It has taken the financial world a matter of months to get over the Silicon Valley Bank bankruptcy—an event that just over a decade ago would have ground the world’s economy to a halt (from which we have still not entirely recovered). What was the sixteenth largest bank in the US suffered from the double prongs of discounted bonds and post-Covid inflation, which forced its big-tech clients to pull their money to fund loans financed at over-valued share prices. The result—the second largest bank failure in US history.

For clients, though, this meant a new kind of threat—phishing scammers offering support packages, assistance in transferring funds, legal advice, loans, and whatever else someone may need in transferring a major bank account. Suddenly, the internet was awash with fake banks that claimed they had arranged account transfers with SVB. Another scam purported to be distributing crypto-coins as part of SVB’s “payback” program.

Meanwhile, in Ireland, Jess began receiving text messages from her online Revolut banking app saying that her email address needed updating and asking she click on a link to log in. Banking scams, she reportedly said, are more believable—it’s no longer a foreign prince wanting to give you a million Euros for a tiny investment.

Table of Contents

Phinancial disservice

As we have repeatedly stressed, phishing is big business. It has its corporate structure, ethical codes, and even a dedicated recruitment strategy. As such, it seeks to earn the highest possible income on its investment. Consequently, it strikes where the waters are deepest and the catch most abundant. And where better to cash in, but the financial sector—banks, investment funds, brokerages, and the rest of that money-making industry.

Flashpoint’s Year in Review for 2022 states that the financial sector is the second-most attacked sector targeted by cyberthugs on the internet. For that year, finance and insurance had registered nearly 600 major breaches and over 254 m leaked records.1 Well over half of those were major hacking events, including ransomware leaks, and only 6.5% were attributed to smaller ATM-based skimming devices.

And within that sector, banks are prominent, making up a full third of the top-25 brands impersonated by phishing sites. Financial Brand mentions the phishing of credentials from Wells Fargo customers in 2020 and from Citibank customers in 2021, all using well-crafted graphics and convincing messages—events that launched the .bank domain suffix, which is harder to forge. Across the pond, Mark Branso, the director of FINMA (Switzerland’s financial markets regulator) has told the annual media conference of the Swiss Financial Market Supervisory Authority that two-thirds of attacks on critical infrastructure affect the financial sector.

Merry Men a’Stealin an a’Phishing

In this merry game of cops & robbers, the robbers have streamlined their operations to the point of providing online XaaS services, such as packaged malware kits (MaaS), freelance hacking (HaaS), and the notorious Robin Banks Phishing-as-a-Service (PaaS), a $50-a-month prescription service. SCMagazine names Bank of America, Wells Fargo, Capital One, and Citigroup as the latest targets of 2022, with Robin Banks even providing hackers access to an online dashboard for creating picture-perfect phishing pages.

In this crooked supply chain, RB provides the phishing kit, while other specialists provide access to legitimate bank networks using, for example, a compromised employee’s credentials. And thanks to the increasing synergy between big-tech companies (“log in using your Facebook account”, for example), once one account has been compromised, there is a good chance that the credentials for others have been, too.

Although Robin Banks ostensibly targets the little man (or woman–certainly not stealing from the rich and giving to the poor), the big money in financial phishing is without doubt spear phishing—targeting a specific individual, business, enterprise, or organization, as opposed to spreading breadcrumbs over a large area and waiting for a nibble. Valued at nearly a billion US dollars annually, spear phishing is expected to increase by 11.6% by the end of the decade.2

Here, of course, the profit is less immediate but certainly more attractive, leading to ransomware attacks, Denial-of-Service (DDoS) attacks, which saw a 30% increase in 2020, and supply chain attacks, of which–according to the EU’s cybersec agency, two-thirds were unacknowledged, unreported or not even felt by the victim.

Hedging bets

In 2019, spear phishers managed to breach the email accounts of the multi-million dollar Kansas University endowment and Community Foundation of Texas, convincing executives, who manage wire transfers and other activities, to download malware. Luckily, in both cases, the victims managed to regain control over their accounts before major damage was done.

That same year, Bleeping Computer reported that the Beyond the Grave virus had infected the Elliot Advisors hedge fund, Capital Fund Management, AQR Citadel, the Baupost Group, and Marshall Wace—companies with hundreds of billions of dollars under management. Investment advice was being sent to major executives, potentially affecting trading within minutes of receipt. Understandably, the results of these attacks are kept under wraps for fear of reputational damage that could—in itself—cause markets to fluctuate severely.

Last year, brokerages were attacked by scammers pretending to be FINRA (the US Financial Industry Regulatory Authority), which regulates all US-based exchanges and securities firms, including over 624 brokers throughout the nation. Emails contained attachments that “required” downloading, threats of penalties if not responded to, and the rest of the usual suspects. Even more at risk are the multitude of online brokers servicing retail clients to a fiercely growing extent.

Coming to a cellphone near you

Ever since the Nasdaq introduced electronic stock trading over half a century ago, the financial world has gradually shifted from the crowded and noisy exchange floor to computerized systems. Now, retail banking is catching up with a host of services, some pure banking, some simple financial services, such as online payment services, accounting and financial planning apps, and more.

The first retail activity to take hold has been online brokerage services, which include online trading applications and the ability to participate in financial markets—once restricted only to the monied few. But the risks were soon to follow. The latest major hiccup occurred in 2020, when FBS, a major forex (foreign exchange) broker, lost 20TB of customer information to a misconfigured cloud database, containing customer information that then made its way into phishing hands.

And now, the fintech world is flourishing with online payment, banking, and other financial services that were once handled solely by those bricks & mortar banks whose branches seem to be disappearing faster than the next Microsoft patch. Revolut is doubtlessly the leader in phone-app banking. Clearly, the temptation to send phishing messages to fake interfaces, upload fake look-alike apps, and so forth must be irresistible.

Watson, in 2019, described one such attack in which fake verification messages resulted in the victim sending his/her access data to fraudsters—this despite Revolut’s 3-stage verification process (Handy-Nummer, Pin-Code, and SMS Code). This is often done by scammers hijacking a victim’s cellphone number to intercept Revolut verification codes, then tail-ending their own phishing messages into authentic Revolut message chains.

Fortunately, traditional banks have lately been adopting those same platforms used by budding fintech service providers (more services with less staff—a win-win for the bank, less so for less computer-savvy seniors who looked forward to their weekly jaunt to the friendly bank clerk). Unfortunately, these banks are now also prone to the Trojans attacking the online banking industry. For traditional bank customers, the news is good: these larger organizations cannot afford the reputational damage of not reimbursing their customers for online fraud; for the budding disruptor sector—smaller, more agile but less established—customers may suffer for their provider’s support-lacking adolescence.

As the year ended, news readers became aware of just how far the fintech industry had advanced, when the crypto hedge fund and crypto exchange company, FTX went bankrupt, its founder, aptly named Sam Bankman-Fried, accused of securities fraud—among others. The vultures were not far behind, phishing scammers pretending to be US Justice Department agents offering help to customers in recovering their funds.

Your Money – Yourself!

Financial companies, PayPal, MTB, Crédit Agricole, and La Banaque Postale, account for seven out of the top ten phishing targets cited in the 2022 Vade Report. Besides plain money, the financial sector is the linchpin upon which the economy and–consequently–a nation’s well-being rests. As it moves online, customers enjoy increased convenience, accessibility to, and variety of financial services at their fingertips. Conversely, 41% of financial institutions are subject to Trojans at any given moment. Add to that the rapidly increasing introduction of AI and machine learning to both sides of the supplier/customer paradigm, and the attack surface widens to cosmic proportions.

And we should make no mistake: gone are the days when a phishing mail from a Nigerian hacker seemed to be written by a 5-year old illiterate. Today’s cyberattacks are sophisticated! They are backed by well-funded crime syndicates and rogues states, so much so that the FBI’s current prize for helping disrupt North Korean hackers is at the $5m mark. No industry is safe, and no VPN, anti-virus, AI, or other technological wonders will protect you.

Phishing targets human fear and greed, and it requires self-control not to provide what the scammer wants. Clearly, there is little the individual can do in a Magecart attack, where the hacker compromises a bank’s website using malicious code, skimming the victim’s data as it is entered. What he/she can do is ensure that the webpage accessed is the one intended and take care what information is entered.

Upguard offers five security controls that you should ensure your financial services provider abides with:

  • Third-Party Risk Management (TPRM) – to identify 3rd-party cloud security vulnerabilities

  • Multi-Factor Authentication – to make user credential compromise a bit more difficult

  • Firewall – to detect and prevent malware injection attempts.

  • Attack Surface Management – to detect data leaks and reduce the chances of an internal or external (through vendors) breach

  • Learn TTP (Tactics, Techniques, & Procedures) – to help identify already identified and employed strategies and vulnerability employment from across the industry (information sharing).

But without doubt, the most important measure you should implement is to install novoShield on your mobile phone—especially if you access financial services using mobile apps. Safeguard your well-earned cash and your financial security against phishing now!

 

Notes

1 The most prominent actor in this field is the LockBit organization, which was responsible for about 40% of major attacks.

2 Notable examples include the RSA breach in 2011, in which the company’s secret 2FA codes were stolen, the 2014 Sony hack, in which Guardians of Peace released confidential details about company employees, and the 2020 US Department of Energy Attack, in which the agency’s systems were breached. More examples here: https://securityboulevard.com/2022/11/seven-examples-of-spear-phishing-attacks/

Share: