The cost of addressing and containing cyberattacks is now higher for financial services companies than for any other industry, according to a recent Ponemon Institute report. The average annualized cost of cybercrime for financial services companies globally now stands at $18.5 million. The time needed to resolve an incident has a significant impact on the business: it takes around 34 days to contend with a ransomware attack and 26 days for a web-based attack.
Cybercriminals attacking financial services companies target every available attack surface, including people, processes, networks and infrastructure.
The goal of cybercriminals is always money, as Akamai’s 2019 State of the Internet / Security Financial Services Attack Economy Report points out. “Whether it is phishing, credential abuse, distributed denial of service (DDoS) or another type of tool, money is the goal – and the entire ecosystem is built around it,” says Steve Ragan, Senior Technical Writer on the report.
“Some of the groups link and layer attacks to stay under the radar; others smash and grab when they can. A lot of attacks over time do go by the wayside once proper defenses are deployed against them. The criminals then need to come up with new ways to avoid the mousetrap,” he adds.
Credential stuffing still out in front
While financial organizations have become better at dealing with credential stuffing, it is still a very popular method of attack. Credential stuffing is the automated replay of breached username and password combinations against a login page in order to gain fraudulent access to users' accounts; it works because people reuse passwords across sites.
Attackers use all-in-one (AIO) applications to automate credential stuffing at scale. AIO applications are easy to get and inexpensive. Ragan says that popular tools such as SNIPR can be picked up for as little as $20. Cybercriminals also need a combination list ("combo list") of credentials to feed into the tool. These come from leaked password dumps and from copies of unsecured databases, and are traded on the dark web. The price of a list depends on how well it has been stripped of junk. For example, a list of 50,000 email addresses and passwords that has been sorted by mail provider and location could go for about $5.50, according to Martin McKay, Security Researcher and Senior Editor on the Akamai report. A list focused on a local bank, for example, could fetch triple that amount.
"These lists are taken and blasted against every Internet property you can think of, including financial services," explains Ragan. Akamai's research counted a colossal 3.5 billion credential stuffing attempts against the financial services sector during an 18-month period.
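The replay pattern described above has a recognizable signature in authentication logs: one source making many login attempts spread across many distinct usernames with a very low success rate, which is what distinguishes a combo-list replay from a brute force against one account or from a legitimate user mistyping a password. The following detector is an added example, not code from Akamai or from the article, and assumes a hypothetical log line format of `<ISO timestamp> ip=<addr> user=<name> result=<success|failure>`; the sample log lines it runs over are constructed, not real traffic.

```python
"""Flag credential stuffing in authentication logs.

Added example, not code from Akamai or the article. Assumes a hypothetical
log line format:  <ISO timestamp> ip=<addr> user=<name> result=<success|failure>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                     m["result"] == "success")


def detect_stuffing(lines, window=timedelta(minutes=10), min_attempts=20,
                    min_users=10, max_success_ratio=0.1):
    """Return {ip: summary} for sources whose login pattern looks like stuffing.

    Stuffing signature: many attempts from one source, spread across many
    distinct usernames, with a low success ratio (a combo list being replayed).
    A brute force against one account fails the distinct-user test; a legitimate
    user fumbling a password fails the volume test.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):          # sliding time window over this IP's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e.user for e in win}
            successes = [e.user for e in win if e.success]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                # keep the largest qualifying window as the summary for this IP
                if best is None or len(win) > best["attempts"]:
                    best = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": len(successes),
                        # accounts the attacker actually got into: reset these first
                        "compromised": sorted(set(successes)),
                    }
        if best:
            flagged[ip] = best
    return flagged


def sample_log():
    """Constructed log lines (not real traffic) covering three behaviours."""
    base = datetime(2019, 5, 1, 12, 0, 0)
    lines = []
    # 1) stuffing: 40 attempts over about 3 minutes, 35 distinct users, 2 hits
    for i in range(40):
        result = "success" if i in (3, 17) else "failure"
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} ip=203.0.113.7 user=user{i % 35} result={result}")
    # 2) brute force: 30 failures against a single account
    for i in range(30):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} ip=198.51.100.9 user=alice result=failure")
    # 3) legitimate user: three typos, then success
    for i, result in enumerate(["failure", "failure", "failure", "success"]):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} ip=192.0.2.5 user=bob result={result}")
    lines.append("garbage line that the parser should skip")
    return lines


def run_sample():
    """Run the detector over the constructed log and return the flagged sources."""
    return detect_stuffing(sample_log())


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```

Only the first source is flagged; the single-account brute force and the fumbling user are not. A per-IP heuristic like this is deliberately coarse: AIO tools rotate through proxy pools to stay under per-source thresholds, so a production detector also needs per-account and per-fingerprint views, and the `compromised` list is the part worth acting on immediately.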
Phishing continues to be a problem
Alongside credential stuffing, phishing remains a top threat to the financial services industry and its customers, despite investment being made in awareness campaigns.
Akamai’s report found that half of all unique organizations impacted by observed phishing domains were from the financial services industry. In addition, between December 2, 2018 and May 4, 2019 nearly 200,000 phishing domains were discovered. Half of these were targeting customers directly.
“Criminals supplement existing stolen credential data through phishing, and then one way to make money is by hijacking or reselling the list they create. We are seeing a whole economy developing to target financial services organizations and their consumers,” says McKay.
Both Ragan and McKay stress the importance of fighting phishing. Not only do such attacks dent the reputation of a financial institution, but they also put the identities and financial security of customers at risk every time an attack succeeds. Some sophisticated phishing kits do not stop at usernames and passwords; they also harvest credit card details, for example. All of this data can be sold on the dark web or used directly for fraud.
Another type of phishing attack that is having a serious impact on financial institutions is business email compromise (BEC), in which the attacker impersonates an executive or a trusted supplier to dupe victims into transferring funds directly or releasing personal financial records. According to FBI figures, BEC attacks resulted in $1.2 billion of losses in 2018.
Hiding behind DDoS attacks
DDoS attacks may not be the most common attacks in the financial services sector, but they are important because they are used as a distraction mechanism by cybercriminals.
DDoS attacks are launched as a smokescreen to keep defenders busy while the attacker runs credential stuffing or exploits a web-based vulnerability elsewhere. During the 18-month window between November 2017 and April 2019, Akamai found that 40% of unique DDoS targets were in the financial services sector.
Because cybercriminals use a range of DDoS techniques, Ragan and McKay recommend that financial institutions stay ahead of the curve by defending against the full range of attack types, rather than only the one or two most common ones.
Following a successful campaign, cybercriminals need to process their stolen data and funds. One way of doing this is via "bank drops": packages of stolen personal data that can be used to fraudulently open accounts. Attackers log in to these accounts through remote desktop servers whose geographic location is matched to the bank and to the stolen identity, so that the activity appears to come from where the account holder lives. Bank drops sell on the black market for $150 upwards, depending on the personal data in the bundle.
Financial institutions are working overtime to track these fraudulent accounts and close them. Cashing out, however, is labor intensive for cybercriminals and comes with a very high degree of risk, which is why they are increasingly using “money mules” to do the job, according to the Akamai report. Others are using digital currencies to buy physical goods and sell them on the open market to cash out their ill-gotten funds.
There is a ring of fire between financial institutions and cybercriminals that is only going to get bigger. The financial institutions that cybercriminals target are the very organizations that they need to cash out their stolen funds.
Due to heightened security and tighter global regulatory controls, financial institutions are making headway in their fight against cyberattacks, and they are no longer seen as easy targets – but they are still targets just the same.
Jan has been writing about technology for over 22 years for magazines and websites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.