A so-called “spear-phishing” attack was carried out on targeted staff at a number of financial institutions, who were sent emails that tricked them into opening software files. This allowed the cyber criminals to access the banks’ internal networks and learn how transfers were done. The gang also controlled ATMs remotely, to dispense money to waiting accomplices.
“These attacks don’t happen over four or five hours, they’re not the whim of a lone teenager in a college bedroom,” says Oisín Fouere, K2 Intelligence’s UK managing director for cybersecurity. “There’s a distinct attack lifecycle which we identify as part of our pro-active monitoring: this begins with a reconnaissance phase which is repeated once they have accessed a company’s networks, to further identify the key systems they wish to target. At that point, the attacker either alters the system so it is no longer secure or finds a way to steal the supposedly secure data.
“Banks often only identify the security compromise once the frauds are being reported by customers. This identification process occurs at the end of the attack lifecycle. Banks need the ability to monitor and infiltrate the very underground groups which are planning and executing these attacks. Often however, they are still too reliant on pure technology-driven safeguards; they need to invest in intelligence-driven cybersecurity to supplement their technical controls.”
The groups carrying out cyber crime attacks “operate exactly like legitimate businesses—there’s an economic market model defining the attack strategy, maintaining resource costs, and ensuring margins for any profit generated,” says Fouere.
The limitations of technology alone in preventing cyber attacks on banks are clear, because there are numerous examples of financial institutions being compromised: another large cyber break-in affected banks in the UAE and Oman in 2013, when a criminal gang stole $45 million after being able to hack into a database of pre-paid debit cards and override withdrawal limits. In one 10-hour period, the gang and their accomplices around the world were able to withdraw $40 million in 36,000 transactions at cash machines in 24 countries.
“Anti-virus intrusion systems are looking for signatures of known activity, of previous attack methods—so when people design an attack from scratch, they can slip entirely under the radar,” says Fouere. “By gathering intelligence to keep abreast of new malware developments and trends, you’re more likely to identify that an attack will take place, or is taking place, because these groups operate within closed forums: they’re using the deep web, talking in closed groups or encrypted chatrooms. They need to communicate with each other and with whoever is funding the attack. And most importantly they outsource specific responsibilities when they don’t hold this skill in-house. It’s at this point we can pick up the indicators.”
K2 Intelligence’s intelligence analysts have the ability to monitor such communication in order to protect customers, and to warn them ahead of an attack taking place that they need to strengthen controls in a particular system, or close it down altogether.
However, intelligence is used very much in conjunction with technological security, not as an alternative.
“Sometimes we may not know who is being targeted, but we know somebody is working on a custom Trojan [a malicious computer program], and we can create signatures for customers to be able to identify it if it reaches their systems,” says Fouere. “Maybe nothing happens for six months, but then suddenly it hits their system and they have the right controls and response procedures in place.
“The other advantage of this match-up is that it then tells us which customers are being targeted by that particular group—that’s the benefit of having intelligence support in place as well as technological support.”
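The two points above, that a signature can be written for a Trojan before it reaches a customer, and that signature-only detection misses anything built from scratch, can be shown with a small matcher. This is an added example and not K2 Intelligence's tooling: the "binaries", the family name `trojan-x` and the command-and-control path used as a marker are all constructed for illustration. It keeps two kinds of rule for one family, an exact file hash taken from the first observed sample and a byte pattern for a string the family reuses, and runs both over the original sample, a rebuilt variant and a clean file.

```python
import hashlib
import re

# Constructed stand-in samples (not real malware). A fake executable header,
# a build stamp that changes between builds, and a C2 path the family reuses.
BUILD_A = (b"MZ" + b"\x00" * 6 + b"build=20150101;"
           b"cfg=/c2/beacon?id=3fa9c0de;" + b"\x90" * 16)
# The same family recompiled later: only the build stamp differs.
BUILD_B = BUILD_A.replace(b"build=20150101", b"build=20150415")
# A benign file that shares the header but none of the markers.
CLEAN = b"MZ" + b"\x00" * 6 + b"build=20150101;hello world" + b"\x90" * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature set for the (hypothetical) family "trojan-x", as an analyst might
# distribute it to customers after seeing one sample.
SIGNATURES = [
    # Exact-hash rule: derived from the first observed sample only.
    {"name": "trojan-x.sha256", "type": "sha256", "value": sha256_hex(BUILD_A)},
    # Byte-pattern rule: the C2 beacon path with an 8-hex-digit client id.
    {"name": "trojan-x.c2-path", "type": "bytes",
     "pattern": re.compile(rb"/c2/beacon\?id=[0-9a-f]{8}")},
]


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every signature that matches the given file bytes."""
    hits = []
    digest = sha256_hex(data)
    for sig in signatures:
        if sig["type"] == "sha256" and sig["value"] == digest:
            hits.append(sig["name"])
        elif sig["type"] == "bytes" and sig["pattern"].search(data):
            hits.append(sig["name"])
    return hits


def report(samples: dict, signatures=SIGNATURES) -> dict:
    """Scan a {label: bytes} mapping and return {label: [matched rule names]}."""
    return {label: scan(data, signatures) for label, data in samples.items()}


if __name__ == "__main__":
    for label, hits in report({"build-a": BUILD_A, "build-b": BUILD_B,
                               "clean": CLEAN}).items():
        print(f"{label}: {hits or 'no match'}")
```

The hash rule fires only on the exact sample it was taken from; the rebuilt variant is caught solely by the byte pattern, and a family that changed its beacon path as well would match neither, which is the gap that intelligence about new tooling is meant to close.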
Spear-phishing, or the sending of fake emails purporting to be from within the same company or another legitimate source to trick staff or customers into handing over secure details such as passwords and account numbers, is “the most popular form of attack at present,” says Fouere, because it does not even require hackers to get past security systems; they simply have to persuade someone to open the door and let them in.
“Even in really technically savvy companies, people get emails that look like they’re from the IT department telling them they need to change their password, and they go ahead and punch it in,” he says. “Organisations have a responsibility to educate their own employees as well as customers. We would stress that an email is like a phone call—you need to authenticate who you are ‘talking’ to before giving away any secure information.”
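The "authenticate who you are talking to" advice can be partly automated at the mail gateway. The following is an added example, not code from the article or from K2 Intelligence, of the checks a defender would run on an inbound "change your password" message: it compares the sender and Reply-To domains against an assumed allow-list of the organisation's own domains, folds common digit-for-letter substitutions to spot lookalike domains, and flags links whose host merely embeds the trusted name. The message and the domain `example-bank.com` are constructed for the demonstration.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "IT department" lure described above.
SAMPLE_EMAIL = """\
From: "IT Service Desk" <helpdesk@examp1e-bank.com>
Reply-To: reset@mail-verify.example.net
To: jane.doe@example-bank.com
Subject: Action required: your password expires today
Content-Type: text/plain

Your password expires in 2 hours. Click below to keep your access:
http://example-bank.com.account-verify.example.net/login
"""

# Assumed allow-list of the organisation's own domains.
TRUSTED_DOMAINS = {"example-bank.com"}

# Digit-for-letter swaps commonly seen in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(header_value) -> str:
    """Lowercase domain of the address in a From/Reply-To header ('' if none)."""
    _display, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when the domain is untrusted but matches a trusted one after folding."""
    if not domain or is_trusted(domain, trusted):
        return False
    folded = domain.translate(_HOMOGLYPHS)
    return any(folded == d or folded.endswith("." + d) for d in trusted)


def triage(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings for one inbound message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if is_lookalike(from_domain, trusted):
        findings.append(f"lookalike sender domain: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_domain}")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = (urlparse(url).hostname or "").lower()
        if is_trusted(host, trusted):
            continue
        if any(host.startswith(d + ".") for d in trusted):
            findings.append(f"trusted name embedded in foreign host: {host}")
        elif is_lookalike(host, trusted):
            findings.append(f"lookalike link host: {host}")

    # Credential-lure wording: a password plus urgency/verification language.
    if re.search(r"\bpassword\b", body, re.I) and \
            re.search(r"\b(expire|expires|reset|verify|confirm)\b", body, re.I):
        findings.append("credential lure wording in body")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

Each finding on its own is weak evidence; together they are enough to hold the message for review rather than let it reach a mailbox, which is the cheap, technology-side complement to the training Fouere describes.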
For all the technology and intelligence a bank can purchase to try to stay one step ahead of highly professional cyber gangs, it may seem absurd that one of the biggest threats they face is an innocent member of staff effectively opening the front door and letting the criminals walk straight past its security systems. It is, however, something that can be avoided with decent training and adequate vigilance.
“Staff need both training and regular reminders,” says Fouere. “Ongoing measuring of the largest concentration of people in your business who are vulnerable to this, and keeping on top of their susceptibility, is vital.”