1. Organized Crime Targeting Financial Institutions
Over the past several years, law enforcement investigations into cyber crime have uncovered global networks of organized crime groups, including overseas criminal organizations (many based in Eastern Europe) that hire and direct hackers.
Rob Lee, senior forensics investigator at Mandiant, a risk assessment firm, says the battle between "us and them" increasingly pits the financial services industry against organized crime organizations. "The days of the Maginot line of information security are long gone," Lee says, referring to the defensive World War I battle line created by Allied troops to keep German troops from invading France. The battle lines reach far wider than just an institution's firewalls, he adds.
Anton Chuvakin, an information security expert and author, predicts that 2010 will see a frightening rise in incidents attributable to organized crime. "Rampant, professional cybercrime, from the Russian Business Network (RBN) to its descendants, from individual criminal 'entrepreneurs' to emerging criminal enterprises -- all signs point to dramatic rise of cybercrime," he says. "This is simply the logical consequence of today's situation with the use of information systems: Insecure computers plus lots of money plus no punishment equals 'go do it!'"
In other words, there has not been a better time to go into a cybercrime business, Chuvakin says. "The strategy is pretty much the 'blue ocean' one, with a lot of unexplored opportunity and a low barrier to entry."
2. Assault on Authentication
The banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites. Now industry security experts warn that attacks against those traditional customer authentication methods are being challenged and defeated. Avivah Litan, a Gartner analyst, says the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecureID), and call-forwarding that tops phone-based authentication, as well as transaction verification using SMS or voice calls. "This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts," Litan says.
Uri Rivner, Head of New Technologies, RSA's Identity Protection and Verification division, is also seeing an increase in high-grade man-in-the-browser trojan attacks. "In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0," Rivner says. MITB trojans send money in real time, he explains, rather than just stealing credentials for sale in the underground. Rivner sees additional "Fraud-as-a-Service" models will make these kits available to more and more fraudsters. Solutions include anti-trojan detection and countermeasure services, desktop hardening, out-of-band authentication and transaction monitoring, he says.
Commercial banking has already seen early signs of man-in-the-browser attacks targeting two-factor authentication used to protect U.S. commercial online banking customers. "In 2010, we project this trend to greatly intensify, requiring commercial banks to deploy additional lines of defense such as adaptive authentication, out-of-band authentication, desktop hardening and anti-trojan countermeasure services," Rivner says.
3. More Malware
It seemed that almost every week in 2009 there was another announcement by a security researcher of a newly discovered malware variant. RSA's Rivner says malware spread like wildfire. "The rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008," he notes. Leading the infection methods are drive-by-download (taking over legitimate websites; routing visitors to an infection server) and social network infections (spamming a victim's entire social network "friend list" with links to infection servers).
Increasingly, sophisticated, distributed malware is being seen in forensic investigations of cyber crimes, says Dave Shackleford, an information security expert and SANS instructor. Criminals are also adding a flavor of social engineering to get the malware into a user's machine. "Large scale botnets are growing, and the quality of the code is improving, as these kinds of malware are increasingly funded by criminal organizations," he warns.
4. Return to Telephone-Based Fraud
One thing criminals attacking financial institutions and customers are is persistent, as seen by the number of attacks hitting US banks and credit unions in 2009. When one avenue of entry is closed, the criminals look to other ways to what they're after, says RSA's Rivner. As institutions beef up their online security, many fraudsters turned to more traditional telephony fraud.
"Armed with data stolen via trojans and phishing attacks - including 'vishing' (voice phishing), 'smishing' (SMS phishing or text phishing) and variants of spear phishing, fraudsters around the world call customer service departments at banks, credit unions and credit card companies in order to perform fraud called account takeover," Rivner says. These fraudsters often outsource the actual phone call to multi-lingual third party services provider operating 24/7 out of Russia, he adds. "Caller ID spoofing is also prevalent," he observes.
5. Increased Insider Threat
The trusted insider is the most dangerous foe for any institution -- and the most feared, as seen by the amounts of money and data taken by insiders The prevalence of insider crime can be blamed on several factors, but the insider threat at financial institutions is increasing, notes Shackleford. "I see there will be an increase in internally-driven fraud, caused in part by the bad economy and also the ease of access to data," he predicts.
Tom Wills, Security and Fraud senior analyst at Javelin Strategy and Research, agrees and adds the insider threat -- with the insider defined as anyone with access to the extended enterprise, not only employees and contractors, but partners and suppliers too -- may have financial problems that push them toward the crime. "Additionally, you have to consider individuals with significant IT knowledge who may not be fully employed and may have incentive to perform activities that they would not have previously," he notes.
Nathan Johns, a Crowe Horwath consultant, says disgruntled employees may also turn to crime. "These are people who are not receiving raises, bonuses, or potentially being laid off, who have the opportunity to do activities that they would not have done in better times," he observes.
Johns also warns that unauthorized access by former employees can lead to problems. "There has been an increase in people being released by organizations, but often times the removal of their access rights is lagging their departure from the organization," he says.
The employees who become insider threats may do so without even knowing they're involved, warns RSA's Rivner. "Already thousands of Fortune 500, government and bank employees are infected with financial trojans that targeted them as consumers. As a side-effect, there are also thousands of infected corporate laptops or PCs used at home for remote access via a VPN," he warns.
Rivner expects 2010 will see fraudsters developing ways to monetize these infected resources, which can lead them straight into the affected organizations' networks. "Bank employees will be a primary focus for these cybercriminals," Rivner predicts.
6. Mobile Banking Attacks
The move to mobile banking by financial institutions that want to offer customers instantaneous access to their accounts is catching fire around the country, with hundreds of institutions now offering customers the ability to look up their account data and balances on cell phones. But security experts see trouble ahead when institutions begin allowing more than just account balance checks to happen. The chance for fraud via the mobile phone is already here says Ed Skoudis, lead forensic investigator for InGuardians, a security forensic firm. "Exploits against the ever-growing base of smart phones [are on the rise], leading to the possible building of a botnet based on iPhone or Android phones," Skoudis observes.
RSA's Rivner concurs with the propensity for fraud in the mobile banking sector saying, "Mobile banking fraud is coming. More customers are enrolling in mobile banking, and more services are offered via mobile channels. Banks in Asia and Europe are already experiencing mobile trojans and SMS redirection attacks." He expects the U.S. to experience the first wave of attacks towards middle of 2010. "Banks will start funding the extension of their online banking protection to the mobile channel," he predicts.
Part of the problem is that customers don't always pay attention to what they're receiving on their mobile devices, says Johns of Crowe Horwath. "People rely more and more on their BlackBerrys and smart phones, and don't pay attention to the information that they are getting on them, and they push back to security being installed on the devices," he adds.
Javelin's Wills sees mobile fraud happening if banks start to enable full service banking on mobile devices. "This means money movement instead of just checking balances and finding ATM locations," he says.
The mobile target will continue to grow, says Shackleford, and as smart phones become more sophisticated, the number of attacks will grow too. "In many cases, these devices contain a huge amount of sensitive data, as well, and could even be a vital component of newer two-factor authentication used by banks," he says.
7. Web 2.0 and Social Media Attacks
At the same time institutions are flocking to Facebook and tweeting on Twitter, the cyber criminals are lining up their arsenals for attack via Web 2.0 and social media sites. InGuardians' Skoudis says attacks via social networking sites are the new way for criminals to get into bank accounts. "These sites are being used by the bad guys for reconnaissance to learn more about their targets," says Skoudis adding, "At the same time, they're delivering malicious content to unsuspecting users."
Institutions should also be on lookout for additional client-side spear phishing attacks will expand into new means of targeting users through use of social networks says Lee of Mandiant.
8. SQL Attacks -- More To Come
The biggest data breach on record -- Heartland Payment Systems -- was done using a "Sequel Injection," or SQL injection, attack. SQL attacks are a popular way to infect and take over websites, as seen by the recent findings by security researchers at Verizon Business. SQL injection attacks were one of the most common methods of breaching systems in the Verizon report's cases. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.
There's more to watch for, says Javelin's Wills, including attacks on web applications -- especially drive-by downloads of keylogging trojans and man-in-the-middle attacks. The browser will become the favored attack vector, and zero day attacks on client-side software are also on horizon.
"Fewer operating system holes are being found, but more and more in Adobe, instant messaging, MS Office and other applications," says InGuardians' Skoudis. "The scenario would be: A victim views content from a bad guy, and the attacker then takes over the victim's browser," he explains. This technique is used to create botnets as well as skim credit card and account information from the client machine.
He also sees infrastructure attacks, launched via an infected browser happening. "Here, the bad guy uses a compromised browser to access an enterprise infrastructure controlled by that browser including the enterprise's firewalls, anti-malware solution and possibly HVAC and related systems," Skoudis says.
Within institutions, Shackleford sees VoIP and other converged networking issues coming up "From simple denial-of-service problems to new malware that affects voice systems, this will be a growing area that affects financial institutions," he predicts.