Financial Services Was Among Most-Breached Sectors in 2022

Industry Has Logged 566 Data Breaches Worldwide So Far, Public Notifications Reveal
Photo: Nic McPhee via CC BY-SA 2.0

Everyone knows why criminals have long loved to rob banks. But in this era of robbers operating remotely, which tactics are cybercriminals actually employing and how often are they successful?

Too often, it seems, thanks to phishing attacks, money laundering, ATM skimmers, malware and more.

The problem goes beyond monetary losses associated with fraud or accounts getting drained. Globally speaking, organizations in the financial services sector have suffered the second-largest number of known breaches this year, placing financial services behind government organizations and ahead of the retail sector, according to threat intelligence firm Flashpoint.

"As of Dec. 9, finance and insurance entities across the world experienced 566 data breaches, which has so far amounted to over 254 million leaked records," Flashpoint's Risk Based Security division reports. Not all data breach notifications detail how data was exposed, but where they did, general hacking techniques were blamed 57% of the time.

Other tactics being used to steal money from banks include money laundering and transfer schemes. So-called Magecart tactics for stealing payment card data from websites remain alive and well. So too does the use of physical ATM card data skimmers. Such devices retail for $500 to $1,000, and tutorials for them are widely available, including on cybercrime forums such as AlphaBay, Flashpoint reports.

Phishing Dominates

Across the multiple cybercrime forums Flashpoint tracks, it says "phishing persisted as the most-advertised and most-solicited hacking service." That's notable in part because anyone who wields phishing need not be technically sophisticated.

Nevertheless, "phishing attacks tend to have a high success rate, and are leveraged by financially motivated threat actors in order to steal sensitive information, such as credit card numbers or bank account logins," it says. In addition, numerous cybercrime vendors offer "financial phishing pages that are prebuilt to collect financial login information," skinned to resemble a range of different, actual institutions' sites.

Cybersecurity firm Trellix says that in Q3, based on its telemetry data, financial services was the sector most targeted with malicious emails, accounting for 20% of all such attack attempts, followed by state and local government at 13%, manufacturing at 12% and federal government at 11%.

Of course, phishing also is used by attackers with other motivations, including initial access brokers who gather "accesses" and sell them to others, including ransomware-wielding criminals.

Magecart Tactics

The practice of attackers sneaking so-called digital skimmers - typically, JavaScript code - onto legitimate e-commerce or payment platforms also continues. These tactics, known as Magecart-style attacks, most often aim to steal payment card data when a customer goes to pay. Attackers either use that data themselves or batch it up into "fullz," referring to complete sets of credit card information that are sold via a number of different cybercrime forums.

Innovation continues among groups that practice Magecart tactics. In recent weeks, reports application security vendor Jscrambler, three different attack groups have begun wielding new, similar tactics designed to inject malicious JavaScript into legitimate sites. One of the groups has been injecting a "Google Analytics look-alike script" into victims' pages, while another has been injecting a "malicious JavaScript initiator that is disguised as Google Tag Manager."

The third group is also injecting code, but does so by having re-registered the domain name of Cockpit, a free web marketing and analytics service that ceased operations eight years ago. Many websites apparently never expunged the Cockpit code from their pages, and attackers have been serving up scripts using the URLs previously employed by Cockpit.

"By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce websites," Jscrambler reports. "Data collected from the sites was encoded, encrypted and then sent to an exfiltration server based in Russia."
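One defensive check that follows from the Jscrambler findings above, added here as an example that is not from the article or from Jscrambler: inventory a page's external script references and flag hosts that are not on the site's allowlist, hosts whose names imitate Google Analytics or Google Tag Manager, and references to services the operator has recorded as defunct (the dangling-reference case a re-registered domain can exploit). Every hostname, the allowlist and the sample HTML are constructed for the example.

```python
"""Audit the <script src> references in a page against an allowlist (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "cdn.shop.example"}
# Services the operator knows have shut down: a surviving reference is dangling.
DEFUNCT_HOSTS = {"cdn.defunct-analytics.example"}
# Substrings suggesting a host is imitating Google's analytics/tag scripts.
LOOKALIKE_TOKENS = ("google", "analytics", "tagmanager", "gtm")

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # every src attribute seen on a <script> tag
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def audit_scripts(html):
    """Return (src, finding) for each external script that needs review."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        # Scheme-relative "//host/x.js" parses as a URL; bare paths yield no host.
        host = (urlparse(src if "//" in src else "https://" + src).hostname or "").lower()
        if not host or host in ALLOWED_HOSTS:
            continue  # same-origin or explicitly trusted third party
        if host in DEFUNCT_HOSTS:
            findings.append((src, "dangling reference to defunct service"))
        elif any(tok in host for tok in LOOKALIKE_TOKENS):
            findings.append((src, "look-alike analytics host not on allowlist"))
        else:
            findings.append((src, "unknown third-party host"))
    return findings

# Constructed sample page: one first-party script, one trusted third party,
# one look-alike host, one dangling reference and one unknown vendor.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://www.google-analytics-stats.example/analytics.js"></script>
<script src="//cdn.defunct-analytics.example/tracker.js"></script>
<script src="https://static.unknown-vendor.example/widget.js"></script>
</head><body></body></html>"""
```

Running `audit_scripts(SAMPLE_HTML)` yields three findings, one of each kind; pairing the allowlist with a Content-Security-Policy `script-src` directive turns the same list into a browser-enforced control rather than a periodic audit.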

Ransomware Remains a Threat

Banks are among the organizations that continue to fall victim to ransomware attacks. So far this year, Flashpoint reports, data was leaked from 55 financial services firms that declined to pay a ransom to their attackers. Not all ransomware attacks involve the theft of data or the leaking of that data if a victim doesn't pay, meaning the actual count of victims in the sector could be much higher.

Trellix earlier this year warned that it had seen a rise in ransomware attacks targeting the financial services sector (see: Bank on Seeing More Targeted Attacks on Financial Services).

For ransomware attacks, phishing was the dominant initial access vector used by attackers in Q3, ransomware incident response firm Coveware reports. Gaining access via software vulnerabilities or remote services such as Remote Desktop Protocol was less common, and very occasionally initial access was traced to an insider.

Initial access vectors seen across thousands of ransomware incidents per quarter (Source: Coveware)

State-Sponsored Hackers

Experts say one of the most prevalent of the advanced hacking groups that target financial services continues to be North Korea's Lazarus nation-state hacking team. The group appears to operate as a state-backed arm of the government, using hack attacks to divert hundreds of millions of dollars into its development of nuclear weapons and intercontinental ballistic missiles (see: Feds Offer $5 Million to Help Disrupt North Korean Hackers).

Over the course of this year, the Talos threat research team at Cisco reports seeing "prolific activity from malicious cyber threat actors tied to the government of North Korea," of which Lazarus remains one of the most active. "The group has broadly targeted government organizations, healthcare, the defense industry, media and critical infrastructure entities," it reports. "Lazarus has also conducted widespread monetary theft primarily against financial institutions including cryptocurrency exchanges" (see: US Treasury Sanctions Tornado Cash, Freezes Its Assets).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.