Term | Definition |
Adware | Used to throw advertisements onto the target’s screen. It disguises itself as legitimate software, or pairs itself with a legitimate program, in order to trick users into installing it on a PC or other device. |
Spyware | Secretly observes the computer user’s activities without permission and reports them to the software’s author. |
Virus | Malware which attaches itself to another program and replicates by modifying other programs and infecting them with its code. |
Trojan | Usually disguises itself as something useful in order to trick the user. The attackers who sent the Trojan then gain unauthorised access to the affected computer, from which they can steal financial information or install further threats such as viruses or ransomware. |
Malicious Code | A term for any code, in any part of a software system or script, that is intended to cause adverse effects, security breaches or damage to a system. Whereas malware refers specifically to malicious software, malicious code also includes website scripts that exploit vulnerabilities in order to upload malware; it is a security threat that conventional antivirus software cannot control. It is an umbrella term encompassing attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content, and it can take a number of forms: Java applets, ActiveX controls, pushed content, plug-ins, and scripting or other programming languages designed to enhance web pages and e-mail. Once it enters network drives it disseminates; it can overload network or mail servers by sending e-mail messages, steal data and passwords, delete document files, e-mail files or passwords, and reformat hard drives. |
The second addition to the series on cyber security and the financial system outlines for readers the key details of the major attack types faced by financial institutions and the terminology used under each attack type. This should give some familiarity with these phenomena when they appear in national news. Once seen in the context of the groups and individuals involved in cyber attacks, professionals with an interest in cyber security for banks will have a clear threat detection framework with which to analyse attacks on the financial system, or simply on their own organisations.
Malware is the main term needed to understand cyber threats to organisations. It denotes any computer software with malicious intent, and is sometimes used as a generic term for every type of cyber threat or weapon used by cyber criminals to target the data or money of users of digital devices such as PCs, laptops, smartphones, tablets and enterprise networks. Its effect is to interfere with the basic functioning of those devices: it can invade, damage or completely disable the target device. Its main goal is illicit financial gain for the person deploying it, and although it cannot damage physical hardware, it can steal, encrypt or delete data, alter and hijack core computer functions, or spy on computer activity without the knowledge or consent of the target.
Anti Malware Technology
Anti-malware technologies are provided by various security vendors to serve customers facing security threats. According to malwarebytes.com, the terms anti-malware and anti-virus are not synonymous. Their purpose is the same, to defend computer systems and digital devices against viruses and ‘malware’, and anti-virus software defends not only against viruses but against a variety of malicious software; anti-malware, however, is the term given to software that identifies, defends against and removes threats and also replaces or restores files lost in a viral attack. Anti-virus software does not replace these files, and therein lies the main difference as described by malwarebytes.com. It is expected that ‘anti-malware’ products and services will soon become the main terminology as they develop to meet more complex and hybrid challenges, so all software designed by cyber security experts to combat different types of ‘malicious code’ of varying threat levels will come to fall under a broad and comprehensive definition of ‘anti-malware technology’. The processes around which anti-malware technology has been designed are:
1. Signatures/ Heuristics
By looking at a program’s structure and behaviour, signature scanning looks for signs of malicious intent. Heuristics goes further: by scanning executable files it scrutinises the program’s overall structure, programming logic and data and, looking for unusual commands or junk data, assesses the likelihood that the program contains malware. This software can detect malware in files and boot records before the malware has a chance to run and infect the computer. Some anti-malware products can also run suspected malware in a controlled environment, in which the software determines whether a program is safe to deploy.
2. Behavioural Analysis
Monitors the behaviour of each piece of code and the way it interacts with the computer, tracks its activities across different sessions, and looks at how it interacts with other processes on the computer.
3. Whitelisting
Lists and brands all known legitimate software and checks any new item against that list; items which are ambiguous are categorised into the ‘gray area’, which is then analysed using the methods above.
4. Vulnerability Scanning
Acts to detect flaws in legitimate software.
5. Reputation Services
Allows near real-time protection from newly discovered threats: metadata about any program run on a protected computer is uploaded to the vendor’s cloud-based computers, where its reputation is assessed.
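The five processes above are easier to see as one pipeline. The following is an added example, not code from the original article or from any vendor named in it: a toy file-triage routine in Python that applies whitelisting, signature matching, a reputation lookup and heuristic scoring in turn over in-memory byte strings. Every hash, signature and reputation entry is constructed for the example and corresponds to no real software or malware family.

```python
"""
Added example (not from the original article): a toy file-triage pipeline that
chains the anti-malware processes listed above -- whitelisting, signature
matching, a reputation lookup and heuristic scoring -- over in-memory byte
strings. Every hash, signature and reputation entry below is constructed for
this example and corresponds to no real software or malware family.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist of known-good digests (whitelisting).
KNOWN_GOOD = {sha256_hex(b"MZ legitimate-payroll-tool v1.2")}

# Constructed byte-pattern signatures (signature scanning). A real engine holds
# many thousands of patterns; these two stand in for them.
SIGNATURES = {
    "Test.Dropper.A": b"\x90\x90\x90\x90\xeb\xfe",
    "Test.Downloader.B": b"cmd.exe /c powershell -enc",
}

# Constructed vendor reputation table keyed by digest (reputation service).
REPUTATION = {
    sha256_hex(b"MZ legitimate-payroll-tool v1.2"): "trusted",
    sha256_hex(b"MZ unknown-updater-stub"): "malicious",
}

# Strings whose presence raises the heuristic score (heuristic analysis):
# API names commonly imported by process-injection code.
SUSPICIOUS_STRINGS = [b"VirtualAlloc", b"WriteProcessMemory",
                      b"CreateRemoteThread", b"IsDebuggerPresent",
                      b"schtasks /create"]
ENTROPY_PACKED = 7.2   # bits/byte above which a blob looks packed or encrypted
BLOCK_SCORE = 3        # heuristic score at or above which the file is blocked


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes) -> int:
    """Crude heuristic: one point per suspicious string, two for high entropy."""
    score = sum(1 for s in SUSPICIOUS_STRINGS if s in data)
    if shannon_entropy(data) > ENTROPY_PACKED:
        score += 2
    return score


def triage(data: bytes) -> dict:
    """Apply the processes in order and return a verdict with its reason.
    Files that no process can settle land in the 'gray area' for sandboxing
    or analyst review, as the article describes."""
    digest = sha256_hex(data)
    if digest in KNOWN_GOOD:
        return {"verdict": "allow", "reason": "whitelist", "sha256": digest}
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return {"verdict": "block", "reason": f"signature:{name}", "sha256": digest}
    if REPUTATION.get(digest) == "malicious":
        return {"verdict": "block", "reason": "reputation", "sha256": digest}
    score = heuristic_score(data)
    if score >= BLOCK_SCORE:
        return {"verdict": "block", "reason": f"heuristic:{score}", "sha256": digest}
    return {"verdict": "gray", "reason": f"heuristic:{score}", "sha256": digest}


if __name__ == "__main__":
    import os
    samples = {
        "payroll": b"MZ legitimate-payroll-tool v1.2",
        "dropper": b"MZ stub\x90\x90\x90\x90\xeb\xfe data",
        "updater": b"MZ unknown-updater-stub",
        "injector": b"MZ VirtualAlloc WriteProcessMemory CreateRemoteThread",
        "packed": os.urandom(4096),   # high entropy alone only earns 'gray'
    }
    for label, blob in samples.items():
        print(f"{label:9s} {triage(blob)}")
```

The order matters: the allowlist is consulted first so a known-good file is never delayed by the slower heuristics, and anything the cheaper checks cannot settle is handed to the ‘gray area’ rather than silently allowed.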
When risk mapping the financial system for cyber threats, the key challenge is to identify the malware insertion techniques in use and match them with anti-malware technology and processes. A bank’s system could be considered secure as long as the weight of anti-malware techniques outweighs the use of malware insertion by hostile actors.
1. ATM Skimming
ATM skimmers are attached by cyber criminals to the front of ATMs; these devices appear as though they are part of the machine, making it difficult for users to discern which machines are compromised. The skimming device saves the victim’s card information and PIN, which the thief can retrieve and use later. While ATM skimming has been a common scam for a long time, data breaches are getting worse and the tools are growing in complexity. Card skimmers can be attached to any POS machine, not just ATMs. According to Nathan Wenzler, senior director of cybersecurity at Moss Adams, an accounting firm headquartered in Seattle, skimming devices can be attached to any machine into which cards are inserted to make payments, and criminals can easily create skimming devices that sit on top of the real card-swiping mechanism and look like the real thing. One of the points discussed by Wenzler is that 3D printing has allowed criminals to create skimming devices easily and cheaply, which are then planted on ATMs and other POS devices.
How they work involves two parts: a) the skimmer, and b) the camera. The skimmer is a plastic device placed over the ATM reader’s card slot which confuses the user into thinking it is part of the original machine; it allows the thieves to store all the information held on the card’s magnetic strip. Still, in order to make use of the card details, thieves require the user’s PIN, which involves the use of a camera. Hidden on or near the ATM, tiny spy cameras are positioned to get a clear view of the keypad and record PIN entry. These can be identified through a pinhole or off-colour-looking bits of plastic which reveal the hiding place. Skimming keypads, which fit over the original ATM keypad, are another innovation.
2. Phishing Attacks
Phishing involves a criminal targeting the personal information of victims, including their login credentials and credit card details. It is a common delivery route for malware and the basis of all cyber attacks: the malware is installed on the victim’s computer through the opening of an email, text or instant message. Clicking a link could lead to the immediate disclosure of sensitive information or to a lengthier process such as ransomware. Cyber criminals are able to link and coordinate different forms of attack by varying malware types, i.e. an APT [Advanced Persistent Threat]. Overall, its main purpose is the stealing of funds or theft of sensitive information. Phishing can take many forms, such as phone calls, e-mails or phoney websites. It could come from anyone claiming to be a bank, a credit card company, a debt collector, a charitable organisation, a healthcare provider, the tax man, and so on. They use any means to trick the victim into handing over sensitive information over the phone. Through these scams, cyber criminals can launch an extensive attack on the client base of target organisations without the knowledge or awareness of the original recipient.
3. Vishing Calls
This is differentiated from phishing in that it is launched only through internet phone services [VoIP]. Vishing involves impersonating a person or a legitimate business; the term is a combination of the words ‘voice’ and ‘phishing’. Phishing, of course, involves the use of deception to coerce targets into revealing personal, sensitive or confidential information; however, instead of using email, phone calls or fake websites, vishers use an internet telephone service [VoIP]. By impersonating a legitimate phone number, these scammers lead people to believe that their calls are genuine, and once the target responds, they extract the details they want. A key example in our context is the message that targets bank customers: ‘Your account has been compromised. Please call this number to reset your password’. The visher relies on the target panicking and then handing over the relevant information. Other vishing scams include unsolicited offers for credit and loans, exaggerated investment opportunities, charitable requests for urgent causes, and extended car warranty scams. Vishing in banking includes a similar situation, with a supposed employee stating there is a problem with the account and asking you to transfer money to a different account to correct the problem.
4. Advanced Persistent Malwares
This is a term used to describe cyber attacks which are prolonged and targeted, whereby intruders gain access to a network and remain undetected for an extended period of time. The goal is usually first to monitor and steal valuable information rather than to cause damage to a network or organisation. These attacks typically target organisations in sectors such as national defence, manufacturing and financial services, as these companies deal with high-value information, including intellectual property, military plans and other data from governments and commercial organisations. They are a hybrid method of attack, since a complex amount of planning, a variety of attack types and varied goals are involved. Techniques include advanced exploits of ‘zero-day’ vulnerabilities, highly targeted ‘spear phishing’ and other social engineering techniques. The threat actors use a variety of techniques to maintain access to the targeted network without being discovered, including continuously rewriting malicious code to avoid detection and other sophisticated evasion techniques. Some of these attacks are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network. In our context of hybrid warfare against critical infrastructure, the APT is the most likely line of attack to be expected from either organised crime groups or state-sponsored teams of threat actors. Cyber security professionals often focus on detecting anomalies in outbound data in order to check for the presence of an APT.
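The closing sentence above, on watching outbound data for anomalies, is the one part of APT defence a small script can illustrate. The following is an added example, not code from the original article: per-host outbound volume anomaly detection in Python, using a median/MAD baseline so that one unusual day in the history does not hide a later spike. The daily byte totals and host addresses are constructed for the example; a real pipeline would compute them from flow or proxy logs.

```python
"""
Added example (not from the original article): per-host outbound volume
anomaly detection, the kind of outbound-data check defenders use to look for
an APT. The daily byte totals are constructed for this example; a real
pipeline would compute them from flow or proxy logs.
"""
from statistics import median

# Constructed seven-day history of outbound bytes per internal host.
FLOW_HISTORY = {
    "10.0.1.15": [412_000, 398_000, 450_000, 405_000, 420_000, 390_000, 430_000],
    "10.0.1.22": [2_100_000, 1_950_000, 2_300_000, 2_050_000, 2_200_000, 2_000_000, 2_150_000],
    "10.0.1.40": [55_000, 60_000, 52_000, 58_000, 61_000, 57_000, 59_000],
}

# Constructed totals for the day under review.
TODAY = {
    "10.0.1.15": 440_000,     # within its normal range
    "10.0.1.22": 2_250_000,   # busy file server, also normal for it
    "10.0.1.40": 3_800_000,   # a quiet workstation sending ~65x its usual volume
}


def robust_baseline(history):
    """Median and median absolute deviation (MAD). Used instead of mean and
    standard deviation so a single noisy day does not inflate the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def outbound_anomalies(history, today, k=6.0, min_bytes=1_000_000):
    """Return (host, bytes, note) for hosts whose outbound volume exceeds
    median + k*MAD and an absolute floor. The floor stops a host that
    normally sends a few kilobytes being flagged for a routine update."""
    findings = []
    for host, total in today.items():
        past = history.get(host)
        if not past:
            # A host with no history cannot be baselined; surface it explicitly.
            findings.append((host, total, "no baseline"))
            continue
        med, mad = robust_baseline(past)
        spread = mad if mad > 0 else 0.1 * med   # flat history: avoid a zero band
        threshold = med + k * spread
        if total > threshold and total > min_bytes:
            findings.append((host, total, f"{total / med:.1f}x median"))
    return findings


if __name__ == "__main__":
    for host, total, note in outbound_anomalies(FLOW_HISTORY, TODAY):
        print(f"ALERT {host}: {total:,} bytes outbound ({note})")
```

Volume is only one dimension; the same per-host baseline approach extends to the number of distinct external destinations or to off-hours traffic, which is where a slow, low-volume exfiltration would show instead.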
5. Darkweb usage
A cyber security provider by the name of MarkMonitor provides anti-malware technology to protect against attacks from the Dark Web, where a large proportion of the attacks planned on a large scale, i.e. APTs and the like, are held to originate. It is believed that the large attacks we are focusing on in this study, i.e. those by state-sponsored collaborative groups of multiple actors planning large-scale attacks against big business and critical national infrastructure, are very often formed, planned and launched from the area of the internet known as the Dark Web.
Marketing material describes hostile activity emanating from the dark web as ‘advanced threats’ that specifically target public and private sector organisations, all of which are integral to the stable functioning of society in any nation. It is described that the organisations targeted often invest a large amount of resources to protect infrastructure data within the company’s firewall, but not those outside it. Through the dark web, it is said that cyber criminals can operate anonymously, easily exchanging large amounts of data, such as stolen credit card numbers and insurance information. Overall, there is great difficulty in detecting and anticipating attacks from this area, and companies are encouraged to gain real-time visibility into dark web attacks so that they can act decisively to protect their assets and customers.
The solution recommended by MarkMonitor involves a comprehensive, 24/7 security format, involving:
1- Visibility, intelligence and smart infiltration technology to protect against dark web threats:
This involves using comprehensive, real-time threat intelligence around cyber incidents, looking for information propagated via the dark and deep web, social media networks and chat rooms where these individuals usually communicate. It is hoped that visibility into these obscure areas of the internet will provide clients with actionable intelligence so they can take the necessary precautions before attacks take place.
2- Smart technology to infiltrate criminal networks
Whereas traditionally cyber security experts would have to monitor the dark web manually to look for indicators of an attack, this company has found a way to use robotics that mimic human behaviour to interact with cyber criminals and infiltrate their networks. This is more suitable for wide-scale monitoring activities tailored for the large clients most at risk from APTs designed on the dark web.
3- Deep visibility and threat monitoring
As part of the strategy to maintain vigilance against future cyber attacks, MarkMonitor provides clients with a specific type of threat awareness that goes a few extra steps in identifying cyber threats by scoping for them in multiple ‘cybercrime zones’, such as the dark web, deep web, social networks, chat sites, forums and other sites, allowing deep visibility into potential attacks on an organisation.
4- Smart Technology and Actionable Intelligence
This involves looking deeply at the potential sources of threat and cyber crime zones using what they refer to as ‘smart automated technology’, in order to scale the process of threat identification using leading-edge robot technology. They claim this operates to ‘minimise false positives’ and then mimics human behaviour in order to interact with cybercriminals and infiltrate their networks. They supplement these processes with some form of 24/7 customer service response to help implement the intelligence gained by using their software.
The use of smart search robots has been emphasised as part of their cyber defence methodology; they insist that this removes the need for manual threat searching by individual cyber analysts and instead prioritises the ability of machines to search for criminal behaviour at scale, targeting their investigation to specific cyber crime zones and using infiltration achieved by mimicking human behaviour.
5- Overall network building
This particular service provider helps to strengthen its ability to detect threats from different zones of attack by maintaining partnerships and relationships with a variety of stakeholders including search engines, social media networks, online marketplaces, industry advocacy groups, registries and law enforcement agencies.
6. BIN [Bank Identification Number] Attacks
This is an advanced case in which credit card numbers are manipulated to withdraw money from financial institutions. Scammers make specific attempts to steal customer identity details, and Bank Identification Number [BIN] attacks are among the most complex. In these situations, criminals try to generate many fraudulent credit card numbers on the basis of actual, authentic numbers. During a BIN attack, the Bank Identification Number, also known as the ‘issuer identification number’, is manipulated; this is the first 4-6 digits appearing on a credit card, and it identifies the card’s issuing bank. This numerical identification system is employed on a variety of banking cards and, ironically, was initially designed as a security measure to prevent identity theft and security breaches. In hindsight, however, it is no wonder that this abuse came about, simply because any detail used as a verification factor can be replicated, and is only useful insofar as the data can be kept private or known only to a small party. The BIN Attack Process:
1. Usage of Technology:
Generating BIN Sequence Numbers
This involves the use of software applications which generate random credit card numbers; these are then combined with a genuine credit card number to churn out new numbers that follow the same sequence as the genuine number.
2. Analysis:
Shortlisting Numbers Through Matching Expiry Dates
The numbers thus generated are tested on the websites of various online businesses. Scammers try all the generated numbers with identical BIN sequences in these transactions, initially using very small amounts, usually less than $50, along with the expiry date of the original credit card.
3. Deployment:
Usage of Numbers for Fraudulent Transactions
During the final stage of a BIN attack, the shortlisted fake credit card numbers which match the expiry date of the original genuine number are used for payments at different online businesses, and at this stage the transaction amount rises to around $10,000. Scammers have succeeded by the time banks find out about the transactions; the bank then reverses the transaction, and the weight falls on the merchant, who has to bear the brunt of the chargebacks.
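The three-step process above leaves a recognisable footprint in an issuer’s authorisation stream during step 2: many distinct card numbers sharing one BIN and one expiry date, tried with small amounts within minutes of each other. The following is an added example, not code from the original article or from any source it cites: an issuer-side velocity rule in Python that groups authorisation attempts by (BIN, expiry), slides a time window over each group and flags groups where a window contains several distinct PANs that are mostly low-value probes. The authorisation records are constructed and the PANs are tokenised placeholders, not real card numbers.

```python
"""
Added example (not from the original article): an issuer-side velocity rule
for the BIN-attack process described above -- many distinct card numbers that
share one BIN and one expiry date, tried with small amounts in a short window.
The authorisation records are constructed and the PANs are tokenised
placeholders, not real card numbers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how close together the probes must be
MIN_DISTINCT_PANS = 5            # distinct card numbers per (BIN, expiry)
SMALL_AMOUNT = 50.00             # the article's 'usually less than $50'
SMALL_SHARE = 0.8                # fraction of attempts that must be small

# Constructed authorisation attempts: (time, tokenised PAN, expiry, amount, response).
AUTH_LOG = [
    # Six different card numbers, same BIN and expiry, probed in 32 seconds.
    ("2021-03-04T10:00:01", "400000xxxxxx0001", "06/23", 4.99, "declined"),
    ("2021-03-04T10:00:07", "400000xxxxxx0019", "06/23", 2.00, "declined"),
    ("2021-03-04T10:00:12", "400000xxxxxx0027", "06/23", 1.00, "approved"),
    ("2021-03-04T10:00:18", "400000xxxxxx0035", "06/23", 9.99, "declined"),
    ("2021-03-04T10:00:25", "400000xxxxxx0043", "06/23", 4.99, "declined"),
    ("2021-03-04T10:00:33", "400000xxxxxx0050", "06/23", 3.25, "declined"),
    # A genuine customer on the same BIN: one card, ordinary purchases, hours apart.
    ("2021-03-04T09:12:40", "400000xxxxxx7788", "11/24", 61.20, "approved"),
    ("2021-03-04T13:45:02", "400000xxxxxx7788", "11/24", 18.00, "approved"),
    # Two small declines on another BIN: below the distinct-PAN threshold.
    ("2021-03-04T10:02:00", "510000xxxxxx1234", "06/23", 5.00, "declined"),
    ("2021-03-04T10:02:09", "510000xxxxxx1242", "06/23", 5.00, "declined"),
]


def bin_of(pan: str) -> str:
    """The BIN is the leading digits of the PAN; six are used here."""
    return pan[:6]


def detect_bin_probing(auth_log, window=WINDOW, min_pans=MIN_DISTINCT_PANS,
                       small_amount=SMALL_AMOUNT, small_share=SMALL_SHARE):
    """Group attempts by (BIN, expiry), slide a time window over each group and
    report groups where one window holds >= min_pans distinct PANs, mostly at
    small amounts. Returns {(bin, expiry): stats}."""
    groups = defaultdict(list)
    for ts, pan, expiry, amount, response in auth_log:
        groups[(bin_of(pan), expiry)].append(
            (datetime.fromisoformat(ts), pan, amount, response))

    findings = {}
    for key, events in groups.items():
        events.sort(key=lambda e: e[0])
        best_window, best_distinct = [], 0
        lo = 0
        for hi in range(len(events)):
            # Advance the left edge until the window fits within `window`.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            candidate = events[lo:hi + 1]
            distinct = len({e[1] for e in candidate})
            if distinct > best_distinct:
                best_window, best_distinct = candidate, distinct
        n = len(best_window)
        share = sum(1 for e in best_window if e[2] <= small_amount) / n
        if best_distinct >= min_pans and share >= small_share:
            findings[key] = {
                "distinct_pans": best_distinct,
                "attempts": n,
                "small_share": share,
                "decline_rate": sum(1 for e in best_window if e[3] == "declined") / n,
                "first_seen": best_window[0][0].isoformat(),
                "last_seen": best_window[-1][0].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for (bin_, expiry), stats in detect_bin_probing(AUTH_LOG).items():
        print(f"BIN {bin_} expiry {expiry}: {stats}")
```

Grouping by expiry as well as BIN is what separates the probing pattern from a large issuer’s ordinary traffic, since a real portfolio spreads its small purchases across many expiry dates. Catching the group at this stage, before the $10,000 transactions in step 3, is also what spares the merchant the chargebacks the paragraph describes.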
7. Supply Chain Attack
Cyber Security Online defines a supply chain attack, also called a ‘value chain’ or ‘third-party attack’, as an incident where a system is infiltrated through an outside partner or provider who has access to your systems or data. This is similar in nature to some of the attack types mentioned before, and security analysts may wonder why this phenomenon merits a separate term, since almost all cyber attacks target an organisation’s information system by gaining access through an outside party, who is either colluding or acting unwittingly. Nonetheless, cyber security analysts have given it a separate terminology, so we are going along with their method. The threat to organisations from supply chain attacks has been described by CSO as ‘a perfect storm’, the result of factors such as new attack types, increased resources and tools owned by the attackers, growing public awareness of the threats, and increased oversight from regulators. The supply chain attack is particularly bad news for third-party IT services, as it is their access to large organisations that is exploited through the use of malicious code in the delivery of supply chain attacks.
Threat actors use stolen credentials or compromised third-party libraries in order to exploit software developers in their attacks. In its latest Internet Security Threat Report, Symantec described a variety of supply chain attacks, termed ‘form-jacking’, which stemmed from compromised third-party services used by online retailers, including chatbots and customer review widgets. According to Symantec, stopping these attacks requires advanced detection methods such as analytics and machine learning. According to CSO, any company using third-party software is potentially at risk from this type of attack, since there is no guarantee of the safety of those programs or that they will not be manipulated by cyber criminals. This is particularly relevant in the context of our banks, as the traditional banks are known for their heavy reliance on legacy IT systems, which are made up entirely of external software and middleware, so there is an opportunity for cyber criminals with basically every software patch or update installed onto their software and core banking system. Even more so, when we extend this analysis to the digital apps or e-wallets provided by banks as part of a digital offering, we can see that any flaw in the product can be exploited, as its operation depends on the main core banking system in the first place. The use of a third party’s core banking system to operate a digital banking service, or as part of a standalone ‘neo-bank’ or ‘virtual bank’ operating layout, would technically carry the same risk of third-party software vulnerability faced by all users of IT software products. An app downloaded by millions of a bank’s customers could be fatal to the growth of digital banking services if its core technology is not secure from exploitation by cyber threats.
Any bug or malicious code launched by hostile actors can affect up to millions of devices and users through minor gaps in the service or product offered, and can reach throughout a bank’s wider stakeholders.
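The form-jacking case above has a narrow shape: a page keeps loading a chatbot or review script by URL while the file behind that URL changes at the vendor. Alongside the analytics Symantec recommends, a simpler preventive control is to pin the reviewed version. The following is an added example, not code from the original article or from Symantec or CSO: Python that computes Subresource Integrity digests for third-party assets, verifies fetched copies against a pinned manifest and fails closed on unknown URLs, and emits the `<script integrity=...>` tag so the browser enforces the same pin. The asset URLs, file contents and manifest are constructed for the example (`.invalid` is a reserved name, so none of them resolve).

```python
"""
Added example (not from the original article): fail-closed integrity pinning
for third-party web assets, one control against the form-jacking pattern
described above, in which a chatbot or review widget script is altered at its
source while the retailer's pages keep loading it by URL. The URLs, contents
and manifest below are constructed for this example.
"""
import base64
import hashlib


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value: '<algo>-<base64(raw digest)>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits sha256, sha384 or sha512 only")
    raw = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


# Constructed copies of the third-party scripts as they were when reviewed.
REVIEWED_WIDGET = b"window.chatWidget={init:function(){/* reviewed build */}};"
REVIEWED_REVIEWS = b"window.reviews={render:function(el){el.textContent='...';}};"

# Constructed pinned manifest: produced at review time and stored with the
# site's own code, never fetched from the vendor at runtime.
PINNED = {
    "https://cdn.example-chat.invalid/widget.js": sri_digest(REVIEWED_WIDGET),
    "https://static.example-reviews.invalid/reviews.js": sri_digest(REVIEWED_REVIEWS),
}


def verify_asset(url: str, fetched: bytes, pinned=PINNED):
    """Compare a fetched asset with its pinned digest. Unknown URLs are
    rejected too, so a new third-party script cannot ship unreviewed."""
    expected = pinned.get(url)
    if expected is None:
        return False, "not pinned"
    algo = expected.split("-", 1)[0]
    if sri_digest(fetched, algo) != expected:
        return False, "digest mismatch"
    return True, "match"


def script_tag(url: str, pinned=PINNED) -> str:
    """Emit the <script> tag with integrity and crossorigin attributes so the
    browser itself refuses a modified file, even if the server-side check is
    skipped. Raises KeyError for an unpinned URL: fail closed."""
    expected = pinned[url]
    return (f'<script src="{url}" integrity="{expected}" '
            f'crossorigin="anonymous"></script>')


def audit(fetched_assets, pinned=PINNED):
    """Check every asset a build is about to ship; return {url: reason} for
    the failures only, so an empty result means the build is clean."""
    failures = {}
    for url, content in fetched_assets.items():
        ok, reason = verify_asset(url, content, pinned)
        if not ok:
            failures[url] = reason
    return failures


if __name__ == "__main__":
    # Constructed 'fetched' copies: the reviews widget gained one byte upstream.
    # Any change fails, whatever it contains; the check never inspects intent.
    fetched = {
        "https://cdn.example-chat.invalid/widget.js": REVIEWED_WIDGET,
        "https://static.example-reviews.invalid/reviews.js": REVIEWED_REVIEWS + b";",
        "https://cdn.unvetted.invalid/analytics.js": b"/* never reviewed */",
    }
    for url, reason in audit(fetched).items():
        print("REJECT", url, reason)
    print(script_tag("https://cdn.example-chat.invalid/widget.js"))
```

The trade-off is operational: every legitimate vendor update now fails the check until someone re-reviews it and updates the manifest, which is exactly the review step a silent swap at the vendor would otherwise bypass.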
Resources and Links
https://searchsecurity.techtarget.com/definition/malware
Antimalware Technologies: terms explained
https://money.usnews.com/banking/articles/what-to-know-about-atm-skimming
https://fraudwatchinternational.com/vishing/what-is-vishing/
https://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
https://markmonitor.com/download/ds/dsMarkMonitor_Dark_Web_Cyber_Intelligence.pdf
https://investinuaefraud.com/blog/bin-attack-credit-card-fraud/1057/view
https://www.csoonline.com/article/3191947/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-providers.html
https://www.securityweek.com/supply-chain-attacks-nearly-doubled-2018-symantec
https://arstechnica.com/information-technology/2019/08/ransomware-wiper-malware-attacks-have-more-than-doubled-ibm-team-says/