IBM Security researchers have combed through the threats impacting the financial industry in 2015 and found that cybercriminals are still phishing where the money is — and their tactics might surprise you.

Hollywood has often portrayed bank robbers as villains wearing a mask. They walk into a bank, hand the teller a note demanding large sums of money and hope to get away before the police show up. Today’s bank robber is an online criminal who will essentially execute a virtual version of a note that says: “Give me all the money in the safe but don’t put it in a bag. Exchange it for bitcoin and deposit it to this offshore account.”

According to IBM X-Force research, nearly 20 million financial records were breached in 2015. The impact of these data breaches in finance is significant, costing financial institutions $215 per stolen record on average.

So how are attackers continuing to evade the defenses of the financial industry?

The Digital Holdup

Cybercriminals are after money — lots of money. In fact, IBM research suggested actors are increasingly focused on stealing money directly from the financial industry rather than data theft or sabotage.

IBM X-Force data shows that breaches involving extortion tactics or theft of currency from financial institutions have increased in 2015, up 55 percent from the previous year.

Hottest Tactics in the Banking Thief Playbook

In a review of the IBM Managed Security Services (MSS) attack data, malicious attachments or links that deliver malware and Shellshock were the top two attack vectors for 2015.

Taking the Bait

Convincing users to click on dangerous links or open files represents 18 percent of total attacks in 2015. Cybercriminals are now leveraging advanced social engineering to trick users into clicking links that redirect to malicious sites or opening attachments such as Word documents or media files that download malware. Because social engineering via spear phishing is often an attacker’s first step in a successful compromise, education is key to thwarting this type of attack.


This infamous vulnerability, discovered in 2014, impacted a massive number of systems across industries, tying for the top attack vector in finance at 18 percent of attacks. Shellshock is a malware-less attack that exploits a vulnerability in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems. It is well-documented by the “IBM 2015 Cyber Security Intelligence Index.”

Denial-of-Service (DoS) Attacks

DoS is the No. 3 attack vector in the financial industry in 2015, according to IBM MSS data. It represented 8 percent of attacks. Attackers using DoS may be politically motivated, looking to shut down a bank’s online operations, or they may use DoS as a ransom technique, looking for a big payout to stop the attack.

Battle of the Banking Trojans

Malware with the specific intent of targeting bank account information is commonly referred to as a banking Trojan. These Trojans are operated by gangs of cybercriminals that are becoming increasingly innovative, evolving the malware with new iterations of code and expanding their geographies.

2015 saw a major milestone as Zeus, which has led in the banking Trojan arena for years, fell from first place to fourth behind the Trojan known as Dyre. Dyre has rapidly and aggressively evolved since it first arose in 2014, with constant updates designed to evade detection by antivirus and static security mechanisms. These quick changes and feature-rich capabilities have no doubt contributed to its rise to the No. 1 spot.

Despite Dyre’s rapid climb to the top, IBM data shows a massive drop in activity in the Dyre Trojan starting in November 2015, and recent reports suggested that authorities may have intervened.

Some additional findings and dynamics at play in the banking Trojan war include:

  • Dyre attacks increased 19 percent, catapulting it to first place from sixth. Zeus fell a precipitous 23 percent to land in fourth.
  • Neverquest held its No. 2 spot year-over-year, while Bugat moved into third and Shylock dropped from third all the way out of the top 10.
  • IBM discovered two new Trojans targeting Japanese financial institutions, Tsukuba and Shifu, plus a new variant of Rovnix.
  • IBM also identified a malware to watch in the Tinba Trojan at No. 6, which was not in the top 10 in 2014. This Trojan was the first of its kind dedicated to Romanian banks.

Finance is an area where security intelligence is a must, and recent research highlighted in this report should be a call to arms for institutions to understand the attack vectors they are most vulnerable to. Having this knowledge can help financial companies stay one step ahead of criminals and bolster detection and protection mechanisms.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today