IBM Security researchers have combed through the threats impacting the financial industry in 2015 and found that cybercriminals are still phishing where the money is — and their tactics might surprise you.

Hollywood has often portrayed bank robbers as villains wearing a mask. They walk into a bank, hand the teller a note demanding large sums of money and hope to get away before the police show up. Today’s bank robber is an online criminal who will essentially execute a virtual version of a note that says: “Give me all the money in the safe but don’t put it in a bag. Exchange it for bitcoin and deposit it to this offshore account.”

According to IBM X-Force research, nearly 20 million financial records were breached in 2015. The impact of these data breaches in finance is significant, costing financial institutions $215 per stolen record on average.

So how are attackers continuing to evade the defenses of the financial industry?

The Digital Holdup

Cybercriminals are after money — lots of money. In fact, IBM research suggested actors are increasingly focused on stealing money directly from the financial industry rather than data theft or sabotage.

IBM X-Force data shows that breaches involving extortion tactics or theft of currency from financial institutions have increased in 2015, up 55 percent from the previous year.

Hottest Tactics in the Banking Thief Playbook

In a review of the IBM Managed Security Services (MSS) attack data, malicious attachments or links that deliver malware and Shellshock were the top two attack vectors for 2015.

Taking the Bait

Convincing users to click on dangerous links or open files represents 18 percent of total attacks in 2015. Cybercriminals are now leveraging advanced social engineering to trick users into clicking links that redirect to malicious sites or opening attachments such as Word documents or media files that download malware. Because social engineering via spear phishing is often an attacker’s first step in a successful compromise, education is key to thwarting this type of attack.


This infamous vulnerability, discovered in 2014, impacted a massive number of systems across industries, tying for the top attack vector in finance at 18 percent of attacks. Shellshock is a malware-less attack that exploits a vulnerability in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems. It is well-documented by the “IBM 2015 Cyber Security Intelligence Index.”

Denial-of-Service (DoS) Attacks

DoS is the No. 3 attack vector in the financial industry in 2015, according to IBM MSS data. It represented 8 percent of attacks. Attackers using DoS may be politically motivated, looking to shut down a bank’s online operations, or they may use DoS as a ransom technique, looking for a big payout to stop the attack.

Battle of the Banking Trojans

Malware with the specific intent of targeting bank account information is commonly referred to as a banking Trojan. These Trojans are operated by gangs of cybercriminals that are becoming increasingly innovative, evolving the malware with new iterations of code and expanding their geographies.

2015 saw a major milestone as Zeus, which has led in the banking Trojan arena for years, fell from first place to fourth behind the Trojan known as Dyre. Dyre has rapidly and aggressively evolved since it first arose in 2014, with constant updates designed to evade detection by antivirus and static security mechanisms. These quick changes and feature-rich capabilities have no doubt contributed to its rise to the No. 1 spot.

Despite Dyre’s rapid climb to the top, IBM data shows a massive drop in activity in the Dyre Trojan starting in November 2015, and recent reports suggested that authorities may have intervened.

Some additional findings and dynamics at play in the banking Trojan war include:

  • Dyre attacks increased 19 percent, catapulting it to first place from sixth. Zeus fell a precipitous 23 percent to land in fourth.
  • Neverquest held its No. 2 spot year-over-year, while Bugat moved into third and Shylock dropped from third all the way out of the top 10.
  • IBM discovered two new Trojans targeting Japanese financial institutions, Tsukuba and Shifu, plus a new variant of Rovnix.
  • IBM also identified a malware to watch in the Tinba Trojan at No. 6, which was not in the top 10 in 2014. This Trojan was the first of its kind dedicated to Romanian banks.

Finance is an area where security intelligence is a must, and recent research highlighted in this report should be a call to arms for institutions to understand the attack vectors they are most vulnerable to. Having this knowledge can help financial companies stay one step ahead of criminals and bolster detection and protection mechanisms.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read