Throughout the years, banks have expanded their services by offering an ever-evolving set of online capabilities. As a result, financial institutions have become an obvious target for cybercrime and have been quick to deploy various layers of protection to keep their customers safe.

Cybercriminals treat grabbing money online as a day job. Many operate like startup companies, consistently evolving their methodologies and tools and then measuring their return on investment (ROI). With banks adapting their customer account protections and traditional cybercrime tools becoming less effective, we have observed a few key changes in criminal operation patterns.

Cybercrime Trends Are Shifting

In its “2016 Internet Crime Report,” the FBI’s Internet Crime Complaint Center (IC3) revealed that account takeover and identity theft claims had decreased by 23 percent since 2015, while the average loss per incident increased by 33 percent to $3,491.

This change can be attributed to fraudsters’ efforts to optimize their ROI by focusing more on attacking commercial and treasury banking customers. These customers are attacked using more targeted, well-planned methodologies such as remote-access Trojans (RATs), business email compromise (BEC) and email account compromise (EAC). The FBI IC3 report showed a 53 percent increase in BEC/EAC attacks from 2015 to 2016 and a 46 percent increase in the monetary losses associated with these incidents, scaling up to more than $360 million in 2016.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Repurposing Malware for Ransomware

Of course, cybercriminals have not forgotten retail banking users. They seem to have learned that it can be easier to extort money from victims directly rather than siphon funds from their bank accounts. To facilitate that, they have figured out ways to reuse some of the advanced malware capabilities they already have to act as ransomware.

Ransomware is a form of malware that blocks system access or threatens to publish data until a sum of money is paid. Examples include Gameover Zeus, which distributed CryptoLocker ransomware, and the Gozi banking Trojan, which fraudsters combined with the Nymaim ransomware downloader to create the GozNym banking malware.

Another example is Svpeng, which was turned from credential-stealing malware into ransomware, impersonating the FBI and demanding a payoff to release the victims’ devices from lockdown.

Figure 1: Svpeng used to steal credentials and credit card information.

Figure 2: Svpeng used as ransomware with fake FBI allegations and payment demands.

The FBI IC3 reported a 63 percent year-over-year increase in the average ransom payment per incident from 2014 to 2016, peaking at $910 in 2016.

Loyalty Fraud on the Rise

Cybercriminals have been aiming for an even more accessible target. New virtual currencies such as airline miles and loyalty points, which allow fraudsters to cash out through gift cards, have been suffering from increasing levels of fraud.

According to the Loyalty Fraud Association, 72 percent of airline loyalty programs have issues with fraud. Furthermore, 30 percent of airline programs reported that the problem was growing rapidly each year. The FBI IC3 report also supported these cybercrime trends, showing a year-over-year average increase of 30 percent in phishing, vishing and smishing attacks from 2014 to 2016.

Stealing Identities to Break Accounts

Stealing credentials and circumventing two-factor authentication are complex. With the immense amount of personal information available on the Dark Web, it is easier to create fake accounts using synthetic identities based on stolen information. Such an account can be used to apply for new credit lines on the victim’s behalf, to gain access to pension funds belonging to users who never established digital access, or to accumulate loyalty points on behalf of users who shop exclusively in brick-and-mortar shops.

Scams such as these allow attackers to control authentication details to the account, since they were the ones to register it in the first place. Validating legitimate customer identities is a challenging and costly task for businesses in many industries, including banking, insurance, payment services and retail.

Fighting Fraud

Retail and banking institutions must adopt higher security measures to decrease fraud. Business and treasury managers should implement dual-authorization processes to help verify that any money transfer instructions are coming from the legitimate business counterpart, colleague or customer requesting it — not from fraudsters.
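The dual-authorization (four-eyes) control recommended above can be expressed as a small approval rule set: a payment instruction is released only after approval by the required number of distinct, authorized approvers, and the person who created the instruction can never be one of them. The following Python is an added illustration written for this article, not code from IBM or from any bank’s payment system; the role names, approval threshold and sample transfer are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class TransferRequest:
    """A money transfer instruction awaiting release (constructed example type)."""
    request_id: str
    initiator: str          # principal who keyed in the instruction
    beneficiary: str
    amount: float
    approvals: set = field(default_factory=set)   # distinct approvers so far


class DualAuthorization:
    """Four-eyes control for outgoing payments.

    Rules enforced:
      * only principals in the approver group may approve;
      * the initiator may never approve their own instruction (separation of duties);
      * the same approver approving twice counts once (approvals is a set);
      * transfers at or above `threshold` need `required` distinct approvals,
        smaller ones need one approval that is still not the initiator.
    Threshold and role names are assumptions for this example.
    """

    def __init__(self, approvers, required=2, threshold=10_000.0):
        self.approvers = set(approvers)
        self.required = required
        self.threshold = threshold

    def approve(self, req: TransferRequest, approver: str) -> int:
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorized approver")
        if approver == req.initiator:
            raise PermissionError("initiator may not approve their own instruction")
        req.approvals.add(approver)
        return len(req.approvals)

    def releasable(self, req: TransferRequest) -> bool:
        needed = self.required if req.amount >= self.threshold else 1
        return len(req.approvals) >= needed


def run_demo() -> dict:
    """Walk one constructed high-value transfer through the control and
    record each decision, so the behaviour can be checked by a caller."""
    ctl = DualAuthorization(approvers={"cfo", "controller", "treasurer"},
                            required=2, threshold=10_000.0)
    req = TransferRequest("TX-0001", initiator="treasurer",
                          beneficiary="Example Supplier Ltd", amount=25_000.0)
    outcome = {}

    # The treasurer keyed the instruction in, so the treasurer cannot release it.
    try:
        ctl.approve(req, "treasurer")
        outcome["self_approval"] = "allowed"
    except PermissionError:
        outcome["self_approval"] = "rejected"

    # A principal outside the approver group is refused outright.
    try:
        ctl.approve(req, "intern")
        outcome["unauthorized"] = "allowed"
    except PermissionError:
        outcome["unauthorized"] = "rejected"

    # One approver clicking twice still counts as a single approval.
    ctl.approve(req, "cfo")
    ctl.approve(req, "cfo")
    outcome["after_one_approver"] = ctl.releasable(req)

    # A second, distinct approver completes the four-eyes requirement.
    ctl.approve(req, "controller")
    outcome["after_two_approvers"] = ctl.releasable(req)
    outcome["approval_count"] = len(req.approvals)
    return outcome


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The point of the separation-of-duties check is that a fraudster who has compromised the initiator’s mailbox or workstation (the BEC/EAC scenario described earlier) still cannot release funds alone; a second person, reached through a channel the attacker does not control, has to concur.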

Airlines and loyalty programs are starting to adopt stricter security measures for account access, but are still mostly behind the curve in protecting accounts. Customers should demand better protection of their accounts, since, in many cases, they will not be reimbursed for lost miles or points.

With ransomware campaigns such as WannaCry and Petya on the rampage, businesses and individuals must have robust and continuous data backup solutions in place for both devices and storage servers. Customers should be diligent in checking their statement balances and tracking their points themselves. Even more importantly, both consumers and businesses must stay abreast of emerging cybercrime trends to stay one step ahead of fraudsters looking to monetize their sensitive data.
