Threats target financial institutions, fintech, and cryptocurrencies

Threats target financial institutions, fintech, and cryptocurrencies

With news of a malware attack on accounting firm Wolters Kluwer causing a “quiet panic” in the accounting world this week, our assertion that financial institutions—from banks to brokers—are part of the vital infrastructure of society has been solidified.

According to its website, Wolters Kluwer provides software and services to all of the top 100 accounting firms in the United States, 90 percent of the top global banks, and 93 percent of Fortune 500 companies. With many of its tax, accounting, and vital storage services down since Monday, employees and customers have been unable to access data during a busy filing period (taxes for non-profits are due May 15.

It is unknown at this time if personally identifiable information was taken in the attack, or if the infection spread to any of Kluwer’s customers. The company released a statement saying they had no reason to believe either were true, but that the investigation is still ongoing.

In the meantime, communication with the firm is spotty and day-to-day work operations have been impeded. Up against a deadline, some accountants are having to complete tax returns for their clients by hand.

And that’s just one attack on one firm.

When we lose trust in our financial institutions, it turns our society upside down. When the paper is no longer worth the number printed on it, or you cannot withdraw money from your account, that rattles the bases of our economy. And in the capitalist society we live in, that means literally everything changes.

Whether attacks empty our accounts or expose our data, how can we feel comfortable investing in the future? And if everyone turned their back on financial institutions because of lack of security, what would happen? Would we have to turn back the clocks to a more primitive age when currency was forged from precious metals or we bartered for goods?

Financial institutions

For further discussion, it makes sense to define what we consider to be financial institutions. Also called financials or banking institutions, they are the corporations that act as intermediaries of financial markets or money management. These businesses can be:

  • Banks
  • Insurance companies
  • Stock traders and other brokers
  • Pension funds
  • Mortgage companies
  • Digital currency markets
  • Accounting firms

The digital era

Not only has the digital world introduced new financial institutions, it has also changed the way existing financial institutions work. The hardware and software used in the financial world is generally referred to as fintech. Needless to say, fintech has a special interest from the malware community at large. In fact, as we’ve already mentioned on Labs, 25 percent of all malware target financial institutions.

Banks were more or less forced to develop new standards and new technologies to keep up with modern demands. It is no longer acceptable having to wait for days for a money transfer to come through when we can purchase goods online and receive them at home a day later.

An important role has been taken up by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to establish quick and secure money transfers. SWIFT does not only aim to enable speedy identification, but also to eliminate errors and omissions in payment data, such as missing or incorrect beneficiary information or incomplete regulatory information.

In addition, there are banks that only exist online and use no brick-and-mortar branches at all. These banks use websites and apps only to provide their customers with the means to make transactions. This makes them and their customers possible targets for fake malicious websites or malware that takes advantage of vulnerabilities in apps. But the same is true nowadays for most older, established banks. They have all set up a digital infrastructure to keep up with the competition—and all of that infrastructure is open to attack.

Old school malware

Some of the oldest malware around the block was created to target financial institutions. However, calling it old school does not mean this malware is no longer effective. While many families have been around for years, they are under constant development to keep up with the latest methods of distribution and gathering financial data.

Banking Trojans are one of the first forms of malware that come to mind when considering which threats target our financial institutions. Nothing frightens us more than threat actors who can get ahold of enough personal information to clean out our bank account. Famous banking Trojan families are as follows:

  • Emotet was originally designed as a banking Trojan that attempted to sneak onto computers and steal sensitive, private information. Later versions of this malicious software saw the addition of spamming and malware delivery services—including other banking Trojans and cryptowallet stealers.
  • Ursnif is one of the most popular forms of information-stealing malware targeting Windows PCs, and it has existed in one form or another since at least 2007.
  • Zeus has been around in many forms for a long time as well and has a wide variety of offspring. This is because the code was published in 2011, and many other threat actors have build it out from there.
  • Kronos was first discovered in 2014 and quickly made a name for itself as an adept malware capable of stealing credentials and using web injects for banking websites. It is also believed to be marketed and rebranded as Osiris.

But PCs are not the only target modern threat actors are after. Odinaff is the name generally in use for a malware strain that performs targeted attacks on SWIFT software to inject fraudulent money transactions. In February 2016, attackers were successful in stealing $81 million from Bangladesh Bank using custom malware that allowed them to hack into the bank’s SWIFT software, transfer money into their accounts, and hide their tracks.

Also, with the introduction of banking apps, we saw the simultaneous introduction of Android banking malware. For example, take Gustuff, a Trojan equipped with web fakes designed to target Android app users of many top international banks. This mobile malware is also after crypto services, fintech companies’ Android programs, marketplace apps, online stores, payment systems, and messengers.

Cryptocurrencies

It’s not just consumers who are wary of being robbed by malware authors. So are many traders in digital currencies—and for good reason. Many of them have been robbed. Other trading platforms have been accused of exit scams, where the transactions are frozen in the platforms’ intermediate account under false pretenses, and eventually all the funds are funneled into the account of the perpetrator(s).

Cryptocurrencies have also introduced new types of crime. Blockchain technology allows for threat actors to perform a Sybil attack, which is like overwhelming the system by majority vote so you can influence any decision to be taken by the blockchain. Some networks make this easier than others because they are small or because they only use selected nodes as public peers. Electrum, for example, was confronted with malicious versions of their wallets that DDoS’ed legitimate nodes so that older clients were forced to connect to malicious ones.

Exploit kits

Banking malware and exploit kits have a long-standing relationship. Traditionally, exploit kits like RIG have been involved in the distribution of banking Trojans and other information stealers. EKs make their way onto machines via malvertising, malspam, drive-by-downloads, or as part of a Trojan-turned downloader such as Emotet, helping to spread malware laterally throughout networks.

Banks are not only a target for malware dropped by exploit kits because they are the shortest route to the money, but disrupting the financial sector of a country or region could be a useful card to play in a game of cyberwar.

APTs against banks

It is rare that an APT attack against a bank is discovered, but Carbanak is probably the most famous—and successful—one. However, even Carbanak was not particularly advanced, as no zero-days were used, although it was rather persistent.

The threat actors behind Carbanak managed to steal over $1 billion from a single bank. They did this by infecting the bank’s systems with spyware using spear phishing techniques. Analyzing the data sent to them by the spyware consisting of screenshots and keylogger logs, they learned enough to overtake the bank’s systems in such a way that they were able to create fake rich accounts, manipulate SWIFT transactions, and manipulate ATM payouts. An attack could last a few months and involved the use of many money mules.

Phishing

The type of phishing we see most is an email supposedly from a bank, asking us to log in to perform some an urgent action—reset passwords and verify account information are comment requests. Only the links provided in the email go to a malicious copy of the bank’s website that was set up by the threat actor. If the victim logs in there, the threat actor can use the provided credentials to perform unauthorized withdrawals to an account under their control.

Users should also be aware of the dangers of phishing attempts on mobile devices, and of spoofed banking apps. In fact, even legitimate banking apps are quite vulnerable to attack.

Countermeasures

As we have seen, financial institutions are targeted in many ways. What consumers can do to protect themselves and their financial accounts is both obvious and difficult to adhere to:

  • Don’t fall for the temptation to become a money mule.
  • Think before you click a link in an email. Better yet, bookmark the website for your bank and only use that site to log in.
  • Use a clean and protected device to make any financial transactions.
  • Use a safe and protected browser or banking app to check your accounts, deposit, or transfer money.
  • Be careful when you choose your cryptocurrency trading platform.

Financial institutions can follow a few ground rules to avoid attacks on their infrastructure:

  • Implement an anti-phishing plan.
  • Use specialized cybersecurity techniques to detect and thwart attacks, including a comprehensive cybersecurity solution, a well-trained IT staff, and an extensive cybersecurity policy/plan.
  • Limit permissions over the network to the minimum that is necessary to function.
  • Have an emergency plan in place for data breaches. Financial institutions traditionally store a lot of personal and sensitive information about their customers. Needless to say, these should be stored and handled with care (encrypted end-to-end).
  • Use trusted third-party or in-house developers to create secure banking apps and websites.

Money makes the world go round

As much as the landscape for financial institutions has changed, their importance to our functioning infrastructure remains intact. Where once bank robbers and con artists could rip off individuals and institutions, now cybercriminals, too, target our banks and other financial systems. It is key that our financial institutions protect our dollars and our data so that we can keep investing our money and our trust in them.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.