Hackers Make Financial Services Firms Top Target
Hackers target financial services firms 300 percent more than companies in other verticals, says Websense Security Labs.
Hackers target financial service firms 300 percent more than businesses in other industries, according to a new report from Websense Security Labs that examines hacker attack patterns from January through May of 2015. In addition, such firms account for a third of two of the most popular cybersecurity attacks, the report found.
Criminals seek out financial services firms because they control large amounts of money and, along with businesses in the health care industry, collect and store the greatest amount of personal information about their customers, said Carl Leonard, Websense principal data security analyst.
In what Websense terms "the recon stage," cybercriminals research their intended victims using personal, professional and social media websites. They’re looking for information to help them create seemingly trustworthy "lures" that contain links to compromised websites under their control. Some lures use recent disasters, social drama or celebrity deaths to draw on human curiosity.
The lures are dangled via email, social media posts or other content that appears to come from trustworthy sources. Subject lines and content matter in email lures commonly tend to be professional in nature and frequently involve specifics around invoices, ACH and BACS payments, or third-party vendors. During income tax filing season, lures referring to the Internal Revenue Service are quite common.
How Hackers Steal Credentials
Geodo, Rerdom and Vawtrak are the most common types of credential-stealing attacks, according to the report.
Geodo, a new version of the Cridex attack, is used against financial services 400 percent more than against any other industry. The malware uses email in attempts to steal credentials and to self-perpetuate, which initiates more lure attacks. According to the report, Geodo is typically embedded in automated scripts, with its repeating tasks placed in Microsoft Office macros, continuing the recent pattern of attacks that use macros in documents.
Geodo's self-replicating feature accesses a financial institution's database of legitimate SMTP credentials from the Cridex botnet, sending small batches of infected emails from compromised hosts while also adding newly compromised credentials to that list of legitimate SMTP credentials.
Rerdom, a spam generator affiliated with the Asprox malware family, can result in spamming, malicious email attacks, click fraud, credential harvesting and other malicious activity.
Vawtrak is a Trojan designed to steal credentials by taking over passwords, digital certificates, browser histories and cookies.
Mixing up the Menace
Financial institutions need to be nimble to stay on top of these attacks because the patterns tend to shift on a monthly basis, according to the report. Sometimes attacks even vary on a weekly basis, Leonard said.
Cybercriminals also maintain a constant barrage of low-level attacks. While these are not difficult to stop, the time spent stopping them occupies security professionals with "background noise," distracting them from newer and more targeted attacks.
"Even though these are low-level attacks, you still have to defend against them," Leonard said, adding that there’s been an emphasis by hackers on evasion techniques, disguising malware code within transmissions.
Even though it has been around far longer than some of the newer attacks, typosquatting, or URL hijacking, has continued to evolve, making it much more dangerous. According to the Websense report, typosquatting has resulted in millions of dollars in financial institution losses and operational overhead. Typosquatting attacks rely on targets glancing at emails quickly, so that they miss subtle changes in a webmail address, Leonard said.
One of the most effective targeted typosquatting attacks uses .co domains rather than .com domains, sometimes in conjunction with social engineering. People typically read through emails quickly, so they overlook such a small change in the URL. Among other popular typosquatting techniques, according to Websense:
- Single character insertion using small width letters like i, l or t in the middle or the beginning of a word. The word isn’t significantly lengthened, making the subtle change hard to notice.
- Character replacement, such as I for l, a for g or o for 0. The changes are so subtle, they are easily overlooked. Again, these changes are typically at the beginning or in the middle of a word, with the width of the word being virtually unchanged.
- Character transposition, usually in the middle of the word.
- Character deletion, which isn’t always noticeable and is very easy to do.
- Double character insertion, particularly with ll, ss, ii and tt, typically in the middle of the word.
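The techniques listed above can be turned into a simple inbound-mail check: compare the sender's domain against a list of domains you want to protect and name the edit that would turn one into the other. The following is an added example, not code from the article or from Websense; the protected domain `examplebank.com`, the sample sender addresses, the rn/m and vv/w confusable pairs, and the assumption that domains are given as registrable names without subdomains are all constructed for illustration.

```python
"""Lookalike-domain check for inbound sender addresses (added example).

Flags a sender domain that is one typosquatting edit away from a protected
domain and names the technique: TLD swap (.co for .com), confusable-character
replacement, single or double character insertion, deletion, transposition.
"""

# Constructed: the domain(s) whose lookalikes we want to catch in inbound mail.
# Assumption: registrable names only (no subdomains such as mail.examplebank.com).
PROTECTED_DOMAINS = ["examplebank.com"]

# Confusable characters (the "character replacement" technique). The I/l, 0/o
# and a/g pairs follow the article's list; rn/m and vv/w are added assumptions.
# Two-character entries run first so "rn" becomes "m" before the single rules.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("i", "l"), ("a", "g")]


def canonical(label):
    """Lower-case a DNS label and fold confusable characters to one form."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_label(candidate, protected):
    """Name the typosquatting technique that turns `protected` into
    `candidate`, or return None when the labels are identical or more than
    one edit apart."""
    if candidate == protected:
        return None
    if canonical(candidate) == canonical(protected):
        return "character replacement (confusable characters)"
    if osa_distance(candidate, protected) != 1:
        return None
    if len(candidate) == len(protected) + 1:
        # Locate the inserted character and see whether it doubles a neighbour.
        i = next(k for k in range(len(protected) + 1)
                 if k == len(protected) or candidate[k] != protected[k])
        neighbours = candidate[max(i - 1, 0):i] + candidate[i + 1:i + 2]
        if candidate[i] in neighbours:
            return "double character insertion"
        return "single character insertion"
    if len(candidate) == len(protected) - 1:
        return "character deletion"
    # Same length: either two adjacent characters were swapped or one replaced.
    diffs = [k for k in range(len(candidate)) if candidate[k] != protected[k]]
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        return "character transposition"
    return "character replacement"


def check_sender(address, protected_domains=PROTECTED_DOMAINS):
    """Return ("legitimate", domain), ("lookalike", "<technique> of <domain>")
    or ("unrelated", None) for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    label, _, suffix = domain.partition(".")
    for good in protected_domains:
        good = good.lower()
        good_label, _, good_suffix = good.partition(".")
        if domain == good:
            return "legitimate", good
        if label == good_label and suffix != good_suffix:
            return "lookalike", f"top-level domain swap (.{suffix} for .{good_suffix}) of {good}"
        technique = classify_label(label, good_label)
        if technique and suffix == good_suffix:   # one edit in the label, same suffix
            return "lookalike", f"{technique} of {good}"
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample senders covering each technique in the article's list.
    for sender in ["alerts@examplebank.com", "alerts@examplebank.co",
                   "billing@examp1ebank.com", "ach@exampelbank.com",
                   "invoices@examplebbank.com", "payments@examplbank.com",
                   "vendor@othercorp.com"]:
        print(f"{sender:28} -> {check_sender(sender)}")
```

The check deliberately reports only one-edit lookalikes with a matching suffix, or an exact label with a swapped suffix; anything further away is left as "unrelated" so the rule can run on every inbound message without drowning reviewers in the "background noise" the article describes.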
The report also cites a few common security oversights of financial services companies:
- While 90 percent of banks encrypt transmitted data, only 38 percent encrypt data at rest
- Thirty percent of banks surveyed do not require multi-factor authentication for third-party vendors – even though such vendors are becoming an increasingly common point of entry for hackers
Information Sharing and Cybersecurity Insurance
It's important for banks to target the areas in which they need to improve, Leonard said. "You have to have the right amount of trained security staff that makes sense for your organization," he said. "You need to understand your weaknesses and prioritize those."
In addition, although financial services firms often don’t like to share information for competitive reasons, such sharing is essential when it comes to cybersecurity, Leonard said.
Eighty percent of financial institutions surveyed have cybersecurity insurance policies. However, Websense cautioned against relying too heavily on them, noting that as cyberattacks grow, the cost of this insurance will continue to escalate and policies could come with restrictions, with certain industries being deemed uninsurable.
Phillip J. Britt's work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.