Attacks On Banks
by Roel Schouwenberg - Senior Anti-Virus Researcher, Kaspersky Lab BNL - Monday, 17 November 2008.
This article provides an overview of the methods currently used by cyber criminals to attack financial institutions, and banks in particular. It reviews general trends and examines how malicious programs targeting financial institutions are designed to evade detection by antivirus solutions. The article also covers phishing, money mules, and the technical steps which cyber criminals may take when launching an attack (such as redirecting traffic, man-in-the-middle and man-in-the-endpoint attacks). Finally, the article provides recommendations on how to tackle the insecurity inherent in online banking. The article is written with the aim of giving IT professionals a more detailed understanding of the ways in which financial institutions can be attacked by cyber criminals and what can be done to mitigate these attacks.

General trends

In 2007, antivirus vendors saw a huge increase in the number of malicious programs targeting banks (financial malware). In spite of a lack of clear information from the financial sector, this indicates a corresponding increase in the number of attacks on banks.

Fig. 1 - Percentage of financial malware among all malicious programs detected

Notwithstanding an increased number of attacks, as the graph above shows, the percentage of financial malware detected each month is dropping. The reasons for this are detailed next:
  • Malware authors constantly change their programs in order to evade detection by antivirus solutions. However, if the changes made are minor, AV vendors will still be able to detect new malware samples using signatures created for previous variants.
  • The graph above only covers financial malware. However, banking attacks are usually a multi-step process: social engineering, phishing, and the use of Trojan-Downloaders which then download the financial malware. It's easier for the criminals to modify the Trojan-Downloader programs (which are usually smaller in size, and generally less complex) than the financial malware itself.
In addition to an increasing number of malicious programs targeting financial institutions, there's also been an increase in malware which is capable of attacking more than one bank or institution at once. However, percentage-wise, the amount of malware attacking more than three financial institutions is also decreasing, as the graph below shows:

Fig. 2 - Financial malware which attacks more than 3 financial organizations

This means that the vast majority of such malicious programs are designed to attack between one and three banks. The reason for this is that financial malware tends to be highly regional, with specific programs being designed to target specific banks or institutions within a single region. Individual pieces of malware will therefore be designed to attack the most widely used banks within a region such as the USA, Germany, Mexico or the UK. The vast majority of financial malware targets a relatively small number of banks, as the graph below shows. There are probably two reasons why these banks are such popular targets: first, they have a large number of customers, and second, it is relatively easy to obtain credentials to access accounts held with these banks, due to lax security.

Fig. 3 - Percentage of malware attacking top ten banks among all financial malware

