Throughout the years, banks have expanded their services by offering an ever-evolving set of online capabilities. As a result, financial institutions have become an obvious target for cybercrime and have been quick to deploy various layers of protection to keep their customers safe.

Cybercriminals are looking for online money to grab as a day job. Many operate like startup companies, consistently evolving methodologies and tools, and then measuring their return on investment (ROI). With banks adapting customer account protections and traditional cybercrime tools becoming less effective, we have observed a few key changes in criminal operation patterns.

Cybercrime Trends Are Shifting

In its “2016 Internet Crime Report,” the FBI’s Internet Crime Complaint Center (IC3) revealed that account takeover and identity theft claims had decreased by 23 percent since 2015, while the average loss per incident increased by 33 percent to $3,491.

This change can be attributed to fraudsters’ efforts to optimize their ROI by focusing more on attacking commercial and treasury banking customers. These customers are attacked using more targeted, well-planned methodologies such a remote-access Trojans (RATs), business email compromise (BEC) and email account compromise (EAC). The FBI IC3 report showed a 53 percent increase in BEC/EAC attacks from 2015 to 2016 and a 46 percent increase in the monetary losses associated with these incidents, scaling up to more than $360 million in 2016.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Repurposing Malware for Ransomware

Of course, cybercriminals have not forgotten retail banking users. They seem to have learned that it can be easier to extort money from victims directly rather than siphon funds from their bank accounts. To facilitate that, they have figured out ways to reuse some of the advanced malware capabilities they already have to act as ransomware.

Ransomware is a form of malicious malware that blocks system access or threatens to publish data until a sum of money is paid. Examples include Gameover Zeus, which distributed CryptoLocker ransomware, and the Gozi banking Trojan, which fraudsters combined with the Nymaim ransomware downloader to create the GozNym banking malware.

Another example is Svpeng, which was turned from a credential-stealing malware to a ransomware, impersonating the FBI and demanding a payoff to release the victims’ devices from lockdown.


Figure 1: Svpeng used to steal credentials and credit card information.


Figure 2: Svpeng used as ransomware with fake FBI allegations and payment demands.

The FBI IC3 reported a 63 percent year-over-year increase in the average ransom payment per incident from 2014 to 2016, peaking at $910 in 2016.

Loyalty Fraud on the Rise

Cybercriminals have been aiming for an even more accessible target. New virtual currencies such as airline miles and loyalty points, which allow fraudsters to cash out through gift cards, have been suffering from increasing levels of fraud.

According to the Loyalty Fraud Association, 72 percent of airline loyalty programs have issues with fraud. Furthermore, 30 percent of airline programs reported that the problem was growing rapidly each year. The FBI IC3 report also supported these cybercrime trends, showing a year-over-year average increase of 30 percent in phishing, vishing and smishing attacks from 2014 to 2016.

Stealing Identities to Break Accounts

Stealing credentials and circumventing two-factor authentication is complex. With the immense amount of personal information available on the Dark Web, it is easier to create fake accounts using synthetic identities based on stolen information. The account can be used to apply for new credit lines on the victim’s behalf, to gain access to pension funds for users who never established digital access or to accumulate loyalty points for users who shop exclusively in brick-and-mortar shops.

Scams such as these allow attackers to control authentication details to the account, since they were the ones to register it in the first place. Validating legitimate customer identities is a challenging and costly task for businesses in many industries, including banking, insurance, payment services and retail.

Fighting Fraud

Retail and banking institutions must adopt higher security measures to decrease fraud. Business and treasury managers should implement dual-authorization processes to help verify that any money transfer instructions are coming from the legitimate business counterpart, colleague or customer requesting it — not from fraudsters.

Airlines and loyalty programs are starting to adopt stricter security measures for account access, but are still mostly behind the curve in protecting accounts. Customers should demand better protection of their accounts, since, in many cases, they will not be reimbursed for lost miles or points.

With ransomware campaigns such as WannaCry and Petya on the rampage, businesses and individuals must have robust and continuous data backup solutions in place for both devices and storage servers. Customers should be diligent in checking their statement balances and tracking their points themselves. Even more importantly, both consumers and businesses must stay abreast of emerging cybercrime trends to stay one step ahead of fraudsters looking to monetize their sensitive data.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today