Financial institutions are vulnerable to attacks. Most don’t advertise the fact, but with one zero-day threat after another emerging, it’s impossible to avoid the obvious. In a recent Washington Post article, Kaspersky Lab Managing Director Christopher B. Doggett describes how, during an IT security penetration test, his team hacked a large, publicly traded financial company in less than 15 minutes. However, this isn’t the only attack vector. A new IBM study dives into the world of financial malware and uncovers the truth: It’s everywhere.

Effective Protection Against Financial Malware?

To deal with the malware problem, most financial institutions use a combination of authentication protocols, anomaly detection and device ID approaches to catch fraudsters in the act. The problem? These techniques are hit-or-miss. The Trusteer study points out that “today’s cybercriminals are aware of the fraud prevention technologies deployed by most financial institutions, and they design attacks to circumvent these controls.”

Authentication can be bypassed with social engineering tools, which supply malware creators with legitimate login information, while transaction detection and device ID solutions often lack accuracy and create thousands of false positives that must be cleared by IT staff. At best, this wastes resources checking legitimate transactions. At worst, the overflow of alerts negatively affects the customer experience.

Perks of Being a Wallflower

To bypass bank security and obtain login credentials, cybercriminals rely on social engineering. Put simply, they need a way to convince users that downloading malicious attachments or infecting their own computer is a good idea. Doing so is actually quite simple. For example, fraudsters might create emails that appear to be from a user’s bank and include everything from actual logos to contact information. The email typically asks customers to confirm their identity as a way to avoid fraud, when, in fact, “confirming” ID precipitates this fraud. In effect, malware creators rely on human sociability as a way to effectively undermine common sense. The bottom line? Login credentials should never be given when replying to any email, no matter how legitimate it looks.

You’re Infected!

Cybercriminals also use a number of other methods to infect computers. For example, they may create emails with fake attachments that include a malware payload, or pay for advertising space on social media or popular websites, and then infect these ads with malicious JavaScript. Some create infection services or downloaders, which they sell to other malware users as a way to infect multiple machines. Finally, certain applications or Internet browsers contain vulnerabilities that let fraudsters introduce a malware payload that infects a machine without any user action. For example, a recent ZDNet article notes that supposedly secure Google Chrome variant Aviator was recently hacked by Google engineers.

Taking What’s Yours

After infecting victims, malware creators still need to grab information that matters. According to Trusteer, this happens in one of several ways. Perhaps the simplest method is taking screenshots of customers’ login screens and then emailing this information to a malware command-and-control server. Some malware relies on keylogging to obtain usernames and passwords, while other variants prefer to hijack session cookies and create legitimate-looking copies.

It is also possible to redirect browsers to supposedly secure websites by altering Domain Name System (DNS) configurations. This lets fraudsters grab credentials from multiple users at once rather than infecting machines one at a time. More recent variants include financial malware targeting ICS/SCADA networks, disguised as human-machine interface (HMI) device drivers and other files. Dark Reading notes that while ICS/SCADA networks are always on the alert for a new Stuxnet or similar Trojan, they are “soft targets” when it comes to financial fraud.

The Execution

The final step in the process is the execution, which falls under several broad categories. In account takeover attacks, cybercriminals use their own devices to access customers’ accounts and perform fraudulent transactions. These attacks are often short-lived since financial institutions are now on the lookout for the systematic movement of money in large volumes or to strange locations. It is also possible for malicious actors to use automated transaction systems to alter legitimate transactions on the fly.

These criminal acts are harder to detect because the original transaction was initiated by the user and changed in the middle of the approval process. In most cases, funds are diverted to mule accounts and then transferred again to put distance between fraudsters and their victims. Those with mule accounts often believe they are receiving payment after being recruited online for “legitimate” work such as mystery shopping or evaluating the service of money transfer companies.
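As an added example (not from the article or the Trusteer study it cites), a minimal rule-based screen over constructed transaction records that flags the two execution patterns described above: a transaction that no longer matches what the customer confirmed, and an account-takeover pattern (unfamiliar device plus an unusually large or foreign transfer to a new beneficiary). The field names, per-user baselines and thresholds are assumptions; it also shows why a new device alone is deliberately not treated as fraud, given the false-positive problem noted earlier.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    user: str
    device_id: str
    amount: float
    payee: str
    country: str
    confirmed_amount: float   # amount the customer saw and approved
    confirmed_payee: str      # beneficiary the customer saw and approved

# Constructed per-user baselines (hypothetical; a real system derives these from history).
KNOWN_DEVICES = {"alice": {"dev-1"}, "bob": {"dev-7"}}
KNOWN_PAYEES = {"alice": {"utility-co"}, "bob": {"landlord"}}
HOME_COUNTRY = {"alice": "US", "bob": "US"}
TYPICAL_MAX = {"alice": 500.0, "bob": 1200.0}

def screen(t: Txn) -> list:
    """Return reason codes for a transaction; an empty list means it looks ordinary."""
    reasons = []
    # Mid-approval tampering: the submitted transaction differs from what the
    # customer confirmed, which is the signature of on-the-fly alteration.
    if t.amount != t.confirmed_amount or t.payee != t.confirmed_payee:
        reasons.append("altered_after_confirmation")
    # Account takeover: unfamiliar device AND (large or foreign) AND a beneficiary
    # this customer has never paid. Requiring all three keeps a customer who
    # simply logs in from a new phone to pay a known payee out of the alert queue.
    new_device = t.device_id not in KNOWN_DEVICES.get(t.user, set())
    unusual = t.amount > TYPICAL_MAX.get(t.user, 0.0) or t.country != HOME_COUNTRY.get(t.user)
    new_payee = t.payee not in KNOWN_PAYEES.get(t.user, set())
    if new_device and unusual and new_payee:
        reasons.append("account_takeover_pattern")
    return reasons

def screen_batch(txns: list) -> dict:
    """Map each transaction index to its reason codes, keeping only flagged ones."""
    return {i: r for i, t in enumerate(txns) if (r := screen(t))}

# Constructed sample batch: ordinary, tampered, takeover, and new-device-but-benign.
SAMPLE = [
    Txn("alice", "dev-1", 120.0, "utility-co", "US", 120.0, "utility-co"),
    Txn("alice", "dev-1", 120.0, "mule-acct-01", "US", 120.0, "utility-co"),
    Txn("bob", "dev-99", 4000.0, "unknown-payee", "ZZ", 4000.0, "unknown-payee"),
    Txn("bob", "dev-99", 300.0, "landlord", "US", 300.0, "landlord"),
]

if __name__ == "__main__":
    for i, reasons in screen_batch(SAMPLE).items():
        print(i, reasons)
```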

Bank On It?

Ultimately, financial malware creates a disconnect between banks and consumers. Banks are held responsible for the safety of customer accounts, but in many cases, customers are tricked into giving up their information. Solving the problem requires a two-pronged effort. Banks must invest in multilayered protection that can track the entire fraud life cycle, while users must be careful to safeguard their credentials and report any suspicious activity they encounter online. Malware threats are on the rise, and the financial fraud life cycle is growing.

Breaking the bank has become common practice — but it isn’t an inevitability.
