Bancsec Advisor



Banks Must Focus More on Cyber-Risk

(April 5, 2017)

Online financial transactions have become essential to everyday life, and banks are under increasing threats from cyberattacks. A short time ago, the Federal Reserve, FDIC, and OCC released Enhanced Cyber Risk Security Standards. This guidance for midsize and large banks is designed to increase their focus on cyberattack resilience and cyber-risk mitigation.

Relevant URL(s): http://www.darkreading.com/endpoint/banks-must-focus-more-on-cyber-risk/a/d-id/1328566


Cybercriminals Seized Control of Brazilian Bank for 5 Hours

(April 4, 2017)

In October of 2016, cybercriminals compromised 36 domains belonging to a Brazilian bank for a five-hour period. This allowed the attackers to intercept all of the bank's online and mobile banking, point-of-sale, and investment transactions. Experts estimate that possibly millions of the bank's customers across the globe, including the US, were also victimized with malware designed to harvest their data. The attack was possible because the attackers first obtained administrative access to the bank's DNS account. Implementing multi-factor authentication on critical systems such as DNS management can help thwart attacks such as this.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549


Health Savings Account Fraud: The Rapidly Growing Threat

(April 14, 2017)

Health savings account (HSA) fraud, a serious threat with ties to healthcare breaches, has been increasing in frequency since 2016. Victims’ “fullz”, or full listing of personally identifiable information (PII) obtained from compromised healthcare institutions, are being used by malicious actors to gain illicit access to funds, transfer money from the accounts, and even transfer funds to prepaid cards opened in the victim’s name. Preventing this type of fraud can be difficult, but monitoring account balances and activity closely and reporting potential indicators of compromise can reduce the extent of the damages.


Relevant URL(s): http://www.darkreading.com/endpoint/health-savings-account-fraud-the-rapidly-growing-threat/a/d-id/1328633


Mobile Payment Card Cloning: Understanding the Risks

(April 12, 2017)

The use of mobile contactless payments has been growing quickly, and with it Host Card Emulation (HCE), the emulation of payment cards on a mobile device. An IT Security Consultant with SecuRing has recently revealed that it's possible to copy mobile contactless card data to another device, allowing an attacker to use it for payment transactions. Banks deploying HCE technology in their mobile payment applications should test against card cloning attacks and be sure server-side fraud detection is in place.

Relevant URL(s): https://www.helpnetsecurity.com/2017/04/12/mobile-payment-card-cloning/


ATMitch: Remote Administration of ATMs

(April 4, 2017)

Investigation into several recent fileless attacks led researchers to the discovery of new ATM malware, dubbed ATMitch. This malware, which can empty an ATM of its cash before removing itself, is installed on ATMs via Remote Desktop Connection (RDP) access from within the bank. ATMitch works on all ATMs that support the XFS library, which allegedly is the vast majority. Application whitelisting should be used on ATMs to help prevent this and other types of malware.

Relevant URL(s): https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/


Banking Agencies Issue Joint Report to Congress

(March 21, 2017)

Members of the FFIEC issued a joint report to Congress regarding their review of rules affecting financial institutions. The Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) requires the federal banking agencies and FFIEC to conduct reviews of their rules at least every 10 years in order to identify outdated and unnecessary regulations. The banking agencies published requests for written comment and received over 250 comment letters. The report describes several joint actions taken or planned by the regulators.

Relevant URL(s): https://www.ffiec.gov/press/pr032117.htm


NY Breach Report Highlights Third-Party Risk

(March 29, 2017)

In 2016, New York had one of the highest data exposure rates in the state's history, with the annual number of reported security breaches increasing by 60%. Eighty-one percent of the 1,300 reported breaches involved the loss of Social Security numbers or financial information. As banks consider their security controls, they also need to think about ensuring their third-party service providers' controls meet their requirements and expectations.

Relevant URL(s): http://www.csoonline.com/article/3185908/security/expert-ny-breach-report-highlights-third-party-risk.html


Over One Million Fraud Attacks on Financial Firms in 2016

(March 1, 2017)

After financial firms were hit with more than one million fraud attacks in 2016 by scammers trying to capitalize on anti-fraud gaps, experts warn that this year may be worse. ThreatMetrix, which recently released its Q4 2016 Cybercrime Report, blocked more than 80 million attacks using stolen or fake credentials during 2016 in the financial sector. They also claim the number of attacks jumped 150% from Q3 to Q4 in 2016. Although preventing this type of fraud can be difficult, analytics can be used by banks to help identify and mitigate the risk.

Relevant URL(s): https://www.infosecurity-magazine.com/news/over-one-million-fraud-attacks/


Dridex Trojan Gets AtomBombing Update

(March 1, 2017)

One of the most destructive banking Trojans, Dridex, has recently been updated with new features. The malware is now equipped with a new, sophisticated injection technique, known as AtomBombing, which allows it to propagate and infect endpoints while evading detection. This update shows how attackers keep up to date on new technologies. In order to protect endpoints, banks can incorporate products such as adaptive anti-malware and application whitelisting into their security programs.

Relevant URL(s): https://www.infosecurity-magazine.com/news/dridex-trojan-gets-atombombing


Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan

(March 22, 2017)

Researchers have discovered that Chinese criminals are using fake base transceiver stations (BTS) to carry out SMiShing attacks, or phishing messages sent via SMS. The malware being distributed is targeting Android users' banking credentials and can bypass two-factor authentication. Researchers have warned that although this threat has only been seen in China so far, it could quickly spread worldwide. As always, users should keep their mobile devices updated to the latest version and avoid installing apps from third-party app stores.

Relevant URL(s): http://thehackernews.com/2017/03/rogue-bts-android-malware.html


Banks Around the World Targeted in Watering Hole Attacks

(February 14, 2017)

Polish banks were recently the victim of malware that was inadvertently distributed to them by their own financial regulator, the Polish Financial Supervision Authority (KNF). As affected banks shared indicators of compromise, other banks around the globe found that they had been hit as well. The majority of affected institutions are banks in the US, Poland, Mexico, UK, and Chile. Banks should update their defense systems with the indicators of compromise provided by BAE and Symantec to help identify and block this attack.

Relevant URL(s): https://www.helpnetsecurity.com/2017/02/14/banks-watering-hole-attacks/


Fast Food Chain Arby’s Acknowledges Breach

(February 17, 2017)

A spokesman for Arby's confirmed rumors that they had recently remediated a breach that affected hundreds of their restaurant locations nationwide. The breach, which is estimated to have occurred between October 25, 2016, and January 19, 2017, involved malicious software installed on payment card systems at the restaurants. Consumers should always remember to watch their card statements closely and report suspicious or unauthorized transactions.

Relevant URL(s): https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/


A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe

(February 8, 2017)

Fileless malware is going mainstream. Researchers at Kaspersky Lab have discovered that at least 140 banks and other enterprise networks have been infected by malware that resides solely in the memory of the compromised computers. They claim the infections are difficult to detect, partially due to the use of legitimate administrative and security tools, such as PowerShell, Metasploit, and Mimikatz. Banks can help protect systems by ensuring PowerShell is disabled throughout the organization and network segregation is properly implemented.

Relevant URL(s): https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/


Zeus-Derived Flokibot Malware Invades PoS

(January 31, 2017)

Ever since the source code for Zeus leaked in 2011 via underground forums, malicious actors have continued to refine the banking Trojan to help them steal banking credentials and infect point-of-sale (POS) devices. The latest example, Flokibot, includes a redesigned stealth dropper that is used to install other malicious code and is designed to evade anti-virus scans. The malware captures payment card numbers, as well as the encrypted PINs. Monitoring POS systems for data exfiltration and unusual network connections can help block this attack vector.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/zeus-derived-malware-continues-to-pwn-pos-devices-p-2384


Infected Weather App's Forecast: Malware

(February 22, 2017)

A legitimate Android app, Good Weather, was recently discovered to contain a Trojan capable of delivering banking malware. The malware is capable of accessing the victim's banking credentials and can bypass some two-factor authentication. Android users should carefully review the permissions that apps request and mobile antivirus software should be used.

Relevant URL(s): https://www.scmagazine.com/infected-weather-apps-forecast-malware/article/639512/


ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions

(February 7, 2017)

The digital threat protection suite from Easy Solutions has been endorsed by the American Bankers Association through its subsidiary, the Corporation for American Banking. The endorsement comes after ABA's extensive due diligence, oversight from ABA's Endorsed Solutions Banker Advisory Council, and research support by the cybersecurity company Bancsec. The suite, which includes anti-phishing monitoring and brand protection services, is now the solution of choice for ABA members.


Relevant URL(s): http://www.aba.com/Press/Pages/020717EasySolutionsEndorsement.aspx


Stolen Passwords Fuel Cardless ATM Fraud

(January 17, 2017)

"Cardless ATM" transactions, a new offering from several financial institutions that allows customers to take out cash with their mobile phones, are opening up new opportunities for thieves. With this new technology, customers enter the amount they'd like to withdraw into the mobile banking app, then use a numeric code at the ATM or present a QR code to complete the transaction. As reported by krebsonsecurity.com, criminals are already leveraging stolen customer online banking credentials to exploit this new service. If banks are looking to offer this new feature, behavioral analytics, low withdrawal limits, and new customer and mobile device validation can help identify and mitigate risks.

Relevant URL(s): https://krebsonsecurity.com/2017/01/stolen-passwords-fuel-cardless-atm-fraud/


Carbanak's Back And Using Google Services For Command-and-Control

(January 17, 2017)

The Carbanak group responsible for stealing $1 billion from banks in 2015 has resurfaced with a new approach, using Google services for command and control of its malware. The use of a trusted third-party service allows the attackers to hide in plain sight. The malware is typically distributed via phishing emails, which can often be identified by employees who regularly receive adaptive information security awareness training and testing.

Relevant URL(s): http://www.darkreading.com/cloud/carbanaks-back-and-using-google-services-for-command-and-control/d/d-id/1327909


ATM Malware Retooled to Strike More Machines

(January 16, 2017)

FireEye Labs recently identified a previously unseen version of Ploutus, one of the most advanced ATM malware families, first discovered in 2013. This new version, dubbed Ploutus-D, interacts with KAL's Kalignite ATM platform, which runs on ATMs from 40 different vendors. If a criminal were to gain access to the ATM internals, thousands of dollars could be dispensed in minutes. Banks with ATMs running KAL's Kalignite can take advantage of its built-in security features, such as application whitelisting, disabled USB ports, and BitLocker full-disk encryption.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/latin-american-atm-malware-set-to-strike-more-machines-p-2361


Bank Leaks 60,000 Account Details in Three Character Email Slip-up

(January 9, 2017)

One of Australia's largest banks recently sent an email containing data on 60,000 bank accounts to an unknown external recipient by accident. The problem stems from the fact that the bank owns the nab.com.au domain, but not the nab.com domain. The data was erroneously sent to an email account at the nab.com domain. It's likely that no harm was done; however, neither the bank nor its customers can be certain. A data loss prevention and email encryption solution can help banks ensure a similar mistake doesn't catch them off guard.

Relevant URL(s): https://nakedsecurity.sophos.com/2017/01/09/bank-leaks-60000-account-details-in-three-character-email-slip-up/



Source Code for Another Android Banking Malware Leaked

(January 22, 2017)

Source code for Android banking malware, as well as instructions for its use, has been leaked online, and researchers with Dr. Web have already identified it in the wild. The new Trojan, BankBot, has the ability to intercept SMS messages, show phishing dialogs, and steal sensitive information and credentials, as well as payment card details. Users can protect themselves by disabling the installation of unofficial apps in their phone settings, and by avoiding attachments and links from suspicious sources.

Relevant URL(s): http://thehackernews.com/2017/01/android-banking-malware.html


Hacks at Russian Central Bank Have Cost 2 Billion Rubles

(December 3, 2016)

During 2016, malicious actors tried to nab 5 billion rubles from Russia's central bank. The central banking authority managed to redirect some of the funds but attackers still made off with 2 billion rubles, the equivalent of $31 million. Although it's unclear who is responsible for this attack, it bears some resemblance to a string of heists that gained access to SWIFT, the Society for Worldwide Interbank Financial Telecommunication. Banks should review every aspect of their information security program, including controls around their e-banking channels.

Relevant URL(s): http://money.cnn.com/2016/12/02/technology/russia-central-bank-hack/index.html


Ransomware as a Service Fuels Explosive Growth

(December 5, 2016)

Although ransomware attacks don't get much publicity, a white paper from Osterman Research indicates that nearly 50 percent of US companies fell victim to these attacks during the past year. Another report by Trend Micro found there was an increase of 172 percent of new ransomware families in the first half of 2016. Even more alarming, malware authors have a new Ransomware as a Service (RaaS) business model, where they enlist distributors to spread the software, with some packages costing as little as $100. Protection against this threat can be difficult, but knowing what to expect, and having layered security systems and a robust ransomware response plan in place can greatly help limit exposure.

Relevant URL(s): http://www.csoonline.com/article/3146537/security/ransomware-as-a-service-fuels-explosive-growth.html


InPage Zero Day Used in Attacks Against Banks

(November 23, 2016)

Researchers at Kaspersky Lab have identified a zero-day vulnerability in InPage publishing software. Several attacks attempting to exploit it against banks have been recorded, as well as a few against government agencies. The exploit, which is delivered via phishing campaigns, can often be prevented with consistent staff education and testing, as well as strong email threat protection systems.

Relevant URL(s): https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/


'Alice' Malware Loots ATMs

(December 21, 2016)

A new bare-bones ATM malware family, dubbed 'Alice', has recently been discovered by Trend Micro. Alice has one simple function: empty the ATM of its cash. All a criminal would need to infect a system is access to the ATM's internals to install and interact with the malware. In this case, physical ATM security and persistent monitoring can help defend against the threat.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/alice-malware-loots-atms/d/d-id/1327773


'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

(December 2, 2016)

Researchers at Newcastle University have developed an extremely easy way to guess the card number, expiration date, and security code of any Visa credit or debit card in six seconds flat. The attack, named 'Distributed Guess Attack', exploits the lack of a mechanism to detect multiple invalid payment requests made from different online merchant sites. This allows an unlimited number of cracks at predicting payment information by distributing the guesses across multiple sites. The researchers believe this may be the tactic used in stealing $3 million from Tesco Bank customers recently. To mitigate this threat, banks can implement back-end analytics to help identify fraud.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/frighteningly-easy-hack-guesses-full-credit-card-details-in-6-seconds/d/d-id/1327632
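The back-end analytics the item above recommends can be as simple as an issuer-side velocity check that ignores merchant boundaries. The following is an added example, not code from the article or from the Newcastle researchers; the thresholds, the `AuthAttempt` record layout and the sample authorization stream are all constructed for illustration.

```python
"""Issuer-side velocity check against distributed guessing of card details.

Added example (not from the article or the Newcastle researchers): each
merchant only sees its own handful of declines, so the detector aggregates
declined authorisations per card across all merchants and alerts when the
decline count and the number of distinct merchants both reach thresholds
inside a sliding time window. Thresholds and sample data are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthAttempt:
    ts: int            # Unix time in seconds
    card: str          # tokenised PAN; never log the real number
    merchant: str      # acquirer/merchant identifier
    approved: bool
    reason: str = ""   # decline reason: "expiry", "cvv", "address", ...


@dataclass(frozen=True)
class Alert:
    card: str
    ts: int
    declines: int
    merchants: int
    fields_probed: Set[str]


class DistributedGuessDetector:
    """Sliding-window, per-card decline counter that is blind to merchant boundaries."""

    def __init__(self, window_s: int = 600, max_declines: int = 5,
                 min_merchants: int = 3) -> None:
        self.window_s = window_s
        self.max_declines = max_declines
        self.min_merchants = min_merchants
        self._declines: Dict[str, Deque[AuthAttempt]] = defaultdict(deque)
        self._flagged: Dict[str, int] = {}   # card -> ts of last alert

    def observe(self, a: AuthAttempt) -> Optional[Alert]:
        q = self._declines[a.card]
        # Drop declines that have aged out of the window.
        while q and q[0].ts < a.ts - self.window_s:
            q.popleft()
        if a.approved:
            return None
        q.append(a)
        merchants = {d.merchant for d in q}
        if len(q) >= self.max_declines and len(merchants) >= self.min_merchants:
            last = self._flagged.get(a.card)
            if last is not None and a.ts - last < self.window_s:
                return None          # already raised for this card in this window
            self._flagged[a.card] = a.ts
            return Alert(a.card, a.ts, len(q), len(merchants), {d.reason for d in q})
        return None


def scan(attempts: List[AuthAttempt], **kw) -> List[Alert]:
    """Feed attempts in time order; return every alert raised."""
    det = DistributedGuessDetector(**kw)
    ordered = sorted(attempts, key=lambda x: x.ts)
    return [al for al in (det.observe(a) for a in ordered) if al is not None]


def per_merchant_peak(attempts: List[AuthAttempt]) -> int:
    """Highest decline count any single merchant saw for one card, i.e. all a
    merchant-local retry limit has to judge on."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for a in attempts:
        if not a.approved:
            counts[(a.card, a.merchant)] += 1
    return max(counts.values(), default=0)


# Constructed sample: tok_A is probed for its expiry date (then CVV) across
# six merchants, never more than twice at any one of them; tok_B is an
# ordinary customer who mistypes the CVV twice at one shop and then succeeds.
SAMPLE = [
    AuthAttempt(1000, "tok_A", "shop1", False, "expiry"),
    AuthAttempt(1003, "tok_A", "shop2", False, "expiry"),
    AuthAttempt(1005, "tok_B", "shop9", False, "cvv"),
    AuthAttempt(1006, "tok_A", "shop3", False, "expiry"),
    AuthAttempt(1009, "tok_A", "shop1", False, "expiry"),
    AuthAttempt(1010, "tok_B", "shop9", False, "cvv"),
    AuthAttempt(1012, "tok_A", "shop4", False, "expiry"),
    AuthAttempt(1015, "tok_B", "shop9", True),
    AuthAttempt(1018, "tok_A", "shop5", False, "cvv"),
    AuthAttempt(1021, "tok_A", "shop6", False, "cvv"),
]

if __name__ == "__main__":
    for al in scan(SAMPLE):
        print(f"ALERT card={al.card} declines={al.declines} "
              f"merchants={al.merchants} probed={sorted(al.fields_probed)}")
    print("peak declines seen by any single merchant:", per_merchant_peak(SAMPLE))
```

No single merchant in the sample sees more than two declines, so a merchant-local limit never fires, while the cross-merchant view flags the card on its fifth decline.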


Tesco Bank Hacked

(November 7, 2016)

Over $3 million was recently stolen from 9,000 customers of UK-based Tesco Bank. The bank did not disclose how accounts had been compromised or any other details of the attack. Tesco Bank announced that they're working with authorities and regulators to address the breach. This is one instance where having a well-thought-out incident response plan can help greatly.

Relevant URL(s): http://thehackernews.com/2016/11/tesco-bank-hack.html


OCC Discloses Data Breach

(October 28, 2016)

As required by the Federal Information Security Modernization Act (FISMA), the OCC notified Congress and other federal agencies of a major information security incident several weeks ago. The incident involves a former employee who downloaded over 10,000 records containing controlled, unclassified information onto removable drives that are now missing. The OCC claims that policies and technical safeguards have been implemented to prevent such an event from occurring in the future.

Relevant URL(s): https://www.occ.gov/news-issuances/news-releases/2016/nr-occ-2016-138.html


Fake Executive Social Media Accounts Threaten Enterprises

(November 16, 2016)

Research conducted by BrandProtect revealed that 19 percent of Fortune 500 CEO Twitter profiles, and 9 percent of LinkedIn accounts reviewed were represented by numerous duplicate accounts, which raises concerns about potential security vulnerabilities. These types of fake profiles are often used in spear phishing or whaling attacks, or to push malware and ransomware into enterprises. Banks can better protect themselves as well as their customers with the use of brand protection services.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/16/fake-executive-social-media-accounts/


Android Trojan Targets Customers of 94 Banks in US, Europe

(November 2, 2016)

A malicious Android app masquerading as Flash Player is targeting online banking credentials as well as payment card details. The app is purportedly focusing on banks in the US, Australia, Germany, and France. Users should avoid installing unofficial apps on their devices and app reviews and sources should be checked before installation.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/02/trojan-flash-player-android-app/


TrickBot Banking Trojan is the Next Big Threat

(November 9, 2016)

Personal and business bank accounts are being aggressively targeted by a new banking Trojan named TrickBot. Researchers believe TrickBot may have been built by part of the team that built the nefarious banking Trojan Dyre. As they see it, this Trojan is likely to become a major threat. Third-party software and operating system patches should be kept current and users should always follow safe web browsing practices, which includes the handling of email attachments and links.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/09/trickbot-banking-trojan/


Hackers Changing Tactics, Techniques, and Procedures

(October 24, 2016)

An NTT Security report reveals the financial industry has seen a significant increase in the sophistication and type of attacks in the most recent quarter. They identify finance as the most attacked industry, with 23 percent of all attacks, and 43 percent of these were web application attacks. Comprehensive penetration testing can help banks understand where and how these attacks could take place so that appropriate security solutions can be implemented.

Relevant URL(s): https://www.helpnetsecurity.com/2016/10/24/hackers-changing-tactics/


Ransomware Raises The Bar Again

(October 10, 2016)

Ransomware is now the top attack vector targeting financial organizations, according to a recent survey by SANS. Fifty-five percent of financial firms identify ransomware as the most prevalent attack, with some loss claims between $100,000 and $500,000. Banks should have ransomware response plans in place, along with offline backups, layered security systems, and end-user awareness to limit ransomware exposure.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/ransomware-raises-the-bar-again-/d/d-id/1327138


88% of Employees Lack Awareness to Stop Privacy or Security Incidents

(October 27, 2016)

A survey was recently conducted to test employees' cybersecurity awareness. The study revealed that 88 percent lacked sufficient awareness to stop preventable incidents. Other key findings cite that 16 percent of employees exhibit behaviors that put organizations at serious security risk and 25 percent failed to recognize sample phishing emails. Banks should ensure employees receive adaptive information security awareness training at regular intervals.

Relevant URL(s): https://www.helpnetsecurity.com/2016/10/27/employees-lack-awareness/


Attackers 'Hack' ATM Security with Explosives

(October 17, 2016)

Europe has seen a surge in attacks on ATMs, many using explosives to steal cash from the safes. In the first half of this year, police in Europe cataloged 492 of these attacks. On average, explosive attacks have netted criminals $18,300 each. Although these attacks have not yet made it to the United States, banks should have strong physical security in place at all ATM locations and they should be inspected regularly for tampering.

Relevant URL(s): http://www.bankinfosecurity.com/attackers-hack-atm-security-explosives-a-9457


Russian Criminals' Bank Attacks Go Global

(October 26, 2016)

Russian criminals have tested and perfected their techniques on local banks and are now taking them global. As stated by Moscow-based Group-IB, these criminals develop their attacks for the market they know best, then later go after banks in the U.S., Canada, and other countries. They also claim that another wave of attacks, mobile banking Trojans, is building up in Russia; these have escalated 471 percent recently. U.S.-based banks would be wise to stay abreast of international cyberattacks to help improve their security strategies.

Relevant URL(s): http://www.csoonline.com/article/3135364/security/russian-criminals-bank-attacks-go-global.html


FFIEC Rewrites the Information Security IT Examination Handbook

(September 27, 2016)

The FFIEC has recently updated their guidance for managing financial institutions' information systems, which is the first update in over 10 years. The updated handbook is almost 40% shorter; however, the expectations have increased. A more traditional approach to risk management is contained in the guidance, as well as an increased focus on cybersecurity controls, internal assessments, and third-party service providers.

Relevant URL(s): http://complianceguru.com/2016/09/ffiec-rewrites-it-handbook/


FDIC Updates IT Examination Procedures

(June 30, 2016)

FDIC-supervised institutions will be subject to new IT examination procedures starting immediately. This major overhaul, now dubbed InTREx (Information Technology Risk Examination), is the first considerable update since 2007. The new design has a simpler pre-examination phase but institutions should prepare for a more thorough examination phase. The new granular procedures require examiners to review and evaluate your documentation and determine if it sufficiently proves that you're doing what you say you'll do. Having necessary documentation available may make all the difference.

Relevant URL(s): https://www.fdic.gov/news/news/financial/2016/fil16043.html


SWIFT Sees New Hack Attacks Against Banks

(August 31, 2016)

Since the theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York, SWIFT has seen continued attacks against banks' local security controls to send fraudulent messages via the SWIFT network. In a private letter from SWIFT to its customers, the collective warns that some banks have lost money as a result. The letter also explains that targets have varied in size and geography, and have used diverse connectivity methods; however, they've all had weaknesses in their local security. Banks are urged to install the updated SWIFT software, which includes stronger password management rules, better user authentication, and better tools for detecting attacks.

Relevant URL(s): http://www.bankinfosecurity.com/swift-sees-new-hack-attacks-against-banks-a-9374


Secret Service Warns of ‘Periscope’ Skimmers

(September 16, 2016)

According to an alert by a financial task force, a new type of skimming technology known as "periscope skimming" has been found in at least two ATMs in Connecticut and Pennsylvania. This new skimmer connects directly to the ATM's internal circuitry to steal payment card information and can store up to 32,000 card numbers. In both of these cases the criminals installed the devices by gaining access to the insides of the ATMs with a key. ATMs should be physically secured, not exposed at the top if possible, and checked regularly for evidence of tampering.

Relevant URL(s): http://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/


Banking Trojan GozNym Botnet Sinkholed After Infecting Over 23,000 Victims in UK, US and Europe

(September 29, 2016)

Researchers with Cisco Talos were able to successfully bring down a very large botnet controlled by GozNym operators. GozNym, a powerful banking Trojan, is a combination of features from two families of malware, Gozi and Nymaim. The Trojan was found to have infected at least 23,000 victims in the US, the UK, and Europe. These types of threats, which are typically delivered via spear phishing, can often be mitigated with education campaigns, consistent social engineering testing of staff, and email security filtering.

Relevant URL(s): http://www.ibtimes.co.uk/banking-trojan-goznym-botnet-sinkholed-after-infecting-over-23000-victims-uk-us-europe-1583973


Data Breach At Oracle's MICROS Point-of-Sale Division

(August 16, 2016)

KrebsOnSecurity recently learned of a breach at Oracle Corp., which appears to have affected hundreds of systems, as well as a customer support portal for companies using MICROS point-of-sale (POS) payment systems. MICROS, one of the top three POS vendors, is used at more than 330,000 cash registers worldwide. Two anonymous security experts indicated that the breached customer support portal had been seen communicating with a server used by the Carbanak Gang, a group suspected of stealing more than $1 billion from banks and other organizations over the past few years. Oracle will be forcing password resets for all support accounts of the MICROS portal.

Relevant URL(s): http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/


Financial Malware Attacks Increase as Malware Creators Join Forces

(August 12, 2016)

According to Kaspersky Lab's most recent IT threat evolution report, a 15.6 percent increase in financial malware attacks on users was identified compared to the previous quarter. One reason for this may be due to a collaboration between the authors of two of the top banking Trojans, Gozi and Nymaim. The Nymaim Trojan, which was initially designed as ransomware, now includes banking Trojan functionality from Gozi. If criminals are unable to steal personal financial information, they will encrypt the users' files and demand a ransom. As always, up-to-date operating systems, third-party software patches, and antivirus definitions should be consistently applied to help users protect their systems.

Relevant URL(s): https://www.helpnetsecurity.com/2016/08/12/financial-malware-attacks-increase-malware-creators-join-forces/


New Banking Malware Touts Zeus-Like Capabilities

(August 15, 2016)

A new Zeus-like malware kit being promoted in the underground could bring more trouble to financial institutions. This new malware kit, Scylex, appears to be designed to enable financial crime on a large scale, including features such as a user-mode rootkit, a secure reverse proxy, web injects, and even a Hidden Virtual Network Computing (HVNC) module that allows attackers to interact with the victim's bank account from the infected computer. Banks can better protect themselves by utilizing out-of-band two-factor authentication for account logins.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/new-banking-malware-touts-zeus-like-capabilities/d/d-id/1326612?


Stolen Devices to Blame for Many Breaches in the Financial Services Sector

(August 25, 2016)

A recent analysis by Bitglass of all financial service company breaches since 2006 indicates that leaks nearly doubled between 2014 and 2015. The first half of 2016 does not look any better, with 37 banks having disclosed a breach so far. The analysis shows that one in four breaches in the financial service sector is due to lost or stolen devices. By ensuring full disk encryption is in use on laptops and mobile devices, along with a wipe option, banks can reduce their exposure to this threat.

Relevant URL(s): https://www.helpnetsecurity.com/2016/08/25/breaches-financial-services-sector/


Study Finds Nearly 40 Percent of Enterprises Hit By Ransomware in the Last Year

(August 4, 2016)

Malwarebytes' "State of Ransomware" report shows that nearly 40 percent of businesses have experienced a ransomware attack in the last year, more than a third lost revenue, and 20 percent had to stop business completely. Other findings indicate that healthcare and financial services were the leading industries attacked by ransomware, and more than 60 percent of attacks took more than 9 hours to remediate. A multi-layered approach, including up-to-date software, web and email security filtering, user awareness, regular offline backups, and well-planned incident response, continues to be the best strategy against ransomware.

Relevant URL(s): http://www.itsecurityguru.org/2016/08/04/major-international-study-finds-nearly-40-percent-of-enterprises-hit-by-ransomware-in-the-last-year/


Card Fraud Rises Globally, With Almost 1/3 Consumers Falling Victim

(July 13, 2016)

Payment card fraud is on the rise globally, with the U.S. in the top three affected countries in 2016, according to a report from ACI Worldwide. Their survey indicates that about thirty percent of customers worldwide have experienced card fraud in the last five years. The report attributes this to more sophisticated fraudsters, risky behavior by consumers, and increasing amounts of private data on social media platforms. Banks can be proactive in preventing card fraud by implementing behavioral analytics as an additional authentication factor.

Relevant URL(s): http://www.itsecurityguru.org/2016/07/13/card-fraud-rises-globally-with-almost-13-consumers-falling-victim-report-by-aci-worldwide-and-aite-finds/


Trojanized Remote-Access Tool Ammyy Spreads Banking Malware

(July 18, 2016)

While investigating a malicious banking Trojan, researchers at Kaspersky Lab discovered that the Trojan was being distributed from the official site of Ammyy Admin, a legitimate remote administration software tool. They found that code on the download site checked whether the computer initiating the download was part of a corporate domain. If so, it launched the Lurk Trojan, indicating that corporate workstations and servers were the attackers' primary target. Running up-to-date anti-malware software or advanced endpoint threat protection can help organizations defend against these types of attacks.

Relevant URL(s): https://securelist.com/blog/research/75384/lurk-a-danger-where-you-least-expect-it/


Necurs Botnet is Back, Updated With Smarter Locky Variant

(June 23, 2016)

After going silent for nearly a month, the Necurs botnet is back and now includes an improved version of Locky ransomware and the Dridex banking Trojan. The botnet delivers the ransomware and banking Trojan via malicious email attachments. Locky and Dridex account for millions of dollars in losses from United Kingdom and U.S. victims. Banks can better protect themselves by leveraging advanced email threat solutions to detect and block malicious attachments and links.

Relevant URL(s): https://threatpost.com/necurs-botnet-is-back-updated-with-smarter-locky-variant/118883/


'No More Ransom' Portal Offers Respite From Ransomware

(July 25, 2016)

The National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Center, Intel Security, and Kaspersky Lab have come together to help users avoid becoming ransomware victims and to help decrypt their files with NoMoreRansom.org. As security experts have said, paying ransoms is often a bad idea, enabling the criminals to build improved strains of malware and prompting them to continue their attacks. The site offers decryption tools for several ransomware variants and gives victims a way to report infections that can aid in tracking down the crooks behind the malware.

Relevant URL(s): http://www.bankinfosecurity.com/no-more-ransom-portal-offers-respite-from-ransomware-a-9285


Hackers Steal Millions from ATMs Without Using a Card

(July 14, 2016)

Dozens of ATMs operated by Taiwan's First Bank were attacked recently. The masked perpetrators appeared to gain control of the machines with a physical device, then made off with the equivalent of $2 million. Investigators have determined that the machines were infected with three different malware files that forced them to dispense the cash. Banks should consider all points where ATMs could be vulnerable to physical attack, such as USB and network ports, and implement appropriate safeguards.

Relevant URL(s): http://money.cnn.com/2016/07/14/news/bank-atm-heist-taiwan/index.html


Federal Reserve Watchdog Probes Banks' Cybersecurity

(June 21, 2016)

The Office of the Inspector General (OIG) is in the process of auditing the Federal Reserve's effectiveness when it comes to ensuring banks have adequate security detection and controls in place. In the past, the Fed developed guidance for banks to "define expectations for information security and data breach management". On June 20, however, it was announced that the OIG will focus its review on the Federal Reserve's oversight of financial institutions' information security controls and cybersecurity threats. The audit is expected to be completed in the fourth quarter of this year.

Relevant URL(s): http://www.bankinfosecurity.com/federal-reserve-watchdog-probes-banks-cybersecurity-a-9215


Botnet-powered Account Takeover Campaign Hit Unnamed Bank

(June 21, 2016)

A large botnet consisting of home routers and other network products was recently used to mount two massive account takeover (ATO) campaigns against a bank and an entertainment company. In these ATO attacks, the botnet automated login attempts using previously breached credentials to identify working username and password pairs. The automated logins were run through an account-checking tool with proxy capabilities, so that login attempts appeared to originate from many different IP addresses. Using unique credentials for every service and ensuring default credentials are changed on network equipment can help protect against this type of attack.

Relevant URL(s): https://www.helpnetsecurity.com/2016/06/21/account-takeover-campaign-hit-bank/


Feds Warn of Skyrocketing Business Compromise Scams

(June 17, 2016)

Email scammers have swiped $3.1 billion from businesses, a 1,300 percent increase in 18 months, the FBI warns. The scammers are typically using business email compromise (BEC) scams, where the attacker identifies an individual inside a company with wire transfer capabilities and sends them an email appearing to come from a C-level executive requesting a funds transfer to an attacker-controlled account. Significant transactions should always require a dual-approval process and verbal verification with the requester, and end users should be educated about this type of fraud.

Relevant URL(s): http://www.theregister.co.uk/2016/06/17/feds_warn_of_skyrocketing_business_compromise_scams/


Vawtrak Banking Trojan Shifts to New Targets

(June 14, 2016)

The Vawtrak banking Trojan (aka Snifula) has acquired new capabilities and is becoming a serious threat. Version 2 of the malware targets more users, is better obfuscated (which complicates analysis), and has a modular architecture. The Trojan also has the ability to steal certificates, browsing history, cached credentials, and cookies, and can push web injects into browser processes. Banks can better protect their systems by ensuring software is kept up to date and that macros and PowerShell are disabled throughout the organization.

Relevant URL(s): https://www.helpnetsecurity.com/2016/06/14/vawtrak-banking-trojan-shifts-new-targets/


TeamViewer Accounts Hacked: Service Goes Offline, Customer Bank Accounts Emptied

(June 1, 2016)

Around June 1st, many TeamViewer users claimed that their computers had been accessed by criminals and used to access bank accounts and PayPal using cached credentials, while others claimed that malware was installed. These claims came around the same time that the remote desktop connection software company experienced a Distributed Denial of Service (DDoS) attack. If TeamViewer must be used, it is recommended that two-factor authentication be enabled and that passwords be unique to the service.

Relevant URL(s): http://www.inquisitr.com/3156809/teamviewer-accounts-hacked-users-claim/


Password Reuse Bot Steals Creds from Weak Sites, Logs in to Banks

(May 24, 2016)

It's estimated that between 15 and 60 percent of users reuse passwords across multiple websites. A recent cybercrime report published by security firm ThreatMetrix disclosed a low-and-slow botnet dedicated to finding credentials and testing them on banking sites. Once valid credentials to bank sites are found, lower-velocity attacks are performed to carry out fraudulent transactions. Users should be reminded to use complex, unique passwords to protect all sensitive accounts and data.

Relevant URL(s): http://www.theregister.co.uk/2016/05/24/password_reuse_bot_steals_creds_from_crap_sites_logs_in_to_banks/
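As an added example (not code from this newsletter or the reports it cites), the following Python checks authentication logs for the distributed account-checking pattern described in this item and in the Botnet-powered Account Takeover item above: it aggregates attempts across all source IPs in a time window, where a per-IP lockout sees nothing unusual, and the window length can be stretched to hours to surface a low-and-slow variant. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article), one attempt
# per line: "<timestamp> <username> <source_ip> <result>".
SAMPLE_LOG = """\
2016-06-20T10:00:01 alice 203.0.113.10 FAIL
2016-06-20T10:00:03 bob 198.51.100.7 FAIL
2016-06-20T10:00:04 carol 192.0.2.55 FAIL
2016-06-20T10:00:06 dave 203.0.113.11 FAIL
2016-06-20T10:00:09 erin 198.51.100.8 OK
2016-06-20T10:00:12 frank 192.0.2.56 FAIL
2016-06-20T10:00:15 grace 203.0.113.10 FAIL
2016-06-20T10:00:18 heidi 198.51.100.9 FAIL
2016-06-20T10:00:21 ivan 192.0.2.57 FAIL
2016-06-20T10:00:24 judy 203.0.113.12 FAIL
"""

def parse_log(text):
    """Return (timestamp, user, ip, succeeded) tuples, one per log line."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return events

def window_stats(events, start, minutes):
    """Aggregate attempts in [start, start + minutes) across all source IPs."""
    end = start + timedelta(minutes=minutes)
    per_ip, users = defaultdict(int), set()
    attempts = failures = 0
    for ts, user, ip, ok in events:
        if start <= ts < end:
            attempts, failures = attempts + 1, failures + (not ok)
            users.add(user)
            per_ip[ip] += 1
    return {"attempts": attempts, "failures": failures,
            "distinct_users": len(users), "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values(), default=0)}

def is_credential_stuffing(stats, min_attempts=10, min_fail_ratio=0.7,
                           min_user_ratio=0.7, min_ips=5):
    """Flag a window where many distinct users fail from many distinct IPs;
    a per-IP lockout misses this because max_per_ip stays below its threshold."""
    if stats["attempts"] < min_attempts:
        return False
    fail_ratio = stats["failures"] / stats["attempts"]
    user_ratio = stats["distinct_users"] / stats["attempts"]
    return (fail_ratio >= min_fail_ratio and user_ratio >= min_user_ratio
            and stats["distinct_ips"] >= min_ips)
```

In the constructed log no single IP makes more than two attempts, so a typical five-strikes lockout never fires, yet the window as a whole is ten distinct usernames failing from nine IPs.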


Malware Turns Whole ATMs Into Skimming Devices

(May 18, 2016)

In 2009, the 'Skimer' malware was used to target ATMs without the need for physical skimming devices. Kaspersky Lab is warning that a new and improved version of the malware has returned, enabling the criminals to turn the whole ATM into a skimmer to steal card details and make withdrawals. The crooks typically skim card data for several months, then activate the cash dispensing function by inserting a particular card to invoke special commands, or they create counterfeit cards to make withdrawals from uninfected ATMs. Banks can utilize whitelisting technologies, booting only from the hard drive, BIOS passwords, regular AV scans, and network segmentation to better protect ATMs.

Relevant URL(s): https://www.finextra.com/newsarticle/28902/malware-turns-whole-atms-into-skimming-devices


SWIFT: Coordinated Financial Malware Attacks Underway

(May 13, 2016)

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is warning its customers of at least one more bank that was breached by the same actors that stole more than $81 million from Bangladesh Bank. In both of these incidents, the attackers first compromised the bank's environment, then obtained SWIFT operator credentials in order to submit fraudulent messages. Once these actions were complete, the evidence was removed. Banks are urged to review every aspect of their security programs, including controls in their e-banking channels and all payment environments, to help mitigate this threat.

Relevant URL(s): http://www.bankinfosecurity.com/swift-warns-banks-coordinated-malware-attacks-underway-a-9101


Hacker Group Draws Bull's-Eye on 'Every Major Banking System'

(May 5, 2016)

Hacktivist group Anonymous, the same group that targeted banks with distributed denial of service (DDoS) attacks in 2010, as well as the Bank of Greece more recently, claims it will be targeting major banking systems around the world. The motivation behind these attacks is believed to stem from banks having stopped processing payments to WikiLeaks. A layered security strategy focusing on policy adherence and DDoS mitigation services can help limit the success of these types of attacks.

Relevant URL(s): http://www.americanbanker.com/news/bank-technology/hacker-group-draws-bulls-eye-on-every-major-banking-system-1080863-1.html



Contents

  1. Banks Must Focus More on Cyber-Risk
  2. Cybercriminals Seized Control of Brazilian Bank for 5 Hours
  3. Health Savings Account Fraud: The Rapidly Growing Threat
  4. Mobile Payment Card Cloning: Understanding the Risks
  5. ATMitch: Remote Administration of ATMs
  6. Banking Agencies Issue Joint Report to Congress
  7. NY Breach Report Highlights Third-Party Risk
  8. Over One Million Fraud Attacks on Financial Firms in 2016
  9. Dridex Trojan Gets AtomBombing Update
  10. Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
  11. Banks Around the World Targeted in Watering Hole Attacks
  12. Fast Food Chain Arby’s Acknowledges Breach
  13. A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe
  14. Zeus-Derived Flokibot Malware Invades PoS
  15. Infected Weather App's Forecast: Malware
  16. ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions
  17. Stolen Passwords Fuel Cardless ATM Fraud
  18. Carbanak's Back And Using Google Services For Command-and-Control
  19. ATM Malware Retooled to Strike More Machines
  20. Bank Leaks 60,000 Account Details in Three Character Email Slip-up
  21. Source Code for Another Android Banking Malware Leaked
  22. Hacks at Russian Central Bank Have Cost 2 Billion Rubles
  23. Ransomware as a Service Fuels Explosive Growth
  24. InPage Zero Day Used in Attacks Against Banks
  25. 'Alice' Malware Loots ATMs
  26. 'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds
  27. Tesco Bank Hacked
  28. OCC Discloses Data Breach
  29. Fake Executive Social Media Accounts Threaten Enterprises
  30. Android Trojan Targets Customers of 94 Banks in US, Europe
  31. TrickBot Banking Trojan is the Next Big Threat
  32. Hackers Changing Tactics, Techniques, and Procedures
  33. Ransomware Raises The Bar Again
  34. 88% of Employees Lack Awareness to Stop Privacy or Security Incidents
  35. Attackers 'Hack' ATM Security with Explosives
  36. Russian Criminals' Bank Attacks Go Global
  37. FFIEC Rewrites the Information Security IT Examination Handbook
  38. FDIC Updates IT Examination Procedures
  39. SWIFT Sees New Hack Attacks Against Banks
  40. Secret Service Warns of ‘Periscope’ Skimmers
  41. Banking Trojan GozNym Botnet Sinkholed After Infecting Over 23,000 Victims in UK, US and Europe
  42. Data Breach At Oracle's MICROS Point-of-Sale Division
  43. Financial Malware Attacks Increase as Malware Creators Join Forces
  44. New Banking Malware Touts Zeus-Like Capabilities
  45. Stolen Devices to Blame for Many Breaches in the Financial Services Sector
  46. Study Finds Nearly 40 Percent of Enterprises Hit By Ransomware in the Last Year
  47. Card Fraud Rises Globally, With Almost 1/3 Consumers Falling Victim
  48. Trojanized Remote-Access Tool Ammyy Spreads Banking Malware
  49. Necurs Botnet is Back, Updated With Smarter Locky Variant
  50. 'No More Ransom' Portal Offers Respite From Ransomware
  51. Hackers Steal Millions from ATMs Without Using a Card
  52. Federal Reserve Watchdog Probes Banks' Cybersecurity
  53. Botnet-powered Account Takeover Campaign Hit Unnamed Bank
  54. Feds Warn of Skyrocketing Business Compromise Scams
  55. Vawtrak Banking Trojan Shifts to New Targets
  56. TeamViewer Accounts Hacked: Service Goes Offline, Customer Bank Accounts Emptied
  57. Password Reuse Bot Steals Creds from Weak Sites, Logs in to Banks
  58. Malware Turns Whole ATMs Into Skimming Devices
  59. SWIFT: Coordinated Financial Malware Attacks Underway
  60. Hacker Group Draws Bull's-Eye on 'Every Major Banking System'