3 Advanced Ways Cybercriminals Execute Cyberattacks Against the Banking and Financial Sector

The banking sector is arguably the single most important target for cybercriminals. The frequency with which cybercriminals target banks and the countermeasures that banks deploy against them lead these attacks to evolve in a continuous game of cat and mouse. As a result, the cyber threat landscape of the banking sector is in constant flux and changes more significantly over time. Although this industry has been perhaps the most proactive in implementing advanced security protocols to thwart attempted cyberattacks, threat actors develop new tactics, techniques, and procedures (TTPs) with such volume and velocity that they are often able to succeed in their attempts.

With that in mind, let's explore a few of the most common newer attack vectors and methods we've seen cybercriminals deploy successfully against banks or financial institutions in recent years:

1. Advanced Techniques that Facilitate Fraud on a Larger Scale

Traditionally, cybercriminals have stolen from banks using compromised payment card information or online banking credentials to carry out fraudulent transactions. Fraudsters typically purchase this data from the original attackers in underground black markets for a fraction of its face value.

A newer approach that has become more prevalent in recent years is targeting bank networks themselves in order to enable fraud on a much larger scale. The goal of these attacks is to breach bank networks and move laterally in order to gain access to systems, such as SWIFT terminals or servers that support ATMs. The Lazarus Group of North Korea, which engages in many different forms of cybercrime to raise revenue for the financially isolated North Korean government, was a pioneer of this more ambitious approach in its fraudulent use of compromised SWIFT access. Some of the more sophisticated Russian-speaking criminals have followed suit and targeted different internal banking systems in order to enable large-scale fraud in other ways.

Even the more traditional attacks that aim to enable smaller-scale fraud by compromising payment cards and online banking credentials have evolved. The emphasis of payment card fraud has shifted away from in-person fraud and toward online fraud. This shift began with the 2015 introduction of EMV chips into payment cards in the US, which is the single largest market for cyber fraudsters. These chips are an obstacle to successfully cloning compromised cards and have thus been a deterrent to in-person fraud operations. The COVID-19 pandemic will probably push the fraud market further in this direction, as consumers have primarily relied on ecommerce deliveries rather than in-person shopping.

2. Digital Card Skimmers that Ravage Ecommerce

The changes in approach by cybercriminals and consumers alike have favored online fraud. Ecommerce and the websites of brick-and-mortar businesses have become equally or perhaps even more important targets than in-person point-of-sale (PoS) systems, as their compromise enables the collection of card verification values (CVVs) and other data points needed for online fraud. PoS malware was once at the forefront of payment card breaches, but digital payment card skimmers have begun to supplant them as the tip of the spear in this market.

Digital payment card skimmers are the virtual counterpart of the hardware skimmers that criminals install on ATM readers and other payment card terminals in order to collect their data. Attackers install this malware, often in the form of JavaScript or some other script, on merchants' compromised websites and use it to collect the payment card details that customers input when making purchases. The Magecart skimmer was a pioneer in this field when it first began to grow. Magecart and its variants have remained leaders in this market niche since then, as Magecart has enabled some of the most noteworthy website card breaches.
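Because these skimmers arrive as script on the merchant's own pages, one defensive check is to compare every script on a checkout page against a reviewed inventory. The following is an added example, not code from the original article; the host names, the `auditScripts` function and the sample page are assumptions constructed for illustration.

```javascript
// Added example: audit a checkout page snapshot's <script> tags against a reviewed inventory.
const { createHash } = require('node:crypto');

// Assumed policy: the merchant's own host plus approved third-party script hosts.
const FIRST_PARTY = 'shop.example';
const ALLOWED_HOSTS = new Set([FIRST_PARTY, 'js.payments.example']);

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('base64');

// Returns one finding per script the inventory does not cover. Regex extraction suits a
// fetched HTML snapshot; scripts added at runtime need a browser-side check instead.
function auditScripts(html, approvedInlineHashes) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      const host = new URL(src[1], `https://${FIRST_PARTY}/`).hostname;
      if (!ALLOWED_HOSTS.has(host)) {
        findings.push({ type: 'unapproved-host', detail: host });
      } else if (host !== FIRST_PARTY && !/(?:^|\s)integrity\s*=/i.test(attrs)) {
        // Third-party script without a Subresource Integrity pin: a change made at
        // the provider would reach customers' browsers unverified.
        findings.push({ type: 'missing-sri', detail: src[1] });
      }
    } else if (body.trim() && !approvedInlineHashes.has(sha256(body))) {
      // Inline code that was not present when the page was last reviewed.
      findings.push({ type: 'unknown-inline', detail: sha256(body) });
    }
  }
  return findings;
}

// Constructed sample page; every host, path and script body is made up.
const APPROVED_INLINE = "window.checkoutConfig = { currency: 'USD' };";
const SAMPLE_PAGE = `
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v3/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payments.example/v3/fields.js"></script>
<script src="https://cdn.unreviewed.example/analytics.js"></script>
<script>${APPROVED_INLINE}</script>
<script>document.title = 'changed after review';</script>`;

const findings = auditScripts(SAMPLE_PAGE, new Set([sha256(APPROVED_INLINE)]));
console.log(findings.map((f) => `${f.type}: ${f.detail}`).join('\n'));
```

Run on a schedule against the live payment page, a non-empty result means the page has drifted from what was reviewed and should be investigated before more customers reach it.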

3. New Banking Trojans with Expanded Functionalities

The banking Trojan market has also evolved in recent years, favoring more technically advanced Trojans that can inflict more damage upon the victims. Two of the most prolific Windows banking Trojans in recent years, Emotet and TrickBot, have expanded their functionality to the point that the compromise of online banking credentials is arguably no longer their core function. Among their many other features, Emotet and TrickBot can serve as downloaders for other types of criminal malware, particularly ransomware. Attackers may deploy ransomware after they have collected online banking credentials or whatever other information they can monetize.

Mobile banking Trojans have become an increasingly important segment of the banking Trojan market for two reasons. The widespread adoption of mobile banking apps makes mobile devices an equally or even more important target for attackers that seek to compromise online banking credentials. Furthermore, most 2FA for online banking logins relies on mobile devices, via either SMS or authentication apps. Compromising mobile devices with banking Trojans can thus facilitate attacks on online banking credentials by enabling 2FA bypasses. SMS intercept functionality is typical of mobile banking Trojans, and some now have the ability to collect 2FA codes from authentication apps.

What Can Security Teams Do to Protect Their Organizations?

As always, we recommend taking a proactive approach to threat detection and prevention. Cyber threat intelligence equips security practitioners with threat data unique to their organization and vertical at large, empowering them to act swiftly in response to emerging threats and shut them down before they evolve into full-fledged cyberattacks. IntSights identifies threats at the source, validates them, and offers remediation tools that can help security teams thwart hackers before they strike. Learn more about our advanced capabilities and vision to make threat intelligence accessible to organizations of all sizes and across all industries.

For a comprehensive breakdown of the cyber threat landscape pertaining to banks and financial institutions, read our new report, 2021 Banking and Financial Services Industry Cyber Threat Landscape Report.
