IBM Security researchers have combed through the threats impacting the financial industry in 2015 and found that cybercriminals are still phishing where the money is — and their tactics might surprise you.

Hollywood has often portrayed bank robbers as villains wearing a mask. They walk into a bank, hand the teller a note demanding large sums of money and hope to get away before the police show up. Today’s bank robber is an online criminal who will essentially execute a virtual version of a note that says: “Give me all the money in the safe but don’t put it in a bag. Exchange it for bitcoin and deposit it to this offshore account.”

According to IBM X-Force research, nearly 20 million financial records were breached in 2015. The impact of these data breaches in finance is significant, costing financial institutions $215 per stolen record on average.

So how are attackers continuing to evade the defenses of the financial industry?

The Digital Holdup

Cybercriminals are after money — lots of money. In fact, IBM research suggested actors are increasingly focused on stealing money directly from the financial industry rather than data theft or sabotage.

IBM X-Force data shows that breaches involving extortion tactics or theft of currency from financial institutions have increased in 2015, up 55 percent from the previous year.

Hottest Tactics in the Banking Thief Playbook

In a review of the IBM Managed Security Services (MSS) attack data, malicious attachments or links that deliver malware and Shellshock were the top two attack vectors for 2015.

Taking the Bait

Convincing users to click on dangerous links or open files represents 18 percent of total attacks in 2015. Cybercriminals are now leveraging advanced social engineering to trick users into clicking links that redirect to malicious sites or opening attachments such as Word documents or media files that download malware. Because social engineering via spear phishing is often an attacker’s first step in a successful compromise, education is key to thwarting this type of attack.

Shellshock

This infamous vulnerability, discovered in 2014, impacted a massive number of systems across industries, tying for the top attack vector in finance at 18 percent of attacks. Shellshock is a malware-less attack that exploits a vulnerability in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems. It is well-documented by the “IBM 2015 Cyber Security Intelligence Index.”

Denial-of-Service (DoS) Attacks

DoS is the No. 3 attack vector in the financial industry in 2015, according to IBM MSS data. It represented 8 percent of attacks. Attackers using DoS may be politically motivated, looking to shut down a bank’s online operations, or they may use DoS as a ransom technique, looking for a big payout to stop the attack.

Battle of the Banking Trojans

Malware with the specific intent of targeting bank account information is commonly referred to as a banking Trojan. These Trojans are operated by gangs of cybercriminals that are becoming increasingly innovative, evolving the malware with new iterations of code and expanding their geographies.

2015 saw a major milestone as Zeus, which has led in the banking Trojan arena for years, fell from first place to fourth behind the Trojan known as Dyre. Dyre has rapidly and aggressively evolved since it first arose in 2014, with constant updates designed to evade detection by antivirus and static security mechanisms. These quick changes and feature-rich capabilities have no doubt contributed to its rise to the No. 1 spot.

Despite Dyre’s rapid climb to the top, IBM data shows a massive drop in activity in the Dyre Trojan starting in November 2015, and recent reports suggested that authorities may have intervened.

Some additional findings and dynamics at play in the banking Trojan war include:

  • Dyre attacks increased 19 percent, catapulting it to first place from sixth. Zeus fell a precipitous 23 percent to land in fourth.
  • Neverquest held its No. 2 spot year-over-year, while Bugat moved into third and Shylock dropped from third all the way out of the top 10.
  • IBM discovered two new Trojans targeting Japanese financial institutions, Tsukuba and Shifu, plus a new variant of Rovnix.
  • IBM also identified a malware to watch in the Tinba Trojan at No. 6, which was not in the top 10 in 2014. This Trojan was the first of its kind dedicated to Romanian banks.

Finance is an area where security intelligence is a must, and recent research highlighted in this report should be a call to arms for institutions to understand the attack vectors they are most vulnerable to. Having this knowledge can help financial companies stay one step ahead of criminals and bolster detection and protection mechanisms.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Banking & Finance

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today