Smaller banks under fire from phishing attacks

A US government financial agency has warned smaller banks and financial institutions in the US to be aware of the heightened risk of their systems being phished by cyber-criminals.

The Federal Financial Institutions Examination Council (FFIEC) says that cyber-criminals are phishing the banks with the specific aim of increasing the daily withdrawal limits of account holders - allowing them to drain a card account in one or two days, rather than being constrained by the normal daily ATM limit.

The FFIEC adds that the hackers are looking for access to the web-based ATM control panels used by bank staff, which are used to set the amount of money customers can withdraw, and the geographies where they can take money out. 

SCMagazineUK.com understands that pre-paid debit cards are especially susceptible to this type of attack. 

The cyber-criminals use debit or credit card information obtained through other attacks to make their withdrawals, usually on holidays and weekends when monitoring by banks is more limited. 

“The cash-out phase of the attack involves criminals organising simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days,” says the FFIEC. 

The attack methodology is far from theoretical, SCMagazineUK.com notes, as Oman's Bank of Muscat and RakBank, the UAE-based National Bank of Ras Al-Khaimah, were hit by this type of attack around 15 months ago. 

RakBank reportedly lost $5 million (approximately £3 million) to fraudsters after around 4,500 ATM withdrawals were made in 20 countries around the world on December 22, 2012. The Bank of Muscat, meanwhile, lost $40 million (£24.1 million) in just 10 hours in February 2013. 

In both incidents, cyber-criminals dramatically increased the limits on prepaid debit cards after also breaking into card issuer computers in the US and India. Authorities later arrested people in the US, Germany and Spain in association with the banking fraud. 
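The limit-increase and cash-out pattern described above, as an added detection example that is not from the article or the FFIEC: it correlates abnormal control-panel limit changes with bursts of multi-country ATM withdrawals over constructed sample records. The event formats, thresholds, card identifiers and operator names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article): withdrawal-limit changes made
# through an issuer's web-based control panel, and ATM withdrawals on the same cards.
LIMIT_CHANGES = [  # (timestamp, card, old_limit, new_limit, operator)
    ("2012-12-21T23:10:00", "card-A", 500, 50000, "ops-user-7"),
    ("2012-12-21T09:00:00", "card-B", 500, 600, "ops-user-2"),
]
WITHDRAWALS = [  # (timestamp, card, atm_id, country, amount)
    ("2012-12-22T01:00:00", "card-A", "atm-101", "US", 2000),
    ("2012-12-22T01:05:00", "card-A", "atm-202", "JP", 1900),
    ("2012-12-22T01:12:00", "card-A", "atm-303", "DE", 2000),
    ("2012-12-22T01:20:00", "card-A", "atm-404", "ES", 1800),
    ("2012-12-22T01:30:00", "card-A", "atm-505", "GB", 2000),
    ("2012-12-22T02:45:00", "card-A", "atm-606", "US", 1500),
    ("2012-12-22T10:00:00", "card-B", "atm-101", "US", 100),
    ("2012-12-23T10:30:00", "card-B", "atm-101", "US", 120),
]

def flag_limit_changes(changes, max_ratio=5.0):
    """Control-panel limit increases that jump to >= max_ratio x the old limit."""
    return [c for c in changes if c[3] >= max_ratio * c[2]]

def flag_cashout(withdrawals, window=timedelta(hours=4), min_atms=5, min_countries=3):
    """Cards hit from many ATMs in many countries inside one sliding time window."""
    by_card = defaultdict(list)
    for ts, card, atm, country, amount in withdrawals:
        by_card[card].append((datetime.fromisoformat(ts), atm, country, amount))
    alerts = {}
    for card, events in by_card.items():
        events.sort()  # chronological order, so each event can open a window
        for i, (start, _, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            atms = {e[1] for e in burst}
            countries = {e[2] for e in burst}
            if len(atms) >= min_atms and len(countries) >= min_countries:
                alerts[card] = {"start": start, "atms": len(atms),
                                "countries": len(countries), "total": sum(e[3] for e in burst)}
                break  # one alert per card is enough
    return alerts

def correlate(changes, withdrawals, lead=timedelta(days=2)):
    """Cards whose suspicious limit increase precedes a cash-out burst by at most `lead`."""
    bursts = flag_cashout(withdrawals)
    hits = {}
    for ts, card, old, new, operator in flag_limit_changes(changes):
        changed = datetime.fromisoformat(ts)
        if card in bursts and timedelta(0) <= bursts[card]["start"] - changed <= lead:
            hits[card] = {"operator": operator, "old": old, "new": new, **bursts[card]}
    return hits
```

The operator field in each hit points back at the control-panel account that raised the limit, which is the credential a phished employee would have surrendered.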

Commenting on the raised threat to banks from phishing attacks, Phil Robins, a director with Encode UK, said that, as cyber defences improve, so the criminals will rise to the challenge. 

"People are the weakest link in all security and are therefore very susceptible to this type of Advanced Persistent Threat (APT)," he said. 

"This joint statement [from the FFIEC] defines good cyber security practice including both the testing and monitoring of the safeguards," he added. 

Colin Miles, CTO of Pirean, an employee security consultancy, said that smaller financial institutions can protect themselves against this kind of phishing attack by adopting stronger authentication mechanisms to protect key applications. 

"Where any organisation has digital assets which could be compromised to cause reputational or financial damage - to itself or its customers - it is vital that they have higher levels of assurance regarding who is accessing the service than knowledge of a username/password alone," he said. 

"With the right technology these institutions can lower the risk profile for sensitive applications safe in the knowledge that a basic credential theft will not compromise access to a control panel application," he added. 

Miles went on to say that financial institutions exposed to this kind of risk should also consider implementing controls for advanced threat prevention and detection. 

"These security controls offer capabilities to offer protection against zero-day application exploits by preventing malware from ever reaching the network even when otherwise trusted employees have been compromised through so-called spear-phishing scams," he explained. 

The same approach, he says, will also add a further layer of protection by monitoring the network for signs of unwanted data exfiltration – effectively stopping sensitive data from ever leaving the network and reaching the bad guys. 

Tim Keanini, CTO with security vendor Lancope, said that it is interesting to note that prepaid card systems were targeted because prepaid cards do not enjoy the same protection under the law as debit or credit cards. 

Prepaid debit cards, he explained, may carry fewer consumer protections in the event of loss or a disputed charge than debit cards and this may have been a factor in why they were targeted. 