This week, the FBI warned financial institutions about malware attacks that are targeting their employees to steal login credentials. Although financial malware such as Zeus and SpyEye have been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising employee bank accounts is relatively new. We are not surprised by this development. Last year, IBM Security predicted that 2012 would be the year financial malware would be used to attack enterprises.

So, why is this happening?

Web Fraud Detection Investments Starting to Pay Off

According to the 2012 Web Fraud Detection (WFD) Magic Quadrant report, many WFD customers reported fraud reduction rates of 80 percent or more. Banks are simply doing a better job of protecting against malware today than they did in the past. With their livelihood at stake, criminal gangs are now looking to get a foothold deep inside financial institutions to bypass controls that are standing in the way of their financial fraud schemes. They are now attacking bank employees with the same advanced malware and extensive mule and money laundering processes used to commit fraud against online banking users.

Enterprise Security Is Not Effective Against Malware Attacks

Most financial institutions implement controls such as antivirus protection on endpoint devices and intrusion prevention systems on networks. Both are evaded by malware kits that are readily available in the underground market. IBM Security intelligence has found that the infection rate of enterprise endpoints can reach up to 4 percent, as calculated on an annual basis. Over the past 12 months, one large U.S. bank has removed or blocked more than 20 different financial malware families from enterprise endpoints using IBM Security Trusteer Rapport.

Financial Malware Is ‘Maturing’

Earlier this year, we published several blogs on malware attacks targeting enterprise endpoints, including point-of-sale computers, payroll systems and employee VPN access. What did these attacks have in common? They all used garden-variety financial malware Trojans such as Zeus (or one of its many derivatives) and SpyEye.

This FBI report specifically mentions two types of malware attacks: keylogging and remote access tools (RATs). While key-logging has existed for many years, RATs are a relatively new addition to financial malware (e.g., Zeus) toolkits. They have been specifically added to enable pre-attack reconnaissance and attacks on non-browser-based applications on employee endpoints.

So, What Should Financial Organizations Do?

The FBI warning outlines a set of 16 security recommendations that, if followed, should protect against these attacks. However, few organizations can effectively implement all 16 recommendations in a timely manner without adversely affecting employee productivity and existing business processes. IBM recommends that organizations increase their focus on the root cause of these attacks: advanced malware. Organizations should implement security controls that prevent and remove malware infections and stop key-logging, screen-capturing and remote-acess Trojans’ activity.

More from Banking & Finance

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…

SEC Proposes New Cybersecurity Rules for Financial Services

Proposed new policies from the Securities and Exchange Commission (SEC) could spell changes for how financial services firms handle cybersecurity. On Feb. 9, the SEC voted to propose cybersecurity risk management policies for registered investment advisers, registered investment companies and business development companies (funds). Next, the proposal will go through a public comment period until May 9.  The Importance of Cybersecurity in Finance The 2021 X-Force Threat Index found that financial services were the most targeted industry. Manufacturing beat out…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…