Some hacks are serendipitous events for skiddies who happen across a website with an easily exploitable common vulnerability. Others, especially the major breaches of major enterprises, are planned and executed with care. Such planning often leaves traces of noise across the internet. IntSights, founded in 2015, searches both the surface and deep web for this noise, and converts it into actionable intelligence. It looks for evidence of planned attacks before they actually occur.
Financial services is one sector that is unlikely to fall to skiddie attacks. The bank heists of $4.4 million (NIC Asia Bank, November 2017), $60 million (Far Eastern Bank, October 2017) and $100 million (Post-Soviet Bank, Russia, February 2017) would have needed planning. IntSight is predicated on the idea that such planning may be detectable; and if detected, the attack can be mitigated.
It has found considerable growth in pre-attack indicators, matching the actual growth in real financial services attacks. An analysis (PDF) focuses on two categories of 'attack indicators' found on the internet: company or customer data offered for sale in a black market, and phishing email target lists. Based on this analysis, IntSights finds that financial organizations comprise the single most-attacked industry sector.
In the first six months of 2017, it found an average of 207 attack indicators per U.S. bank. By the first six months of 2018, this had risen to an average of 520 indicators per bank -- an increase of 151%.
These figures come from a similar year-on-year growth of 135% in instances of financial data being sold on dark web black markets. a 91% increase in corporate email addresses found on phishing target lists, a 40% increase in corporate credential leakage, and a 149% increase in stolen bank card information.
Following high-profile takedowns of major deep web marketplaces leading to arrests and prosecutions for the sale of illegal physical goods (such as drugs and guns), IntSights believes that these marketplaces are now concentrating on the sale of data. However, even this is evolving. While the deepest forums remain, criminals are increasingly untrustful of their fellow members -- and are shifting towards business hidden in plain sight on the surface web.
Over the same period, IntSights has seen a 49% growth in the creation of fake social media accounts -- or put another way, two new fake profiles targeting each individual bank per week.
"A fake profile," notes the report, "can lure users to phishing sites or downloading fake apps. It can pose as customer service and ask for confidential information. It can spread false information to misdirect the public, manipulate stock price or influence the public to buy or sell. Additionally, it can also be used to harvest personal data and enrich other personal data that the attacker might hold."
The report also notes that the three dominant hacking groups that attack the financial sector are Money Taker, Carbanak and Cobalt -- all believed to be situate in Russia. Money Taker is thought to be responsible for more than 20 successful attacks against financial institutions in the U.S., UK and Russia. Carbanak has been credited with more than 300 successful attacks on banks, financial institutions and retailers. Cobalt has been credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan.
However, financial services aren't merely attacked by criminal gangs -- they also attract the attention of nation-state APT groups like Lazarus (North Korea). Lazarus has been credited with the 2014 attack on Sony Pictures; the WannaCry ransomware attack on multiple organizations around the world; the theft of $12 million from Banco del Austro in Ecuador; the theft of $1 million from Tien Phong Bank in Vietnam -- SWIFT attack; the theft of $81 million from the Central Bank of Bangladesh; the theft of $60 million from FEIB Bank in Taiwan; and the theft of $5 million from various banks in Nepal.
Based on its analysis of the activity it has tracked over the last 18 months, IntSights sees a continuously adapting and evolving financial services threat landscape -- some of which is already evident. Criminals will increasingly attack the supply chain, gaining access to large enterprises via their smaller suppliers. They will also look to compromise third-party software used by larger organizations -- a case in point being the recent Ticketmaster breach via Inbenta software.
IntSights also believes that direct extortion 'will become the new ransomware'. The huge fines that can be levied from new legislation such as the EU's General Data Protection Regulation (GDPR) will far exceed that amount that can be extorted by ransomware or the cost of recovering from ransomware. "Regulation fines and brand reputation damage," warns the report, "can be way more costly than downtime or lost data. Therefore, organizations are willing to pay more to not have a breach disclosed to the public, rather than pay to regain access to their data. Hackers will leverage this fear as a tactic to get more money."
Finally, IntSights notes that black market vendors are moving away from the deep web "to social media platforms (such as Facebook closed groups) and encrypted chat rooms (such as Telegram, ICQ and Jabber). We expect this trend to continue over the next year as it provides black market vendors with better privacy and secrecy."
"We see many financial organizations too focused on stopping direct attacks to their corporate systems," concludes Itay Kozuch, director of threat research at IntSights. "However, our research shows that cybercriminals have begun circumventing these defenses using social media, mobile application stores and phishing schemes.
"These tactics leverage an organization's brand and credibility to trick users and run scams, which can be even more costly and dangerous than direct attacks," he added. "We published our Financial Services Threat Landscape report to help these organizations widen their view of the threat landscape to not just protect against direct attacks, but protect their customers and prevent successful fraud."
Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Previous Columns by Kevin Townsend: