Bancsec Advisor



Cyberattack Hits Ukraine Then Spreads Internationally

(June 27, 2017)

What started as an apparent attack on Ukrainian government and business systems in late June ended up crippling tens of thousands of machines worldwide. This outbreak was the most recent in a series of attacks that utilized hacking tools, such as EternalBlue, stolen from the National Security Agency. This malware was dubbed NotPetya because it masquerades as the older ransomware, Petya. Similar to WannaCry, banks can limit their exposure to this type of attack by ensuring machines are patched promptly and all unnecessary services are disabled.

Relevant URL(s): https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html


Kaspersky: Online Banking Hacks Cost Banks Nearly $1.8M Each

(June 19, 2017)

According to a new report from Kaspersky Lab, cybersecurity incidents involving online banking services cost banks an average of almost $1.8 million each. Many of these incidents also come with additional costs, such as reputation damage, data loss, or leaks of confidential information. In addition, when a bank falls victim to distributed denial of service (DDoS) attacks, customers can lose trust in that bank. Since banks are such lucrative targets, they need to go the extra mile to protect themselves against cyberattacks.

Relevant URL(s): http://www.ciodive.com/news/kaspersky-online-banking-hacks-cost-banks-nearly-18m-each/445248/


Most Organizations Believe Their Mainframe is More Secure Than Other Systems

(June 7, 2017)

A recent survey shows that 78 percent of organizations believe their mainframe is more secure than other systems, while 84 percent say they have “blind spots” regarding what mainframe data is accessed and how it’s used. Organizations face the risk that mainframe data may be misused by employees or others who gain unauthorized access to the system. Banks should collect, manage, and analyze mainframe audit logs to limit this risk.

Relevant URL(s): https://www.helpnetsecurity.com/2017/06/07/mainframe-secure/


HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

(June 13, 2017)

Cyber actors of the North Korean government have been using a malware variant known as DeltaCharlie to target the media, financial, aerospace and other critical infrastructure sectors of the United States. These cyber actors, referred to as HIDDEN COBRA, have leveraged their capabilities to target and compromise victims for many years. Tools used by HIDDEN COBRA include DDoS botnets, remote access tools (RATs), keyloggers, and wiper malware. Mitigation strategies to defend against their common attacks include application whitelisting, up-to-date operating systems and third-party software, restrictive privileges, and network segmentation.

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA17-164A


Poor Endpoint Security Can Cost You Millions in Detection, Response, and Wasted Time

(June 13, 2017)

A new study reveals that many companies are not efficiently protecting their sensitive data, and organizations are wasting an average of $6 million on the time to detect and contain insecure endpoints. The study also reveals that organizations are finding it difficult to identify rogue, off-network, or out-of-compliance devices, increasing their attack surface. To better protect endpoints, banks can leverage adaptive anti-malware and application whitelisting.

Relevant URL(s): https://www.helpnetsecurity.com/2017/06/13/poor-endpoint-security/


Massive Cyberattack Targeting 99 Countries Causes Sweeping Havoc

(May 13, 2017)

One of the most widespread and damaging cyberattacks in history was seen earlier in May, affecting major companies, hospitals, and government officials in at least 99 countries. The ransomware, dubbed WannaCry, which locked down all files on infected computers until payment was made, also included worm-like features that allowed it to spread to other computers on the network. The exploit took advantage of a vulnerability on Windows systems that the vendor had previously released a patch for. Banks can limit their exposure to this and similar attacks by ensuring machines are patched promptly and all unnecessary services are disabled.

Relevant URL(s): http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html


Bank Account Hackers Used SS7 to Intercept Security Codes

(May 5, 2017)

Online banking customers were recently targeted by a two-stage attack designed to siphon money from their accounts. The assault included a phishing email, which tricked victims into visiting a phony bank website where they were asked to enter login information and their registered mobile phone number. Next, the fraudsters abused the SS7 protocol to forward all calls and SMS messages to an attacker-controlled number so that authentication codes could be intercepted, allowing them to complete fund transfers. Separate, hardware-based forms of multi-factor authentication can help banks protect against attacks such as this.

Relevant URL(s): http://www.bankinfosecurity.com/bank-account-hackers-used-ss7-to-intercept-security-codes-a-9893


Google Docs Phishing Attack Abuses Legitimate Third-Party Sharing

(May 3, 2017)

Users of Google services were the recent target of an extremely convincing phishing campaign that abused Google Docs’ third-party sharing mechanism. Targets received messages, often from senders they knew, that appeared to be a shared document. Links within these messages led to a page requesting access to the user's Gmail account, which, if granted, gave the attackers full access to the victim's mailbox and allowed the same message to be sent to all of that user’s contacts. Google has implemented a fix for this particular issue, but emails that look suspicious in any way should always be treated with extreme caution.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/google-docs-phishing-attack-abuses-legitimate-third-party-sharing-/d/d-id/1328797


FBI: Business- and Email Account Compromise Attack Losses Hit $5 Billion

(May 5, 2017)

The FBI’s Internet Crime Complaint Center (IC3) recently reported a 2,370% increase in losses related to business email compromise (BEC) and email account compromise (EAC) between January 2015 and December 2016. These attacks, which are typically carried out after careful study of the victim and social engineering, have reportedly caused $5.3 billion in loss for global and domestic companies over a three-year period. Significant transactions should always require a dual-approval process and verbal verification with the requester, even when appearing to come from a trusted source.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/fbi-business--and-email-account-compromise-attack-losses-hit-$5-billion/d/d-id/1328812


Blackmoon Banking Trojan Goes Modular

(May 5, 2017)

The Blackmoon banking Trojan, utilizing a new framework to evade detection, has recently been seen targeting users in South Korea. The new framework uses three separate downloader pieces that execute separate components in a tightly coupled sequence, and work together to install the malware. Blackmoon is typically distributed through malicious sites and online advertisements. This unique design makes it easier for the authors to target users in other countries as well. Due to the evasive behavior of this malware, sophisticated endpoint protection or application whitelisting can be used to thwart its execution.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/blackmoon-banking-trojan-goes-modular-/d/d-id/1328814


Banks Must Focus More on Cyber-Risk

(April 5, 2017)

Online financial transactions have become essential to everyday life, and banks are under increasing threats from cyberattacks. A short time ago, the Federal Reserve, FDIC, and OCC released Enhanced Cyber Risk Security Standards. This guidance for midsize and large banks is designed to increase their focus on cyberattack resilience and cyber-risk mitigation.

Relevant URL(s): http://www.darkreading.com/endpoint/banks-must-focus-more-on-cyber-risk/a/d-id/1328566


Cybercriminals Seized Control of Brazilian Bank for 5 Hours

(April 4, 2017)

In October of 2016, cybercriminals compromised 36 domains belonging to a Brazilian bank for a five-hour period. This allowed the attackers to intercept all of the bank’s online and mobile banking, point-of-sale, and investment transactions. Experts estimate that possibly millions of the bank’s customers across the globe, including the US, were also victimized with malware designed to harvest their data. The attack became possible after administrative access to the bank’s DNS account was obtained. Implementing multi-factor authentication on critical systems such as DNS management can help thwart attacks such as this.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549


Health Savings Account Fraud: The Rapidly Growing Threat

(April 14, 2017)

Health savings account (HSA) fraud, a serious threat with ties to healthcare breaches, has been increasing in frequency since 2016. Victims’ “fullz”, or full listing of personally identifiable information (PII) obtained from compromised healthcare institutions, are being used by malicious actors to gain illicit access to funds, transfer money from the accounts, and even transfer funds to prepaid cards opened in the victim’s name. Preventing this type of fraud can be difficult, but monitoring account balances and activity closely and reporting potential indicators of compromise can reduce the extent of the damages.
Relevant URL(s): http://www.darkreading.com/endpoint/health-savings-account-fraud-the-rapidly-growing-threat/a/d-id/1328633


Mobile Payment Card Cloning: Understanding the Risks

(April 12, 2017)

The use of mobile contactless payments has been growing quickly, as has Host Card Emulation (HCE), the emulation of payment cards on a mobile device. An IT Security Consultant with SecuRing has recently revealed that it’s possible to copy mobile contactless card data to another device, allowing an attacker to use it for payment transactions. Banks deploying HCE technology in their mobile payment applications should test against card cloning attacks and be sure server-side fraud detection is in place.

Relevant URL(s): https://www.helpnetsecurity.com/2017/04/12/mobile-payment-card-cloning/


ATMitch: Remote Administration of ATMs

(April 4, 2017)

Investigation into several recent fileless attacks led researchers to the discovery of new ATM malware, dubbed ATMitch. This malware, which can empty an ATM of its cash before removing itself, is installed on ATMs via Remote Desktop Connection (RDP) access from within the bank. ATMitch works on all ATMs that support the XFS library, which allegedly is the vast majority. Application whitelisting should be utilized on ATMs to help prevent this and other types of malware.

Relevant URL(s): https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/


Banking Agencies Issue Joint Report to Congress

(March 21, 2017)

Members of the FFIEC issued a joint report to Congress regarding their review of rules affecting financial institutions. The Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) requires the federal banking agencies and FFIEC to conduct reviews of their rules at least every 10 years in order to identify outdated and unnecessary regulations. The banking agencies published requests for written comment and received over 250 comment letters. The report describes several joint actions taken or planned by the regulators.

Relevant URL(s): https://www.ffiec.gov/press/pr032117.htm


NY Breach Report Highlights Third-Party Risk

(March 29, 2017)

In 2016, New York had one of the highest data exposure rates in the state's history, with the annual number of reported security breaches increasing by 60%. Eighty-one percent of the 1,300 reported breaches involved the loss of Social Security numbers or financial information. As banks consider their security controls, they also need to ensure that their third-party service providers' controls meet their requirements and expectations.

Relevant URL(s): http://www.csoonline.com/article/3185908/security/expert-ny-breach-report-highlights-third-party-risk.html


Over One Million Fraud Attacks on Financial Firms in 2016

(March 1, 2017)

After financial firms were targeted by more than one million fraud attacks in 2016 from scammers trying to capitalize on anti-fraud gaps, experts warn that this year may be worse. ThreatMetrix, which recently released its Q4 2016 Cybercrime Report, blocked more than 80 million attacks using stolen or fake credentials during 2016 in the financial sector. They also claim the number of attacks jumped 150% from Q3 to Q4 in 2016. Although preventing this type of fraud can be difficult, banks can use analytics to help identify and mitigate the risk.

Relevant URL(s): https://www.infosecurity-magazine.com/news/over-one-million-fraud-attacks/


Dridex Trojan Gets AtomBombing Update

(March 1, 2017)

One of the most destructive banking Trojans, Dridex, has recently been updated with new features. The malware is now equipped with a new sophisticated injection technique, known as AtomBombing, which allows it to propagate and infect endpoints under the radar. This update shows how attackers keep up to date on new technologies. In order to protect endpoints, banks can incorporate products such as adaptive anti-malware and application whitelisting into their security programs.

Relevant URL(s): https://www.infosecurity-magazine.com/news/dridex-trojan-gets-atombombing


Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan

(March 22, 2017)

Researchers have discovered that Chinese criminals are using fake base transceiver stations (BTS) to carry out SMiShing attacks, or phishing messages sent via SMS. The malware being distributed is targeting Android users' banking credentials and can bypass two-factor authentication. Researchers have warned that although this threat has only been seen in China so far, it could quickly spread worldwide. As always, users should keep their mobile devices updated to the latest version and avoid installing apps from third-party app stores.

Relevant URL(s): http://thehackernews.com/2017/03/rogue-bts-android-malware.html


Banks Around the World Targeted in Watering Hole Attacks

(February 14, 2017)

Polish banks were recently the victim of malware that was inadvertently distributed to them by their own financial regulator, the Polish Financial Supervision Authority (KNF). As affected banks shared indicators of compromise, other banks around the globe found that they had been hit as well. The majority of affected institutions are banks in the US, Poland, Mexico, UK, and Chile. Banks should update their defense systems with the indicators of compromise provided by BAE and Symantec to help identify and block this attack.

Relevant URL(s): https://www.helpnetsecurity.com/2017/02/14/banks-watering-hole-attacks/


Fast Food Chain Arby’s Acknowledges Breach

(February 17, 2017)

A spokesman for Arby's confirmed rumors that they had recently remediated a breach that affected hundreds of their restaurant locations nationwide. The breach, which is estimated to have occurred between October 25, 2016, and January 19, 2017, involved malicious software installed on payment card systems at the restaurants. Consumers should always remember to watch their card statements closely and report suspicious or unauthorized transactions.

Relevant URL(s): https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/


A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe

(February 8, 2017)

Fileless malware is going mainstream. Researchers at Kaspersky Lab have discovered that at least 140 bank and other enterprise networks have been infected by malware that resides solely in the memory of the compromised computers. They claim the infections are difficult to detect, partially due to the use of legitimate administrative and security tools, such as PowerShell, Metasploit, and Mimikatz. Banks can help protect systems by ensuring PowerShell is disabled throughout the organization and network segregation is properly implemented.

Relevant URL(s): https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/


Zeus-Derived Flokibot Malware Invades PoS

(January 31, 2017)

Ever since the source code for Zeus leaked in 2011 via underground forums, malicious actors have continued to refine the banking Trojan to help them steal banking credentials and infect point-of-sale (POS) devices. The latest example, Flokibot, includes a redesigned stealth dropper that is used to install other malicious code and is designed to evade anti-virus scans. The malware captures payment card numbers, as well as the encrypted PINs. Monitoring POS systems for data exfiltration and unusual network connections can help block this attack vector.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/zeus-derived-malware-continues-to-pwn-pos-devices-p-2384


Infected Weather App's Forecast: Malware

(February 22, 2017)

A legitimate Android app, Good Weather, was recently discovered to contain a Trojan capable of delivering banking malware. The malware is capable of accessing the victim's banking credentials and can bypass some two-factor authentication. Android users should carefully review the permissions that apps request and mobile antivirus software should be used.

Relevant URL(s): https://www.scmagazine.com/infected-weather-apps-forecast-malware/article/639512/


ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions

(February 7, 2017)

The digital threat protection suite from Easy Solutions has been endorsed by the American Bankers Association through its subsidiary, the Corporation for American Banking. The endorsement comes after ABA's extensive due diligence, oversight from ABA's Endorsed Solutions Banker Advisory Council, and research support by the cybersecurity company Bancsec. The suite, which includes anti-phishing monitoring and brand protection services, is now the solution of choice for ABA members.
Relevant URL(s): http://www.aba.com/Press/Pages/020717EasySolutionsEndorsement.aspx


Stolen Passwords Fuel Cardless ATM Fraud

(January 17, 2017)

"Cardless ATM" transactions, a new offering from several financial institutions that allows customers to take out cash with their mobile phones, are opening up new opportunities for thieves. With this new technology, customers enter the amount they'd like to withdraw into the mobile banking app, then use a numeric code at the ATM or present a QR code to complete the transaction. As reported by krebsonsecurity.com, criminals are already leveraging stolen customer online banking credentials to exploit this new service. If banks are looking to offer this feature, behavioral analytics, low withdrawal limits, and new customer and mobile device validation can help identify and mitigate the risks.

Relevant URL(s): https://krebsonsecurity.com/2017/01/stolen-passwords-fuel-cardless-atm-fraud/


Carbanak's Back And Using Google Services For Command-and-Control

(January 17, 2017)

The Carbanak group responsible for stealing $1 billion from banks in 2015 has resurfaced with a new approach, using Google services to command and control its malware. The use of a trusted third-party service allows the attackers to hide in plain sight. The malware is typically distributed via phishing emails, which can often be identified by employees who regularly receive adaptive information security awareness training and testing.

Relevant URL(s): http://www.darkreading.com/cloud/carbanaks-back-and-using-google-services-for-command-and-control/d/d-id/1327909


ATM Malware Retooled to Strike More Machines

(January 16, 2017)

FireEye Labs recently identified a previously unseen version of Ploutus, one of the most advanced ATM malware families, first discovered in 2013. This new version, dubbed Ploutus-D, interacts with KAL's Kalignite ATM platform, which runs on ATMs from 40 different vendors. If a criminal were to gain access to the ATM internals, thousands of dollars could be dispensed in minutes. Banks with ATMs running KAL's Kalignite can take advantage of its built-in security features, such as application whitelisting, disabled USB ports, and BitLocker full-disk encryption.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/latin-american-atm-malware-set-to-strike-more-machines-p-2361


Bank Leaks 60,000 Account Details in Three Character Email Slip-up

(January 9, 2017)

One of Australia's largest banks recently sent an email containing data on 60,000 bank accounts to an unknown external recipient by accident. The problem stems from the fact that the bank owns the nab.com.au domain, but not the nab.com domain. The data was erroneously sent to an email account at the nab.com domain. It's likely that no harm was done; however, neither the bank nor its customers can be certain. A data loss prevention and email encryption solution can help banks ensure a similar mistake doesn't catch them off guard.

Relevant URL(s): https://nakedsecurity.sophos.com/2017/01/09/bank-leaks-60000-account-details-in-three-character-email-slip-up/


Source Code for Another Android Banking Malware Leaked

(January 22, 2017)

Source code for an Android banking malware family, along with instructions for its use, has been leaked online, and researchers with Dr. Web have already identified it in the wild. The new Trojan, BankBot, has the ability to intercept SMS messages, show phishing dialogs, and steal sensitive information, credentials, and payment card details. Users can protect themselves by disabling the installation of unofficial apps in their phone settings and avoiding attachments and links from suspicious sources.

Relevant URL(s): http://thehackernews.com/2017/01/android-banking-malware.html


Hacks at Russian Central Bank Have Cost 2 Billion Rubles

(December 3, 2016)

During 2016, malicious actors tried to nab 5 billion rubles from Russia's central bank. The central banking authority managed to redirect some of the funds but attackers still made off with 2 billion rubles, the equivalent of $31 million. Although it's unclear who is responsible for this attack, it bears some resemblance to a string of heists that gained access to SWIFT, the Society for Worldwide Interbank Financial Telecommunication. Banks should review every aspect of their information security program, including controls around their e-banking channels.

Relevant URL(s): http://money.cnn.com/2016/12/02/technology/russia-central-bank-hack/index.html


Ransomware as a Service Fuels Explosive Growth

(December 5, 2016)

Although ransomware attacks don't get much publicity, a white paper from Osterman Research indicates that nearly 50 percent of US companies fell victim to these attacks during the past year. Another report by Trend Micro found there was an increase of 172 percent of new ransomware families in the first half of 2016. Even more alarming, malware authors have a new Ransomware as a Service (RaaS) business model, where they enlist distributors to spread the software, with some packages costing as little as $100. Protection against this threat can be difficult, but knowing what to expect, and having layered security systems and a robust ransomware response plan in place can greatly help limit exposure.

Relevant URL(s): http://www.csoonline.com/article/3146537/security/ransomware-as-a-service-fuels-explosive-growth.html


InPage Zero Day Used in Attacks Against Banks

(November 23, 2016)

Researchers at Kaspersky Lab have identified a zero-day vulnerability in the InPage publishing software. Several attacks attempting to exploit it against banks have been recorded, as well as a few against government agencies. The exploit, which is delivered via phishing campaigns, can often be prevented with consistent staff education and testing, as well as strong email threat protection systems.

Relevant URL(s): https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/


'Alice' Malware Loots ATMs

(December 21, 2016)

A new bare-bones ATM malware family, dubbed 'Alice', has recently been discovered by Trend Micro. Alice has one simple function: emptying the ATM of its cash. All a criminal would need to infect a system is access to the ATM's internals to install and interact with the malware. In this case, physical ATM security and persistent monitoring can help defend against the threat.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/alice-malware-loots-atms/d/d-id/1327773


'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

(December 2, 2016)

Researchers at Newcastle University have developed an extremely easy way to guess the card number, expiration date, and security code of any Visa credit or debit card in six seconds flat. The attack, named 'Distributed Guess Attack', exploits the lack of a mechanism to detect multiple invalid payment requests made from different online merchant sites. This allows an unlimited number of cracks at predicting payment information by distributing the guesses across multiple sites. The researchers believe this may be the tactic used in stealing $3 million from Tesco Bank customers recently. To mitigate this threat, banks can implement back-end analytics to help identify fraud.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/frighteningly-easy-hack-guesses-full-credit-card-details-in-6-seconds/d/d-id/1327632


Tesco Bank Hacked

(November 7, 2016)

Over $3 million was recently stolen from 9,000 customers of UK-based Tesco Bank. The bank did not disclose how the accounts had been compromised or any other details of the attack. Tesco Bank announced that it is working with authorities and regulators to address the breach. This is one instance where having a well-thought-out incident response plan can help greatly.

Relevant URL(s): http://thehackernews.com/2016/11/tesco-bank-hack.html


OCC Discloses Data Breach

(October 28, 2016)

As required by the Federal Information Security Modernization Act (FISMA), the OCC notified Congress and other federal agencies of a major information security incident several weeks ago. The incident involves a former employee who downloaded over 10,000 records containing controlled, unclassified information onto removable drives that are now missing. The OCC claims that policies and technical safeguards have been implemented to prevent such an event from occurring in the future.

Relevant URL(s): https://www.occ.gov/news-issuances/news-releases/2016/nr-occ-2016-138.html


Fake Executive Social Media Accounts Threaten Enterprises

(November 16, 2016)

Research conducted by BrandProtect revealed that 19 percent of the Fortune 500 CEO Twitter profiles reviewed, and 9 percent of the LinkedIn accounts reviewed, had numerous duplicate accounts impersonating them, which raises concerns about potential security vulnerabilities. These types of fake profiles are often used in spear phishing or whaling attacks, or to push malware and ransomware into enterprises. Banks can better protect themselves, as well as their customers, with the use of brand protection services.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/16/fake-executive-social-media-accounts/


Android Trojan Targets Customers of 94 Banks in US, Europe

(November 2, 2016)

A malicious Android app masquerading as Flash Player is targeting online banking credentials as well as payment card details. The app is purportedly focusing on banks in the US, Australia, Germany, and France. Users should avoid installing unofficial apps on their devices and app reviews and sources should be checked before installation.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/02/trojan-flash-player-android-app/


TrickBot Banking Trojan is the Next Big Threat

(November 9, 2016)

Personal and business bank accounts are being aggressively targeted by a new banking Trojan named TrickBot. Researchers believe TrickBot may have been built by part of the team that built the nefarious banking Trojan Dyre. As they see it, this Trojan is likely to become a major threat. Third-party software and operating system patches should be kept current and users should always follow safe web browsing practices, which includes the handling of email attachments and links.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/09/trickbot-banking-trojan/


Hackers Changing Tactics, Techniques, and Procedures

(October 24, 2016)

An NTT Security report reveals the financial industry has seen a significant increase in the sophistication and type of attacks in this most recent quarter. They identify finance as the most attacked industry, with 23 percent of all attacks, and 43 percent of these were web application attacks. Comprehensive penetration testing can help banks understand where and how these attacks could take place so that appropriate security solutions can be implemented.

Relevant URL(s): https://www.helpnetsecurity.com/2016/10/24/hackers-changing-tactics/


Ransomware Raises The Bar Again

(October 10, 2016)

Ransomware is now the top attack vector targeting financial organizations according to a recent survey by SANS. 55 percent of financial firms identify ransomware as the most prevalent attack, with some loss claims between $100,000 and $500,000. Banks should have ransomware response plans in place, along with offline backups, layered security systems, and end-user awareness to limit ransomware exposure.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/ransomware-raises-the-bar-again-/d/d-id/1327138


88% of Employees Lack Awareness to Stop Privacy or Security Incidents

(October 27, 2016)

A survey was recently conducted to test employees' cybersecurity awareness. The study revealed that 88 percent lacked sufficient awareness to stop preventable incidents. Other key findings cite that 16 percent of employees exhibit behaviors that put organizations at serious security risk and 25 percent failed to recognize sample phishing emails. Banks should ensure employees receive adaptive information security awareness training at regular intervals.

Relevant URL(s): https://www.helpnetsecurity.com/2016/10/27/employees-lack-awareness/


Attackers 'Hack' ATM Security with Explosives

(October 17, 2016)

Europe has seen a surge in attacks on ATMs, many using explosives to steal cash from the safes. In the first half of this year, police in Europe cataloged 492 of these attacks. On average, explosive attacks have netted criminals $18,300 each. Although these attacks have not yet made it to the United States, banks should have strong physical security in place at all ATM locations and they should be inspected regularly for tampering.

Relevant URL(s): http://www.bankinfosecurity.com/attackers-hack-atm-security-explosives-a-9457


Russian Criminals' Bank Attacks Go Global

(October 26, 2016)

Russian criminals have tested and perfected their techniques on local banks and are now taking them global. As stated by Moscow-based Group-IB, these criminals develop their attacks for the market they know best, then later go after banks in the U.S., Canada, and other countries. Group-IB also claims that another wave of attacks, mobile banking Trojans, is building up in Russia, having escalated 471 percent recently. U.S.-based banks would be wise to stay abreast of international cyberattacks to help improve their security strategies.

Relevant URL(s): www.csoonline.com/article/3135364/security/russian-criminals-bank-attacks-go-global.html


FFIEC Rewrites the Information Security IT Examination Handbook

(September 27, 2016)

The FFIEC has recently updated its guidance for managing financial institutions' information systems, the first update in over 10 years. The updated handbook is almost 40% shorter; however, the expectations have increased. The guidance contains a more traditional approach to risk management, as well as an increased focus on cybersecurity controls, internal assessments, and third-party service providers.

Relevant URL(s): http://complianceguru.com/2016/09/ffiec-rewrites-it-handbook/


FDIC Updates IT Examination Procedures

(June 30, 2016)

FDIC-supervised institutions will be subject to new IT examination procedures starting immediately. This major overhaul, now dubbed InTREx (Information Technology Risk Examination), is the first considerable update since 2007. The new design has a simpler pre-examination phase but institutions should prepare for a more thorough examination phase. The new granular procedures require examiners to review and evaluate your documentation and determine if it sufficiently proves that you're doing what you say you'll do. Having necessary documentation available may make all the difference.

Relevant URL(s): https://www.fdic.gov/news/news/financial/2016/fil16043.html


SWIFT Sees New Hack Attacks Against Banks

(August 31, 2016)

Since the theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York, SWIFT has seen continued attacks against banks' local security controls to send fraudulent messages via the SWIFT network. In a private letter from SWIFT to its customers, the collective warns that some banks have lost money as a result. The letter also explains that targets have varied in size and geography, and have used diverse connectivity methods; however, they've all had weaknesses in their local security. Banks are urged to install the updated SWIFT software, which includes stronger password management rules, better user authentication, and better tools for detecting attacks.

Relevant URL(s): http://www.bankinfosecurity.com/swift-sees-new-hack-attacks-against-banks-a-9374


Secret Service Warns of ‘Periscope’ Skimmers

(September 16, 2016)

According to an alert by a financial task force, a new type of skimming technology known as "periscope skimming" has been found in at least two ATMs in Connecticut and Pennsylvania. This new skimmer connects directly to the ATM's internal circuitry to steal payment card information and can store up to 32,000 card numbers. In both of these cases the criminals installed the devices by gaining access to the insides of the ATMs with a key. ATMs should be physically secured, with the top of the cabinet not exposed if possible, and checked regularly for evidence of tampering.

Relevant URL(s): http://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/


Banking Trojan GozNym Botnet Sinkholed After Infecting Over 23,000 Victims in UK, US and Europe

(September 29, 2016)

Researchers with Cisco Talos successfully brought down a very large botnet controlled by GozNym operators. GozNym, a powerful banking Trojan, combines features from two families of malware, Gozi and Nymaim. The Trojan was found to have infected at least 23,000 victims in the US, the UK, and Europe. These types of threats, which are typically delivered via spear phishing, can often be mitigated with education campaigns, consistent social engineering testing of staff, and email security filtering.

Relevant URL(s): http://www.ibtimes.co.uk/banking-trojan-goznym-botnet-sinkholed-after-infecting-over-23000-victims-uk-us-europe-1583973


Data Breach At Oracle's MICROS Point-of-Sale Division

(August 16, 2016)

KrebsOnSecurity recently learned of a breach at Oracle Corp., which appears to have affected hundreds of systems, as well as a customer support portal for companies using MICROS point-of-sale (POS) payment systems. MICROS, one of the top three POS vendors, is used at more than 330,000 cash registers worldwide. Two anonymous security experts indicated that the breached customer support portal had been seen communicating with a server used by the Carbanak Gang, a group suspected of stealing more than $1 billion from banks and other organizations over the past few years. Oracle will be forcing password resets for all support accounts of the MICROS portal.

Relevant URL(s): http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/


Financial Malware Attacks Increase as Malware Creators Join Forces

(August 12, 2016)

According to Kaspersky Lab's most recent IT threat evolution report, financial malware attacks on users increased 15.6 percent compared to the previous quarter. One reason for this may be a collaboration between the authors of two of the top banking Trojans, Gozi and Nymaim. The Nymaim Trojan, which was initially designed as ransomware, now includes banking Trojan functionality from Gozi. If criminals are unable to steal personal financial information, they will encrypt the users' files and demand a ransom. As always, up-to-date operating systems, third-party software patches, and antivirus definitions should be consistently applied to help users protect their systems.

Relevant URL(s): https://www.helpnetsecurity.com/2016/08/12/financial-malware-attacks-increase-malware-creators-join-forces/


New Banking Malware Touts Zeus-Like Capabilities

(August 15, 2016)

A new Zeus-like malware kit being promoted in the underground could bring more trouble to financial institutions. This new malware kit, Scylex, appears to be designed to enable financial crime on a large scale, including features such as a user-mode rootkit, a secure reverse proxy, web injects, and even a Hidden Virtual Network Computing (HVNC) module that allows attackers to interact with the victim's bank account from the infected computer. Banks can better protect themselves by utilizing out-of-band two-factor authentication for account logins.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/new-banking-malware-touts-zeus-like-capabilities/d/d-id/1326612?


Stolen Devices to Blame for Many Breaches in the Financial Services Sector

(August 25, 2016)

A recent analysis by Bitglass of all financial service company breaches since 2006 indicates that leaks nearly doubled between 2014 and 2015. The first half of 2016 does not look any better, with 37 banks having disclosed a breach so far. The analysis shows that one in four breaches in the financial service sector is due to lost or stolen devices. By ensuring full disk encryption is in use on laptops and mobile devices, along with a wipe option, banks can reduce their exposure to this threat.

Relevant URL(s): https://www.helpnetsecurity.com/2016/08/25/breaches-financial-services-sector/


Study Finds Nearly 40 Percent of Enterprises Hit By Ransomware in the Last Year

(August 4, 2016)

Malwarebytes' "State of Ransomware" report shows that nearly 40 percent of businesses have experienced a ransomware attack in the last year, more than a third lost revenue, and 20 percent had to stop business completely. Other findings indicate that healthcare and financial services were the leading industries attacked by ransomware and that more than 60 percent of attacks took more than 9 hours to remediate. A multi-layered approach, including up-to-date software, web and email security filtering, user awareness, regular offline backups, and well-planned incident response, continues to be the best strategy against ransomware.

Relevant URL(s): http://www.itsecurityguru.org/2016/08/04/major-international-study-finds-nearly-40-percent-of-enterprises-hit-by-ransomware-in-the-last-year/


Card Fraud Rises Globally, With Almost 1/3 Consumers Falling Victim

(July 13, 2016)

Payment card fraud is on the rise globally, with the U.S. among the top three affected countries in 2016, according to a report from ACI Worldwide. Their survey indicates that about thirty percent of customers worldwide have experienced card fraud in the last five years. The report attributes this to more sophisticated fraudsters, risky behavior by consumers, and increasing amounts of private data on social media platforms. Banks can be proactive in preventing card fraud by implementing behavioral analytics as an additional authentication factor.

Relevant URL(s): http://www.itsecurityguru.org/2016/07/13/card-fraud-rises-globally-with-almost-13-consumers-falling-victim-report-by-aci-worldwide-and-aite-finds/


Trojanized Remote-Access Tool Ammyy Spreads Banking Malware

(July 18, 2016)

While investigating a malicious banking Trojan, researchers at Kaspersky Lab discovered that the Trojan was being distributed from the official site of Ammyy Admin, a legitimate remote administration software tool. They found that the download code checked whether the computer initiating the download was part of a corporate domain. If so, it launched the Lurk Trojan, indicating that corporate workstations and servers were the primary target. Running up-to-date anti-malware software or advanced endpoint threat protection can help organizations defend against these types of attacks.

Relevant URL(s): https://securelist.com/blog/research/75384/lurk-a-danger-where-you-least-expect-it/


Necurs Botnet is Back, Updated With Smarter Locky Variant

(June 23, 2016)

After going silent for nearly a month, the Necurs botnet is back and now includes an improved version of Locky ransomware and the Dridex banking Trojan. The botnet delivers the ransomware and banking Trojan via malicious email attachments. Locky and Dridex account for millions of dollars in losses from United Kingdom and U.S. victims. Banks can better protect themselves by leveraging advanced email threat solutions to detect and block malicious attachments and links.

Relevant URL(s): https://threatpost.com/necurs-botnet-is-back-updated-with-smarter-locky-variant/118883/


'No More Ransom' Portal Offers Respite From Ransomware

(July 25, 2016)

The National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Center, Intel Security, and Kaspersky Lab have come together to help users avoid becoming ransomware victims and to help decrypt their files with NoMoreRansom.org. As security experts have said, paying ransoms is often a bad idea, enabling the criminals to build improved strains of malware and prompt them to continue their attacks. The site offers decryption tools for several ransomware variants and allows victims a way to report infections that can aid in tracking down the crooks behind the malware.

Relevant URL(s): http://www.bankinfosecurity.com/no-more-ransom-portal-offers-respite-from-ransomware-a-9285


Hackers Steal Millions from ATMs Without Using a Card

(July 14, 2016)

Dozens of ATMs operated by Taiwan's First Bank were attacked recently. The masked perpetrators appeared to gain control of the machines with a physical device, then made off with the equivalent of $2 million. Investigators have determined that the machines were infected with three different malware files that forced them to dispense the cash. Banks should consider all points where ATMs could be vulnerable to physical attack, such as USB and network ports, and implement appropriate safeguards.

Relevant URL(s): http://money.cnn.com/2016/07/14/news/bank-atm-heist-taiwan/index.html
