DDoS gets the press – “but it’s fraud that gets the attention of our banking executives,” said Lynn Price, an IBM security executive.
That may surprise given the blizzard of headlines Distributed Denial of Service attacks have won, but DDoS, so far, has not typically inflicted money losses. It may have shut down the websites of targeted institutions but it did no more.
Fraud, by contrast, is all about emptying the till. Sneakily. Quietly. No headlines sought. And exactly that is what bank and credit union executives really lose sleep over.
That reality is driven home in a recent, and detailed, report on the evolving threat landscape compiled by ENISA, the European Network and Information Security Agency. (The free report is here.)
What ENISA reports matters. It is an official agency of the European Union and this particular document is the product of an exhaustive analysis of data collected across the EU. Security vendors frequently color their pronouncements with breathy hype. Not ENISA. It’s more a Jack Webb, “just the facts” style that aimed to uncover what really worries companies and governments in the EU.
Distributed Denial of Service made the ENISA threat list but it was far down.
What ranked as bigger worries in this in-depth survey of IT executives? You already know: attacks with fraud at their heart.
Top of the chart are drive-by exploits, which are nasty attacks on known vulnerabilities of Web browsers and plug ins such as Adobe Flash. The report ominously noted that drive-by attacks has also shown up on Android phones, which could augur a new frontier of cyber crime.
Drive-bys are technically simple. Often many of the details of the how-to are included in announcements by legitimate researchers of the discovery of a vulnerability – and then for the criminal it amounts to waiting for an unpatched browser to show up at a site.
Particularly favorite websites to exploit are low-budget sites, often ones maintained by non-profits.
Last year, security firm Barracuda Researchers analyzed the top 25,000 websites and found enough compromised with drive-by exploits that it estimated they had infected 10 million visitors in just one month.
The worse news about drive-by attacks is that they download malware to the victim’s computer that will later interact with other sites – such as online banking. And that means credit unions have to be alert to members who arrive with infected computers.
The number two threat, per ENISA, are worms and Trojans, already well familiar to credit unions from the Zeus keylogger Trojan.
Especially worrisome to credit unions is that experts report uncovering Zeus kits – which are usually adapted to attack only customers of one financial institution – that have been written for very small institutions. One told me about discovering a kit adapted for a private bank that served under 500 (admittedly wealthy) customers. It’s not only the big banks that are Zeus targets now, and credit unions need to brace themselves for Zeus invasions, experts have told me.
Another threat high up on the ENISA list are exploit kits, which are sometimes referred to as malware as a service. The bad news: would-be cybercriminals who lack significant technical skill increasingly can buy pre-packaged attacks that, for a few thousand dollars, turn a computer illiterate into a world-class hacker.
Some 28% of all Web threats are traced back to one exploit kit, Blackhole, by Internet security researchers Sophos. Particularly insidious about Blackhole is that it starts an attack with a scan of a victim computer and, having identified susceptibilities, it then downloads a precisely honed payload.
Technically, exploit kits bring little new to the party but what they do is multiply the number of threats out there and that just makes the IT security job more complicated.
Also on the increase, according to ENISA, is old-fashioned phishing, which exploits the willingness of many consumers, as well as credit union employees, to click on links in emails and to provide information that should never be given out (such as username and password for online banking).
The ENISA bottom line: threats are multiplying – and a grim reality is that the depth of defenses at credit unions is not necessarily keeping pace. Which is why the question to ask is this: has your credit union kept pace with the development of more malicious computer-based attacks?
The era of robbing a bank or credit union with a gun and a note is entering its twilight. It’s all about bits and bytes now.