
Financial sector sees 300% increase in attacks

Rajiv Motwani, Websense

25-June-2015 Report details methods and offers guidance.

Drawing information from its large customer base across the globe, primarily from the up to 5 billion global daily inputs to ThreatSeeker Intelligence Cloud, the Websense Security Labs 2015 Financial Services Drill-Down Report examines the current state of cyber threats and data-stealing attacks against financial services institutions.

“The financial sector is lucrative, encountering 300% more attacks than other industries,” said Rajiv Motwani, Director, Security Research at Websense Security Labs. “It starts with Recon – gathering info about the victim.”

Given that percentage, it’s unsurprising that 30% of lures are focused on the financial sector.

“That 30% uses specific invoices and tactics,” Motwani said. “Financial services has more and better detection. Clearly the attackers are upping their game, being more professional. Gone are the rambling, misspelled email messages. Now these are very direct, single-sentence, such as a member of the C-suite might send.”

One attack used a message socially engineered for its victims – fewer than 100 accountants in the financial services sector. Taking advantage of their daily reliance on, and familiarity with, macros in documents and spreadsheets, the message instructed them to open an attached Microsoft Word document and run its macros.

The macro contacted a website to download an executable that opened a backdoor into the machine, progressing the attack through the Kill Chain. A second round of the campaign occurred one day later with different attributes (for example, sender and subject).

Criminals engage in targeted cybersquatting – registering domains by the thousands that are similar to the legitimate domains of financial institutions, for example .co instead of .com.

From those cybersquatted domains, they send email lures to victims. These email lures refer to prior correspondence, and are designed to look like a real email message from that company.

Each spear phishing incident averages a return of $130,000 – for the price of registering a domain. The domains are often abandoned within a month, which has led Paul Vixie to propose a cooling-off period of up to one month for newly registered domains.
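A defender's counterpart to the cybersquatting described above is to check the sender domain of inbound mail against the institution's own domains and flag the near-misses. The following is an added example, not code from the report or from Websense; the allowlist domains and sender addresses are constructed, and it generalizes the .co-for-.com trick to typo-squats and brand-embedded domains.

```python
# Constructed allowlist of legitimate financial-institution domains (hypothetical names).
LEGIT_DOMAINS = {"examplebank.com", "firstcredit.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_legit_domain) for one sender domain."""
    domain = domain.lower().strip(".")
    # An exact match or a subdomain of a legitimate domain is fine (mail.examplebank.com).
    for legit_dom in legit:
        if domain == legit_dom or domain.endswith("." + legit_dom):
            return "legitimate", legit_dom
    name, _, tld = domain.rpartition(".")
    for legit_dom in legit:
        legit_name, _, legit_tld = legit_dom.rpartition(".")
        # Same name under a different TLD: the .co-for-.com trick in the report.
        if name == legit_name and tld != legit_tld:
            return "tld-swap", legit_dom
        # Brand name embedded in a longer domain, e.g. examplebank-secure.com.
        if legit_name in name:
            return "brand-embedded", legit_dom
        # Typo-squat: a few character edits away from the real name.
        if levenshtein(name, legit_name) <= max_distance:
            return "typosquat", legit_dom
    return "unrelated", None

def flag_lures(senders):
    """Return senders whose domain resembles a legitimate bank domain but is not one."""
    flagged = []
    for addr in senders:
        verdict, match = classify_domain(addr.rsplit("@", 1)[-1])
        if verdict not in ("legitimate", "unrelated"):
            flagged.append((addr, verdict, match))
    return flagged

# Constructed sample senders; none of these addresses are real.
SAMPLE_SENDERS = [
    "ar@examplebank.com", "invoices@mail.examplebank.com",
    "cfo@examplebank.co", "ar@exampIebank.com",  # capital I for lowercase l
    "alerts@examplebank-secure.com", "news@unrelatedvendor.org",
]
```

Calling `flag_lures(SAMPLE_SENDERS)` returns the .co, typo-squat and brand-embedded senders while passing the real domain and its subdomain; in practice the check would run at the mail gateway against a maintained allowlist.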

Websense researchers uncovered another anomaly – Geodo has seen a 400% increase in effect in financial services, more than in any other sector. It is used for credential stealing, is launched through MS Office macros, and has an email component: it harvests further email addresses from infected machines, which can account for the 400% increase.

“Cyber criminals are trying to steal credentials and information, and switch things up,” said Motwani. “The USA is up there for origin of attacks, as are European countries.” 

And the coding is always improving. For example, to evade a corporate sandbox, malware may query the targeted system for virtual machine artifacts, including a search for specific hard drive models and a search of the Windows Registry for keys specific to virtual machines. If the code finds VM keys or no physical hard drive, no malicious behavior occurs.

Additionally, some executables may sleep or time out before conducting any malicious behavior, outlasting the sandbox's analysis window.