Amir Kanaan, Managing Director for the Middle East, Turkey and Africa at Kaspersky, discusses the development of cyberthreats in 2018, and what to expect
The year 2017 witnessed great changes in the world of cyberthreats facing financial organisations. We witnessed a continuation of cyberattacks targeting systems running SWIFT—a fundamental part of the world’s financial ecosystem. Attackers were able to use malware in financial institutions to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world, because SWIFT software is unified and used by almost all the major players in the financial market. Victims of these attacks included several banks in more than 10 countries around the world. We also saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups penetrated bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds; their main goal was to withdraw very large sums of money.
Attackers rely on proven schemes for monetising network access. In addition to their attacks on SWIFT systems, cybercriminals have been actively using ATM infections, including those on financial institutions’ own networks, as well as abusing remote banking (RB) systems and PoS terminal networks, and making changes in banks’ databases to ‘play’ with card balances. Attacks on ATMs are worth mentioning separately.
This kind of robbery became so popular that 2017 saw the first ATM malware-as-a-service, with cybercriminals providing on underground forums all the necessary malicious programmes and video instructions for gaining access to ATMs. Those who bought a subscription only needed to choose an ATM, open it following the instructions, and pay the service organisers to activate the malicious programme on the ATM, after which the money withdrawal process started.
This type of scheme significantly increased the number of cybercriminals, making cybercrime accessible even to non-professionals. We also saw the interception of bank customers’ electronic operations through the hijacking of bank domains: customers did not reach their bank’s real infrastructure, but a fake one created by the intruders. For several hours, the criminals were able to perform phishing attacks, install malicious code, and hijack the operations of customers who were using online banking services at the time.
There are a number of predictions for 2018:
Attacks will occur via the underlying blockchain technologies of financial systems. Almost all of the world’s large financial organisations are actively investing in systems based on blockchain technology. Any new technology has its advantages, but also brings new risks. Financial systems based on blockchain do not exist autonomously, and any vulnerabilities and errors in a blockchain implementation can enable attackers to earn money and disrupt the work of a financial institution.
For instance, in 2016-2017, a number of vulnerabilities and errors were discovered in smart contracts, on which a number of financial institutions’ services have been built.
More supply chain attacks will occur in the financial sphere. Large financial organisations invest considerable resources in cybersecurity, making penetrating their infrastructure no easy task. However, a threat vector that is likely to be actively used by cybercriminals in the coming year is attacks on the software vendors supplying financial organisations. Such vendors, for the most part, are much less well protected than the financial organisations themselves.
Social media account hacks and manipulation will be used to profit from stock and cryptocurrency exchange trading. 2017 will be remembered as the year of ‘fake news’. Besides the manipulation of public opinion, this phrase can also mean a dishonest way of earning money. Since stock exchange trading is now mostly carried out by robots, manipulating the source data they rely on to make transactions can lead to enormous changes in the price of goods, financial instruments and cryptocurrencies.
In fact, just one tweet from an influencer, or a wave of messages on a social network created with the help of fake accounts, can drive the markets. This method will certainly be used by intruders. With this approach, it’s almost impossible to find out which of the beneficiaries ordered the attack.
ATM malware automation will become more prevalent. The first malware for ATMs appeared in 2009, and since then these devices have received constant attention from cyber-fraudsters. This type of attack has evolved continuously.
Following the emergence of ATM malware-as-a-service, the next step will be the full automation of such attacks—a minicomputer will be connected automatically to an ATM, leading to malware installation and jackpotting or card data collection. This will significantly shorten the time needed for intruders to commit their crime.
More attacks are likely on cryptoexchange platforms. Over the past year, cryptocurrencies have attracted a huge number of investors, which in turn has led to a boom in new services for trading various coins and tokens. Traditional players in the financial market, with highly developed cybersecurity protection, have not rushed to enter this field. This situation provides attackers with an ideal opportunity to target cryptocurrency exchanges. On one hand, the new companies have not managed to test their security systems properly. On the other hand, the entire cryptocurrency exchange business, technically speaking, is built on well-known principles and technologies.
This means attackers know, and have access to, the toolkit needed to penetrate the infrastructure of new sites and services working with cryptocurrencies.
Traditional card fraud will spike due to the huge data breaches of the previous year. Big personal data leaks—including the Equifax case, which resulted in more than 140 million US residents’ data being leaked to cybercriminals, and the Uber case, which saw the data of another 57 million customers leaked—have created a situation where traditional banking security can seriously fail, because it is based on the analysis of data about current or potential customers. For example, detailed knowledge of a victim’s personal data can allow attackers to pose as a banking customer and extract their victim’s money or security information, while as far as the bank is concerned, the request looks legitimate.
More nation-state sponsored attacks are likely against financial organisations. The infamous Lazarus group, which is likely to be North Korean state-sponsored, has attacked a number of banks in different parts of the world in the last few years. These have included banks in Latin America, Europe, Asia and Oceania, with the purpose of withdrawing large sums of money, amounting to hundreds of millions of dollars. It is very likely that next year other APT groups from countries that have just joined the cyberspy game will follow this approach—both to earn money and to obtain information about customers, the flow of funds, and the internal procedures of financial organisations.
The inclusion of fintechs and mobile-only users could mean a fall in the number of traditional PC-oriented internet banking Trojans, while novice mobile banking users will become a new prime target for criminals. Digital banks will continue revolutionising the financial sector on a global scale, especially in emerging markets. These banks are gaining more and more momentum and this, of course, has attracted cybercriminal attention. We are sure that the world of cybercrime will see increasing attacks against these types of banks and their customers.
Their main feature is the complete absence of branches and traditional customer service. All communication between the bank and its customers occurs through a mobile application, which can have a couple of consequences. The first is a decrease in the number of Windows Trojans aimed at stealing money through traditional internet banking. The second is that the growing number of digital financial institutions will lead to organic growth in the number of users who are easy targets for cybercriminals: people without any mobile banking experience, but with banking applications installed on their mobile devices.
During recent years, the number and quality of attacks aimed at organisations in the financial sector has grown continuously. These attacks are on the infrastructure of an organisation and its employees, not its customers. The financial institutions that have not already thought about cybersecurity will soon face the consequences of hacker attacks, and these consequences will be incompatible with the continuation of these businesses—they will lead to a complete halt in operations as well as extreme losses. To prevent these situations from happening, it is necessary to constantly adapt security systems to newly emerging threats, but this is impossible without analysing data and information about the most important and relevant cyberattacks aimed at financial organisations.
An effective approach to combating attacks will be for banks not only to choose the right security solutions, but also to use specialised intelligence reports on attacks, as these contain information that must be fed immediately into overall protection systems. For example, using YARA rules and indicators of compromise (IOCs) will become vital for financial organisations in the coming months.