Ransomware, Trojans and Fraud, Oh My! Tracking Recent Cybercrime Trends and Patterns
Throughout the years, banks have expanded their services by offering an ever-evolving set of online capabilities. As a result, financial institutions have become an obvious target for cybercrime and have been quick to deploy various layers of protection to keep their customers safe.
For cybercriminals, grabbing money online is a day job. Many operate like startup companies, consistently evolving their methodologies and tools and then measuring their return on investment (ROI). With banks adapting customer account protections and traditional cybercrime tools becoming less effective, we have observed a few key changes in criminal operation patterns.
Cybercrime Trends Are Shifting
In its “2016 Internet Crime Report,” the FBI’s Internet Crime Complaint Center (IC3) revealed that account takeover and identity theft claims had decreased by 23 percent since 2015, while the average loss per incident increased by 33 percent to $3,491.
This change can be attributed to fraudsters’ efforts to optimize their ROI by focusing more on attacking commercial and treasury banking customers. These customers are attacked using more targeted, well-planned methodologies such as remote-access Trojans (RATs), business email compromise (BEC) and email account compromise (EAC). The FBI IC3 report showed a 53 percent increase in BEC/EAC attacks from 2015 to 2016 and a 46 percent increase in the monetary losses associated with these incidents, scaling up to more than $360 million in 2016.
Repurposing Malware for Ransomware
Of course, cybercriminals have not forgotten retail banking users. They seem to have learned that it can be easier to extort money from victims directly rather than siphon funds from their bank accounts. To facilitate that, they have figured out ways to reuse some of the advanced malware capabilities they already have to act as ransomware.
Ransomware is a form of malware that blocks system access or threatens to publish data until a sum of money is paid. Examples include Gameover Zeus, which distributed CryptoLocker ransomware, and the Gozi banking Trojan, which fraudsters combined with the Nymaim ransomware downloader to create the GozNym banking malware.
Another example is Svpeng, which was turned from credential-stealing malware into ransomware that impersonates the FBI and demands a payoff to release the victims’ devices from lockdown.
Figure 1: Svpeng used to steal credentials and credit card information.
Figure 2: Svpeng used as ransomware with fake FBI allegations and payment demands.
The FBI IC3 reported a 63 percent year-over-year increase in the average ransom payment per incident from 2014 to 2016, peaking at $910 in 2016.
Loyalty Fraud on the Rise
Cybercriminals have been aiming for an even more accessible target. New virtual currencies such as airline miles and loyalty points, which allow fraudsters to cash out through gift cards, have been suffering from increasing levels of fraud.
According to the Loyalty Fraud Association, 72 percent of airline loyalty programs have issues with fraud. Furthermore, 30 percent of airline programs reported that the problem was growing rapidly each year. The FBI IC3 report also supported these cybercrime trends, showing a year-over-year average increase of 30 percent in phishing, vishing and smishing attacks from 2014 to 2016.
Stealing Identities to Break Accounts
Stealing credentials and circumventing two-factor authentication is complex. With the immense amount of personal information available on the Dark Web, it is easier to create fake accounts using synthetic identities based on stolen information. Such an account can be used to apply for new credit lines on the victim’s behalf, to gain access to pension funds for users who never established digital access, or to accumulate loyalty points for users who shop exclusively in brick-and-mortar shops.
Scams such as these allow attackers to control the authentication details for the account, since they were the ones to register it in the first place. Validating legitimate customer identities is a challenging and costly task for businesses in many industries, including banking, insurance, payment services and retail.
Retail and banking institutions must adopt higher security measures to decrease fraud. Business and treasury managers should implement dual-authorization processes to help verify that any money transfer instructions are coming from the legitimate business counterpart, colleague or customer requesting it — not from fraudsters.
Airlines and loyalty programs are starting to adopt stricter security measures for account access, but are still mostly behind the curve in protecting accounts. Customers should demand better protection of their accounts, since, in many cases, they will not be reimbursed for lost miles or points.
With ransomware campaigns such as WannaCry and Petya on the rampage, businesses and individuals must have robust and continuous data backup solutions in place for both devices and storage servers. Customers should be diligent in checking their statement balances and tracking their points themselves. Even more importantly, both consumers and businesses must stay abreast of emerging cybercrime trends to stay one step ahead of fraudsters looking to monetize their sensitive data.