European banks getting targeted by malware

At least one in twenty devices used by the customers of major European banks is riddled with malware, according to new claims from one security company.

European bank customers hit by malware attacks

Software security company and consultancy Minded Security came to this conclusion after using its new AMT Banking Malware Detector solution to collect information on infected customers, with many of these being European banks.

In findings that were released on Thursday, the UK-based firm revealed that this malware consisted of unwanted adware (three percent), spyware (1.5 percent) and banking malware (0.5 percent), with the latter most often used to steal data and take over accounts.

Marco Morana, managing director of Minded Security UK, and SVP of risk and controls for Citi Bank London, noted that from his personal perspective malware continues to evolve in this space.

“Banking malware is constantly evolving and escalating in sophistication; typical authentication and monitoring tools simply don't stand up against these new threats. The financial sector needs to deploy anti-malware technology that is effective at detecting and identifying the risks associated with both known and unknown malware threats. Minded Security aims to help manage and mitigate these hard-to-find threats.”

Speaking to SC, he said that most bank failings on information security have come down to undiscovered software vulnerabilities, weak policies, little risk assessment and, more recently, little board buy-in and the proliferation of mobile.

He said that the 1 in 20 malware compromises would be significant in banks with more than 40 million customers, before warning that too few of these focus on “what's the threat and who the attacker is.”

Morana added that banks were targeted by everything from targeted attacks and exploits to phishing emails and spoofed websites, with mobile an increasing point of interest.

“Today you're going to deal with very skilled and expert attackers… and in terms of the attack surface, you're also seeing the proliferation of software on mobile,” he said, citing iOS and Android platforms in particular.

“For banks what we see more and more of is cyber-security risk management. Before the problem was at the level of operations – how can you do better policy and process. That's still important but we're now at a level of getting executive management attention.”

Morana added that banks were also focusing more on information security training and awareness.

Ben De La Salle, head of IT security and risk at Old Mutual Wealth, said in an email to SC that banking malware always outpaces defensive measures.

“Banking malware continues to evolve faster than traditional security controls; they are known to be able to bypass anti-malware technologies and often will engage after an unsuspecting user has already authenticated with their bank, meaning that companies' defences need to be more focused on post-authentication activities.

“This deficiency in traditional controls is evident when you consider how much the focus has shifted to user awareness and education, accepting the fact that traditional controls can be circumvented and in fact we need to ensure our defences include the user at every turn. Surely, it is natural now to include user behaviour when evaluating risks in real-time.

“The success of any technology such as this is to be able to understand the natural variances in human behaviour and not become a hurdle to the way in which users interact with services; whilst at the same time being able to detect those variances that separate the legitimate behaviour from attempted fraud.”

On the mobile threat, De La Salle added that banks had to go to mobile, and had largely got it right, offering access to frequent low-risk services, like balance enquiry, transferring between accounts, and payments to known recipients.

“The malware threat on mobile is just as relevant as on desktops/laptops. Protecting the customer data on the mobile device is critical, and ensuring that malicious code cannot inject transaction requests via the app, but the latter risk is reduced due to the restrictions on functionality available on the device.”