Light Dark
January 20, 2015 By Douglas Bonderud 3 min read
Banking & Finance
Data Protection
Fraud Protection
Retail

Financial institutions are vulnerable to attacks. Most don’t advertise the fact, but with threat after zero-day threat emerging, it’s impossible to avoid the obvious. In a recent Washington Post article, Kaspersky Lab Managing Director Christopher B. Doggett describes how during an IT security penetration test, his team hacked a large, publicly traded financial company in less than 15 minutes. However, this isn’t the only attack vector. A new IBM study dives into the world of financial malware and uncovers the truth: It’s everywhere.

Effective Protection Against Financial Malware?

To deal with the malware problem, most financial institutions use a combination of authentication protocols, anomaly detection and device ID approaches to catch fraudsters in the act. The problem? These techniques are hit-or-miss. The Trusteer study points out that “today’s cybercriminals are aware of the fraud prevention technologies deployed by most financial institutions, and they design attacks to circumvent these controls.”

Authentication can be bypassed with social engineering tools, which supply malware creators with legitimate login information, while transaction detection and device ID solutions often lack accuracy and create thousands of false-positives that must be cleared by IT staff. At best, this means wasted resources are used to check legitimate transactions. At worst, this kind of overflow negatively affects the customer experience.

Perks of Being a Wallflower

To bypass bank security and obtain login credentials, cybercriminals rely on social engineering. Put simply, they need a way to convince users that downloading malicious attachments or infecting their own computer is a good idea. Doing so is actually quite simple. For example, fraudsters might create emails that appear to be from a user’s bank and include everything from actual logos to contact information. The email typically asks customers to confirm their identity as a way to avoid fraud, when, in fact, “confirming” ID precipitates this fraud. In effect, malware creators rely on human sociability as a way to effectively undermine common sense. The bottom line? Login credentials should never be given when replying to any email, no matter how legitimate it looks.

You’re Infected!

Cybercriminals also use a number of other methods to infect computers. For example, they may create emails with fake attachments that include a malware payload, or pay for advertising space on social media or popular websites, and then infect these ads with malicious JavaScript. Some create infection services or downloaders, which they sell to other malware users as a way to infect multiple machines. Finally, certain applications or Internet browsers contain vulnerabilities that let fraudsters introduce a malware payload that infects a machine without any user action. For example, a recent ZDNet article notes that supposedly secure Google Chrome variant Aviator was recently hacked by Google engineers.

Taking What’s Yours

After infecting victims, malware creators still need to grab information that matters. According to Trusteer, this happens in one of several ways. Perhaps the simplest method is taking screenshots of customers’ login screens and then emailing this information to a malware command-and-control server. Some malware relies on keylogging to obtain usernames and passwords, while other variants prefer to hijack session cookies and create legitimate-looking copies.

It is also possible to redirect browsers to supposedly secure websites by altering Domain Name System configurations. This lets fraudsters grab credentials from multiple users at once rather than infecting machines one at a time. More recent variants include financial malware targeting ICS/SCADA networks disguised as human machine interface device drivers and other files. Dark Reading notes that while ICS/SCADA networks are always on the alert for a new Stuxnet or similar Trojan, they are “soft targets” when it comes to financial fraud.

The Execution

The final step in the process is the execution, which falls under several broad categories. In account takeover attacks, cybercriminals use their own devices to access customers’ accounts and perform fraudulent transactions. These attacks are often short-lived since financial institutions are now on the lookout for the systematic movement of money in large volumes or to strange locations. It is also possible for malicious actors to use automated transaction systems to alter legitimate transactions on the fly.

These criminal acts are harder to detect because the original transaction was initiated by the user and changed in the middle of the approval process. In most cases, funds are diverted to mule accounts and then transferred again to put distance between fraudsters and their victims. Those with mule accounts often believe they are receiving payment after being recruited online for “legitimate” work such as mystery shopping or evaluating the service of money transfer companies.

Bank On It?

Ultimately, financial malware creates a disconnect between banks and consumers. Banks are held responsible for the safety of customer accounts, but in many cases, customers are tricked into giving up their information. Solving the problem requires a two-pronged effort. Banks must invest in multilayered protection that can track the entire fraud life cycle, while users must be careful to safeguard their credentials and report any suspicious activity they encounter online. Malware threats are on the rise, and the financial fraud life cycle is growing.

Breaking the bank has become common practice — but it isn’t an inevitability.]

 |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from Banking & Finance
March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

January 26, 2024

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature