Attack the Hack: How Banks Can Beat Modern Malware

David Vergara, July 15, 2019

The complex stage where banks operate today resembles a theater where a trio of players vie for the spotlight. Regulations with punitive measures for non-compliance, such as PSD2 in Europe, drive stronger security. Bank growth initiatives strive to cut friction across digital channels and spur customers into more and higher value transactions.

And finally, there’s the dark force, portrayed by a truly malicious actor: the one who steals bank customer credentials to perpetrate fraud by emptying accounts.

Banks have dealt with all three forces for many years, struggling on despite the billions of dollars invested in anti-fraud technology globally. In fact, banks lost $16.8 billion to cybercriminals in 2017, according to Forbes. Today, fraud has more than doubled from 2016 for key loan products such as car loans, mortgages, student loans and home equity lines of credit.

And one of the most effective methods these cybercriminals use to steal personal data is malware.

Defiling Malware, Defined

As explained on BAI, malware is simply a tool that hackers use to swipe data and commit bank fraud. Relative to early bank fraud schemes such as phishing and pharming, malware is newer and has been very successful at circumventing bank security technologies. Near the top of the list is mobile malware, which commonly masquerades as a repackaged app that’s essentially an indistinguishable knock-off of the original.

Malware attempts to steal account and login information, making account takeover fraud (ATO) possible. Once the hacker takes over, they can transfer money from the victim’s account to their own through a simple electronic funds transfer. By itself, ATO represents a $5 billion problem for global banks, making it a strategic focal point for banks to address.

There are two types of bank malware attacks:

  • General attacks are designed to steal user login information not just for banking applications but also for any Secure Sockets Layer (SSL) session. These attacks also collect credentials for social networking sites and web-based email.
  • Targeted attacks made Zeus malware infamous worldwide years ago—and its variations continue to plague banks today. The cybercriminal designs configuration files that target specific financial organizations. Then, they trigger a man-in-the-browser (MitB) attack, which simply uses the configuration file to render a fake web page indistinguishable to the end user. Hackers can then easily steal account and user data to drain funds.

The Many Modes of Malware

With names straight from a Marvel Comics epic, banking trojans disguise themselves as a legitimate app or software that users download and install. Once installed, they activate various methods to extract personal and account details and transmit them back to hackers for siphoning funds.

The attack method differs across trojans. For example, Zeus (aka ZBOT; family includes Zeus Panda, SpyEye, Ice IX, Citadel/Atmos, Carberp, Bugat and many others) installs itself on Windows computers via spam emails and drive-by downloads (files downloaded from legitimate sites that have been infected). Once installed, Zeus uses keystroke logging—that is, it reads a user’s keyboard inputs—to record bank login details and forward them to hackers. It also connects itself to a botnet to process and execute new instructions.

Marcher malware, however, is designed with mobile users in mind. It’s equipped with several sophisticated means of attack, including the ability to mirror official banking app screens. When the user opens an official bank app, Marcher immediately overlays its own fake screen on top of it. Of course, the user thinks they’re entering information into their app. But they’re really sharing all the sensitive information with the trojan, which can now execute account takeover fraud.

Even with the vast numbers and types of malware today, the speed and innovation of newly developed variants is incredible. Worse still, each new generation is exponentially more sophisticated in evading detection to ensure a longer life of stealing personal and account information. According to Kaspersky Labs, the number of mobile banking trojans increased 138 percent between 2017 and 2018.

Five Weak Links in the Fraud-fighting Chain

Aside from addressing the malware itself, banks should always think more holistically and consider it one key chink in the anti-fraud armor. As explained on BAI, these five weak links enable malware and fraud among banks today:

  1. Static authentication – Simple username/static passwords are easy to hack. If they are the sole authentication method, they open the door for hackers to use them repeatedly across user applications. Cost-effective multi-factor authentication, including biometric options, enables stronger security with a better user experience.

  2. Vulnerable channels – Unencrypted client/server authentication channels allow bad actors to intercept user credentials. Encrypting these communications is vital.

  3. Insufficient protection of the mobile app – Most experts agree that app developers spend disproportionate time on user experience over security. For this reason, app shielding should be used on all banking apps to mitigate sophisticated malware attacks. Banks with the ability to detect, prevent, and report on various attacks can mitigate account takeover fraud and better adapt to emerging fraud methods.

  4. Selective data collection and analysis – Any fraud solution should leverage comprehensive user, device, and transaction data across digital channels to get a clearer view of context, ultimately using it to drive fraud detection accuracy.

  5. Reactive approach to fraud detection – Near real-time and manual fraud review doesn’t cut it in the modern, omnichannel banking world; it allows more fraud to flow through, driving greater exposure for banks. Fraud detection platforms should be real time, using traditional rule sets with machine learning to better detect new and existing fraud.
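
As an added illustration of weak links 4 and 5 (not code from the article or from any vendor product), the sketch below scores a transfer inline, before it executes, by combining user, device and transaction context. The signal names, weights, thresholds and sample events are assumptions constructed for this example; a production platform would tune them and feed in a model score as one more signal.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Profile:
    """Per-customer history gathered across channels (constructed fields)."""
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    past_amounts: list = field(default_factory=list)

# Hypothetical weights and decision thresholds, chosen for the example only.
WEIGHTS = {"new_device": 30, "new_payee": 25,
           "amount_spike": 25, "fast_after_login": 20}
STEP_UP, HOLD = 40, 70

def score_transfer(profile, event):
    """Return (score, reasons, decision) for one transfer, evaluated inline."""
    reasons = []
    if event["device_id"] not in profile.known_devices:
        reasons.append("new_device")          # device context
    if event["payee"] not in profile.known_payees:
        reasons.append("new_payee")           # transaction context
    if profile.past_amounts and event["amount"] > 5 * median(profile.past_amounts):
        reasons.append("amount_spike")        # user history context
    if event["ts"] - event["login_ts"] < 20:
        reasons.append("fast_after_login")    # scripted-session indicator
    score = sum(WEIGHTS[r] for r in reasons)
    decision = "hold" if score >= HOLD else "step_up" if score >= STEP_UP else "allow"
    return score, reasons, decision

def commit(profile, event):
    """Learn from a transfer only after it was allowed or verified by step-up."""
    profile.known_devices.add(event["device_id"])
    profile.known_payees.add(event["payee"])
    profile.past_amounts.append(event["amount"])

# Constructed sample data: one customer and three transfer attempts.
ALICE = Profile({"dev-a1"}, {"landlord", "utility"}, [120.0, 80.0, 950.0, 60.0])
ROUTINE = {"device_id": "dev-a1", "payee": "utility", "amount": 120.0,
           "login_ts": 1000, "ts": 1090}
NEW_PHONE = {"device_id": "dev-b2", "payee": "friend", "amount": 50.0,
             "login_ts": 2000, "ts": 2120}
TAKEOVER = {"device_id": "dev-zz", "payee": "acct-9", "amount": 4000.0,
            "login_ts": 3000, "ts": 3008}

if __name__ == "__main__":
    for name, ev in (("routine", ROUTINE), ("new phone", NEW_PHONE), ("takeover", TAKEOVER)):
        print(name, score_transfer(ALICE, ev))
```

The middle case shows why the decision is graded rather than binary: a customer with a new phone paying a new payee is asked for stronger authentication instead of being blocked, and the profile is updated only once that check succeeds.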

Parting Thoughts: A Closure of Malware Exposure

Cybercriminals love the rich targets that lie within the modern digital banking realm. It’s compelled them to outpace banks in a “space race” of fraud where billions of dollars are at stake.

Though a vast amount of malware exists today—and more is propagated every day—banks also have the tools and tech to mitigate exposure. More than ever, a key technology to defeat mobile malware is app shielding. It should be used on all mobile banking apps, as it wards off malware and intrusion, tampering and reverse-engineering.

This and the other anti-fraud technologies belong on the short list of every financial institution. First, it’s the best way for banks to up their game against modern malware and fraud. Second, there’s no gain in letting your successful financial play devolve into a tragedy.

This article, originally published on June 28, 2019, first appeared on BAI.org.

David Vergara is Director of Security Product Marketing at OneSpan and has over 10 years of experience in the software security space. Prior to OneSpan, he was VP Marketing for Accertify leading go-to-market strategy for their online fraud detection solution.