By Ali Sawyer   /   Jul 8th, 2015

Financial Cyberattacks and Why they Happen 300% More Often

Skeleton Key malware enables attackers to bypass account passwords | Wikimedia Commons

The financial services industry bears the brunt of cyberattacks, according to a new report by Websense entitled “2015 Industry Drill-Down Report – Financial Services.” The report states that financial organizations experience cyberattacks 300% more often than organizations in other industries.

Given that most cyberattackers are motivated by money, it is no surprise that the financial industry is the most targeted. When targeting financial organizations, attackers can translate their efforts directly into money by initiating wire transfers to their accounts or stealing customer account data.

What strategies do attackers use to infiltrate financial organizations (even those as large as JPMorgan Chase, with a cybersecurity budget in the hundreds of millions of dollars)? According to the Websense report, attackers maintain an edge by frequently varying their attack strategies. Among financial attackers’ many tactics, here are a few of the most common:

  • Targeted spear phishing – Spear phishing emails are more insidious than the average spam email because attackers personalize them in order to make them convincing. Attackers first conduct research on their targets, both online and using social engineering techniques. This information is then used to compose spear phishing emails that appear to come from a legitimate contact, and include personal information about the target. The attacker’s goal is to trick the target into clicking on a malicious link or downloading an infected file in the email. Websense reports that the subject lines of financial spear phishing emails most commonly involve invoices, ACH and BACS payments, and third-party vendors.
    • Be on the lookout for emails involving these topics, and be extremely suspicious if you do not have a reason to receive such emails.
    • It is a good policy to never click on links in emails, if possible. If an email asks you to visit a webpage and you think it might be legitimate, manually type in the appropriate URL.
    • Hover your mouse over the sender’s name to see the email address the message was sent from.
  • Typosquatting – In conjunction with phishing emails, attackers use a strategy called typosquatting: purchasing a domain very similar to an organization’s legitimate domain in order to trick employees into visiting it. For example, attackers may purchase a domain where a letter O is replaced with the number 0 or a lowercase L is replaced with the number 1.
    • Carefully inspect sending addresses and URLs in suspicious emails, looking out for typosquatting. If a link is obfuscated, hover your mouse over it to see where it redirects to.
  • Malware – One particularly menacing strain of financial malware, discovered in January 2015, is called Skeleton Key. Attackers must steal domain administrator credentials in order to deploy Skeleton Key, but then the malware allows them to bypass passwords, so they can log on as any user on systems using only single-factor authentication.
    • To protect against Skeleton Key malware, it is critical to implement two-factor authentication (2FA) whenever possible. 2FA means using a password in combination with another form of authentication, such as a one-time code sent to a mobile phone, to log on.
  • Smokescreening – In a strategy called “smokescreening,” attackers launch a constant stream of obnoxious but easy-to-orchestrate attacks to keep financial security professionals preoccupied. Their goal is to ensure security teams are distracted with lower-level issues while they launch major cyberattacks.
    • Do not commit the entire security team to handle an incident when it occurs. Always suspect that the incident is a “smokescreen,” and retain team members to monitor logs for unusual activity.
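
The manual check on sending addresses described under typosquatting can also be automated at the mail gateway. The following is an added example, not taken from the Websense report or the original article: it folds the two swaps mentioned above (0 for O, 1 for lowercase L) and flags senders whose domain then matches a trusted one. The domain `northlake.example`, the sample headers, and all function names are constructed for illustration.

```python
from email.utils import parseaddr

# Character swaps named in the article: digit 0 for letter o, digit 1 for letter l.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})

# Assumption: the organisation's real sending domains (constructed placeholders).
TRUSTED_DOMAINS = {"northlake.example", "pay.northlake.example"}

# Constructed sample From headers, not taken from any real message.
SAMPLE_HEADERS = [
    "Accounts Payable <ap@northlake.example>",
    "Accounts Payable <ap@n0rthlake.example>",
    "ACH Payments <ach@north1ake.example>",
    "Vendor Billing <billing@supplier.example>",
]


def skeleton(domain: str) -> str:
    """Fold confusable characters so a lookalike compares equal to the original."""
    return domain.strip().rstrip(".").lower().translate(CONFUSABLES)


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From header, or '' if there is none."""
    _, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    # Not an exact match: does it collapse onto a trusted domain once folded?
    if skeleton(domain) in {skeleton(d) for d in trusted}:
        return "lookalike"
    return "unknown"


def flag_lookalikes(from_headers):
    """Return only the headers whose sender domain imitates a trusted domain."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):9}  {header}")
```

The display name is identical in the trusted and lookalike samples, which is why the check reads the address and ignores the name.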

Defending against these attacks requires a combination of employee training and testing, and technical solutions as prioritized through penetration testing and vulnerability testing.
