Attackers reel in cash rewards from large financial firms, but small fish aren’t safe either

Financial phishing becomes more widespread as criminals tap into increased online activity, easier-to-use malware

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The mas­sive data breach­es of the past cou­ple of years are evi­dence that cyber attack­ers are going after the big­ger fish. The more sophis­ti­cat­ed ones are shift­ing their tac­tics from ran­dom “spray and pray” attacks on indi­vid­u­als to tar­get­ing busi­ness­es that have mas­sive amounts of data.

This trend also is reflect­ed in finan­cial phish­ing. Cyber crim­i­nals are aim­ing more for the finan­cial infra­struc­ture, from banks and pay­ment sys­tems to inter­na­tion­al mon­ey-trans­fer sys­tems, rather than for individuals.

Relat­ed: Sophis­ti­cat­ed spear phish­ing attacks becom­ing more common

Last year, the share of finan­cial phish­ing increased 13 per­cent­age points to reach an all-time high, accord­ing to a recent­ly released report by Kasper­sky Lab. Among oth­er things, Kasper­sky Lab — an anti-mal­ware and inter­net secu­ri­ty ven­dor — found that in 2016:

  • One in every four attempts to load a phish­ing page that was blocked by Kasper­sky relat­ed to finan­cial phishing
  • The num­ber of users attacked by bank­ing Tro­jans grew by 31 percent
  • 17 per­cent of users attacked by bank­ing mal­ware were corporate
  • Phish­ing attacks against pay­ment sys­tems (like Pay­Pal and West­ern Union) and e-com­merce sites also grew (lead­ing e-shop­ping sites attacked were Ama­zon, Apple, pop­u­lar video-gam­ing site Steam and eBay)
  • Phish­ing pages mim­ic­k­ing legit­i­mate finan­cial web­sites were the top vector
  • The Unit­ed States was one of the six coun­tries attacked most by bank­ing mal­ware. Oth­ers were Rus­sia, Ger­many, Japan, India and Vietnam
  • 31 per­cent of phish­ing attacks against Mac users were attempts to steal finan­cial data.

Lever­ag­ing data for cash

Andrey Pozhogin, cyber­se­cu­ri­ty expert at Kasper­sky Lab North Amer­i­ca, explains that finan­cial phish­ing attacks are not the same as those that are after cred­it card num­bers and oth­er infor­ma­tion. These attacks may start the same way—by obtain­ing user cre­den­tials through phish­ing. But they have a dif­fer­ent end game: exfil­tra­tion of mon­ey from banks and oth­er finan­cial services.

The cyber crim­i­nals have to make the leap from just own­ing the user cre­den­tials or hav­ing con­trol over their machine to get­ting away with the mon­ey,” he says. “They need to know how the sys­tems work to be able to issue that com­mand to send mon­ey some­where, and be able to receive the mon­ey wher­ev­er they sent it.”

Almost 48 per­cent of all the phish­ing activ­i­ties detect­ed in 2016 were relat­ed to finan­cial phish­ing. Pozhogin esti­mates that as much as anoth­er 48 per­cent was for ran­somware attacks. The crim­i­nals, he says, are going where there’s less risk but big­ger mon­e­tary returns.

There’s con­stant opti­miza­tion hap­pen­ing in the way cyber crim­i­nals per­form their activ­i­ties,” he says.

Com­mand and control

One exam­ple is the Car­banak scheme, car­ried out by a multi­na­tion­al gang that stole as much as $1 bil­lion from as many as a hun­dred finan­cial insti­tu­tions around the world. The orig­i­nal infec­tion, dis­cov­ered by Kasper­sky Lab at a bank in Ukraine, was traced back to a spear phish­ing email sent to an employee.

After obtain­ing user cre­den­tials, the thieves attacked web­cams to record dai­ly activ­i­ties at the tar­get­ed banks for a month or longer so they could copy­cat legit­i­mate activ­i­ty. They would then “hijack the mon­ey from the accounts with­out users and the bank secu­ri­ty team notic­ing,” Pozhogin says.

Obvi­ous­ly this was a way high­er invest­ment of resources com­pared to a lone wolf going into an under­ground forum to buy mod­ules and assem­ble a ‘spray and pray’ type of attack tar­get­ing indi­vid­ual users,” Pozhogin says.

The attack­ers were clear­ly very sophis­ti­cat­ed, as they didn’t only attack one bank — or only one country’s banks, for that matter.

They exploit­ed the very back­bone of the whole finan­cial sys­tem,” Pozhogin says. “They were able to ana­lyze the inter­na­tion­al agree­ments on how mon­ey changes hands and iden­ti­fy and exploit that vulnerability.”

Crim­i­nals’ job gets easier

Kasper­sky attrib­ut­es part of the growth in finan­cial phish­ing to the rise in online bank­ing and shop­ping, in general—it’s a nat­ur­al con­clu­sion that as those trends grow, so will phish­ing attacks against those types of companies.

There’s also a sec­ond expla­na­tion. One notable find­ing from the Kasper­sky Lab report was the evo­lu­tion of mal­ware, which is typ­i­cal­ly deployed in a phish­ing attack. The num­ber of mal­ware fam­i­lies is growing—but what’s real­ly tip­ping the scales is the con­tin­u­ous improve­ments in the usability.

Andrey Pozhogin, Kasper­sky Lab North Amer­i­ca cyber­se­cu­ri­ty expert

It becomes more easy for a crim­i­nal mind-set, with­out know­ing how to code or how the sys­tems oper­ate, with a cred­it card or a few bit­coins to go online and order mod­ules to assem­ble and launch an attack,” Pozhogin says.

On the black mar­ket, the pur­chase of mal­ware comes with user edu­ca­tion, live tech­ni­cal sup­port and even step-by-step instruc­tions. The bar­ri­er of entry into this type of crime is low and is becom­ing less expen­sive to invest in the mali­cious tools.

Fight­ing tech­nol­o­gy with technology

Pozhogin says that as a form of social engi­neer­ing, phish­ing typ­i­cal­ly aims at the user rather than at tech­nol­o­gy. Tech­nol­o­gy is more resilient to decep­tion, he says—where a user is more like­ly to be deceived by some­thing like legit­i­mate-look­ing brand­ing and design on a spoofed website.

Tech­nol­o­gy is very prag­mat­ic,” he says. “It looks for mali­cious stuff on the web­site and in the code and it’s real­ly strong against these types of attacks.”

It’s espe­cial­ly impor­tant for small­er, com­mu­ni­ty banks and cred­it unions to have lay­ered pro­tec­tion against phish­ing. User edu­ca­tion alone is not effec­tive, he says.

You want to out­man the human ele­ment with the right tech­nol­o­gy,” Pozhogin says. “If you become a lit­tle bet­ter at pre­vent­ing phish­ing, you would sig­nif­i­cant­ly increase the secu­ri­ty of the organization.”

More sto­ries relat­ed to phish­ing, attacks on finan­cial institutions:
Look to human nature for con­tin­ued suc­cess of phish­ing attacks
How orga­ni­za­tions can avoid get­ting hooked by phish­ing scams
Small banks, cred­it unions on front lines of cyber­se­cu­ri­ty war