profits. This could mean stealing online banking credentials, sensitive personal data or other passwords. It is common for financial threats to steal any other account information that they can find on a compromised computer.
Once a system is compromised, cyberattackers can use any stolen information to spread their malware further, or even sell it on underground forums. Credit card details are still the most sold digital goods on the underground forums, while bank account access information is priced according to the account balance.
For example, an account with US$1,000 in it can be sold for US$10. An account with a greater balance will be on sale for a larger sum.
The attacks are not only targeting the banks' customers. We have seen several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent inter-bank transactions. Financial institutions are confronted with attacks on multiple fronts. The two main types are attacks against their customers and attacks against their own infrastructure.
In the event of a cyber breach, companies' losses extend far beyond monetary value. Their reputation and customers' trust - areas that take time and effort to develop - will also be damaged. We expect financial threats to remain a problem for end-users in the future, but attackers will likely increase their focus on corporate finance departments and on using social engineering against them. Prevention is by far the best outcome, so it is worth paying attention to how cyber breaches can be avoided. Emails and infected websites are the most common infection vectors for malware. Adopting a robust defence against both of these infection vectors will help reduce the risk of infection.