Financial institutions are vulnerable to attacks. Most don’t advertise the fact, but with threat after zero-day threat emerging, it’s impossible to avoid the obvious. In a recent Washington Post article, Kaspersky Lab Managing Director Christopher B. Doggett describes how during an IT security penetration test, his team hacked a large, publicly traded financial company in less than 15 minutes. However, this isn’t the only attack vector. A new IBM study dives into the world of financial malware and uncovers the truth: It’s everywhere.

Effective Protection Against Financial Malware?

To deal with the malware problem, most financial institutions use a combination of authentication protocols, anomaly detection and device ID approaches to catch fraudsters in the act. The problem? These techniques are hit-or-miss. The Trusteer study points out that “today’s cybercriminals are aware of the fraud prevention technologies deployed by most financial institutions, and they design attacks to circumvent these controls.”

Authentication can be bypassed with social engineering tools, which supply malware creators with legitimate login information, while transaction detection and device ID solutions often lack accuracy and generate thousands of false positives that IT staff must clear by hand. At best, this means resources are wasted checking legitimate transactions. At worst, the backlog of alerts degrades the customer experience.

Perks of Being a Wallflower

To bypass bank security and obtain login credentials, cybercriminals rely on social engineering. Put simply, they need a way to convince users that downloading malicious attachments or infecting their own computer is a good idea. Doing so is actually quite simple. For example, fraudsters might create emails that appear to be from a user’s bank and include everything from actual logos to contact information. The email typically asks customers to confirm their identity as a way to avoid fraud, when, in fact, “confirming” ID precipitates this fraud. In effect, malware creators rely on human sociability as a way to effectively undermine common sense. The bottom line? Login credentials should never be given when replying to any email, no matter how legitimate it looks.

You’re Infected!

Cybercriminals also use a number of other methods to infect computers. For example, they may create emails with fake attachments that include a malware payload, or pay for advertising space on social media or popular websites, and then infect these ads with malicious JavaScript. Some create infection services or downloaders, which they sell to other malware users as a way to infect multiple machines. Finally, certain applications or Internet browsers contain vulnerabilities that let fraudsters introduce a malware payload that infects a machine without any user action. For example, a recent ZDNet article notes that supposedly secure Google Chrome variant Aviator was recently hacked by Google engineers.

Taking What’s Yours

After infecting victims, malware creators still need to grab information that matters. According to Trusteer, this happens in one of several ways. Perhaps the simplest method is taking screenshots of customers’ login screens and then emailing this information to a malware command-and-control server. Some malware relies on keylogging to obtain usernames and passwords, while other variants prefer to hijack session cookies and create legitimate-looking copies.

It is also possible to redirect browsers to supposedly secure websites by altering Domain Name System configurations. This lets fraudsters grab credentials from multiple users at once rather than infecting machines one at a time. More recent variants include financial malware targeting ICS/SCADA networks disguised as human-machine interface device drivers and other files. Dark Reading notes that while ICS/SCADA networks are always on the alert for a new Stuxnet or similar Trojan, they are “soft targets” when it comes to financial fraud.

The Execution

The final step in the process is the execution, which falls under several broad categories. In account takeover attacks, cybercriminals use their own devices to access customers’ accounts and perform fraudulent transactions. These attacks are often short-lived since financial institutions are now on the lookout for the systematic movement of money in large volumes or to strange locations. It is also possible for malicious actors to use automated transaction systems to alter legitimate transactions on the fly.

These criminal acts are harder to detect because the original transaction was initiated by the user and changed in the middle of the approval process. In most cases, funds are diverted to mule accounts and then transferred again to put distance between fraudsters and their victims. Those with mule accounts often believe they are receiving payment after being recruited online for “legitimate” work such as mystery shopping or evaluating the service of money transfer companies.
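The two execution patterns above call for two different checks on the bank's side: an in-flight alteration is caught by binding the transfer to what the customer actually confirmed, while an account takeover is caught by scoring the request against the customer's normal behaviour. The following is an added illustration, not code from the article or from Trusteer; the HMAC-bound confirmation step, the profile fields and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

CONFIRM_KEY = b"demo-confirmation-key"  # constructed; keep real keys in an HSM/KMS

@dataclass(frozen=True)
class Transfer:
    account: str    # customer's account
    device_id: str  # device fingerprint presented with the request
    payee: str      # destination account
    amount: float
    country: str    # destination country

def confirmation_digest(t: Transfer, key: bytes = CONFIRM_KEY) -> str:
    """Bind the details the customer confirmed out-of-band (e.g. in an app prompt)."""
    msg = f"{t.account}|{t.payee}|{t.amount:.2f}|{t.country}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def was_tampered(confirmed: str, executed: Transfer, key: bytes = CONFIRM_KEY) -> bool:
    """True if the transfer about to execute differs from what was confirmed."""
    return not hmac.compare_digest(confirmed, confirmation_digest(executed, key))

def takeover_signals(t: Transfer, profile: dict) -> list:
    """Account-takeover indicators: unknown device, new payee, odd destination, high value."""
    signals = []
    if t.device_id not in profile["known_devices"]:
        signals.append("new_device")
    if t.payee not in profile["known_payees"]:
        signals.append("new_payee")
    if t.country != profile["home_country"]:
        signals.append("foreign_destination")
    if t.amount > 3 * profile["avg_amount"]:
        signals.append("high_value")
    return signals

def decision(t: Transfer, profile: dict, confirmed: str) -> str:
    """Tampering blocks outright; otherwise escalate on signal count so one weak signal is not a false positive."""
    if was_tampered(confirmed, t):
        return "block"
    n = len(takeover_signals(t, profile))
    return "block" if n >= 3 else ("step_up_auth" if n >= 1 else "allow")

# Constructed sample: a customer profile and the transfer they confirmed.
PROFILE = {"known_devices": {"dev-A"}, "known_payees": {"ACC-LANDLORD"},
           "home_country": "US", "avg_amount": 400.0}
CONFIRMED = Transfer("ACC-1", "dev-A", "ACC-LANDLORD", 1200.0, "US")
CONFIRMED_DIGEST = confirmation_digest(CONFIRMED)
# Same request after an in-flight payee swap to a mule account.
REROUTED = Transfer("ACC-1", "dev-A", "ACC-MULE-77", 1200.0, "US")
```

The rerouted transfer is blocked even though it comes from the customer's own device, because the bank compares what it is about to execute with what was confirmed rather than with who submitted it.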

Bank On It?

Ultimately, financial malware creates a disconnect between banks and consumers. Banks are held responsible for the safety of customer accounts, but in many cases, customers are tricked into giving up their information. Solving the problem requires a two-pronged effort. Banks must invest in multilayered protection that can track the entire fraud life cycle, while users must be careful to safeguard their credentials and report any suspicious activity they encounter online. Malware threats are on the rise, and the financial fraud life cycle is growing.

Breaking the bank has become common practice — but it isn’t an inevitability.
