The New Bank Heist: The Financial Industry’s Top Threats

IBM Security researchers have combed through the threats impacting the financial industry in 2015 and found that cybercriminals are still phishing where the money is — and their tactics might surprise you.

Hollywood has often portrayed bank robbers as villains wearing a mask. They walk into a bank, hand the teller a note demanding large sums of money and hope to get away before the police show up. Today’s bank robber is an online criminal who will essentially execute a virtual version of a note that says: “Give me all the money in the safe but don’t put it in a bag. Exchange it for bitcoin and deposit it to this offshore account.”

According to IBM X-Force research, nearly 20 million financial records were breached in 2015. The impact of these data breaches in finance is significant, costing financial institutions $215 per stolen record on average.

So how are attackers continuing to evade the defenses of the financial industry?

The Digital Holdup

Cybercriminals are after money — lots of money. In fact, IBM research suggested actors are increasingly focused on stealing money directly from the financial industry rather than data theft or sabotage.

IBM X-Force data shows that breaches involving extortion tactics or theft of currency from financial institutions have increased in 2015, up 55 percent from the previous year.

Hottest Tactics in the Banking Thief Playbook

In a review of the IBM Managed Security Services (MSS) attack data, malicious attachments or links that deliver malware and Shellshock were the top two attack vectors for 2015.

Taking the Bait

Convincing users to click on dangerous links or open files represents 18 percent of total attacks in 2015. Cybercriminals are now leveraging advanced social engineering to trick users into clicking links that redirect to malicious sites or opening attachments such as Word documents or media files that download malware. Because social engineering via spear phishing is often an attacker’s first step in a successful compromise, education is key to thwarting this type of attack.

Shellshock

This infamous vulnerability, discovered in 2014, impacted a massive number of systems across industries, tying for the top attack vector in finance at 18 percent of attacks. Shellshock is a malware-less attack that exploits a vulnerability in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems. It is well-documented by the “IBM 2015 Cyber Security Intelligence Index.”

Denial-of-Service (DoS) Attacks

DoS is the No. 3 attack vector in the financial industry in 2015, according to IBM MSS data. It represented 8 percent of attacks. Attackers using DoS may be politically motivated, looking to shut down a bank’s online operations, or they may use DoS as a ransom technique, looking for a big payout to stop the attack.

Read the complete research report on Security trends in the financial industry

Battle of the Banking Trojans

Malware with the specific intent of targeting bank account information is commonly referred to as a banking Trojan. These Trojans are operated by gangs of cybercriminals that are becoming increasingly innovative, evolving the malware with new iterations of code and expanding their geographies.

2015 saw a major milestone as Zeus, which has led in the banking Trojan arena for years, fell from first place to fourth behind the Trojan known as Dyre. Dyre has rapidly and aggressively evolved since it first arose in 2014, with constant updates designed to evade detection by antivirus and static security mechanisms. These quick changes and feature-rich capabilities have no doubt contributed to its rise to the No. 1 spot.

Despite Dyre’s rapid climb to the top, IBM data shows a massive drop in activity in the Dyre Trojan starting in November 2015, and recent reports suggested that authorities may have intervened.

Some additional findings and dynamics at play in the banking Trojan war include:

  • Dyre attacks increased 19 percent, catapulting it to first place from sixth. Zeus fell a precipitous 23 percent to land in fourth.
  • Neverquest held its No. 2 spot year-over-year, while Bugat moved into third and Shylock dropped from third all the way out of the top 10.
  • IBM discovered two new Trojans targeting Japanese financial institutions, Tsukuba and Shifu, plus a new variant of Rovnix.
  • IBM also identified a malware to watch in the Tinba Trojan at No. 6, which was not in the top 10 in 2014. This Trojan was the first of its kind dedicated to Romanian banks.

A look at the top banking Trojans in 2014 compared to where they stand in 2015.

Finance is an area where security intelligence is a must, and recent research highlighted in this report should be a call to arms for institutions to understand the attack vectors they are most vulnerable to. Having this knowledge can help financial companies stay one step ahead of criminals and bolster detection and protection mechanisms.

For more details and best practices for financial institutions, read the full research report, “Security Trends in the Financial Industry.”

Share this Article:
Scott Craig

Threat Researcher, IBM

Scott Craig is a Threat Researcher for IBM's Managed Security Services. Scott has worked in the IT field for more than 20 years, 17 of which were dedicated to computer security. Before being dedicated to computer security, Scott's work as an enterprise Unix system administrator and a systems architect helped him to understand the way security fits into overall systems. Scott's unique ability to find patterns of interest in security device logs is what helped him become successful in his last role in IBM Managed Security Services as a team lead of the Data Intelligence group. In his role as an IBM Threat Researcher, Scott mines through millions of rows of data in search of stories worth sharing with others. Through these efforts, he hopes to improve every entity's data security which, in turn, helps every person who has a file about them somewhere.