Safer Deposits: Beating the Cyber-threats Targeting Banks
By Gadi Naveh, Threat Prevention Evangelist, Check Point Software Technologies, Ltd
When the prolific career criminal Willie Sutton was asked why he specifically targeted banks, he reportedly replied: “Because that’s where the money is.” So it’s no surprise that cyberattacks against banks have increased over the past two years. However, just like legitimate businesses, criminals must occasionally change their model when their methods and processes are not as effective, or profitable, as they once were. Over 2015 and into 2016, Check Point’s researchers found that criminals have been ramping up ransomware attacks, while scaling back on the use of banking Trojans and phishing emails. It’s easy to understand why: ransomware is enabling criminals to steal smarter, not harder.
Raiding online bank accounts used to be as easy as 1-2-3: drive customers to an authentic-looking fake copy of an online banking website, capture users’ login credentials, and then log onto the real websites to transfer funds to a mule account. Now, attackers must contend with 2-factor authentication for connecting to the bank’s website from users’ recognized devices. Additionally, funds transfers can trigger fraud systems that block transfers and freeze accounts. Threat actors must also customize content to spoof each target bank’s website – all of which is making theft using these approaches harder for criminals. So instead, criminals have turned their attention to attacking banks’ core systems and networks, as we’ve seen in three attacks this year.
One of the most notorious incidents occurred earlier this year, when a massive $81 million was stolen from the Bangladesh Bank via an attack on the SWIFT financial messaging system. The attack was actually only identified when Deutsche Bank spotted a suspicious typo in a transfer request and raised an alert: otherwise the criminals might have made off with $951 million. This sophisticated attack, which used a combination of inside knowledge and purpose-designed malware, underlines just how insidious and patient the hackers were. And this was only the largest of a series of attacks targeting vulnerabilities in the SWIFT network during 2016.
More recently, Tesco Bank was forced to pay out £2.5 million to customers, after money was stolen from around 20,000 accounts. Initial analysis suggested that this was an ‘inside job’, in which an employee or contractor with the appropriate credentials stole customers’ details en masse. Again, rather than targeting individual account holders for their login credentials, the attackers went straight to the source.
"With this mix of comprehensive protection against new malware and threats, and employee awareness of cyber risks, there’s the best possible chance that cybercriminal’s future heist attempts will not pay"
And in November 2016, new ATM-targeting malware was discovered that causes cash machines to deliver money on demand: it is thought the malware propagates across banks' central systems from a central command and control server to infect communities of ATMs simultaneously. Banks across Europe have been affected.
Advanced threat prevention: three principles
The nature of these attacks highlight the need for advanced threat prevention – to stop malware and related attacks taking hold in the first place – reinforced by automated attack forensics on users’ endpoints, which gives security teams visibility into incidents as they are happening, and provides actionable intelligence to help resolve them before they can spread widely. Verizon’s 2016 Data Breach Investigations Report found that in over 80 percent of incidents, the initial compromise took just a few minutes to happen, but days or weeks to detect. As such, it’s critical to stop infections from taking hold on networks in the first place.
Next-generation threat prevention
Next-generation threat prevention solutions can stop new, unknown malware, using advanced sandboxing. This provides a safe environment outside your network that mimics an endpoint device, and tests traffic so that files containing malware are blocked before they enter the network. Document sanitization solutions further reinforce defenses by removing active code, such as macros, from all incoming files and documents, defusing any hidden malicious actions. This sanitization technique is particularly important in blocking the latest generation of ransomware, which uses macros to bypass conventional defences and download the file-encrypting payload, before it can reach and infect the host PC and spread to the network. These techniques add vital reinforcements to existing signature-based defenses, equipping organizations to prevent attacks from constantly-evolving unknown malware – instead of trying to deal with attacks after they have already started.
Smart device defences
A prevention, rather than detection approach to security is particularly relevant to IoT devices, as highlighted by the recent large-scale DDoS attacks using infected smart devices. Given the sheer number of non-IT related devices on corporate networks, including cameras, printers and fax machines, a detection approach simply doesn’t provide the ability to effectively secure a network. For example, a detection strategy could allow an infection to enter networks from a device such as a smart TV, whereas a preventative approach stops the malware before it can pass to the network, by carefully segmenting these devices from core networks using firewalling. This stops lateral movement of infections, helps to cut out infection sources, and blocks smart devices from participating in distributed denial of service (DDoS) attacks.
Education and training
Many of the biggest, most damaging recent cyberattacks against enterprises begin with social engineering – such as the recent whaling attack which cost a European manufacturer over $45M. Sophisticated spear phishing attacks can be extremely convincing, tricking employees into giving up login credentials or personal data. Armed with these legitimate credentials, cybercriminals can have a free run of much of the corporate network – all while leaving little to no sign of malicious activity. This happens at all levels of organizations, with ‘whaling’ attacks against C-level executives on the rise. While accidents and mistakes can never be eliminated entirely, regularly-updated employee education at all levels within the organization, about social engineering tactics can dramatically reduce the risk of an attack being successful.
These principles of advanced, next-generation threat prevention supported by a comprehensive, dynamic program of education and training can help to block the new wave of attacks that are targeting banks’ core systems and networks. With this mix of comprehensive protection against new malware and threats, and employee awareness of cyber risks, there’s the best possible chance that cybercriminal’s future heist attempts will not pay.