Hackers steal money from banks more often than from their clients

Threats are improving, malware is becoming more complex, and attack techniques are becoming more sophisticated. The victims are no longer chosen by chance, the attacks have become directed, coordinated and using different directions. The motive has also changed: it is no longer associated with recognition — only economic profit.

Cyber ​​crime is a very profitable and attractive business. Today, hackers have become more professional, they have more advanced technical tools and economic resources that allow them to make their attacks more sophisticated. Therefore, they are no longer afraid to attack the banks directly, which was unthinkable a few years ago.
')
For maximum strengthening of the financial system, the European Union for the first time plans to check the entire European banking system for the presence of the necessary systems to protect against the most advanced cyber attacks. These checks will be similar to the so-called "stress tests." The European Banking Organization (EBA) also wants to launch a number of initiatives to secure digital banking.

And let's not forget the more traditional attacks that haunt the financial sector and are aimed at the end users of banking institutions, such as phishing attacks or banking Trojans. They continue to spread and adapt to new realities, for example, they use malware for Android.

Introduction

For years, accumulating money has been the main target of cyber criminals. It is logical that this fact puts financial systems "under the gun." For more than a decade, the attacks were directed at the weakest link in the chain - the end users of online banking services.

Technological innovation has become a means to offer users a higher quality and ease of maintenance. However, these user-friendly transparency and accessibility made possible through online banking services must go hand in hand with financial prudence in order to achieve success in the financial sector.

This is due to the fact that modern banking technologies offer some advantages for cyber-criminals, because the insufficient level of security from the end-user gives them the opportunity to steal in small amounts, and this may go unnoticed for a certain period of time, etc.

However, for them there are certain disadvantages, because it is necessary to search and infect potential victims who are the clients of the attacked banks, and to overcome anti-virus solutions.

And now the million dollar question: where are the large sums of money? Without a doubt, they are in financial organizations, for example, banks.

Recent events have placed issues of system vulnerabilities in the spotlight. A new phase of cyber theft has begun, which involves stealing money directly from banks, and not from their clients, using phishing attacks to infect the computers of bank employees.

Tactics directly attack these organizations can significantly increase the income of hackers, although it will require from them much more effort and more careful planning. Overcoming banking security systems is a very difficult task. In addition, it is complicated by the fact that it is necessary to study the internal systems of the bank in order to understand how they work - after all, it is necessary to carry out a virtual robbery without leaving any traces.

To collect all the required data to carry out such an attack requires a serious investment. Although, of course, all these efforts will pay off, if the hacker can successfully conduct his attack "for a million dollars."

It is not easy for the financial sector to perform priority functions, such as ensuring the efficient allocation of financial resources, promoting the development of a country and its financial stability, and managing savings and investments. And it's also not easy to protect customer data and their accounts.

Despite the fact that the financial sector is equipped with the most advanced anti-malware solutions both on the perimeter of the network and on the end devices, advanced attacks can compromise huge amounts of critical data in financial organizations.

Legislation

Cloud technologies with great difficulty make their way in Russia due to a number of legislative restrictions, which have already been written about many times. However, it is interesting that, for example, in Europe the situation is somewhat similar.

New rules in Europe: GDPR

The current European legislation is not adapted to the new cyber crimes, nor to the needs arising from the use of new technologies and IT management systems.

European Commission General Data Protection Regulation (General Data Protection
Regulation, GDPR) comes into force on May 25, 2018, and it will regulate how companies collect and process personal data from residents of the entire European Union.

The impact on the financial sector will be significant, since any organization operating in the European Union and using the personal data of its clients for marketing and commercial purposes will have to bring its work in accordance with the GPDR rules in less than one year. If the financial institution does not meet the requirements of the GDPR, then it can be fined 20 million euros or 4% of its annual turnover on all transactions in the world, depending on which amount is higher. Therefore, if IT professionals do not have enough knowledge about these new requirements, then this can ultimately be costly for banks, which will leave their preparations for the GDPR at the last minute .

To operate safely, the security of banking systems requires constant maintenance. It should be borne in mind that one of the biggest problems facing the financial sector today is the protection of personal data from security breaches, so it is extremely important to have a well-planned and worked out action plan in case of cyber attack. GDPR requires transparency, and Panda Security recommends that European organizations align their business operations with new requirements as quickly as possible.

Cloud migration

The financial sector is a complex industry with a huge number of players, regulated from several different angles. It is necessary to take into account the network coverage of security systems and information specified in various regulatory documents (for example, NIST - National Institute of Standards and Technology), as well as obligations arising from the requirements of local legislation.

Cloud computing is gradually adapting within the EU financial sector. However, the process of migration to the clouds has not yet reached its maturity. And although financial institutions and relevant supervisors seem to have a clear vision of the economic and technical benefits of clouds, they still remain very cautious about the risk of losing control of the data. Therefore, most of them still rely on their own infrastructure.

One of the main constraints is based on the arguments of the European Central Bank and its national representative offices, as well as regulatory acts (such as NITS), since These structures are required to tightly control the location of the data and their traceability, especially when it comes to sensitive data.

Although the most common approach used by financial institutions is a hybrid of private and public cloud services, regulatory documents state that a private cloud is required when dealing with critical data. This mechanism is generally considered the most suitable for data processing, and it is supported by national financial supervisors, as it provides a higher level of control over information and operations.

The lack of formal guidelines for cloud services is an obstacle to the adaptation of cloud computing as a “driver” for innovation, although they are widely promoted by the European Commission as such when forming a single digital market.

Cases of millions of cyber thefts

When cyber criminals first set their sights on the financial sector, they knew that the client should be their main target. Clients have fewer resources for security, and therefore it will be enough just to steal their data and make financial transactions on their behalf. So the client is the weak link.

However, over the past two years, professional and ambitious groups of hackers have emerged, which have gone further. Now their goal is to penetrate banks and steal millions of dollars from them.

Bank of Bangladesh

One of the most striking examples of this was the theft in the Central Bank of Bangladesh , when a group of hackers successfully infected the bank’s systems using a malicious program specifically created for this attack, and tried to perform a series of operations totaling $ 951 million. This amount could be found on the Bank of Bangladesh account with the Federal Reserve Bank of New York. Fortunately, most operations were blocked, but hackers were able to steal "only" $ 81 million. But this is not the only case.

Tien Phong Bank

The Vietnamese commercial bank Tien Phon Bank experienced a similar attack in the fourth quarter of 2015. Hackers again tried to make operations through the SWIFT network, but the bank noticed these operations in time and managed to block operations worth more than $ 1 million.

Banco del austro

Earlier, in January 2015, the Ecuadorian Banco del Austro also faced a similar attack, as a result of which about 9 million US dollars were stolen from the bank.



In all these cases, malicious programs were used to execute the attack, and financial operations were carried out through the SWIFT network. Direct attacks against this network, which provides secure transfers throughout the world, can be very destructive. Fortunately, it seems that SWIFT did not fall victim to these successful attacks, as stated in the press release of this organization: “First of all, we would like to assure you again that the SWIFT network, the main messaging services and software were not hacked.”

However, it depends on your point of view: in fact, cyber-criminals have successfully used the SWIFT network to commit these thefts. Again, they chose the weakest link for their attacks. SWIFT provides banks with a secure system for communicating with each other, but at the end of this chain, the bank itself has its own internal system for communicating with this global network. Just as hackers attacked bank customers with banking Trojans, now instead of attacking SWIFT itself, they attack banks that are connected to this network.

This group of hackers is responsible for all these three thefts, and to date all the evidence points to the DPRK. In December 2016, it became known that SWIFT sent a warning to its customers that new incidents of attacks began to occur. According to SWIFT Users Security Program Manager Stefan Gilderdale, as he stated at Reuters, banks using the SWIFT network, whether they are central banks of countries or commercial banks, were repeatedly attacked after a cyber theft incident at Bank Bangladesh. And in 20% of cases, hackers were able to successfully steal money.

Another tactic that has recently become increasingly used is the attack on payment terminals (POS-terminals) to steal information from bank cards. In our analysis of the hotel sector, we saw how the majority of attacks against this sector were associated with malware that was sent to POS terminals in order to steal customer data from their credit and debit cards. But this practice affects all areas of trade, from small restaurants to large hypermarket chains.

We in the PandaLabs anti-virus lab analyzed various attacks made by specially designed malware for them, such as PunkeyPOS , when hackers compromised institutions in the United States.

POS terminals affected by PunkeyPOS



Information about other POS-oriented malware , such as Multigrain or PosCardStealer.

Trends in financial cyber crime

The first attacks against the financial sector occurred in 2003. At that time, online banking was gaining popularity, and the number of online banking operations was growing rapidly. The steps taken to identify customers by banks were quite simple: with only a username and password, you could access all your data and do any kind of operation.

The first attacks were mainly related to phishing - e-mails that allegedly came from the bank with a warning about security problems with the registration data of the recipient of the letter. According to these letters, the bank account was frozen until the client navigated to the page indicated in the letter. When clicking on the link, the client got on a fake website. Thinking that he / she is on the bank's website, the client entered his registration data, which immediately fell into the hands of cyber criminals.

After about a year, the first banker Trojans appeared on the scene. These trojans pursued the same goal as phishing attacks: theft of customer registration data to deceive the bank when transferring money to the required accounts. But these threats also became more complex, and these new Trojans could already overcome protection techniques.

The techniques used to steal data have become better, although banks, realizing the threats posed by these Trojans, have greatly enhanced the security of their websites.
For example, banks introduced virtual keyboards to enter customer registration data, which was a big step in improving the security of online banks.
Due to this, it has become pointless to use keyloggers to intercept user credentials.

However, the creators of malicious programs have developed new functionality for banking Trojans, giving them the ability to record mouse movements and even intercept and record images from the monitor screen, as was the case with Trj / Banbra.DCY.



Some samples, such as those related to the BankoLimb family, had a file with a list of URLs of the banks under attack. When a user infected with BankoLimb connected to any site whose address coincided with the website in this list, the trojan was activated, after which he injected an additional html-code on the bank's website. In addition to the usual fields that the user had to fill out during authorization, he should also provide additional information. It turns out that the user was on the real page of his bank, but slightly modified. For this reason, if you connect to the website of your bank and you are asked to enter additional information, it is better not to do this and check with the bank, because you may be infected with a special trojan and all your actions will be intercepted.

In other cases, the Trojans imposed a false page on top of the original, as a result of which the user did not even imagine that he was dealing with imitation. After the user entered his registration data on a false login page, he could receive an error message or be redirected to a real web site so that the client could not be suspicious.
Some variants of the Sinowal Trojan family are really very complex, and they can modify the data on the fly.

For example, if a user provides a transfer through the website of his bank, then these variants of Trojans could change the recipient of this money transfer. Moreover, the original confirmation of the successful implementation of the operation was also forged, so that the user remains completely in the dark about his having been deceived.

Other options were contacted by the server to see if they needed to perform any actions in accordance with the website they visited. Thus, the malicious program did not depend on the configuration file, and therefore cyber criminals could at any time expand or change the list of websites where they would like to inject malicious code, or whose information they would like to steal, etc.

The more we connect to online banking systems from our smartphones, the more hackers are willing to allocate funds to develop banking malware for Android, pursuing the same goals as in the case of PCs. The smartphone has an operating system, applications, etc., so in fact it is just another computer.

The number of banking malware families is staggering. For simplicity, we divide them into two main groups:

1. Brazilian
(Banbra, Banker, Bancos, etc.)

They are focused on customers of Brazilian, South American and partly Spanish and Portuguese banks. Technologically speaking, they are not revolutionary creations. But they are among the most creative in terms of using social engineering techniques to deceive their victims.

2. Russians
(Bankolimb, Zeus, Sinowal, SpyEye, Citadel, Dyreza, etc.)

They target customers from European and US banks. They have always been and are the most difficult from a technical point of view.

Many of them have a lot of similarities, because the source code Zeus was published during their heyday, from which many other families later emerged: SpyEye, Citadel, Ice IX, Ramnit, Zberp, Kins, Murofet, GameOver (Zeus P2P) and others .



However, in recent years we have seen criminal groups diversifying their areas of work, looking for new places to get money:

Computer controlled POS terminals

As mentioned above, there are malicious programs specifically designed for such terminals, and they are used to steal information from bank cards through payment terminals in restaurants, hotels, supermarkets, etc.

ATMs

These are also practically the same computers, only with a very specific purpose. There were cases when hackers entered into them in order to withdraw money directly from an ATM. This can be achieved by manipulating directly with the ATM itself (for example, by installing skimmer cards) or by hacking into the internal network of the bank, from where their ATMs are accessible.

Banks

Of all the possible victims, who has the most money? Of course, the banks themselves. Such complex attacks require large resources and ingenuity, but the ability to steal millions of dollars strongly attracts cyber criminals.

Recommendations to banks to avoid cyber theft

One of the most embarrassing things for victims is their lack of information about the attack. For example, after an attack on the Bank of Bangladesh, three malware samples were discovered - and that’s all that is left.

The attackers, of course, used many other tools that were removed after they were used and which the victims would never know about. Knowledge is power, and therefore knowledge of how the incident occurred is the key to correcting security breaches and working to anticipate future attacks.

Having unlimited visibility behind everything that happens in your IT infrastructure allows you to exercise careful control and avoid potential attacks before they can occur.

The absence of a common cyber space, legislation, certification, interchangeability and legal protection is one of the biggest obstacles banks face to make the transition to cloud computing - a system that allows financial institutions to benefit from the required software: reducing costs, increasing system costs. performance, higher data accuracy, ensuring universal access to documents, etc.

So, how should the software for ensuring information security relate to data that is stored in the cloud in order to most effectively comply with legal regulations?

Information classified as “secret”: the cloud service should not have access to confidential personal information or information that has a high level of security in accordance with the legislation on the protection of personal data, or classified by banks as “secret information”. The only possible nuance is the indirect collection of data related to the use of IT resources by the company as a result of user activity. This information may be included as a restriction in the internal rules of conduct, and be accessible only to a limited number of persons (protection operators and bank personnel).

Information classified as “confidential”: the service has access to user information with lower levels of security. For example, user login data (but not a password that should never be collected), the device name and its IP address, if they uniquely identify the user. This data is necessary for the correct operation of the cloud service, and therefore it is clear that the service providers can be authorized to access such data.

These two qualities underlie the Adaptive Defense 360 security model, the first information security cloud service with advanced protection features combining next-generation device protection (NG EPP) and attack detection and response technology (EDR) with the ability to classify 100% of the running processes.

With this model, banks will be able to protect their core assets (data and critical information about their customers) with a solution that can detect data leakage regardless of whether it occurred as a result of using a malicious program or because of actions taken by bank employees.

This is one of the most valuable functions in the financial sector. Adaptive Defense 360 ​​receives data and transmits it to the SIEM system, which allows you to get full visibility of all the processes on each end device.

In addition to this, as well as the ability to detect and block all types of attacks (including unknown ones) against the system, Adaptive Defense 360 allows you to detect and close vulnerabilities in the system and its applications, as well as prevent the use of unwanted programs such as navigation bars, adware or add-ons and extensions.

Panda Security's corporate solution is part of a platform that uses contextual logic, which analyzes, classifies and compares data on cyber threats to perform prevention, detection, response and recovery operations.

The effectiveness of this information security solution with advanced protection against unknown threats has been confirmed by the independent test lab AV-Comparatives .