Cybercriminals have always been inclined to follow the money. But according to a recent security bulletin jointly issued by the Federal Bureau of Investigation (FBI), Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), hackers have started directly targeting individual bank employees to serve as their unwitting accomplices in financial data breaches.
During the past few months, FBI investigators have observed a marked increase in the amount of spam, phishing emails, keylogging programs and remote access Trojans (RATs) used to obtain employee credentials and infiltrate financial institution networks. Although the victims have primarily been smaller banks and credit unions, the consequences have been no less significant.
According to the report, stolen credentials have routinely been used to initiate and approve overseas wire transfers ranging in value from $400,000 to $900,000. In at least one case, cybercriminals were even able to raise the wire transfer limit on a customer's account to secure a larger windfall. And in the event that the transaction failed, it was most often attributed to a clerical error made when inputting account information, as opposed to bank administrators rooting out threats.
"The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees' credentials," the brief stated. "These logins allowed the actor(s) to obtain account transaction history, modify or learn institution-specific wire transfer settings and read manuals providing information and training on the use of U.S. payment systems."
Investigators also noted that these intrusions were typically preceded or followed by distributed denial of service (DDoS) attacks intended to distract network administrators from the true threat. The vast financial incentive available to motivated hackers was underscored by the fact that the commercial crimeware kits most often used to trigger the Internet security diversion can be purchased for approximately $200 via criminal forums.
With frontline bank employees now standing in cybercriminal crosshairs, it may be more important than ever for financial institutions to educate staff on the threats they may face and how to respond. The first recommendation outlined in the report was to brief staff on the dangers of opening attachments and following links embedded in unsolicited emails. Although avoiding these basic traps has been a matter of best practice for some time, the rise of social engineering attacks has kept this vector as viable as ever for cybercriminals.
Additionally, experts preached a policy of isolation regarding payment processing systems. Managers were encouraged to ban access to email accounts and the open Internet on the computers used to initiate wire transfers. By the same token, banks maintaining BYOD (bring your own device) programs were discouraged from allowing remote workers full administrative privileges on key banking systems.
Well-informed workers are a vital asset for any financial institution, but banks will also have to fight fire with fire and deploy advanced technological resources to keep hackers at bay.
"Some of the ploys are so good they could fool almost anyone – very sophisticated schemes like web injections and email from friends that lead you to open an attachment," Trusteer senior security strategist George Tubin explained in a related interview with CSO Magazine. "The real answer comes in automated technology, to make sure people don't respond to those things."
As a first step, FBI investigators recommended a systematic review of all reputation-based defense systems, application whitelists and employee credentials. Moving forward, administrators would also be wise to implement a continuous monitoring solution that keys in on after-hours employee logins and any changes made to wire transfer settings. This same technology will also be useful in highlighting a rapid influx of web traffic that could be indicative of a forthcoming DDoS attack.
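One way to implement the monitoring the bulletin recommends, flagging after-hours employee logins and any change to wire transfer settings, as an added example that is not part of the bulletin or the original article. The audit events, event names and the 08:00 to 18:00 business-hours window are assumed and constructed for illustration.

```python
from datetime import datetime, time, timedelta

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed local business hours
WIRE_ACTIONS = {"wire_limit_change", "wire_settings_change"}  # assumed audit event names

# Constructed sample audit events (not real bank data); ISO timestamps in local time.
SAMPLE_EVENTS = [
    {"ts": "2012-09-17T09:12:00", "user": "asmith", "action": "login"},
    {"ts": "2012-09-17T14:05:00", "user": "asmith", "action": "wire_limit_change",
     "detail": "account=C-1001 old=50000 new=60000"},
    {"ts": "2012-09-18T02:41:00", "user": "jdoe", "action": "login"},
    {"ts": "2012-09-18T02:44:00", "user": "jdoe", "action": "wire_limit_change",
     "detail": "account=C-2042 old=100000 new=900000"},
    {"ts": "2012-09-22T11:00:00", "user": "jdoe", "action": "login"},  # a Saturday
]


def is_after_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def flag_events(events, window=timedelta(hours=4)):
    """Return alerts as (ts, user, severity, reason) tuples in time order.

    Every wire-setting change is flagged because it is a rare, high-impact
    action; severity is raised to 'critical' when the same user logged in
    after hours within `window` before the change, the pattern the
    bulletin describes.
    """
    alerts, last_after_hours_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, action = ev["user"], ev["action"]
        if action == "login" and is_after_hours(ts):
            last_after_hours_login[user] = ts
            alerts.append((ev["ts"], user, "high", "after-hours login"))
        elif action in WIRE_ACTIONS:
            recent = last_after_hours_login.get(user)
            severity = "critical" if recent and ts - recent <= window else "medium"
            alerts.append((ev["ts"], user, severity,
                           f"wire setting change: {ev.get('detail', '')}"))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(*alert)
```

On the constructed events this yields four alerts: a medium-severity change by asmith during business hours, a high-severity after-hours login by jdoe, a critical wire-limit change minutes later by the same account, and a high-severity weekend login.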
Security News from SimplySecurity.com by Trend Micro