Did you ever have the feeling you were being watched? Today, if you are a senior executive of a bank, chances are you will be, if you aren’t already—by hackers, malware attackers, and others bent on harming your bank.
Financial institutions offer the bad guys an open door, in some ways, and, to a degree, they can’t help it.
Open door for everybody
American banks and other businesses tend to be very open about who’s who in the hierarchy. It’s rare a bank doesn’t feature something on its “About us” page about officers and board members, and sometimes nearly every member of the staff, in a smaller institution. Of course, the intent is to show that the bank wants to hear from customers, to show that the bank is part of its markets.
This information is open to anyone with a web browser, including the bad guys.
“This gives them a pretty good idea of who they need to attack,” warned Jeffrey Korte, director for community institution and associations at FS-ISAC, a member-owned nonprofit organization that shares threats and potential responses to cyber attacks and related technology problems. (FS-ISAC stands for “Financial Services Information Sharing and Analysis Center.” More than 5,000 organizations now belong to the group.)
Korte, speaking at the annual convention of the Independent Community Bankers of America in March, said that cyber frauds will attack an organization’s network at its weakest point.
However, time is money for criminals, too, so they target their efforts. Executives and key staffers, as well as system and network administrators and third-party vendors, represent high-priority opportunities.
Between a bank’s own website and public filings, plus other public online sources—think about the extensive information posted on LinkedIn—Korte said that a bank’s cyber adversary can become very familiar with its target before launching the various types of attacks.
Bad guys are organized
Furthermore, the bad guys share techniques, tips, and more on the internet themselves, Korte said. The “dark net” is their shared source of libraries of how-to information, markets for sale of illicit information, recruitment of “talent” and “business” partners, and worse. There is even at least one search engine for the dark net, called Grams.
Korte added that when attackers act, they do so quickly and quietly, so that they may be messing with a bank long before detection. It will take time for impacted organizations to realize there is a problem, and then the institution, or the entire industry, will take longer to react than the attackers did to infiltrate systems. Korte said attackers act 150 times faster than victim organizations respond.
Data can be stolen and sold “at the speed of lightning,” said Korte. Banks face exposure to “hacktivists,” people with an ax to grind against banks, such as WikiLeaks; professional cyber criminals; nation states targeting the western financial system, such as al-Qassam Cyber Fighters; and sheer opportunists looking for easy pickings because they’ve spotted a weakness.
Ways attackers hit banks
Korte outlined six of the potential ways that banks can be attacked with “malware”—software designed to infiltrate systems or cause damage—and “malcode”—malicious programming code that is considered malware’s “payload.”
1. Spearphishing: This is targeted email aimed at a few victims. Korte noted a 2012 scheme that used LinkedIn to infect victims’ computers.
2. Phishing: This is bad email sent “shotgun” style to many potential victims.
3. Fake anti-virus software: This phony warning is intended to scare the user into downloading code that will harm, not help.
4. Drive-by download: When merely visiting an infected but reputable site loads malicious software onto a computer. One example is the 2013 hijacking of NBC.com that invaded visitors’ computers, specifically to grab banking information.
5. Drive-by email: When bad code is imported to a user’s computer when a malicious email is opened—sometimes even just from the preview pane.
6. WebInject: When bad code is transferred in order to modify a host’s website. Korte said such malware could add a field to a company’s registration or other input page to gather information it wants about a victim.
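A defender can check for the added-field behavior described under WebInject by comparing the input fields on a page as observed against the fields the bank actually published. The sketch below is an added example, not material from Korte's talk; the function names, the sample HTML, and the assumption that an observed copy of the page (for instance, a snapshot reported from the customer's session) is available are all hypothetical.

```python
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect (form, field name, field type) for each input-like element."""
    FIELD_TAGS = {"input", "select", "textarea"}

    def __init__(self):
        super().__init__()
        self.current_form = "(no form)"
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("id") or a.get("action") or "(unnamed form)"
        elif tag in self.FIELD_TAGS:
            name = a.get("name") or a.get("id") or "(unnamed)"
            self.fields.add((self.current_form, name, (a.get("type") or tag).lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = "(no form)"


def form_fields(html):
    """Return the set of form fields found in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def unexpected_fields(baseline_html, observed_html):
    """Fields present in the observed page but absent from the published one."""
    return sorted(form_fields(observed_html) - form_fields(baseline_html))


# Constructed sample: the login form as the bank published it.
BASELINE = """<form id="login" action="/session" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="csrf_token" value="constructed">
<button type="submit">Sign in</button></form>"""

# Constructed sample: the same form with two fields added before the button.
OBSERVED = BASELINE.replace(
    "<button", '<input type="text" name="atm_pin">\n'
    '<input type="text" name="mother_maiden_name">\n<button')

if __name__ == "__main__":
    for form, name, ftype in unexpected_fields(BASELINE, OBSERVED):
        print(f"ALERT: form {form!r} has unexpected {ftype} field {name!r}")
```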
Korte noted that attacks aren’t always direct. Sometimes a host is infiltrated as a steppingstone to another host. This is a technique used by criminals attempting to mine data from a system.