Today’s organizations are plagued by a myriad of cyber threats designed to target their sensitive data and disrupt their business operations. Is your organization prepared in the event of a cyberattack? This article is designed to prepare you to survive the 10 most common threats. Read on to learn more.
Here’s a harsh reality in today’s always-on digital world: By the time you realize you’re vulnerable to a bank break-in, it’s too late. Today’s digital thieves leave long before you realize they were there.
This is a survival guide to help you before that happens.
Bank robbers are not the same today as they were 10 years ago, and neither are your banking customers. Gone are the days when bank robbers or even customers actually walked into your building. This makes it almost impossible to keep the bad guys out of your vaults. Almost.
If you want to win the game, you have to understand the players. If you know how to think like modern-day bank robbers, you’ll know how to protect yourself — before they break in and destroy your systems, finances and reputation. In short, to survive a 21st-century bank robbery, you need to think like a hacker.
The threat you can’t see
Today’s robbers are more covert. More nefarious. Imagine someone threatening you from 10,000 miles away. At least that’s what today’s thief wants you to think before spoofing an IP address across three continents and setting up crypto mining software around the globe while they’re at it. The only thing directly connecting the thief to your bank: cables and a password.
Say hello to the digital age when your biggest threats are often invisible and aren’t always motivated by money. These thieves secretly distribute malware that exploits critical vulnerabilities, and then steals financial data, intellectual property and other digital assets on the down-low — while also jeopardizing your compliance standing, and destroying your brand and reputation in the process.
Now advanced targeted attacks, such as the SWIFT attack in 2016, will forever raise the bar for how you defend yourself. In this unprecedented cyberassault, attackers sent fraudulent messages over the SWIFT system to the New York Federal Reserve trying to transfer nearly $1 billion from Bangladesh Bank’s account. The miscreants managed to successfully divert $81 million from the U.S. Federal Reserve to illicit accounts in the Philippines. Most of it was never recovered.
Today, these robbers account for nearly 43% of all cyberattacks.
Even though you put more time, money and effort into building bigger walls and deploying better cameras, cyberthreats have only become a more agonizing problem. A major multinational bank, for example, is still cleaning up after a massive breach that occurred when a former Amazon Web Services (AWS) employee managed to successfully steal a record 100 million customer accounts and credit card applications because of a misconfigured web application firewall.
And that’s just the tip of the iceberg. Countless other banks and credit unions are hit by thousands of breaches by cybercriminals every day. The attacks are invisible, destructive and often never reported — or even detected.
So the question is: Are you ready to survive a bank robbery?
Know your enemy — and their tactics
Here are a few of the thieves you’ll almost certainly encounter:
- Organized, highly distributed financial crime syndicates
- Nation-state attackers and cyberspies
- Political hacktivists/saboteurs
- Amateur hackers with access to widely distributed malware toolkits
- Financially motivated attackers that leverage sophisticated, AI-driven attacks
While many of the major cybercrime syndicates and high-profile attacks have been traced to China, Russia or northeastern Europe, these attackers also hail from countless other regions and have only become better at covering their tracks.
This article is designed to help you effectively survive 10 of the most significant threats, identified by Splunk’s research teams and industry experts, that you will likely face in this digital economy. But before you can survive an attack, you need to know who the attackers are, how you can prepare for them and what you can do to reduce the risk of being targeted by cybercriminals.
The anatomy of a phishing attack
A phishing attack, delivered via email, IM or another communication channel, tricks banking consumers or employees into clicking a malicious link, often driving them to a bogus site that asks for personally identifiable information such as bank account numbers, credit card details or passwords.
- Who’s behind it: Because of the ease and availability of phishing toolkits, even hackers with minimal technical skills can launch phishing campaigns. The people behind these campaigns run the range from organized cyber criminals to individual hackers.
- Where they come from: Just a few decades ago, a large number of phishing attacks were traced to Nigeria in what were known as 419 scams, named after the section of the Nigerian criminal code that covers fraud. Today, phishing attacks originate all over the world, with many occurring in BRIC countries — Brazil, Russia, India and China — according to the InfoSec Institute.
- Their mission: Be wary — while these bogus sites may look convincing, attackers will harvest any information you submit to them. Or they may launch malware aimed at stealing funds from your accounts, personally identifiable customer information or other critical assets.
- How they execute: Typically you’ll be lured by an email impersonating someone you know — a message that appears to be from a manager or coworker, for example — compelling you to open malicious attachments or click links that lead you to webpages practically identical to legitimate sites.
How to survive a phishing attack
- Make sure your security solution blocks phishing emails before they reach your users’ inboxes.
- Include anti-spamming and anti-phishing technology with advanced filters that rely on machine learning and natural language processing technologies.
- Ensure your team has good security training, awareness and best practices.
These steps practised together will prevent many phishing emails from ever hitting your inbox, dramatically increasing your chances of surviving a phishing attack.
The anatomy of bill fraud
Bill fraud, or payment fraud, is any type of bogus or illegal transaction in which the cybercriminal will divert funds away from your consumers. And these schemes work — according to the most recent data from the FTC, consumers reported losing about $1.48 billion to fraud in 2018, an increase of $406 million from 2017.
- Who’s behind it: Organized attackers with the resources, bandwidth and technology to create fraudulent bills that replicate the real thing. Like phishing, bill fraud generally targets a broad, random population of individuals.
- Where they come from: Like phishing attackers, fraud organizations originate all over the world, including the U.S.
- Their mission: To trick a large number of users into repeatedly paying small or reasonable amounts of money so they don’t notice the scam.
- How they execute: In this ploy, attackers send fraudulent but authentic-looking bills instructing your customers to transfer funds from their accounts. Knowing that many of your customers regularly use fee-based digital services, the attackers rely on the fact that their targets may mistakenly assume the fraudulent bill they receive is for a service they use. Your customers will then initiate a funds transfer or credit card payment to pay for the phony “bill.”
How to survive bill fraud
- Start by automating your bill processing and workflow.
- Implement a security solution that can detect and flag aberrations with your customers’ bills, alerting you if suspicious activity occurs.
Gaining visibility into your bill processing workflows, while also accounting for minor differences, will give you a big leg up when it comes to surviving bill fraud.
Spear Phishing Attacks
The anatomy of a spear-phishing attack
A subset of phishing, spear phishing is when cybercriminals selectively target you with a specific, personalized email message to trick you or your employees into giving away financial or proprietary data, or unlocking access to your network.
- Who’s behind it: Individuals and organizations alike. However, many high-profile spear phishing attempts are traced to state-sponsored cybercrime organizations, which have the resources to research their targets and bypass strong security filters. The Russian cyber espionage group Fancy Bear, for example, used spear-phishing techniques to target email accounts connected to Hillary Clinton’s 2016 presidential campaign, John Podesta, and former U.S. Secretary of State Colin Powell. The group’s attack was detailed in Robert Mueller’s redacted 2019 “Report on the Investigation Into Russian Interference in the 2016 Presidential Election.”
- Where they come from: While spear phishers hail from all over the world, in the last few years many complex spear phishing attacks have been based in Eastern Europe. Last year U.S. federal officials arrested three Ukrainians involved in the cybercrime organization FIN7, linked to hacking more than 3,600 businesses across the U.S. and stealing more than 15 million credit and debit cards.
- Their mission: Spear phishers target individuals who either have access to sensitive information or are weak links to the network. If you’re a high-value target, such as a C-level executive or company board member, you might be especially vulnerable, because you have access to critical systems and proprietary information within a company.
- How they execute: Spear phishers do their research to identify you and your position at your financial institution with social media sites like LinkedIn. From there, they’ll spoof addresses to send highly personalized, authentic-looking messages, to infiltrate your infrastructure and systems. Once hackers gain access to your environment, they will attempt to carry out even more elaborate schemes.
How to survive a spear-phishing attack
- Start by deploying strong spam and phishing filters.
- Implement machine learning and natural language processing technologies to detect sophisticated and personalized spear-phishing messages.
Due to their personal and highly targeted nature, spear-phishing attacks are sometimes more difficult to detect and block. But even sophisticated spear-phishing attacks have weaknesses, and as with regular phishing attacks, surviving them is a matter of knowing what to look for and being prepared.
Business Invoice Fraud
The anatomy of business invoice fraud
Business invoice fraud attempts to trick you into paying out on a bogus — but convincing — bill addressed to your financial institution. In reality, the funds you pay will go to fraudsters mimicking your suppliers.
- Who’s behind it: While there are also numerous individual scammers pulling off business invoice fraud, many attacks are traced to fraud rings that have the organization and the resources to research your banking institution and create a billing experience that feels real.
- Where they come from: Fraud rings conducting invoice scams can be found all over the world. Invoice fraud cost UK businesses £93 million (USD 122.8M) across 3,280 invoice and mandate scam cases last year, according to a recent report. There are also thousands of fraud rings in the U.S. located coast to coast — with Florida, Michigan and Nevada having the highest number of fraud reports in 2018, according to the U.S. Federal Trade Commission.
- Their mission: They are primarily after one thing: money. These hackers are often willing to bill you an amount that appears reasonable so as not to draw suspicion — like $1,500. But executing these scams hundreds or thousands of times will quickly add up.
- How they execute: In this attack, you’ll be sent fake invoices attempting to steal your money in the hopes that you’re not paying attention to your accounts payable processes. Hackers will target you based on the size of your business, location and the suppliers you use. Armed with this information, they create phony invoices that appear legitimate. And with the hopes that your accounts payable department is backlogged, they send false invoices with high demands like “90 days past due, pay now!”
How to survive business invoice fraud
- Stay on top of your accounts payable processes by maintaining comprehensive visibility.
- Find solutions that will immediately give you insights into any delinquent bills and other process glitches.
- Implement technologies that shine a light on any fraudulent or suspicious activities.
Business invoice fraudsters pull off this theft by counting on the fact that you lack visibility into your accounts payable workflow — or that you’re simply not paying attention. So don’t let them, and you will survive business invoice fraud.
Watering Hole Attacks
The anatomy of a watering hole attack
Named after the way predators lie in wait at a literal watering hole, a watering hole attack is one in which attackers infect the websites you and your employees frequently visit with malware designed to infiltrate your network and steal data or financial assets. The specific technique cybercriminals often use to compromise those sites is a zero-day exploit.
- Who’s behind it: Often organized, and sometimes state-sponsored hacking organizations with the resources and ability to closely research your banking institution and determine the websites you visit.
- Where they come from: While they come from all over, many of the cybercriminals behind this attack originate where organized threat groups are flourishing, such as Russia and China. One famous example occurred in 2014 when a Chinese-based attack group exploited two zero-day vulnerabilities to display malicious code on the Forbes website, infecting anyone who visited Forbes.com.
- Their mission: The goal is to infect your computer system with a zero-day exploit to gain access to your network for financial gain or proprietary information.
- How they execute: The attackers will first profile you to determine the websites you frequently visit, and from there, they will look for weaknesses they can exploit. By exploiting these vulnerabilities, the attacker compromises these websites and then waits, knowing it’s only a matter of time before you visit. The compromised website will, in turn, infect your network, allowing attackers to gain entry and then the ability to move laterally to other systems.
How to survive a watering hole attack
- Have the ability to proactively inspect popular sites for malware, and detect and block compromised websites.
- Regularly update your website’s security, monitor for infiltration and scan for software illicitly placed on your website.
- Configure your browsers to provide automatic alerts for malware.
Watering hole attacks are especially treacherous, as they can exploit any vulnerability on a popular site to infect users. But regularly monitoring and updating your security systems will go a long way to help you survive watering hole attacks.
The anatomy of a cryptojacking attack
Cryptojacking is an attack where a hacker targets and hijacks your computer systems with malware that hides on your device and then exploits its processing power to mine for cryptocurrency — such as Bitcoin or Ethereum — all on your dime.
- Who’s behind it: These days, cryptojacking doesn’t require significant technical skills. Cryptojacking kits are available on the dark web for as little as $30. It’s a low bar for entry for hackers that want to make a quick buck because it’s a way to make a lot of money for relatively little risk. In one attack, a European bank experienced some unusual traffic patterns on its servers, slower than average night processes, and unexplained new servers that came online — all attributed to a rogue staffer who installed a crypto mining system.
- Where they come from: All over the world.
- Their mission: Create valuable cryptocurrency with your computing resources.
How to survive a cryptojacking attack
- Start by making sure you can comprehensively monitor your entire network for malicious activity.
- Ensure that you can distinguish malicious activity from other types of communications.
Ultimately, making sure you have visibility and insight will help keep crypto mining attackers off your networks — or prevent them from doing extensive damage so you can survive a cryptojacking attack.
The anatomy of identity theft
Identity theft is an attack where cybercriminals steal your identity and obtain all of your account privileges.
- Who’s behind it: Attackers who have their sights set on your financial institution will likely be larger syndicates that are more organized and targeted, with the ability to conduct research on specific high-value accounts and circumvent standard security defences.
- Where they come from: Cybercrime organizations are based all over the world, with hotspots in countries like Russia.
- Their mission: Cybercriminals want to access your accounts. With stolen credentials, they can reset your passwords, lock you out, gain access to your sensitive data and other computers in the network, or completely obliterate your critical information. What’s more, they can gain remote access to systems by using legitimate passwords to log into consumer cloud services used for business operations and communications.
- How they execute: To trick you and employees into unintentionally handing over their credentials, attackers will often rely on phishing techniques. But they can swipe your credentials in other ways, including via brute force attacks, or by purchasing your account information from the dark web, giving them the ability to easily conduct fraudulent transfers on your stolen accounts.
How to survive identity theft
- Start with a strong authentication system that detects suspicious phishing activity.
- Conduct regular password and security best practices training.
While identity thieves have countless methods of obtaining your personal information, making sure that you’re maintaining best practices will help put the odds in your favour for surviving identity theft.
The anatomy of credential stuffing
In credential stuffing, cybercriminals will use stolen account credentials — often usernames and passwords garnered from a data breach — to access additional accounts by automating thousands or millions of login requests directed against your web application.
- Who’s behind it: Individual and organized hackers with access to dedicated account-checking tools and numerous proxies that prevent their IP addresses from being blacklisted. Less sophisticated perpetrators may end up giving themselves away by attempting to infiltrate a large number of accounts via bots, which results in an unintended distributed denial-of-service (DDoS) scenario.
- Where they come from: Proxies mask the location of credential stuffing attackers, making it challenging to detect their location. But you’ll find them all over the world, especially in organized cybercrime hotspots.
- Their mission: They want to access your sensitive accounts the easy way — by simply logging in. It works because they rely on you or your colleagues reusing the same usernames and passwords across multiple services. If they’re successful, one credential can unlock accounts that house financial and proprietary information, giving them the keys to the proverbial kingdom.
- How they execute: Hackers only need access to login credentials, an automated tool and proxies to carry out a credential stuffing attack. Attackers will take an enormous swath of usernames and passwords, gleaned from massive corporate breaches, and by using automated tools, essentially “stuff” those credentials into the logins of other sites.
How to survive credential stuffing
- Start by enabling multi-factor authentication on your critical, company-owned assets.
- Ensure you have password protection solutions.
- Conduct regular password best-practices training.
Credential stuffing is a numbers game for cybercriminals, so play it safe by rotating passwords and implementing strong authentication and password solutions to prevent them from getting the upper hand and to help you survive a credential stuffing attack.
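The tell described above, that a stuffing tool walks a breach list of many different usernames while a legitimate user retries only their own, can be turned into detection logic. This is an added example, not code from the original article; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detector over web-application authentication logs.

Added example (not from the original article). The log line format
"<ISO time> login <source ip> <username> <ok|fail>", the sample data and
the thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one IP walking a username list, one legitimate user
# retrying their own password, and a proxy-rotated burst of one-attempt IPs.
SAMPLE_LOG = """\
2024-05-01T02:00:01 login 203.0.113.5 alice fail
2024-05-01T02:00:02 login 203.0.113.5 bob fail
2024-05-01T02:00:02 login 203.0.113.5 carol fail
2024-05-01T02:00:03 login 203.0.113.5 dave ok
2024-05-01T02:00:03 login 203.0.113.5 erin fail
2024-05-01T02:00:04 login 203.0.113.5 frank fail
2024-05-01T02:00:05 login 198.51.100.7 alice fail
2024-05-01T02:00:05 login 198.51.100.7 alice fail
2024-05-01T02:00:06 login 198.51.100.7 alice ok
2024-05-01T02:00:07 login 192.0.2.10 gina fail
2024-05-01T02:00:07 login 192.0.2.11 hank fail
2024-05-01T02:00:08 login 192.0.2.12 ivan fail
2024-05-01T02:00:08 login 192.0.2.13 judy fail
2024-05-01T02:00:09 login 192.0.2.14 kate fail
2024-05-01T02:00:09 login 192.0.2.15 liam ok
2024-05-01T03:30:00 login 198.51.100.9 mia fail
"""

LINE_RE = re.compile(r"^(\S+) login (\S+) (\S+) (ok|fail)$")
EPOCH = datetime(1970, 1, 1)  # timezone-free bucketing for naive timestamps


def parse(log_text):
    """Return a list of (timestamp, ip, user, result); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window_s=300, per_ip_users=5, spread_ips=5, spread_ratio=0.8):
    """Flag two stuffing patterns per fixed time window.

    single_source: one IP fails against >= per_ip_users DIFFERENT usernames
                   (a breach list being replayed from one place).
    distributed:   >= spread_ips other IPs fail, and at least spread_ratio of
                   those failures are for unique usernames (proxy rotation hides
                   the source address, not the one-attempt-per-name pattern).
    """
    windows = defaultdict(list)
    for ts, ip, user, result in events:
        windows[int((ts - EPOCH).total_seconds()) // window_s].append((ip, user, result))

    findings = []
    for key, evs in sorted(windows.items()):
        users_by_ip = defaultdict(set)
        fails = []
        for ip, user, result in evs:
            if result == "fail":
                users_by_ip[ip].add(user)
                fails.append((ip, user))

        loud = set()  # IPs already explained by the single-source rule
        for ip, users in sorted(users_by_ip.items()):
            if len(users) >= per_ip_users:
                loud.add(ip)
                findings.append({"window": key, "kind": "single_source",
                                 "ip": ip, "distinct_users": len(users)})

        # Remaining failures: many quiet IPs, mostly unique usernames = rotation.
        quiet = [(ip, u) for ip, u in fails if ip not in loud]
        quiet_ips = {ip for ip, _ in quiet}
        if len(quiet_ips) >= spread_ips:
            ratio = len({u for _, u in quiet}) / len(quiet)
            if ratio >= spread_ratio:
                findings.append({"window": key, "kind": "distributed",
                                 "ips": len(quiet_ips), "unique_user_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The legitimate retrying user (198.51.100.7) is never flagged on its own, while the proxy-rotated burst is caught as a group even though each of its addresses made a single attempt.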
The anatomy of an insider attack
An insider attack, also known as an insider threat, is a malicious assault carried out by insiders with authorized access to your bank’s computer system, network and resources.
- Who’s behind it: Insiders in your company with bad intentions, or cyberspies impersonating contractors, third parties or remote workers. They can work either autonomously or as part of nation-states, crime rings or competing organizations.
- Where they come from: Inside attackers come from within your organization. While they might also be remote third-party suppliers or contractors located all over the world, they have some level of legitimate access to your systems and data.
- Their mission: Inside attackers often aim to pilfer classified, proprietary or otherwise sensitive information and assets, either for personal gain or to provide information to competitors. They might also try to sabotage your organization with system disruptions that mean loss of productivity, profitability and reputation.
- How they execute: Malicious insiders have a distinct advantage in that they already have authorized access to your company’s network, information and assets. They may have accounts that give them access to critical systems or data, making it easy for them to locate it, circumvent security controls and send it outside of the organization.
How to survive an insider attack
- Implement solutions that open visibility into all network activity.
- Monitor user access.
- Regularly audit and update permissions, particularly for sensitive information and critical assets.
Because malicious insiders operate in the shadows, you’ll need to shine a light on their nefarious activities so you can survive an insider attack.
The anatomy of a wire attack
Wire attacks are sophisticated schemes that execute fraudulent high-value payments through the SWIFT international wire transfer network. Going beyond ordinary wire fraud, attackers often target banks in emerging markets with limited cybersecurity infrastructure or operational controls.
- Who’s behind it: Highly organized international and nation-state cybercrime groups, such as APT38 and the Lazarus Group, have historically been behind wire attacks. These groups have the necessary infrastructure and resources to successfully carry out these complex and multi-faceted assaults. A note of caution: high-value wire attacks at institutions with more robust systems likely involve the use of insiders to gain access to systems.
- Where they come from: While it’s unclear who exactly is behind the Lazarus Group and APT38, some reports have indicated that they might have ties to North Korea.
- Their mission: These cybercrime syndicates are after one thing: money. And lots of it.
- How they execute: Attackers use sophisticated malware to bypass your local security systems. From there, they gain access to the SWIFT messaging network and send fraudulent messages to initiate cash transfers from accounts at larger banks.
How to survive a wire attack
- Start by anticipating and predictively mapping the numerous diverse paths attackers could potentially take to access your systems.
- Understand where to prioritize security detection and response infrastructure.
- Determine lateral movement routes within your network once perpetrators compromise a workstation or server.
In light of the technological sophistication of this adversary, you will need to make an effort to stay one step ahead of the attackers. Proactively anticipating the cyber thieves’ next moves, then placing appropriate security defences in their path, will be your best bet in avoiding a wire fraud attack that will put your financial institution on the front pages of the news. In short, your best defence will be to think like a bank robber to survive a wire attack.
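The three survival steps above (map the paths attackers could take, decide where to prioritize detection, and know the lateral routes left once a workstation or server falls) can be worked through on a small access graph. This is an added example, not code from the original article; the topology, host names and edge semantics are constructed assumptions.

```python
"""Map lateral-movement routes to a high-value payment host (added example).

Not from the original article. The graph below is constructed: nodes are
hosts or segments, and a directed edge A -> B means that a foothold on A can
reach B (network access plus a credential or trust relationship that is in use).
"""
from collections import defaultdict

# Constructed topology; "swift-gw" stands in for the SWIFT messaging host.
EDGES = {
    "internet": ["vpn-gw", "mail-gw"],
    "mail-gw": ["staff-ws"],
    "vpn-gw": ["staff-ws", "admin-ws"],
    "staff-ws": ["file-srv", "ad-dc"],
    "admin-ws": ["ad-dc", "jump-host"],
    "file-srv": [],
    "ad-dc": ["jump-host"],
    "jump-host": ["swift-gw"],
    "swift-gw": [],
}


def all_paths(graph, src, dst, max_len=8):
    """Enumerate simple paths src -> dst by DFS; fine for an enterprise-sized map."""
    paths = []

    def walk(node, path):
        if len(path) > max_len:
            return
        if node == dst:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return paths


def chokepoints(paths, src, dst):
    """Intermediate nodes present on EVERY path: a control there cuts all routes."""
    if not paths:
        return []
    common = set(paths[0])
    for p in paths[1:]:
        common &= set(p)
    common -= {src, dst}
    return [n for n in paths[0] if n in common]  # keep path order


def detection_priority(paths):
    """Rank intermediate hops by how many routes cross them (most routes first)."""
    counts = defaultdict(int)
    for p in paths:
        for n in p[1:-1]:
            counts[n] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def routes_after_compromise(graph, foothold, dst):
    """Lateral routes that remain once a given workstation or server has fallen."""
    return all_paths(graph, foothold, dst)


if __name__ == "__main__":
    routes = all_paths(EDGES, "internet", "swift-gw")
    for r in routes:
        print(" -> ".join(r))
    print("chokepoints:", chokepoints(routes, "internet", "swift-gw"))
    print("detection priority:", detection_priority(routes))
    print("after staff-ws falls:", routes_after_compromise(EDGES, "staff-ws", "swift-gw"))
```

On this map every route funnels through the jump host, so that is where detection and response capacity pays off first, and the ranking shows the domain controller and VPN gateway as the next tier.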
The Three Keys to Surviving a Bank Robbery
Here are three rules of thumb that will help you survive rapidly evolving threats:
- Take a risk-based approach to cybersecurity. No matter how hard things get, you can’t simply put bigger locks on the doors to keep thieves out. To protect your network while continuing to do business, you need next-generation systems and operations that will catch cyber threats before they turn into a robbery. This approach will help you survive:
  - Commoditized attacks: Robust endpoint security technology — including data protection, threat protection, network layer security and centralized analytics — will detect most commoditized, continuous attacks and take necessary action to prevent attackers from wreaking havoc on your systems. Much of this detection will be automated.
  - Complex attacks: If anything, multi-stage threats will give you the time needed to detect anomalous activity or unwarranted access (you’ll be able to see intruders conducting reconnaissance). This may be several steps away from the digital thieves’ attack endgame, so you can get to them before they strike.
- Training is essential. This is where you can start thinking like a hacker and putting your knowledge to the test. This guide is a good start. You can also launch an internal campaign that generates mock “phishing” emails as a way to train your employees to spot sophisticated schemes and report them to security admins. In addition to being an exercise in raising awareness, crowdsourcing detection will also help you achieve a quick and effective response to phishing and spear-phishing attacks.
- Don’t underestimate the importance of information sharing. When there is a widespread attack, you will need to respond quickly to prevent the incident from mushrooming. This makes cyber threat intelligence (CTI) sharing an essential tool for combatting attacks. Fortunately, you have access to a rich ecosystem of information-sharing mechanisms and organizations. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an industry consortium aimed at helping financial institutions anticipate, mitigate and respond to cyberthreats. Trusted industry peers and law enforcement are also your allies in your CTI sharing effort.
In addition to alerts that flag immediate and imminent threats, sharing tactics, techniques and procedures (TTPs) used by adversaries will become an important means of improving your security. By sharing intelligence on evolving threats and known-threat masterminds, you’ll be taking direct action to guard against these adversaries. CTI sharing is also an important tool for warning organizations about insider threats.
Impressive as they are, traditional point solutions that tackle specific threats (such as malware) are not enough to keep you safe in this brave new world of cyberattacks. Today, machine data holds the keys to detecting threats and protecting assets. To keep your digital assets safe, you’ll need to implement an orchestration and automation plan. This will help you adapt more quickly, and with new cybersecurity weapons, to stop modern-day bank robbers and survive a bank robbery.