
Attacks on Banks

This article provides an overview of the methods currently used by cyber criminals to attack financial institutions, and banks in particular. It aims to give IT professionals a more detailed understanding of how financial institutions can be attacked, and what can be done to mitigate such attacks.

The article examines the following topics:

  1. General trends
    • Evading detection
    • Money mules
  2. Phishing
  3. Automated attacks
    • Redirecting traffic
    • Man-in-the-Middle attacks
    • The next generation
  4. Solutions

Statistics quoted in the report show that the percentage of financial malware detected each month is dropping. However, the number of malicious programs which target financial institutions is increasing, together with an increase in malware capable of attacking more than one bank or institution at once. The vast majority of such programs are designed to attack between one and three banks, and tend to target the most popular banks.

The majority of malicious programs targeting banks tend to be delivered via the Internet, as this makes them less likely to attract the attention of security professionals. Also, malware which infects victim systems via the web is hosted on web servers; the code can be modified before it is delivered to the victim machine or system, and this hinders analysis and detection.

The increase in financial malware is the result of the increasing criminalization of cyberspace, with malware being used to make money. In addition to stealing funds, cyber criminals need a way to liquidate their virtual assets. The article examines the phenomenon of 'money mules' who are used in this context to evade the mechanisms developed by banks to detect fraud and other illegal activity.

A never-ending stream of phishing emails and phishing construction kits clearly demonstrates that phishing is still a very effective way of getting users to give up their credentials. Additionally, cyber criminals are constantly devising ever more ingenious social engineering schemes in order to trick the more security-savvy user. The article surveys the weaknesses inherent in using a single static user name/password to access an account. It also examines the potential loopholes which can be exploited by cyber criminals even if more secure methods – such as dynamic passwords or two-factor authentication – are used. Even if a user does not fall for a phishing scam, s/he can still fall victim to a technical approach.

Technical approaches include modifying the Windows hosts file or DNS server settings to redirect traffic to fake sites, or placing a Trojan on the victim machine. Traffic may be redirected from an HTTPS site to an HTTP (i.e. potentially insecure) site. However, redirected traffic will not be processed in real time; when cyber criminals need real-time processing (e.g. in order to prevent a victim from contacting his/her bank and stopping a transaction), a Man-in-the-Middle attack is used.

A MitM attack uses a malicious server to intercept all traffic between the client and the server, i.e. the customer and the financial organization. Sophisticated malware which uses such attacks often also makes use of HTML injection. As cyber criminals are eager to maximize their returns while remaining at liberty, they have been examining other ways of conducting attacks, resulting in an increase in Man-in-the-Endpoint (MitE) attacks. Such attacks don't involve an additional server to intercept traffic; all changes are made on the local system. The article provides an overview of the advantages of such attacks over other methods.

Although investing in better security costs a lot of money, this is a choice banks clearly have to make. Single-factor authentication can be bypassed extremely easily by cyber criminals. While it is encouraging that many of the banks which have not implemented two-factor authentication are planning to do so, there is a clear trend: the increased use of two-factor authentication has resulted in an increase in malware capable of defeating this type of authentication.

The article concludes with a number of recommendations for how current security mechanisms could be strengthened or their usability improved. It also highlights some of the issues which are caused by the relatively young nature of online banking security, and concludes that, as ever, any security solution/process is only as strong as the weakest link in the chain.

Copyright © 1997 - 2009 Kaspersky Lab.
All rights reserved.