The results of Websense’s 2015 Financial Services Drill-Down Report show that financial services are the target of 33 per cent of cyber-attacks. The financial services industry also ranks third overall for targeted typosquatting. The report further indicates that malware authors are, in some respects, like chameleons: when one of their methods fails or is blocked, they seamlessly switch to a different one.
Financial institutions handle large volumes of sensitive personal data daily, and it is up to them to ensure that it stays locked in the vault. If the door is accidentally left open, hackers will waste no time pouncing on the opportunity to drain people’s bank accounts for their own gain.
To put the results of this report in perspective, IT in Canada spoke to Websense Principal Security Analyst Carl Leonard.
IT in Canada: Why is now the time for this report?
Leonard: When we were having conversations with some of our customers, we saw that they were having unique experiences. We really wanted to capture those and issue this report so that various industries could be better positioned to more proactively protect themselves.
This is actually the first industry breakdown that we’ve done since a report on healthcare stats in 2014. We saw a 600 per cent increase in attacks against hospitals, so we then applied that same sort of conviction to get some more details on other industries. This is one of our most detailed industry-specific reports to date.
ITIC: The report shows that a third of all lure-stage attacks target financial services. Why is that?
CL: The financial service sectors are well known for having large amounts of confidential information on their clients, and millions of transactions are conducted on a daily basis. We really have invested a lot of time and energy into the early stages of the life cycle in order to better penetrate those organizations.
Once the lure had been crafted, the malware authors then set up this platform to deploy the malicious payloads into those organizations. So it’s really the malware authors taking the first stab at penetrating the defenses of the organizations.
ITIC: What types of malware are usually used to carry out these functions?
CL: One example that we’ve found particularly prevalent within financial services is Geodo. Geodo is a typical sort of banking intrusion, but it’s also got wormlike capabilities. Once it has successfully stolen the credentials, it can then spread itself by sending out further forms of malware.
With Geodo, we’ve observed that occurring 400 per cent more often than in any other industry. It starts with particular variants, and then spreads itself to other financial sectors through the use of that victim’s credentials. Obviously they’d then have contacts with other financial services. Systemically, around credential-stealing attacks that we’ve observed, they have focused on financial services, as well as data theft.
Another example is Vawtrak, which we’ve observed to be a backdoor to a network that streams full access to the compromised machine. It also steals personal information which again can be used to further additional attacks within that same industry.
ITIC: The report also states that financial services rank third for targeted typosquatting. Why is this?
CL: This particular type of attack represents a development of the traditional typosquatting method, whereby ordinarily malware authors will set up a domain that has a character slightly different on the keyboard. For example, it might replace a T with an R, or an M with an N.
As we mistype on the keyboard, we might encounter those domains. We’ve found the malware authors actually going to the next step along that attack. They’re actually registering those mistyped domains that have very close relationships with their target domain. So if I was running colesbank.com, the malware author might register colesbank.co. It’s just one letter off, or he might replace the L with a T.
Once he’s registered that domain, he then sends mails from that domain into the legitimate colesbank.com. The end users there can be duped into engaging in conversation, thinking it’s an internal employee. We’ve actually seen PDF instructions being sent that detail how to transmit data and actions such as conducting an employee’s payment, or needing to do an urgent wire transfer. So it’s combining the traditional typosquatting with a targeted element where domains are specifically in close relation to the target organization.
Emails are then sent in to that target organization from that typo domain, and we’ve actually seen these phishing incidents averaging a loss of around $130,000 per incident, as the engineering hack is successful. The actions described are actually performed by the target’s employee.
The reason why financial services ranks third is because we know that within this industry, the employees are familiar with these types of transactions. They’re used to processing invoices and dealing with money transfers, so it would be no surprise to them should an additional request come in. It might ask them to use a particular system they’re already familiar with, so it’s fairly relevant to the recipient. It could also be part of their daily business and operations. That’s why malware authors are really focusing on financial services employees with this attack.
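The lookalike domains Leonard describes (colesbank.co for colesbank.com, a swapped letter, a neighbouring key) can be caught at the mail gateway before an employee ever sees the message. The following is an added example, not code from Websense or from the interview: it extracts the sender domain from a From: header and flags anything within one edit of a protected domain, noting when the substituted character is a keyboard neighbour. PROTECTED_DOMAINS, the QWERTY rows, and the sample headers are all constructed assumptions for the example.

```python
"""Flag inbound sender domains that impersonate a protected domain.

Added example, not part of the original interview or the Websense report.
PROTECTED_DOMAINS and SAMPLE_FROM_HEADERS are constructed sample values.
"""
import re

# The organisation's own domains (constructed; the interview uses colesbank.com).
PROTECTED_DOMAINS = ["colesbank.com"]

# QWERTY rows, used to judge whether a substituted letter sits next to the
# original on the keyboard (the T/R and M/N cases from the interview).
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def keyboard_adjacent(a, b):
    """True if letters a and b are horizontal neighbours on the same QWERTY row."""
    for row in QWERTY_ROWS:
        if a in row and b in row:
            return abs(row.index(a) - row.index(b)) == 1
    return False


def edit_distance(s, t):
    """Damerau-Levenshtein distance (insert, delete, substitute, adjacent swap)."""
    d = [[0] * (len(t) + 1) for _ in range(len(s) + 1)]
    for i in range(len(s) + 1):
        d[i][0] = i
    for j in range(len(t) + 1):
        d[0][j] = j
    for i in range(1, len(s) + 1):
        for j in range(1, len(t) + 1):
            cost = 0 if s[i - 1] == t[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(s)][len(t)]


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: value such as 'Bob <bob@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify(domain):
    """Return (verdict, detail) for a sender domain.

    'internal'  - a protected domain itself or one of its subdomains
    'lookalike' - exactly one edit away from a protected domain
    'external'  - anything else
    """
    for legit in PROTECTED_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return "internal", legit
    for legit in PROTECTED_DOMAINS:
        if edit_distance(domain, legit) == 1:
            detail = "one edit from " + legit
            # Same length means a single substitution; record if it was a
            # neighbouring key, the classic mistyped-domain pattern.
            if len(domain) == len(legit):
                diff = [(a, b) for a, b in zip(domain, legit) if a != b]
                if len(diff) == 1 and keyboard_adjacent(*diff[0]):
                    detail += " (keyboard-adjacent substitution)"
            return "lookalike", detail
    return "external", ""


def scan(from_headers):
    """Classify each From: header; returns a list of (domain, verdict, detail)."""
    results = []
    for header in from_headers:
        domain = sender_domain(header)
        verdict, detail = classify(domain)
        results.append((domain, verdict, detail))
    return results


# Constructed sample input: two legitimate senders, three lookalikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Alice <alice@colesbank.com>",
    "Payroll <payroll@mail.colesbank.com>",
    "CFO <cfo@colesbank.co>",
    "CFO <cfo@cotesbank.com>",
    "Treasury <treasury@colesbamk.com>",
    "Vendor <billing@example.net>",
]

if __name__ == "__main__":
    for domain, verdict, detail in scan(SAMPLE_FROM_HEADERS):
        print(f"{domain:22} {verdict:10} {detail}")
```

A distance-one match is a strong signal but not proof; in practice the 'lookalike' verdict feeds a quarantine or banner rule rather than an outright block, and the protected list should include any brand domains the organisation has not registered in neighbouring TLDs.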
ITIC: Malware authors are using a bait-and-switch method to try to outfox banking security measures. What exactly are they doing to skirt around these barriers?
CL: We’re actually seeing attack trends differ dramatically from month to month and week to week. As soon as a member of a security operations center within the financial services sector has learned how to handle and mitigate a particular attack, the malware author then tries something new.
In one example seen in March of this year, over 50 per cent of all attacks used some type of obfuscated code. That makes analysis difficult by disguising the malicious payload code, as it’s unreadable by humans. We saw that in half of all cases in March, and then in April that certainly dropped to less than 5 per cent of all attacks, to be replaced instead by redirection.
Some distance is put between that initial lure that we know is popular in financial services and the dangerous payload, such as Geodo. As a result, the malware authors are changing their styles and methods of delivery of the malware regularly in a very dynamic fashion. This makes life difficult for those defenders who are trying to understand the attack, learn from the threat telemetry they’ve gained from their systems, and then defend against it. But instead, the malware authors just change the tactic and present them with something new.
ITIC: What does the future hold for attacks on financial services?
CL: We’ve been tracking threat volumes for some years now, and we’ve actually seen that the volume of threats, globally and across industries, has plateaued over the past year. That’s not to say the volumes are manageable.
We’ve identified 4 billion threats in 2014 and another 4 billion in 2013. These are very large numbers, and we know that financial services are hit three times more than other industries. So the volumes are going to remain high, and that is a problem because there’s this background noise of threats trickling in, some of which might be a greater risk to your business than others, especially the likes of Geodo and Vawtrak which are opening backdoors and stealing your confidential data.
Malware authors have also proven that they are operating with a more complex and developed toolkit. We’ve found that advanced tools are now the new baseline, and malware authors are not afraid to change their tactics so that they can constantly evolve their own methods and also attempt to stay a step or two ahead of those who are seeking to defend operations.
What we’re observing is that financial services are really getting involved in sharing threat telemetry across their industry so they can collectively better understand the types of threats coming in. This will help them to consider building out capabilities to move to a more proactive stance for vicious management within their organizations by really and truly understanding the threat types they’re observing.
We hope that this report will go some way into building a picture of exactly what members of that industry can look to face in the next year. History tells us attacks are becoming more complex, and the volumes are not getting to such a level where it’s becoming so easily manageable right now.