No industry is safe when it comes to cyberattacks, but the financial services sector is increasingly becoming a primary target for cybercriminals. According to Boston Consulting Group research, financial services firms experience up to 300 times as many cyberattacks per year as firms in other industries.
This challenge is now exacerbated as cybercriminals become more determined and more sophisticated in their attack methods. In Singapore, 64% of financial services organisations witnessed significantly more sophisticated cyberattacks over the last 12 months, while 62% had seen more than a 50% increase in attack frequency, based on recent research we conducted at VMware Carbon Black.
The dramatic advancement of attacks against the financial industry can be attributed to three key factors: First, the Covid-19 pandemic has forced many employees to work remotely, further widening the attack surface and making them easier targets. Second, cybercrime syndicates have in recent years been adopting newer attack methodologies, which traditional cybersecurity controls cannot defend against. Lastly, cybercriminals are, in some cases, being seen as patriots by their respective nations and acting as nefarious “cyber Robin Hoods”.
Banking on Covid-19
According to recent data, cyberattacks against the financial sector increased by 238% from February to April, amid the Covid-19 surge. Cybercriminals often work to exploit fear and uncertainty during major world events through cyberattacks, and the pandemic is no exception.
In fact, notable spikes in attacks can also be correlated to key days in the Covid-19 news cycle. On Feb 29, there was a 66% spike in attacks over baseline levels when multiple states in the US declared Covid-19 a public health emergency. When the World Health Organization declared Covid-19 a pandemic on March 11, there was a 22% spike in attacks. This suggests attackers are being opportunistic and leveraging breaking news to take advantage of vulnerable populations.
Attackers have been using Covid-19 to launch watering hole attacks, spear-phishing attacks, application attacks and ransomware. This can be increasingly damaging to the economic landscape as unemployment rates increase and a recession begins. It is clear the attackers are not slowing down, making it more important to understand their behaviours.
Following the money: Understanding attacker tactics
Financial institutions have reported that cybercriminals are becoming more sophisticated, leveraging highly targeted social engineering attacks and advanced procedures for hiding malicious activity. The criminals’ goal is to exploit weaknesses in people, processes and technology in order to infiltrate the network and gain the ability to transfer funds and withdraw sensitive data.
While social engineering is still very prevalent, there has been a shift away from spear phishing toward island-hopping — a tactic where attackers try to gain a foothold in one organisation to then jump to additional targets in its network.
The modern cybercriminal understands that it is more lucrative to island-hop from the bank’s environment in order to attack its customers, which is why there are a variety of island-hopping attacks seen today. In fact, island-hopping has more than tripled in attack frequency and is now the most commonly experienced attack for 10% of Singaporean businesses, causing 12% of breaches in the last 12 months.
The most common attack seen in the financial sector is reverse business email compromise. These attacks occur when a hacker successfully takes over a victim’s email server and executes fileless malware attacks against members of the organisation as well as the board. This has become much easier for attackers to execute successfully as more employees are working from home, where network security can be more easily compromised.
Another common tactic seen among cybercriminals today is watering-hole attacks, which today make up one in every five attacks on financial institutions. In these cases, hackers target and hijack a website frequently visited by partners or customers of the organisation they are trying to breach. This tactic is increasing as cybercriminals recognize the implicit trust consumers have in bank brands.
Hackers aim to identify popular websites that people turn to for information. In today’s economic uncertainty, many people are looking to financial institutions to help them through trying times, and unfortunately hackers are taking advantage of that.
Escalating a bank heist to a hostage situation
Cybercriminals are escalating their attacks as they fight back to maintain persistence. If it cannot be stolen, it will be destroyed — similar to burning a house down versus robbing it. Increasingly, destructive attacks are also being leveraged as counter incident response techniques. Trust and confidence can be undermined as cybercriminals appreciate that it is more valuable to commandeer the digital transformation efforts of the financial institution than to target its customers directly.
To battle against this, financial institutions must conduct regular cyber threat hunting exercises to root out any persistent attacker that might already be in the organisation. A shift to an intrinsic security model must occur, one where security is built in and not bolted onto the enterprise. Security teams must integrate security controls, microsegment, employ just-in-time authentication and modernize their endpoint security controls to mitigate the modern bank heist.
As the public health crisis continues, it is clear attackers will continue to target vulnerable populations and organisations, with an eye on finance. Increased vigilance and visibility into enterprise-wide endpoint activity are more important than ever. Cybersecurity is now a brand protection imperative, and the trust and confidence in the safety and soundness of a financial institution will depend on it.
Tom Kellermann is head of cybersecurity strategy at VMware Carbon Black