Attackers reel in cash rewards from large financial firms, but small fish aren’t safe either
Financial phishing becomes more widespread as criminals tap into increased online activity, easier-to-use malware
By Rodika Tollefson, ThirdCertainty
The massive data breaches of the past couple of years are evidence that cyber attackers are going after the bigger fish. The more sophisticated ones are shifting their tactics from random “spray and pray” attacks on individuals to targeting businesses that have massive amounts of data.
This trend also is reflected in financial phishing. Cyber criminals are aiming more for the financial infrastructure, from banks and payment systems to international money-transfer systems, rather than for individuals.
Last year, the share of financial phishing increased 13 percentage points to reach an all-time high, according to a recently released report by Kaspersky Lab. Among other things, Kaspersky Lab — an anti-malware and internet security vendor — found that in 2016:
- One in every four attempts to load a phishing page that was blocked by Kaspersky related to financial phishing
- The number of users attacked by banking Trojans grew by 31 percent
- 17 percent of users attacked by banking malware were corporate
- Phishing attacks against payment systems (like PayPal and Western Union) and e-commerce sites also grew (leading e-shopping sites attacked were Amazon, Apple, popular video-gaming site Steam and eBay)
- Phishing pages mimicking legitimate financial websites were the top vector
- The United States was one of the six countries attacked most by banking malware. Others were Russia, Germany, Japan, India and Vietnam
- 31 percent of phishing attacks against Mac users were attempts to steal financial data.
Leveraging data for cash
Andrey Pozhogin, cybersecurity expert at Kaspersky Lab North America, explains that financial phishing attacks are not the same as those that are after credit card numbers and other information. These attacks may start the same way—by obtaining user credentials through phishing. But they have a different end game: exfiltration of money from banks and other financial services.
“The cyber criminals have to make the leap from just owning the user credentials or having control over their machine to getting away with the money,” he says. “They need to know how the systems work to be able to issue that command to send money somewhere, and be able to receive the money wherever they sent it.”
Almost 48 percent of all the phishing activities detected in 2016 were related to financial phishing. Pozhogin estimates that as much as another 48 percent was for ransomware attacks. The criminals, he says, are going where there’s less risk but bigger monetary returns.
“There’s constant optimization happening in the way cyber criminals perform their activities,” he says.
Command and control
One example is the Carbanak scheme, carried out by a multinational gang that stole as much as $1 billion from as many as a hundred financial institutions around the world. The original infection, discovered by Kaspersky Lab at a bank in Ukraine, was traced back to a spear phishing email sent to an employee.
After obtaining user credentials, the thieves attacked webcams to record daily activities at the targeted banks for a month or longer so they could copycat legitimate activity. They would then “hijack the money from the accounts without users and the bank security team noticing,” Pozhogin says.
“Obviously this was a way higher investment of resources compared to a lone wolf going into an underground forum to buy modules and assemble a ‘spray and pray’ type of attack targeting individual users,” Pozhogin says.
The attackers were clearly very sophisticated, as they didn’t only attack one bank — or only one country’s banks, for that matter.
“They exploited the very backbone of the whole financial system,” Pozhogin says. “They were able to analyze the international agreements on how money changes hands and identify and exploit that vulnerability.”
Criminals’ job gets easier
Kaspersky attributes part of the growth in financial phishing to the general rise in online banking and shopping: as those activities grow, so will phishing attacks against the companies that provide them.
There’s also a second explanation. One notable finding from the Kaspersky Lab report was the evolution of malware, which is typically deployed in a phishing attack. The number of malware families is growing, but what’s really tipping the scales is the continuous improvement in usability.
“It becomes more easy for a criminal mind-set, without knowing how to code or how the systems operate, with a credit card or a few bitcoins to go online and order modules to assemble and launch an attack,” Pozhogin says.
On the black market, the purchase of malware comes with user education, live technical support and even step-by-step instructions. The barrier to entry into this type of crime is low, and the malicious tools are becoming cheaper to acquire.
Fighting technology with technology
Pozhogin says that, as a form of social engineering, phishing typically targets the user rather than the technology. Technology is more resilient to deception, he says, whereas a user is more likely to be fooled by something like legitimate-looking branding and design on a spoofed website.
“Technology is very pragmatic,” he says. “It looks for malicious stuff on the website and in the code and it’s really strong against these types of attacks.”
It’s especially important for smaller, community banks and credit unions to have layered protection against phishing. User education alone is not effective, he says.
“You want to outman the human element with the right technology,” Pozhogin says. “If you become a little better at preventing phishing, you would significantly increase the security of the organization.”