Dark Web data points to a digital blitzkrieg against banks

Financial institutions (FIs) are among the biggest spenders when it comes to cyber security – the financial sector has the second highest investment in security in the UK.  However, there is a key area of continued weakness for FIs, and that is advanced email attacks that bypass traditional cyber security technologies and target employees and customers.

Earlier this year reports uncovered an 80% increase in cyber-attacks against FIs, and now intelligence gathered from 50 top banks and FIs in the US and Europe shows a massive increase in Dark Web activity linked to targeted attacks on these institutions. While such attacks take different forms, they almost always start with an email – in fact 93% of successful breaches begin this way.

The most dangerous  form of email attack, Business Email Compromise (BEC), occurs when criminals impersonate a trusted contact in order to persuade an employee, customer, or partner to transfer funds or divulge sensitive information. According to the FBI, BEC has led to more than $12.5bn in losses for US businesses since October 2013. Beyond the direct financial losses, BEC has resulted in the dark web being flooded with stolen data including account details, logins, credit card numbers and other vital PII.

This increase in dark web activity suggests that banks and FIs are in for a digital blitzkrieg over the next year. Despite the mounting evidence of the coming storm, 80% of FIs lack the proper technologies to detect and block sophisticated BEC attacks.

Most financial organizations still rely on traditional anti-spam/anti-malware/anti-virus systems, which were never intended to stop modern email-based social engineering attacks. Meanwhile, the attackers have learned to evade these traditional defences by utilizing low-volume highly targeted attacks rather than the spray-and-pray techniques the defences were designed to prevent. It’s as though financial institutions are still relying on barbed wire, while the attackers have traded their horses for tanks.

Social engineering isn’t new. The famous hacker and social engineer Kevin Mitnick used to go diving in the rubbish bin to prepare for his exploits. Armed with just enough credible information, Mitnick could walk into just about any company and get access to their computers and phone systems.

Today it’s much easier and far less risky, due to the wealth of information available on our corporate websites and social networks just as LinkedIn and Facebook. Add to that the enormous volume of PII aggregated from hundreds of high-profile data breaches, and suddenly attackers from every corner of the globe can target an individual, department, or corporation.

Using tactics such as display-name fraud, domain spoofing, lookalike domains and, when possible, previously hijacked email accounts, a typical BEC campaign has a success rate of 3.7%. The most successful attackers will spend weeks or even months to gain the trust of an unsuspecting mark before going in for the kill. Patience is clearly a virtue for attackers, as a successful BEC attack can score $130,000 or more, according to CNBC.

Million-dollar heists

In 2016 hackers pulled off an $81m heist against the Central Bank of Bangladesh. It is believed that hackers infiltrated the systems needed to transfer funds through BEC attacks against low- and mid-level officials. Crime syndicates such as the Carbanak crime network, armed with  $1.2bn in loot from malware and phishing attacks, continue to hone their techniques to increase their success rate.

When it comes to customer targeting by the fraudsters, fake fraud alerts, account confirmations and suspension emails are among the top 10 most effective lures scammers use to hook their prey.

Like the Carbanak operation, many cybercriminals use ‘work from home’ scams to recruit money mules to help them launder money. Others use the victims of online romance scams to help them move money. Despite some recent headlines touting multinational law enforcement actions against organized cyber criminal gangs, cyber crime continues to be a  $2trn scourge on the global economy, amounting to a whopping 2%-5% of global GDP.

Disrupting deception

Traditional approaches to fighting BEC and other email threats haven’t proven effective at countering schemes that use identity impersonation and social engineering.

Machine learning is nothing new in the anti-spam space. Traditional solutions are trained to find a needle in a haystack by understanding what a needle looks like. It’s pretty easy to design a needle that doesn’t match the machine’s definition.

Some financial institutions are finding success using modern machine learning technologies that assess people, relationships and behaviours in order to prevent malicious messages from reaching their targets. To continue the analogy, these modern machine learning algorithms learn what hay looks like so they can ignore it to find the needles.

Every company that receives mail also sends mail to their customers, partners, and employees. Protecting external parties presents its own set of challenges, as you have zero control over the protections in place outside your own organisation.

Fortunately, there’s a standard known as Domain-based Message Authentication Reporting and Conformance (DMARC) that can prevent exact-domain spoofing. While it’s heartening that most financial services organisations have deployed a DMARC policy, only 20% of financial institutions have published a strong policy that goes beyond monitoring to actually prevent spoofing.

Will any of this help? There are certainly signs of progress. In fact, organisations seeking solutions to advanced email threats can take a cue from companies that are blazing trails against these and other emerging challenges.

With Dark Web activities pointing to increased attacks on major banking system transfer platforms such as SWIFT, as well as stepped-up assaults on consumers, FIs need to heed the warnings and deploy effective solutions against email-borne social engineering attacks.

With 30% of UK companies reporting that they have sacked an employee for negligence around data breach, it is not just money and reputation on the line. It is careers too.

About the author

John Wilson is field CTO at Agari.