How to future proof the financial industry against cyberattacks

Moshe Hayun, threat intelligence team leader at Deep Instinct

The financial industry is the backbone of an economy; more specifically, it is the building block of a digital economy. Offering a broad range of services to billions of users across the globe, including banking, loans, consultancy, and investment, modern finance provides consumers and businesses with endless opportunities.

However, the amount of data held by these organisations is why the financial industry has historically been one of the most popular domains for cybercriminals, and these organisations typically present a larger attack surface to exploit. Consumers trust them with some of their most private information, and the potential leak of this data, with its subsequent consequences, can be a nightmare for financial institutions.

In 2021, banking institutions alone saw a 1318% increase in ransomware attacks, and the average cost of a cyberattack in the financial sector reached $5.7 million in 2021. Evidently, the finance industry will continue to be seen as an attractive and lucrative target for cyber criminals, and it is therefore paramount that organisations within the sector do all that they can to avoid becoming the next victim.

The biggest cybercriminal families targeting the financial industry

Certain malware families have been a prominent threat to financial institutions throughout 2021. Our recent research revealed that Dridex and TrickBot were the most frequent malware families targeting the industry, specifically the banking sector. Dridex accounted for most of the malware attacks (68%), while TrickBot was responsible for 11% of the attacks.

Both are highly sophisticated banking trojans. Dridex is a trojan designed to sneak behind an organisation’s defences (or, more accurately, to trick defenders into bringing it past the perimeter themselves). TrickBot, on the other hand, is used to target individuals, businesses, and large enterprises to steal financial data, personal information and bank account credentials. Once this information is obtained, it can be used to carry out financial fraud and identity theft.

IcedID is another modular banking trojan that has attacked banks, e-commerce and credit card companies. Much like a worm, it has been designed to replicate, spread and infect more systems as it travels. Once executed on one machine, it uses simple evasion techniques such as surviving machine restarts, making it more difficult to identify and defeat.

Another of the top five financial malware families is Zloader, a banking trojan that is a variant of the Zeus banking malware. It is distributed in phishing campaigns or spoofed emails designed to trick victims into downloading and executing the malware. QakBot is the fifth malware family that can cause chaos within the finance sector. It is an information stealer adept at harvesting online banking credentials and other financial information.

Tricky Techniques and Implications

The malware families targeting the finance industry have their own techniques for achieving their financial goals. The more data they steal, the bigger the monetary gain. As such, they use a series of devious and stealthy methods to avoid detection. One common tactic is the use of malicious macros: threat actors hide malicious code inside Word documents or other files, and it executes once someone opens them. For example, a method favoured by Dridex is a PDF laden with JavaScript, or a malicious email attachment containing Word documents with dangerous macros.

TrickBot, on the other hand, harvests emails and offers a backdoor into its victims’ networks. The malware family also possesses a screen-lock, ransomware-style option which is designed to steal system passwords.

With techniques designed to be devious and, arguably, cunning, it is no surprise that these malware groups are successful. LOLBins and PowerShell are another common tool used by cyber criminals to launch their ransomware attacks. Both are pre-installed on a computer, which makes them ideal for threat actors to hide behind and avoid detection. This type of deception is also used by IcedID. For example, it can manipulate a victim’s browser so that they think they are viewing a genuine banking website, when in actual fact they have been redirected to a fake website designed to steal their passwords.

Zloader, on the other hand, uses Excel macros and other techniques, including keylogging, to steal information from users, while QakBot spreads through malspam (malicious spam) and exploit kits deployed through compromised websites. If a victim visits the site, QakBot delivers its payload and infects them.

So, in this growing field of cyber threats, how can financial institutions future-proof themselves against devastating cyberattacks?

Facilitating real-time threat detection and prevention using deep learning

Most financial institutions today use Endpoint Detection and Response (EDR) solutions, which are designed to improve security at the entry points to networks and systems. However, they often lack accuracy and speed.

EDR only works post-execution, meaning that malware is detected after it has been deployed onto the target’s system. This makes it useful for finding known threats. However, threats evolve rapidly, with some of the fastest known malware infecting endpoints in less than 15 seconds. As a result, EDR solutions are of little use in preventing immediate and unknown threats, and they cannot process data fast enough to find such threats in time to stop them infecting the endpoint.

To strengthen their proactive stance, finance companies need to move away from conventional EDR and implement deep learning, a more effective, next-generation solution for threat prevention. Deep learning is an advanced subset of AI that uses neural networks to imitate how humans think and learn in real time, independently studying millions of attack patterns, file systems, and threat vectors.

Crucially, deep learning solutions work without any human intervention. The broad knowledge base they build is then used to project existing and evolving threat patterns. This mechanism allows deep learning tools to detect threats in milliseconds, with unparalleled accuracy. Thus, even the fastest and most advanced malware is detected and stopped before it reaches the target network.

Deep learning technology attains predictive analytics automatically through its own process of examining, analysing, and breaking down existing threat patterns, which helps it detect unknown and zero-day threats. It also produces a 99.9 percent accuracy rate, which means security teams don’t have to chase after false-positive security alerts.

Deep learning solutions shift the focus away from the financial industry’s conventional threat mitigation approach and towards threat prevention. The technology addresses the most critical security concern of the financial industry, which is accurately detecting and preventing threats. By detecting advanced threats in milliseconds, security teams can gain the upper hand on the attackers and close down their attack paths before they wreak havoc on the finance industry.