In March of this year 15 Canadian financial institutions were targeted by new a malware attack aimed at stealing passwords.
This followed this discovery in January aimed at the Bank of Montreal (BMO), Royal Bank of Canada (RBC) and National bank of Canada and a number of other institutions around the world that included luring customers to fake bank Web sites.
Financial institutions have always been in the sights of hackers for obvious reasons, but a new study released this morning by security vendor Raytheon Websense says its part of a recent trend by attackers to hone in on the sector.
There are three times as many security incidents among banks, credit unions and insurance companies that any other sector, Carl Leonard, the vendor’s principal security analyst, said in an interview.
“The landscape in 2015 is very dynamic … Malware authors have definitely changed gear this year to adjust their attack methods, how dynamic they are being and the emphasis on financial services.”
Not only do attackers regularly change tactics and exploit kits, they also shift where they are coming from, Leonard added. While most attacks originate in the U.S. — ranging from 30 to 70 per cent in any given month — in April attacks from Canada were in the top five (although in single digits).
“They’re doing that so it’s not easy to predict who is going to be number one,” Leonard said. “They’re trying to make it difficult to defend against, difficult to report on and difficult to understand the attacks.”
Another popular strategy is typosquatting, creating a fake Web site with a URL that has a spelling error hackers count on victims making — for example, typing .co instead of .ca. These sites are the launching pads for malware to be send to unwitting consumers.
In an email interview Michael Ball, Â ITWorldCanada.com blogger and director of IT security architect for Manulife Financial, said typosquatting is a problem his company regularly faces. “The problem is that people – the public in general – are easily manipulated when it comes to anything that looks like it might impact their financial well being” and click on a message, he wrote.
“Dozens of illegitimate domains are created each year that use either the Manulife or John Hancock brand [Manulife’s U.S. division] in their name, but are not affiliated with us in any way.”
Ball also said financial institutions are too slow in adopting enhanced security measures between each other. The cause, he thinks, is “more politics, and the lines of business assuming  ‘They’re a big financial institution like us.  They have to be safe to work with,’ not understanding that we are facing our own security challenges.”
Because this country doesn’t have a mandatory breach notification law — and the one that came into being last week hasn’t come into effect yet — it’s not easy to figure out how many successful breaches there have been in the financial sector.
According to one source, last year the Bank of Nova Scotia saw 643 records compromised by an insider, and the Bank of Montreal suffered a breach with an unknown number of records lost in what was described as an accidental loss involving account access. That doesn’t include customers who individually fell victim to a scam.
The variety in attacks doesn’t make it easy for CISOs to keep on top, Leonard said. For example, use of obfuscated code can account for as much as half of all threats in one month, and none at all in an attack the next month.
Obfuscation and search engine optimization poisoning continue to be more prevalent in attacks against financial services than other industries, the report says.
They also have to deal with a constant barrage of low-level attacks cyber criminals use to keep security pros distracted while they launch targeted attacks against senior staff who might have administrative privileges.
One might think that the sector would by now be aware of the need to be run by best practices. But the bank quotes a Wall Street Journal article that an unnamed CSO of a Fortune 500 bank didn’t patch several servers for the Heartbleed bug. The reason, the executive said, was it would break continuity with several European banks that hadn’t upgraded their systems. Patching, apparently, would disrupt their operations with its overseas partners.
Leonard said CISOs in the financial sector have to understand risks of each threat type they face to craft their responses. In particular they have to figure out how to deal with the “easy to handle ones in a quick and efficient manner” so they can “zoom in on the most risky types of threats.”
