IBM Security researchers have combed through the threats impacting the financial industry in 2015 and found that cybercriminals are still phishing where the money is — and their tactics might surprise you.

Hollywood has often portrayed bank robbers as villains wearing a mask. They walk into a bank, hand the teller a note demanding large sums of money and hope to get away before the police show up. Today’s bank robber is an online criminal who will essentially execute a virtual version of a note that says: “Give me all the money in the safe but don’t put it in a bag. Exchange it for bitcoin and deposit it to this offshore account.”

According to IBM X-Force research, nearly 20 million financial records were breached in 2015. The impact of these data breaches in finance is significant, costing financial institutions $215 per stolen record on average.

So how are attackers continuing to evade the defenses of the financial industry?

The Digital Holdup

Cybercriminals are after money — lots of money. In fact, IBM research suggested actors are increasingly focused on stealing money directly from the financial industry rather than data theft or sabotage.

IBM X-Force data shows that breaches involving extortion tactics or theft of currency from financial institutions have increased in 2015, up 55 percent from the previous year.

Hottest Tactics in the Banking Thief Playbook

In a review of the IBM Managed Security Services (MSS) attack data, malicious attachments or links that deliver malware and Shellshock were the top two attack vectors for 2015.

Taking the Bait

Convincing users to click on dangerous links or open files represents 18 percent of total attacks in 2015. Cybercriminals are now leveraging advanced social engineering to trick users into clicking links that redirect to malicious sites or opening attachments such as Word documents or media files that download malware. Because social engineering via spear phishing is often an attacker’s first step in a successful compromise, education is key to thwarting this type of attack.


This infamous vulnerability, discovered in 2014, impacted a massive number of systems across industries, tying for the top attack vector in finance at 18 percent of attacks. Shellshock is a malware-less attack that exploits a vulnerability in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems. It is well-documented by the “IBM 2015 Cyber Security Intelligence Index.”

Denial-of-Service (DoS) Attacks

DoS is the No. 3 attack vector in the financial industry in 2015, according to IBM MSS data. It represented 8 percent of attacks. Attackers using DoS may be politically motivated, looking to shut down a bank’s online operations, or they may use DoS as a ransom technique, looking for a big payout to stop the attack.

Battle of the Banking Trojans

Malware with the specific intent of targeting bank account information is commonly referred to as a banking Trojan. These Trojans are operated by gangs of cybercriminals that are becoming increasingly innovative, evolving the malware with new iterations of code and expanding their geographies.

2015 saw a major milestone as Zeus, which has led in the banking Trojan arena for years, fell from first place to fourth behind the Trojan known as Dyre. Dyre has rapidly and aggressively evolved since it first arose in 2014, with constant updates designed to evade detection by antivirus and static security mechanisms. These quick changes and feature-rich capabilities have no doubt contributed to its rise to the No. 1 spot.

Despite Dyre’s rapid climb to the top, IBM data shows a massive drop in activity in the Dyre Trojan starting in November 2015, and recent reports suggested that authorities may have intervened.

Some additional findings and dynamics at play in the banking Trojan war include:

  • Dyre attacks increased 19 percent, catapulting it to first place from sixth. Zeus fell a precipitous 23 percent to land in fourth.
  • Neverquest held its No. 2 spot year-over-year, while Bugat moved into third and Shylock dropped from third all the way out of the top 10.
  • IBM discovered two new Trojans targeting Japanese financial institutions, Tsukuba and Shifu, plus a new variant of Rovnix.
  • IBM also identified a malware to watch in the Tinba Trojan at No. 6, which was not in the top 10 in 2014. This Trojan was the first of its kind dedicated to Romanian banks.

Finance is an area where security intelligence is a must, and recent research highlighted in this report should be a call to arms for institutions to understand the attack vectors they are most vulnerable to. Having this knowledge can help financial companies stay one step ahead of criminals and bolster detection and protection mechanisms.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Banking & Finance

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today