As cybercriminal methods become ever more smart and sophisticated, protecting financial services and other organisations is a major undertaking, writes Paul Anderson.
Due to the sensitive nature of the data they store, and the monetary motivations of cybercriminals, organisations within the financial services (FS) sector are a high-value target and are at high risk of cyber attacks.
This growing risk comes at a time when FS firms are turning their focus to innovating new technologies and features to meet evolving consumer demands. Providing regular updates and new online products is a necessary key differentiator in the competitive financial market. However, rolling out new features at such a fast pace also increases the attack surface and potential vulnerabilities.
The risk of going mobile
With the rise in mobile usage, financial firms are focusing on developing digital wallets and innovative peer-to-peer (P2P) solutions. As mobile payments grow in popularity, FS and fintech firms have to be increasingly wary of related cyber risks. Vulnerabilities lurking in payment applications, mobile phones and point of sale (POS) systems can become entry-ways into customer accounts and even broader financial networks. In fact, according to Fortinet’s Threat Landscape Report, more than a quarter of organisations have experienced a mobile malware attack, with the vast majority of those threats targeting or originating from devices running the Android operating system.
Compromising mobile devices not only allows attackers to steal data stored on that device, it can also be used to collect personal banking information using phishing apps, intercept data moving between a user and their online bank, and monitor financial transactions when purchasing goods or services online. The ‘Android.banker.A2f8a’ malware, for example, targeted more than 200 different banking apps to steal login credentials, hijack short message services, and upload contact lists and other data onto a malicious server.
Worryingly, these apps aren’t just being downloaded from risky sites. Between August and October of 2018, 29 banking Trojans masquerading as legitimate apps were removed from the Google Play store, but only after they had been installed by over 30,000 users. Yet even this is only part of the exposure. Compromised devices are also becoming a gateway through which the larger financial services network can be exploited.
New threats challenging FS
In addition to mobile threats, Fortinet has documented four additional attack strategies that financial security teams need to pay special attention to.
The first is cryptojacking which, in many industries including FS, has jumped ahead of ransomware as the malware of choice. While ransomware continues to be a serious concern for financial networks, the number of unique cryptojacking signatures nearly doubled in 2018. The number of platforms compromised by cryptojacking jumped 38 per cent. Perpetrators included advanced attackers using customised malware, as well as ‘as-a-service’ options available on the dark web for novice criminals.
Although cryptojacking is often considered to be a nuisance threat that only hijacks unused central processing unit cycles, a growing number of new attack techniques include disabling essential security functions on devices, thereby enabling cryptojacking to become a gateway for additional attacks.
Encrypted traffic is a second area of concern. This staple of financial organisations now represents an unprecedented 72 per cent of all network traffic, up from 55 per cent in 2017. While encryption can certainly help protect data and transactions, it also represents a challenge for traditional security solutions. The critical firewall and intrusion prevention system performance limitations of most legacy security technologies continue to hinder organisations’ ability to inspect encrypted data at network speeds. Rather than attempting to slow down time-sensitive financial transactions, a growing percentage of this traffic is simply not being adequately analysed for malicious activity, making it an ideal mechanism for criminals to spread malware or exfiltrate data.
Additionally, botnets are getting smarter. The number of days that a botnet infection was able to persist inside an organisation has increased from 7.6 to 10.2 days, indicating that botnets are becoming harder to detect and remove. This is also the result of many organisations still failing to practice good cyber hygiene, including patching and updating vulnerable devices, protecting the Internet of Things (IoT), and thoroughly scrubbing a network after an attack has been detected.
Last but not least, a new form of spear phishing is enabling threat actors like Silence Group to compromise banks via email in order to gather financial data and remotely withdraw money from ATMs, also known as “jackpotting”. By leveraging pre-installed and publicly available tools, such as PowerShell – an automation engine and scripting language designed to help information technology professionals configure systems and automate administrative tasks – they can accelerate lateral movement across a network while enhancing evasiveness by leveraging processes already identified as legitimate.
Implementing cohesive security
To successfully address today’s challenges, FS organisations need to rethink their strategy, from automating their security hygiene measures to replacing isolated security devices with an integrated security fabric architecture that can seamlessly span the growing attack surface.
In order to address the latest attack vectors, organisations need to achieve greater control over their network, thereby limiting exposure if there is a breach.
To protect these customers, organisations should start by educating them about using legitimate banking applications. This includes constantly reminding them of what sorts of information they will – and won’t – be asked for, such as online “password validation” or “account validation” techniques used by phishers and scammers. Organisations should also regularly scan the internet for fraudulent applications, warn consumers when they are found, and apply pressure on application stores to remove them from their inventories.
Commercial banks, credit unions, stock brokerage firms, asset management firms, and insurance companies that support digital transactions through mobile apps are increasingly being targeted and exploited by malicious criminals.
At the same time, they suffer the same challenges as organisations in other sectors, including figuring out how to inspect and secure the growing volume of encrypted traffic, battling the persistence of botnets, and addressing new malware trends.
The use of automation and high-performance security resources will enable financial organisations to protect their distributed environments and keep pace with modern forms of cyberattacks.
Paul Anderson is head of UK and Ireland at Fortinet.