Bancsec Advisor



Web Attacks Spike in Financial Industry

(October 27, 2017)

According to a recent report from BitSight, Web application compromise beat out human error as the most common type of data breach for financial organizations. In 2015, just over half of the breach events identified were caused by human error, while only 8% were due to compromised web applications. This year, however, Web application compromise accounted for 33% of breach events, with human error coming in second at 21%. Banks should ensure proper Web application security is in place, which includes code review, architecture analysis, penetration testing, and continuous monitoring.

Relevant URL(s): https://www.darkreading.com/application-security/web-attacks-spike-in-financial-industry-/d/d-id/1330252


New Cybercrime Campaign a 'Clear and Imminent' Threat to Banks Worldwide

(October 16, 2017)

Fraudsters leveraged physical and cyber elements to wage a sophisticated attack on banks that resulted in the loss of hundreds of millions of dollars. Initially, “mules” set up accounts with banks using phony documentation. Then, a cyberattack that began with spear-phishing emails was carried out to eventually obtain access to the banks' card management systems to set overdraft features on debit cards. Lastly, other “mules” cashed out the accounts from ATMs in various cities. Due to the sophistication of this attack, multiple layers of security including back-end analytics, strong user authentication controls, and low withdrawal limits can help identify and mitigate risks.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/new-cybercrime-campaign-a-clear-and-imminent-threat-to-banks-worldwide/d/d-id/1330139


Outdated Vendor Systems Leaving Finance Industry at Risk

(October 3, 2017)

Many financial organizations tend to have refined vendor risk management programs; however, a recent study indicates a substantial gap between those organizations’ security posture and that of the companies in their supply chain. The mean rating for financial organizations was at least 30 points higher than the mean of companies in their supply chain. Banks should scrutinize the controls and security culture of their third and fourth parties to limit their risk exposure.

Relevant URL(s): https://www.helpnetsecurity.com/2017/10/03/outdated-vendor-systems/


Hackers Steal $60 Million from Taiwanese Bank Using Bespoke Malware

(October 11, 2017)

The Society for Worldwide Interbank Financial Telecommunications (SWIFT) system was abused to steal money again, this time to the tune of $60 million. The Far Eastern International Bank confirmed that malware had been identified on its systems and SWIFT terminal. Attackers were able to move the $60 million to bank accounts in Sri Lanka, Cambodia, and the US. SWIFT tools helped to detect the unusual behavior, and all but $500,000 of the stolen money was recovered. Multi-layered security, including fraud detection tools, continuous network monitoring, and adaptive endpoint protection, continues to be the best strategy to protect against threats such as this.

Relevant URL(s): https://www.tripwire.com/state-of-security/security-data-protection/hackers-steal-60-million-from-taiwanese-bank-using-bespoke-malware/


Dangerous Malware Allows Anyone to Empty ATMs - And It's On Sale

(October 17, 2017)

Ready-made ATM malware can now be purchased on underground hacking forums for around $5,000. This malware toolkit, which targets various ATM models, does not affect customers or their data directly; rather, it tricks the ATM into emptying its cash cassettes. Physically securing ATMs and leveraging application whitelisting are the best ways to mitigate this attack vector.

Relevant URL(s): https://thehackernews.com/2017/10/atm-malware-hacking.html


Equifax's Colossal Error: Not Patching Apache Struts Flaw

(September 14, 2017)

The recent Equifax breach, one of the largest of all time, was due to an unpatched vulnerability in Apache Struts. The flaw was announced when Apache released an updated version that fixed the vulnerability on March 6th. The breach exposed names, addresses, Social Security numbers, and in some cases driver’s license numbers of an estimated 143 million U.S. consumers. Banks can limit their exposure to similar attacks by monitoring security announcements and implementing a patching program that ensures operating systems and third-party software are kept up to date.

Relevant URL(s): https://www.careersinfosecurity.com/equifaxs-colossal-error-patching-apache-struts-flaw-a-10292


Cybercriminals Deploying Assortment of Banking Trojans and Ransomware

(September 18, 2017)

Ransomware has been a dire threat as of late, but well-established banking Trojans are now on the rise again. Check Point revealed that during the month of August, three banking Trojan variants, Zeus, Ramnit, and Trickbot, all appeared in the top ten of their Global Threat Impact Index. These Trojans are designed to harvest login credentials and other sensitive information such as PINs. Application whitelisting, sophisticated endpoint protection, and safe web browsing practices can help consumers protect themselves against these malevolent threats.

Relevant URL(s): https://www.helpnetsecurity.com/2017/09/18/banking-trojans-ransomware-august-2017/


ATM Hackers Double Down on Remote Malware Attacks

(September 27, 2017)

Attackers are increasingly gaining unauthorized access to ATMs by obtaining a foothold on the bank networks to which the ATMs are connected. This access allows them to push malware to the ATMs so that money mules can cash out later using a preset numerical sequence. These attacks can also allow the perpetrator to steal payment card information from the ATMs. Adaptive endpoint protection, monitoring of anomalous network activity, and phishing awareness training can help limit exposure, as these attacks often begin with spear-phishing emails.

Relevant URL(s): https://www.bankinfosecurity.com/atm-hackers-double-down-on-remote-malware-attacks-a-10338


FFIEC Launches New Industry Outreach Website

(September 6, 2017)

The FFIEC recently launched a new website designed to share financial institution supervision information with regulators, financial institutions, the public, and other stakeholders. The website also provides access to archived, as well as new FFIEC-sponsored webinars. This industry outreach site will help to enhance communication between the FFIEC and interested parties.

Relevant URL(s): https://industryoutreach.ffiec.gov/


Office 365 Account Compromise Attempts on the Rise

(August 31, 2017)

Researchers are warning that Office 365 is quickly becoming attackers’ preferred way into business networks. Their attack method usually starts with a carefully crafted phishing email that tricks the victims into logging into a spoofed Office 365 page. Once the user logs in, their credentials are harvested, giving the criminal complete access to the account. Banks and other organizations leveraging Office 365 are urged to implement multi-factor authentication to thwart this attack.

Relevant URL(s): https://www.helpnetsecurity.com/2017/08/31/office-365-account-compromise/


WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

(August 2, 2017)

Researchers have discovered a new version of the credential-stealing TrickBot banking Trojan that has worm-like capabilities similar to those of WannaCry and NotPetya. This Trojan, which is initially spread via email attachments, can now use the Windows Server Message Block (SMB) protocol to spread locally across networks and fool users into entering their banking credentials on fake login pages. To protect against this threat, security patches should be applied promptly and users should always follow safe web browsing practices, which include careful handling of email attachments and links.

Relevant URL(s): https://thehackernews.com/2017/08/trickbot-banking-trojan.html


White House Advisers Warn of CNI Cyber-9/11

(August 23, 2017)

The National Infrastructure Advisory Council (NIAC) recently released a report that warns of an imminent 9/11-style attack on critical national infrastructure (CNI). They state that although the private sector and the government have appropriate capabilities and resources to defend against such an attack, they are not properly organized or focused. Their recommendations include establishing separate, secure networks for CNI, best-in-class assessment practices and scanning tools, and proactive sharing of threat intelligence, among others.

Relevant URL(s): https://www.infosecurity-magazine.com/news/white-house-advisers-warn-of-cni/


Phish Bait: DMARC Adoption Failures Leave Companies Exposed

(August 23, 2017)

DNS records were recently analyzed by researchers at Agari to identify Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption and policies across top companies. DMARC is a technology designed to verify whether an email is from the domain it claims to be from. They found that due to a lack of full implementation of DMARC, more than 90% of Fortune 500 companies are leaving customers, business partners, and brand names at risk. Banks should work to fully implement DMARC to mitigate phishing and other domain impersonation-style attacks.

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/phish-bait-dmarc-adoption-failures-leave-companies-exposed/d/d-id/1329702
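The "lack of full implementation" above usually means a DMARC record that exists but is not enforced (p=none), only applies to a sample of mail (pct below 100), or leaves subdomains unprotected. The following check is an added example, not code from the original article or from Agari; the sample TXT records are constructed, and the classification levels are the author's own labels.

```python
"""Classify DMARC TXT records by enforcement level (added example, constructed data)."""

# Constructed sample TXT records, as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
    "missing.example": None,  # no TXT record published at all
}


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict.

    Returns None when the record is absent or is not a DMARC1 record.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def enforcement_level(record):
    """Return 'missing', 'none', 'partial', or 'enforced' for one record.

    'enforced' requires p=quarantine or p=reject applied to 100% of mail
    with no weaker subdomain policy; anything less lets spoofed mail through.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "none"
    # pct defaults to 100; a lower value applies the policy to only a sample of mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    # sp (subdomain policy) defaults to p; sp=none leaves subdomains spoofable.
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy == "none":
        return "partial"
    return "enforced"


def audit(records):
    """Count domains per enforcement level and return the share not fully enforced."""
    counts = {"missing": 0, "none": 0, "partial": 0, "enforced": 0}
    for record in records.values():
        counts[enforcement_level(record)] += 1
    total = sum(counts.values())
    unenforced_share = (total - counts["enforced"]) / total if total else 0.0
    return counts, unenforced_share


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:18} {enforcement_level(record)}")
    print(audit(SAMPLE_RECORDS))
```

Running the same check against real `_dmarc` TXT lookups for a bank's own domains, and for the domains of its vendors, shows which senders could be impersonated in phishing mail.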


Dumping Data from Deep-Insert Skimmers

(August 22, 2017)

KrebsOnSecurity was contacted by a police detective to help identify some strange devices found on two men caught maxing out stolen credit cards. These devices appear to allow thieves to retrieve card data from deep-insert skimmers without having to remove them. Deep-insert skimmers are placed within the card reader transport, completely hidden from view at the front of the ATM. Consumers should avoid standalone ATMs in low-lit areas, and stick to those that are physically installed at the bank when possible. It is also recommended to cover the number pad when entering your PIN.

Relevant URL(s): https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/


Ukraine Central Bank Detects Massive Attack Preparation

(August 21, 2017)

The National Bank of Ukraine has warned of a new attack targeting financial services firms that may be a precursor to another attack of NotPetya proportions. Upon initial distribution, it was not detected by standard anti-virus solutions. Although Ukraine may be the target of this new attack, as with NotPetya, it could spread to organizations in other countries. Application whitelisting and adaptive anti-malware can be integrated into cybersecurity programs to better protect endpoints from threats such as this.

Relevant URL(s): https://www.bankinfosecurity.com/ukraine-central-bank-detects-massive-attack-preparation-a-10209


US Banks Targeted with Trickbot Trojan

(July 20, 2017)

Trickbot, which specifically threatens financial organizations, is now targeting customers in the US. Until recently, this banking Trojan was only used to hit organizations abroad. Account takeover and fraud are the main goals of Trickbot. Other menacing banking Trojans are also being delivered through the Emotet loader. Both of these threats are being spread through spam campaigns and social engineering techniques. Multiple layers of security, such as social engineering and phishing training, adaptive endpoint protection, and continuous monitoring of network activity can help protect against threats such as these.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/us-banks-targeted-with-trickbot-trojan/d/d-id/1329417


One of the Biggest Ethereum and Bitcoin Exchanges Got Hacked

(July 5, 2017)

One of the largest Ethereum and Bitcoin cryptocurrency exchanges, Bithumb, was the recent victim of a data breach. Names, mobile phone numbers, and email addresses of more than 31,800 customers were stolen from the personal computer of a Bithumb employee. These customers are now being targeted in an effort to drain their digital currency wallets. Banks can avoid similar breaches by implementing an effective data loss prevention solution and prohibiting employees from storing sensitive information on personal devices.


Relevant URL(s): http://fortune.com/2017/07/05/bitcoin-ethereum-bithumb-hack/


Swiss Users Targeted with Windows, macOS Banking Trojan

(July 11, 2017)

Swiss users of both macOS and Windows have been the recent target of banking malware. The malware, which is delivered via phishing emails, contains two attached files to ensure the target is infected whether they use macOS or Windows. Both pieces of malware work in a similar fashion, so that the users’ traffic is intercepted and redirected to a spoofed version of their banking login page. Sophisticated endpoint protection or application whitelisting can be used to thwart these types of malware.

Relevant URL(s): https://www.helpnetsecurity.com/2017/07/11/swiss-users-macos-banking-trojan/


Critical Flaw Found in Windows NTLM Security Protocol

(July 11, 2017)

Researchers recently discovered two zero-day vulnerabilities in the Windows NT LAN Manager (NTLM) security protocol that allow attackers to create new domain administrator accounts. NTLM, an older authentication protocol still supported by Microsoft, was replaced by Kerberos but continues to be widely used. As part of their patching cycle in July, Microsoft released a security patch for NTLM to address the issue. Servers with NTLM enabled should be patched as soon as possible, and NTLM traffic should be restricted on bank networks.

Relevant URL(s): http://thehackernews.com/2017/07/windows-ntlm-security-flaw.html


Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again

(July 17, 2017)

A critical vulnerability was recently identified in Cisco Systems’ WebEx browser extension for Chrome and Firefox, which allows attackers to remotely execute malicious code on the victim’s computer. All that is required for successful exploitation is tricking the victim into visiting a web page that contains malicious code, which executes with the privileges of the affected browser. Cisco WebEx browser extensions for Chrome and Firefox should be updated to the latest version as soon as possible, and users should always use restricted Windows accounts.

Relevant URL(s): http://thehackernews.com/2017/07/cisco-webex-vulnerability.html


Cyberattack Hits Ukraine Then Spreads Internationally

(June 27, 2017)

What started as an apparent attack on Ukrainian government and business systems in late June ended up crippling tens of thousands of machines worldwide. This outbreak was the most recent in a series of attacks that utilized hacking tools, such as EternalBlue, stolen from the National Security Agency. This malware was dubbed NotPetya because it masquerades as the older ransomware, Petya. Similar to WannaCry, banks can limit their exposure to this type of attack by ensuring machines are patched promptly and all unnecessary services are disabled.

Relevant URL(s): https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html


Kaspersky: Online Banking Hacks Cost Banks Nearly $1.8M Each

(June 19, 2017)

According to a new report from Kaspersky Lab, cybersecurity incidents involving online banking services cost banks an average of almost $1.8 million each. Many of these incidents also come with additional costs, such as reputation damage, data loss, or leaks of confidential information. In addition, when a bank falls victim to distributed denial of service (DDoS) attacks, customers can lose trust in that bank. Since banks are such lucrative targets, they need to go the extra mile to protect themselves against cyberattacks.

Relevant URL(s): http://www.ciodive.com/news/kaspersky-online-banking-hacks-cost-banks-nearly-18m-each/445248/


Most Organizations Believe Their Mainframe is More Secure Than Other Systems

(June 7, 2017)

A recent survey shows that 78 percent of organizations believe their mainframe is more secure than other systems, while 84 percent say they have “blind spots” regarding what mainframe data is accessed and how it’s used. Organizations face the risk that mainframe data may be misused by employees or others that gain unauthorized access to the system. Banks should collect, manage, and analyze mainframe audit logs to limit risk.

Relevant URL(s): https://www.helpnetsecurity.com/2017/06/07/mainframe-secure/


HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

(June 13, 2017)

Cyber actors of the North Korean government have been using a malware variant known as DeltaCharlie to target the media, financial, aerospace and other critical infrastructure sectors of the United States. These cyber actors, referred to as HIDDEN COBRA, have leveraged their capabilities to target and compromise victims for many years. Tools used by HIDDEN COBRA include DDoS botnets, remote access tools (RATs), keyloggers, and wiper malware. Mitigation strategies to defend against their common attacks include application whitelisting, up-to-date operating systems and third-party software, restrictive privileges, and network segmentation.

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA17-164A


Poor Endpoint Security Can Cost You Millions in Detection, Response, and Wasted Time

(June 13, 2017)

A new study reveals that many companies are not efficiently protecting their sensitive data, and organizations are wasting an average of $6 million on the time to detect and contain insecure endpoints. The study also reveals that organizations are finding it difficult to identify rogue, off-network, or out-of-compliance devices, increasing their attack surface. To better protect endpoints, banks can leverage adaptive anti-malware and application whitelisting.

Relevant URL(s): https://www.helpnetsecurity.com/2017/06/13/poor-endpoint-security/


Massive Cyberattack Targeting 99 Countries Causes Sweeping Havoc

(May 13, 2017)

One of the most widespread and damaging cyberattacks in history was seen earlier in May, affecting major companies, hospitals, and government officials in at least 99 countries. The ransomware, dubbed WannaCry, which locked down all files on infected computers until payment was made, also included worm-like features that allowed it to spread to other computers on the network. The exploit took advantage of a vulnerability on Windows systems that the vendor had previously released a patch for. Banks can limit their exposure to this and similar attacks by ensuring machines are patched promptly and all unnecessary services are disabled.

Relevant URL(s): http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html


Bank Account Hackers Used SS7 to Intercept Security Codes

(May 5, 2017)

Online banking customers were recently targeted by a two-stage attack designed to siphon money from their accounts. The assault included a phishing email, which tricked victims into visiting a phony bank website where they were asked to enter login information and their registered mobile phone number. Next, the fraudsters abused the SS7 protocol to forward all calls and SMS messages to an attacker-controlled number so that authentication codes could be intercepted, allowing them to complete fund transfers. Separate, hardware-based forms of multi-factor authentication can help banks protect against attacks such as this.

Relevant URL(s): http://www.bankinfosecurity.com/bank-account-hackers-used-ss7-to-intercept-security-codes-a-9893


Google Docs Phishing Attack Abuses Legitimate Third-Party Sharing

(May 3, 2017)

Users of Google services were the recent target of an extremely convincing phishing campaign that abused Google Docs’ third-party sharing mechanism. Targets received messages, often from senders they knew, that appeared to be a shared document. Links within these messages led to a page requesting access to the user's Gmail account, which if granted would give the attackers full access to the victim's mailbox and allow the same message to be sent to all of that user’s contacts. Google has implemented a fix for this particular issue, but emails that look suspicious in any way should always be treated with extreme caution.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/google-docs-phishing-attack-abuses-legitimate-third-party-sharing-/d/d-id/1328797


FBI: Business- and Email Account Compromise Attack Losses Hit $5 Billion

(May 5, 2017)

The FBI’s Internet Crime Complaint Center (IC3) recently reported a 2,370% increase in losses related to business email compromise (BEC) and email account compromise (EAC) between January 2015 and December 2016. These attacks, which are typically carried out after careful study of the victim and social engineering, have reportedly caused $5.3 billion in loss for global and domestic companies over a three-year period. Significant transactions should always require a dual-approval process and verbal verification with the requester, even when appearing to come from a trusted source.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/fbi-business--and-email-account-compromise-attack-losses-hit-$5-billion/d/d-id/1328812


Blackmoon Banking Trojan Goes Modular

(May 5, 2017)

The Blackmoon banking Trojan, utilizing a new framework to evade detection, has recently been seen targeting users in South Korea. The new framework uses three separate downloader pieces that execute separate components in a tightly coupled sequence, and work together to install the malware. Blackmoon is typically distributed through malicious sites and online advertisements. This unique design makes it easier for the authors to target users in other countries as well. Due to the evasive behavior of this malware, sophisticated endpoint protection or application whitelisting can be used to thwart its execution.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/blackmoon-banking-trojan-goes-modular-/d/d-id/1328814


Banks Must Focus More on Cyber-Risk

(April 5, 2017)

Online financial transactions have become essential to everyday life, and banks are under increasing threats from cyberattacks. A short time ago, the Federal Reserve, FDIC, and OCC released Enhanced Cyber Risk Security Standards. This guidance for midsize and large banks is designed to increase their focus on cyberattack resilience and cyber-risk mitigation.

Relevant URL(s): http://www.darkreading.com/endpoint/banks-must-focus-more-on-cyber-risk/a/d-id/1328566


Cybercriminals Seized Control of Brazilian Bank for 5 Hours

(April 4, 2017)

In October of 2016, cybercriminals compromised 36 domains belonging to a Brazilian bank for a five-hour period. This allowed the attackers to intercept all of the bank’s online and mobile banking, point-of-sale, and investment transactions. Experts estimate that possibly millions of the bank’s customers across the globe, including the US, were also victimized with malware designed to harvest their data. This attack was possible after administrative access to the bank’s DNS account was obtained. Implementing multi-factor authentication on critical systems such as DNS management can help thwart attacks such as this.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549


Health Savings Account Fraud: The Rapidly Growing Threat

(April 14, 2017)

Health savings account (HSA) fraud, a serious threat with ties to healthcare breaches, has been increasing in frequency since 2016. Victims’ “fullz”, or full listing of personally identifiable information (PII) obtained from compromised healthcare institutions, are being used by malicious actors to gain illicit access to funds, transfer money from the accounts, and even transfer funds to prepaid cards opened in the victim’s name. Preventing this type of fraud can be difficult, but monitoring account balances and activity closely and reporting potential indicators of compromise can reduce the extent of the damages.


Relevant URL(s): http://www.darkreading.com/endpoint/health-savings-account-fraud-the-rapidly-growing-threat/a/d-id/1328633


Mobile Payment Card Cloning: Understanding the Risks

(April 12, 2017)

The use of mobile contactless payments has been growing quickly, as has Host Card Emulation (HCE), or emulating payment cards on a mobile device. An IT Security Consultant with SecuRing has recently revealed that it’s possible to copy mobile contactless card data to another device, allowing an attacker to use it for payment transactions. Banks deploying HCE technology in their mobile payment applications should test against card cloning attacks and be sure server-side fraud detection is in place.

Relevant URL(s): https://www.helpnetsecurity.com/2017/04/12/mobile-payment-card-cloning/


ATMitch: Remote Administration of ATMs

(April 4, 2017)

Investigation into several recent fileless attacks led researchers to the discovery of new ATM malware, dubbed ATMitch. This malware, which can empty an ATM of its cash before removing itself, is installed on ATMs via Remote Desktop Protocol (RDP) access from within the bank. ATMitch works on all ATMs that support the XFS library, which allegedly is the vast majority. Application whitelisting should be utilized on ATMs to help prevent this and other types of malware.

Relevant URL(s): https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/


Banking Agencies Issue Joint Report to Congress

(March 21, 2017)

Members of the FFIEC issued a joint report to Congress regarding their review of rules affecting financial institutions. The Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) requires the federal banking agencies and FFIEC to conduct reviews of their rules at least every 10 years in order to identify outdated and unnecessary regulations. The banking agencies published requests for written comment and received over 250 comment letters. The report describes several joint actions taken or planned by the regulators.

Relevant URL(s): https://www.ffiec.gov/press/pr032117.htm


NY Breach Report Highlights Third-Party Risk

(March 29, 2017)

In 2016, New York had one of the highest data exposure rates in the state's history, with the annual number of reported security breaches increasing by 60%. Eighty-one percent of the 1,300 reported breaches involved the loss of Social Security numbers or financial information. As banks consider their security controls, they also need to think about ensuring their third-party service providers' controls meet their requirements and expectations.

Relevant URL(s): http://www.csoonline.com/article/3185908/security/expert-ny-breach-report-highlights-third-party-risk.html


Over One Million Fraud Attacks on Financial Firms in 2016

(March 1, 2017)

After more than one million financial firms were targeted in 2016 by scammers trying to capitalize on anti-fraud gaps, experts warn that this year may be worse. ThreatMetrix, which recently released its Q4 2016 Cybercrime Report, blocked more than 80 million attacks using stolen or fake credentials during 2016 in the financial sector. They also claim the number of attacks jumped 150% from Q3 to Q4 in 2016. Although preventing this type of fraud can be difficult, analytics can be used by banks to help identify and mitigate the risk.

Relevant URL(s): https://www.infosecurity-magazine.com/news/over-one-million-fraud-attacks/


Dridex Trojan Gets AtomBombing Update

(March 1, 2017)

One of the most destructive banking Trojans, Dridex, has recently been updated with new features. The malware is now equipped with a new sophisticated injection technique, known as AtomBombing, which allows it to propagate and infect endpoints under the radar. This update shows how attackers keep up to date on new technologies. In order to protect endpoints, banks can incorporate products such as adaptive anti-malware and application whitelisting into their security programs.

Relevant URL(s): https://www.infosecurity-magazine.com/news/dridex-trojan-gets-atombombing


Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan

(March 22, 2017)

Researchers have discovered that Chinese criminals are using fake base transceiver stations (BTS) to carry out SMiShing attacks, or phishing messages sent via SMS. The malware being distributed is targeting Android users' banking credentials and can bypass two-factor authentication. Researchers have warned that although this threat has only been seen in China so far, it could quickly spread worldwide. As always, users should keep their mobile devices updated to the latest version and avoid installing apps from third-party app stores.

Relevant URL(s): http://thehackernews.com/2017/03/rogue-bts-android-malware.html


Banks Around the World Targeted in Watering Hole Attacks

(February 14, 2017)

Polish banks were recently the victim of malware that was inadvertently distributed to them by their own financial regulator, the Polish Financial Supervision Authority (KNF). As affected banks shared indicators of compromise, other banks around the globe found that they had been hit as well. The majority of affected institutions are banks in the US, Poland, Mexico, UK, and Chile. Banks should update their defense systems with the indicators of compromise provided by BAE and Symantec to help identify and block this attack.

Relevant URL(s): https://www.helpnetsecurity.com/2017/02/14/banks-watering-hole-attacks/


Fast Food Chain Arby’s Acknowledges Breach

(February 17, 2017)

A spokesman for Arby's confirmed rumors that they had recently remediated a breach that affected hundreds of their restaurant locations nationwide. The breach, which is estimated to have occurred between October 25, 2016, and January 19, 2017, involved malicious software installed on payment card systems at the restaurants. Consumers should always remember to watch their card statements closely and report suspicious or unauthorized transactions.

Relevant URL(s): https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/


A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe

(February 8, 2017)

Fileless malware is going mainstream. Researchers at Kaspersky Lab have discovered that at least 140 bank and other enterprise networks have been infected by malware that resides solely in the memory of the compromised computers. They claim the infections are difficult to detect, partially due to the use of legitimate administrative and security tools, such as PowerShell, Metasploit, and Mimikatz. Banks can help protect systems by ensuring PowerShell is disabled throughout the organization and network segregation is properly implemented.

Relevant URL(s): https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/


Zeus-Derived Flokibot Malware Invades PoS

(January 31, 2017)

Ever since the source code for Zeus leaked in 2011 via underground forums, malicious actors have continued to refine the banking Trojan to help them steal banking credentials and infect point-of-sale (POS) devices. The latest example, Flokibot, includes a redesigned stealth dropper that is used to install other malicious code and is designed to evade anti-virus scans. The malware captures payment card numbers, as well as the encrypted PINs. Monitoring POS systems for data exfiltration and unusual network connections can help block this attack vector.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/zeus-derived-malware-continues-to-pwn-pos-devices-p-2384


Infected Weather App's Forecast: Malware

(February 22, 2017)

A legitimate Android app, Good Weather, was recently discovered to contain a Trojan capable of delivering banking malware. The malware is capable of accessing the victim's banking credentials and can bypass some two-factor authentication. Android users should carefully review the permissions that apps request and mobile antivirus software should be used.

Relevant URL(s): https://www.scmagazine.com/infected-weather-apps-forecast-malware/article/639512/


ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions

(February 7, 2017)

The digital threat protection suite from Easy Solutions has been endorsed by the American Bankers Association through its subsidiary, the Corporation for American Banking. The endorsement comes after ABA's extensive due diligence, oversight from ABA's Endorsed Solutions Banker Advisory Council, and research support by the cybersecurity company Bancsec. The suite, which includes anti-phishing monitoring and brand protection services, is now the solution of choice for ABA members.

Relevant URL(s): http://www.aba.com/Press/Pages/020717EasySolutionsEndorsement.aspx


Stolen Passwords Fuel Cardless ATM Fraud

(January 17, 2017)

"Cardless ATM" transactions, a new offering from several financial institutions that allows customers to take out cash with their mobile phones, are opening up new opportunities for thieves. With this new technology, customers enter the amount they'd like to withdraw into the mobile banking app, then use a numeric code at the ATM or present a QR code to complete the transaction. As reported by krebsonsecurity.com, criminals are already leveraging stolen customer online banking credentials to exploit this new service. If banks are looking to offer this feature, behavioral analytics, low withdrawal limits, and new customer and mobile device validation can help identify and mitigate the risk.

Relevant URL(s): https://krebsonsecurity.com/2017/01/stolen-passwords-fuel-cardless-atm-fraud/


Carbanak's Back And Using Google Services For Command-and-Control

(January 17, 2017)

The Carbanak group responsible for stealing $1 billion from banks in 2015 has resurfaced with a new approach, using Google services for command-and-control of its malware. The use of a trusted third-party service allows the attackers to hide in plain sight. The malware is typically distributed via phishing emails, which can often be identified by employees who regularly receive adaptive information security awareness training and testing.

Relevant URL(s): http://www.darkreading.com/cloud/carbanaks-back-and-using-google-services-for-command-and-control/d/d-id/1327909


ATM Malware Retooled to Strike More Machines

(January 16, 2017)

FireEye Labs recently identified a previously unseen version of Ploutus, one of the most advanced ATM malware families, first discovered in 2013. This new version, dubbed Ploutus-D, interacts with KAL's Kalignite ATM platform, which supports hardware from 40 different ATM vendors. If a criminal were to gain access to the ATM internals, thousands of dollars could be dispensed in minutes. Banks with ATMs running KAL's Kalignite can take advantage of its built-in security features, such as application whitelisting, disabled USB ports, and BitLocker full-disk encryption.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/latin-american-atm-malware-set-to-strike-more-machines-p-2361


Bank Leaks 60,000 Account Details in Three Character Email Slip-up

(January 9, 2017)

One of Australia's largest banks recently sent an email containing data on 60,000 bank accounts to an unknown external recipient by accident. The problem stems from the fact that the bank owns the nab.com.au domain, but not the nab.com domain, and the data was erroneously sent to an email account at nab.com. It's likely that no harm was done; however, neither the bank nor its customers can be certain. A data loss prevention and email encryption solution can help banks ensure a similar mistake doesn't catch them off guard.

Relevant URL(s): https://nakedsecurity.sophos.com/2017/01/09/bank-leaks-60000-account-details-in-three-character-email-slip-up/
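The decision an outbound DLP check would make on that message, as an added Python example (written for this note; not the bank's or any vendor's code): it flags account-number-bearing mail to a recipient whose domain is a near-miss of one the organisation owns, the exact shape of the nab.com.au versus nab.com slip, and otherwise forces encryption for external recipients. The owned-domain set, the account-number pattern and the sample export are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed (assumption): the domains this example bank actually controls. The near-miss
# case in the article, owning nab.com.au but not nab.com, is the pattern the check catches.
OWNED_DOMAINS = {"examplebank.com.au"}

# Constructed detector for an Australian-style BSB plus account number. A production DLP
# engine would use tuned, validated identifiers; one regex is enough to show the decision logic.
ACCOUNT_RE = re.compile(r"\b\d{3}-?\d{3} ?\d{6,9}\b")

Verdict = namedtuple("Verdict", "action reason")


def _levenshtein(a, b):
    """Edit distance, used to catch one-character typos in a recipient domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, owned=OWNED_DOMAINS):
    """Return the owned domain that `domain` is a near-miss of, else None.
    Two shapes are covered: an owned domain with trailing labels dropped
    (examplebank.com.au -> examplebank.com) and a one-edit typo."""
    domain = domain.lower()
    for own in owned:
        labels = own.split(".")
        truncations = {".".join(labels[:k]) for k in range(2, len(labels))}
        if domain in truncations or _levenshtein(domain, own) <= 1:
            return own
    return None


def count_account_numbers(text):
    return len(ACCOUNT_RE.findall(text))


def _domain(address):
    return address.rsplit("@", 1)[1].lower()


def check_outbound(recipients, body, attachments=(), owned=OWNED_DOMAINS):
    """Simulated outbound-mail DLP decision: allow, encrypt, or block."""
    hits = count_account_numbers(body) + sum(count_account_numbers(a) for a in attachments)
    external = [r for r in recipients if _domain(r) not in owned]
    if not external:
        return Verdict("allow", "internal recipients only")
    if hits == 0:
        return Verdict("allow", "no account data detected")
    for r in external:
        near = lookalike_of(_domain(r), owned)
        if near:
            return Verdict("block", f"{hits} account numbers addressed to {r}, "
                                    f"a near-miss of owned domain {near}")
    return Verdict("encrypt", f"{hits} account numbers to external recipient(s); enforce encryption")


# Constructed export resembling the kind of report that leaked: six customer rows.
SAMPLE_EXPORT = "\n".join(f"Customer {i}: 062-000 1234567{i}" for i in range(6))

if __name__ == "__main__":
    print(check_outbound(["ops@examplebank.com"], "See attached.", [SAMPLE_EXPORT]))
    print(check_outbound(["ops@examplebank.com.au"], "See attached.", [SAMPLE_EXPORT]))
    print(check_outbound(["auditor@partner.example"], "See attached.", [SAMPLE_EXPORT]))
```

Sending the export to ops@examplebank.com (the truncated domain) is blocked, the same mail to ops@examplebank.com.au is allowed as internal, and a copy to a partner domain is routed to encryption. The two checks are deliberately separate: the near-miss test is cheap and catches the mistake even before content inspection, while the content count decides whether an external delivery needs protection at all.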



Source Code for Another Android Banking Malware Leaked

(January 22, 2017)

Source code for Android banking malware, as well as instructions for its use, has been leaked online, and researchers with Dr. Web have already identified it in the wild. The new Trojan, BankBot, has the ability to intercept SMS messages, show phishing dialogs, and steal sensitive information, credentials, and payment card details. Users can protect themselves by disabling the installation of unofficial apps in their phone settings and avoiding attachments and links from suspicious sources.

Relevant URL(s): http://thehackernews.com/2017/01/android-banking-malware.html


Hacks at Russian Central Bank Have Cost 2 Billion Rubles

(December 3, 2016)

During 2016, malicious actors tried to nab 5 billion rubles from Russia's central bank. The central banking authority managed to redirect some of the funds but attackers still made off with 2 billion rubles, the equivalent of $31 million. Although it's unclear who is responsible for this attack, it bears some resemblance to a string of heists that gained access to SWIFT, the Society for Worldwide Interbank Financial Telecommunication. Banks should review every aspect of their information security program, including controls around their e-banking channels.

Relevant URL(s): http://money.cnn.com/2016/12/02/technology/russia-central-bank-hack/index.html


Ransomware as a Service Fuels Explosive Growth

(December 5, 2016)

Although ransomware attacks don't get much publicity, a white paper from Osterman Research indicates that nearly 50 percent of US companies fell victim to these attacks during the past year. Another report, by Trend Micro, found a 172 percent increase in new ransomware families in the first half of 2016. Even more alarming, malware authors have a new Ransomware as a Service (RaaS) business model, where they enlist distributors to spread the software, with some packages costing as little as $100. Protection against this threat can be difficult, but knowing what to expect, and having layered security systems and a robust ransomware response plan in place, can greatly help limit exposure.

Relevant URL(s): http://www.csoonline.com/article/3146537/security/ransomware-as-a-service-fuels-explosive-growth.html


InPage Zero Day Used in Attacks Against Banks

(November 23, 2016)

Researchers at Kaspersky Lab have identified a zero-day vulnerability in the InPage publishing software. Several attacks attempting to exploit it against banks have been recorded, as well as a few against government agencies. The exploit, which is delivered via phishing campaigns, can often be prevented with consistent staff education and testing, as well as strong email threat protection systems.

Relevant URL(s): https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/


'Alice' Malware Loots ATMs

(December 21, 2016)

A new bare-bones ATM malware family, dubbed 'Alice', has recently been discovered by Trend Micro. Alice has one simple function: emptying the ATM of its cash. All a criminal would need to infect a system is access to the ATM's internals to install and interact with the malware. In this case, physical ATM security and persistent monitoring can help defend against the threat.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/alice-malware-loots-atms/d/d-id/1327773


'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

(December 2, 2016)

Researchers at Newcastle University have developed an extremely easy way to guess the card number, expiration date, and security code of any Visa credit or debit card in six seconds flat. The attack, named 'Distributed Guess Attack', exploits the lack of a mechanism to detect multiple invalid payment requests made from different online merchant sites. This allows an unlimited number of attempts at guessing payment information by distributing the guesses across multiple sites. The researchers believe this may be the tactic used in the recent theft of $3 million from Tesco Bank customers. To mitigate this threat, banks can implement back-end analytics to help identify fraud.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/frighteningly-easy-hack-guesses-full-credit-card-details-in-6-seconds/d/d-id/1327632
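The "back-end analytics" the item ends on, as an added Python example (written for this note; not the researchers' code or any issuer's fraud engine). The point it demonstrates is why the detection has to live at the issuer: each merchant sees only a couple of declines per card and has nothing to act on, while a sliding window over all authorizations for the same card shows the burst spread across merchants. The authorization log, card tokens, merchant names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authorization log: (timestamp, merchant, card token, outcome). Card numbers are
# replaced by tokens; no real PANs or merchants appear here.
_BASE = datetime(2016, 12, 2, 10, 0, 0)
_MERCHANTS = [f"shop-{c}.example" for c in "abcdef"]
SAMPLE_AUTHS = (
    # Card A: twelve declines spread over six merchants, two per merchant, inside six seconds.
    [(_BASE + timedelta(milliseconds=500 * i), _MERCHANTS[i % 6], "tok_A", "declined")
     for i in range(12)]
    + [(_BASE + timedelta(seconds=6), _MERCHANTS[0], "tok_A", "approved")]
    # Card B: a genuine customer who mistypes twice at one shop, then succeeds.
    + [(_BASE + timedelta(seconds=1), _MERCHANTS[0], "tok_B", "declined"),
       (_BASE + timedelta(seconds=40), _MERCHANTS[0], "tok_B", "declined"),
       (_BASE + timedelta(seconds=70), _MERCHANTS[0], "tok_B", "approved")]
)
SAMPLE_AUTHS.sort()


def per_merchant_max_declines(events, window=timedelta(minutes=1)):
    """What each merchant can see on its own: the peak number of declines for a card
    within `window` at that single merchant. Returns {card: peak}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, merchant, card, outcome in events:
        if outcome != "declined":
            continue
        q = recent[(card, merchant)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[card] = max(peak[card], len(q))
    return dict(peak)


def detect_distributed_guessing(events, window=timedelta(seconds=30),
                                max_declines=6, min_merchants=3):
    """Issuer-side view: slide a window over each card's declines across all merchants and
    alert when both the decline count and the number of distinct merchants reach their
    thresholds. Alerts once per card, at the first event that trips the rule."""
    recent = defaultdict(deque)   # card -> deque of (ts, merchant)
    alerts = {}
    for ts, merchant, card, outcome in events:
        if outcome != "declined" or card in alerts:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > window:
            q.popleft()
        merchants = {m for _, m in q}
        if len(q) >= max_declines and len(merchants) >= min_merchants:
            alerts[card] = {"declines": len(q), "merchants": len(merchants),
                            "first": q[0][0], "last": ts}
    return alerts


if __name__ == "__main__":
    print("per-merchant peaks:", per_merchant_max_declines(SAMPLE_AUTHS))
    print("issuer-side alerts:", detect_distributed_guessing(SAMPLE_AUTHS))
```

On the constructed log both cards peak at two declines per merchant, so a merchant-side lockout cannot tell the guessing card from the customer with a typo; the issuer-side rule alerts on tok_A after its sixth decline across six merchants and stays silent on tok_B. In practice the window, counts and merchant threshold would be tuned against real decline rates, and the alert would feed a step-up or temporary block rather than an outright denial.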


Tesco Bank Hacked

(November 7, 2016)

Over $3 million was recently stolen from 9,000 customers of UK-based Tesco Bank. The bank did not disclose how accounts had been compromised or any other details of the attack. Tesco Bank announced that it is working with authorities and regulators to address the breach. This is one instance where having a well-thought-out incident response plan can help greatly.

Relevant URL(s): http://thehackernews.com/2016/11/tesco-bank-hack.html


OCC Discloses Data Breach

(October 28, 2016)

As required by the Federal Information Security Modernization Act (FISMA), the OCC notified Congress and other federal agencies of a major information security incident several weeks ago. The incident involves a former employee who downloaded over 10,000 records containing controlled, unclassified information onto removable drives that are now missing. The OCC claims that policies and technical safeguards have been implemented to prevent such an event from occurring in the future.

Relevant URL(s): https://www.occ.gov/news-issuances/news-releases/2016/nr-occ-2016-138.html


Fake Executive Social Media Accounts Threaten Enterprises

(November 16, 2016)

Research conducted by BrandProtect revealed that 19 percent of the Fortune 500 CEO Twitter profiles and 9 percent of the LinkedIn accounts reviewed were shadowed by numerous duplicate accounts, which raises concerns about potential security vulnerabilities. These types of fake profiles are often used in spear phishing or whaling attacks, or to push malware and ransomware into enterprises. Banks can better protect themselves, as well as their customers, with the use of brand protection services.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/16/fake-executive-social-media-accounts/


Android Trojan Targets Customers of 94 Banks in US, Europe

(November 2, 2016)

A malicious Android app masquerading as Flash Player is targeting online banking credentials as well as payment card details. The app reportedly focuses on banks in the US, Australia, Germany, and France. Users should avoid installing unofficial apps on their devices, and app reviews and sources should be checked before installation.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/02/trojan-flash-player-android-app/


TrickBot Banking Trojan is the Next Big Threat

(November 9, 2016)

Personal and business bank accounts are being aggressively targeted by a new banking Trojan named TrickBot. Researchers believe TrickBot may have been built by some of the team behind the nefarious banking Trojan Dyre, and as they see it, this Trojan is likely to become a major threat. Third-party software and operating system patches should be kept current, and users should always follow safe web browsing practices, including careful handling of email attachments and links.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/09/trickbot-banking-trojan/



Contents

  1. Web Attacks Spike in Financial Industry
  2. New Cybercrime Campaign a 'Clear and Imminent' Threat to Banks Worldwide
  3. Outdated Vendor Systems Leaving Finance Industry at Risk
  4. Hackers Steal $60 Million from Taiwanese Bank Using Bespoke Malware
  5. Dangerous Malware Allows Anyone to Empty ATMs - And It's On Sale
  6. Equifax's Colossal Error: Not Patching Apache Struts Flaw
  7. Cybercriminals Deploying Assortment of Banking Trojans and Ransomware
  8. ATM Hackers Double Down on Remote Malware Attacks
  9. FFIEC Launches New Industry Outreach Website
  10. Office 365 Account Compromise Attempts on the Rise
  11. WannaCry Inspires Banking Trojan to Add Self-Spreading Ability
  12. White House Advisers Warn of CNI Cyber-9/11
  13. Phish Bait: DMARC Adoption Failures Leave Companies Exposed
  14. Dumping Data from Deep-Insert Skimmers
  15. Ukraine Central Bank Detects Massive Attack Preparation
  16. US Banks Targeted with Trickbot Trojan
  17. One of the Biggest Ethereum and Bitcoin Exchanges Got Hacked
  18. Swiss Users Targeted with Windows, macOS Banking Trojan
  19. Critical Flaw Found in Windows NTLM Security Protocol
  20. Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again
  21. Cyberattack Hits Ukraine Then Spreads Internationally
  22. Kaspersky: Online Banking Hacks Cost Banks Nearly $1.8M Each
  23. Most Organizations Believe Their Mainframe is More Secure Than Other Systems
  24. HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
  25. Poor Endpoint Security Can Cost You Millions in Detection, Response, and Wasted Time
  26. Massive Cyberattack Targeting 99 Countries Causes Sweeping Havoc
  27. Bank Account Hackers Used SS7 to Intercept Security Codes
  28. Google Docs Phishing Attack Abuses Legitimate Third-Party Sharing
  29. FBI: Business- and Email Account Compromise Attack Losses Hit $5 Billion
  30. Blackmoon Banking Trojan Goes Modular
  31. Banks Must Focus More on Cyber-Risk
  32. Cybercriminals Seized Control of Brazilian Bank for 5 Hours
  33. Health Savings Account Fraud: The Rapidly Growing Threat
  34. Mobile Payment Card Cloning: Understanding the Risks
  35. ATMitch: Remote Administration of ATMs
  36. Banking Agencies Issue Joint Report to Congress
  37. NY Breach Report Highlights Third-Party Risk
  38. Over One Million Fraud Attacks on Financial Firms in 2016
  39. Dridex Trojan Gets AtomBombing Update
  40. Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
  41. Banks Around the World Targeted in Watering Hole Attacks
  42. Fast Food Chain Arby’s Acknowledges Breach
  43. A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe
  44. Zeus-Derived Flokibot Malware Invades PoS
  45. Infected Weather App's Forecast: Malware
  46. ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions
  47. Stolen Passwords Fuel Cardless ATM Fraud
  48. Carbanak's Back And Using Google Services For Command-and-Control
  49. ATM Malware Retooled to Strike More Machines
  50. Bank Leaks 60,000 Account Details in Three Character Email Slip-up
  51. Source Code for Another Android Banking Malware Leaked
  52. Hacks at Russian Central Bank Have Cost 2 Billion Rubles
  53. Ransomware as a Service Fuels Explosive Growth
  54. InPage Zero Day Used in Attacks Against Banks
  55. 'Alice' Malware Loots ATMs
  56. 'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds
  57. Tesco Bank Hacked
  58. OCC Discloses Data Breach
  59. Fake Executive Social Media Accounts Threaten Enterprises
  60. Android Trojan Targets Customers of 94 Banks in US, Europe
  61. TrickBot Banking Trojan is the Next Big Threat