Following reports that malware activity is increasing in direct relation to the ongoing uncertainty in the U.S. banking and stock markets, Kaspersky has issued a new research note that outlines the continued and evolving targeting of banks by cybercriminals.
According to an online paper on the topic authored by Roel Schouwenberg, a senior AV researcher with the Russia-based endpoint security vendor, the percentage of financial malware it has detected each month in 2008 is actually dropping, compared to an explosion of such programs in 2007.
However, this may not specifically indicate a real drop in banking-oriented attacks, as malware authors continue to distribute their threats in smaller batches to evade detection, and many such schemes are multi-staged and driven by harder-to-detect social engineering ploys these days, the researcher said.
Rather than spamming out mass attacks on large banking entities, “the vast majority of such malicious programs is designed to attack between one and three banks,” Schouwenberg said, and “financial malware tends to be highly regional, with specific programs being designed to target specific banks or institutions within a single region,” characteristics that make such programs more difficult to track from afar.
Overall, financial malware is following many of the same attack techniques and distribution patterns of other types of malware, with Web-based threats closely followed by e-mail-driven campaigns in terms of popularity, the company notes.
Banking attacks are also more likely to employ virtual money mules these days, according to Kaspersky.
“Banks have responded to the increased number of attacks by investing more time, money and effort into developing mechanisms for detecting fraud and illegal activity. One safeguard is for an alert to be triggered if a large amount of money is transferred to a ‘suspicious’ region of the world,” the researcher writes. “In order to sidestep this, cyber criminals have taken to using money mules.”
In addition to further insulating malware distributors from the direct siphoning of the funds stolen via malware schemes, the mule approach also allows attackers to keep their transactions regional and so deflect the suspicion that international transfers are more likely to raise inside the institutions being attacked, Schouwenberg said.
Phishing scams involving banks remain another popular attack model, according to the report. Poor security policies connected to online banking applications have made it easy for the technique to continue to flourish, the experts maintain.
“A quick review of the security measures taken by a number of banks in the U.S., U.K. and elsewhere showed that they employ a simple static username and password to access the online banking system. All a cybercriminal has to do is obtain the username and password and s/he is free to perform almost any transaction. Another disadvantage of using a static username and password is that data can be stored and this means that unauthorized users or cybercriminals don’t have to process the data in real time; this job can be done later,” the researcher writes.
Banks that have better security policies use at least one dynamic password: a one-time password that is only valid during a specific session, he contends.
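The distinction the researcher draws between a static credential and a session-bound one-time password is easy to show in code. The following is an added example written for this post; it is not from the Kaspersky paper, and the user name, password, session ids and the `OtpIssuer`/`compare_models` names are all constructed for illustration. The static model accepts a captured password on every later attempt, while the one-time model refuses a second use, a use in a different session, and a use after the code's window has passed.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

# Constructed sample data: one user with a static password (the weak model).
STATIC_CREDENTIALS: Dict[str, str] = {"alice": "correct horse battery staple"}


def static_login(user: str, password: str) -> bool:
    """Static username/password check.

    The comparison itself is constant-time, but the credential never changes,
    so a copy captured once can be stored and replayed at any later time.
    """
    expected = STATIC_CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class OtpIssuer:
    """Issues codes valid for one session, one use and a short time window."""

    def __init__(self, ttl_seconds: float = 120.0,
                 clock: Callable[[], float] = time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        # (user, session_id) -> (code, expiry timestamp, already used)
        self._pending: Dict[Tuple[str, str], Tuple[str, float, bool]] = {}

    def issue(self, user: str, session_id: str) -> str:
        code = secrets.token_hex(4)  # 8 hex digits from the OS CSPRNG
        expires_at = self.clock() + self.ttl_seconds
        self._pending[(user, session_id)] = (code, expires_at, False)
        return code

    def verify(self, user: str, session_id: str, code: str) -> bool:
        entry = self._pending.get((user, session_id))
        if entry is None:
            return False  # no code was issued for this user in this session
        expected, expires_at, used = entry
        if used or self.clock() > expires_at:
            return False  # replay of a burned code, or code presented too late
        if not hmac.compare_digest(expected, code):
            return False
        self._pending[(user, session_id)] = (expected, expires_at, True)  # burn it
        return True


class FakeClock:
    """Controllable clock so the expiry case runs deterministically."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def compare_models() -> Dict[str, bool]:
    """Run both login models through the same capture-and-reuse scenario."""
    clock = FakeClock()
    issuer = OtpIssuer(ttl_seconds=120.0, clock=clock)

    # Static model: the captured password works now and an hour later.
    captured_password = "correct horse battery staple"
    static_first = static_login("alice", captured_password)
    clock.advance(3600)
    static_replay = static_login("alice", captured_password)

    # Dynamic model: the captured code works once, in its own session, in time.
    code = issuer.issue("alice", "session-A")
    otp_first = issuer.verify("alice", "session-A", code)
    otp_replay = issuer.verify("alice", "session-A", code)          # second use refused
    otp_other_session = issuer.verify("alice", "session-B", code)   # other session refused

    fresh = issuer.issue("alice", "session-C")
    clock.advance(121)                                              # window has closed
    otp_expired = issuer.verify("alice", "session-C", fresh)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "otp_first": otp_first,
        "otp_replay": otp_replay,
        "otp_other_session": otp_other_session,
        "otp_expired": otp_expired,
    }


if __name__ == "__main__":
    for name, accepted in compare_models().items():
        print(f"{name:20s} {'accepted' if accepted else 'rejected'}")
```

Binding the code to the session id is what defeats the "process the data later" approach the researcher describes: a code lifted from one session is useless in another, and the server burns it on first use so even a real-time relay only gets one transaction per code.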
Automated threats, man-in-the-middle attacks and newly emerging techniques specifically targeting banks also continue to feed the fire.
In general, banks do seem to be trying harder to secure their operations, Schouwenberg said, but they still have a long way to go.
And of course, users need to step up their overall awareness as well.
“Any security solution and process is as strong as the weakest link: in this case, it’s the customer. Will s/he click on a link or an attachment? Is his/her system up-to-date, with all patches applied? Financial institutions are already taking such factors into account, and some organizations are already stating they will not provide restitution for losses if the attacked system was not fully patched,” the researcher said.
“Unfortunately, the experience of the anti-virus industry shows that user education has a limited effect, and that security measures taken by institutions can be somewhat hit-and-miss. It therefore seems that when the subject comes down to attacks on banks, the anti-virus industry is still in the front line in terms of protecting both users and financial institutions against losses.”
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.