Alleged Bank Hack Tied to Phishing?
Suspected JPMorgan Breach Raises Risk Awareness
News reports of suspected attacks against JPMorgan Chase, and perhaps other banks, serve as an important reminder for financial institutions of all sizes to ramp up their security efforts, especially to guard against phishing attacks.
"This should serve as a loud wake-up call for bank boards to elevate security to the top of their agenda, and to make sure their security staff, e.g., the CISOs, are doing everything they can to secure the business," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner.
The Hacker Threat
In a blog posted just after news of the alleged attack broke, Litan states: "Hackers are always probing bank systems, and even a year ago or so, law enforcement authorities and regulators put out an advisory to banks about criminals hacking into bank employee accounts to infiltrate their computer networks, and in some selected cases to steal funds."
If the JPMorgan attack is confirmed, it likely will be traced to the compromise of an employee, either through a spear phishing attack or some other means, Litan says.
Just days before news of the apparent hacking attacks against U.S. financial institutions grabbed headlines, researchers at online security firm Proofpoint discovered a large-scale credential phishing scheme aimed at JPMorgan Chase customers. In some cases, users were directed to a spoofed webpage, which contained an exploit kit. Once users input a username and password on the spoofed page, they were prompted to download a fake Java update that was actually malware.
"Exploits are attempting to install the recently discovered Dyre banking Trojan that attempts to steal banking credentials," Proofpoint notes in its Aug. 21 blog. "...The version of Dyre used in this attack was not detected by any of the leading anti-virus providers at the time of the attack."
Proofpoint did not respond to Information Security Media Group's inquiry about whether the apparent hack of JPMorgan Chase's banking system could be linked to the spear-phishing campaign it detected the third week of August. But Kevin Epstein, vice president of advanced security and governance for Proofpoint, notes that the firm immediately notified the bank of the scheme, which it detected during an analysis of global e-mail trends.
"Security professionals can't afford to discount any phish, even consumer-based," Epstein says. "We've repeatedly seen evidence that people click on links, even when they have no reason to click."
Even though this campaign was aimed at end-users, it could be at the root of the apparent hacking of JPMorgan Chase, says John LaCour, CEO of online security firm PhishLabs. An employee may have been fooled by the same scheme, or the compromise of a customer may somehow have resulted in the compromise of an employee, he says.
"If that's accurate, the point is that technical controls are not enough - and that all users have to know that they're part of the defense plan," LaCour says. "Unfortunately, bank employees have to make the right decision 100 percent of the time and the bad guys only need to find their way in 1 percent of the time."
Litan notes that the timing of the spear-phishing campaign and the revelation of an apparent breach appears to be more than coincidental. "Almost all of these attacks start with spear phishing," Litan says. "So, yes. It could be related, and probably is."
Security is not solely about having the right technologies, such as multi-factor authentication, in place, Litan says.
"Organizations need to be aligned in order to properly defend themselves from cyber-attacks," she points out. "Senior and board-level management need to support security initiatives directly by getting involved, and not just leaving it to the CIO or CISO to figure out. These IT ... executives can't do their jobs without business support. And that has to come from the board level, given the siloed nature of these large bank organizations."
Carl Herberger, vice president of security solutions for security firm Radware, which specializes in mitigating distributed-denial-of-service attacks, says training and education are paramount.
"This shows the importance of having staff trained on the latest cybersecurity risks, as well as participation in information-sharing organizations that can turn threats into actionable intel," he says. "We recommend that all financial-services companies exercise extreme care with their security postures over the near term."