A broad range of cyber threats are facing the global finance industry, which represents a one-stop shop for attackers, providing essential funding for the underground economy, security reports reveals.
By targeting financial services institutions, criminals steal sensitive data that can be used to open fake accounts and lines of credit they need for survival.
The reports come in the same week as US financial services organisation Capital One revealed a breach affecting 106 million customers in North America, and just weeks after a freedom of information request revealed that the number of cyber incidents reported by UK financial services firms increased nearly 12-fold in 2018 from 2017, mainly due to third-party failures, highlighting several key areas that need improvement.
The threats facing organisations working directly and indirectly with the global finance sector go far beyond traditional theft, according the latest report by Finnish security firm F-Secure. Cyber threats facing banks, insurance companies, assets managers and similar organisations can range from common script-kiddies to organised criminals and state-sponsored actors.
These attackers have an equally diverse set of motivations for their actions, the report said, with many seeing the finance sector as a tempting target due to its importance in national economies.
The report breaks down these motivations into three groups: data theft, data integrity and sabotage, and direct financial theft. “This is a useful way to think about cyber threats, because it is easy to map attacker motivations across to specific businesses, and subsequently understand to what extent they apply,” said George Michael, senior research analyst at F-Secure.
“Once you understand why various threat actors might target you, then you can more accurately measure your cyber risk and implement appropriate mitigations,” he said.
Read more about cyber security for financial services
- Financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA) in 2018, up from just 69 incidents in 2017, an increase of more than 1,000%.
- Information security chiefs in the financial sector say cyber security awareness needs to be a top priority.
- UK finance sector cyber security pros admit shocking practices.
- Financial institutions need to rethink security, say analysts.
When it comes to theft in the financial sector, North Korea is having a global influence as the only nation state believed to be responsible for acts of direct financial theft because their tactics, techniques, and procedures (TTPs) have spread to other threat actors.
According to Michael, this is part of a larger trend that involves adversaries offering their customisable malware strains or services-for-hire on the dark web, contributing to a rise in the adoption of more modern TTPs by attackers.
“North Korea has been publicly implicated in financially motivated attacks in over 30 countries in the past three years, and their tactics are also being used by cyber criminals, particularly against banks,” said Michael. “This is symbolic of a wider trend that we’ve seen in which there is an increasing overlap in the techniques used by state-sponsored groups and cyber criminals.”
The study notes that state-sponsored attackers and cyber criminals steal financial data to monitor the activities of specific individuals, as well as large international deals in key industries.
Researchers found that techniques to steal funds via a range of systems, including Swift payment operators, inter-bank payment switch applications and automated teller machines (ATMs), are becoming accessible to a broader range of attackers.
Developments relevant to the finance sector
The report warns that general developments in the cyber threat landscape, including the use of distractive malware, supply chain compromises and customised TTPs specific to the target, are relevant for the finance sector.
According to Michael, understanding cyber threats relevant to specific organisations is crucial to being able to detect and respond to an attack when it occurs.
“Understanding the threat landscape is expensive and time-consuming,” he said. “If you don’t understand the threats to your business, you don’t stand a chance at defending yourself properly. Blindly throwing money at the problem doesn’t solve it either. We continue to see companies suffer from unsophisticated breaches despite having spent millions on security.”
A newly released report by security firm AttackIQ and the Ponemon Institute reveals that while companies are spending $18.4m on average a year on cyber security, 53% of more than 570 US IT security practitioners admit they do not know how well the cyber security tools they have deployed are working.
Nearly two-thirds (63%) of respondents said they have observed a security control reporting it blocked an attack when it actually failed to do so, while only 39% said they are getting full value from their security investments.
The report shows that nearly 200,000 phishing domains were discovered during an 18-month period from December 2018 and May 2019. Of those, 66% targeted consumers directly, with half impacting companies in the financial services industry.
In addition to the unique phishing attempts, there were also 3.5 billion attempts to carry out credential stuffing attacks, which make use of automated trial of stolen username and password pairs to gain control of user accounts, putting the personal data and banking information of customers at risk.
“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai.
“Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create,” she said. “We’re seeing a whole economy developing to target financial services organisations and their consumers.”
Criminals recycling old attack methods
In addition to underlining the need to move away from password-based access to online accounts, the Akamai report highlights that criminals continue to recycle old attack methods.
According to the report, 94% of observed attacks against the financial services sector came from one of just four well-known methods: SQL injection (SQLi), local file inclusion (LFI), cross-site scripting (XSS), and OGNL Java Injection, which was famous due to the Apache Struts vulnerability at the heart of the Equifax breach in 2017, and continues to be used by attackers years after patches were issued.
The report also warns that in the financial services industry, criminals have also started launching DDoS attacks as a distraction to conduct credential stuffing attacks or to exploit a web-based vulnerability. Over the course of 18 months, Akamai uncovered more than 800 DDoS attacks against the financial services industry alone.
“Attackers are targeting financial services organisations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay.
“Businesses are becoming better at detecting and defending against these attacks, but point defences are bound to fail,” he said. “It requires being able to detect, analyse and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”