The finance sector is perhaps the most obvious target for cyber attacks.

Moving vast amounts of money around, banks and other financial institutions attract criminals after material gain. But because of their inherent power, financial institutions also attract political activists (hacktivists) and nation-state-backed hackers intent on destabilising economies, countries and trading blocs.

Cyber threats vary in their manner and impact and a concerted campaign will blend different attack types at different stages. Attacks on financial organisations seek one or more of the following:

1. User accounts for email and other systems
2. Access to confidential transactional data
3. Copying and extracting of customer account data
4. Control over transactional systems, either to steal or disrupt

A campaign might start with spear-phishing to gain access to a particular person’s PC. This is then used to send clone emails to others in the organisation, eventually getting high-level access to systems. Then data is stolen via exfiltration or systems deliberately crashed, depending on the overall goals of the hackers.

What are all these different attacks and how do they damage financial organisations?

Types of cyber threat

Phishing and its various off-shoots

Phishing is the number one way for cyber criminals to get a foothold in your network.

Some emails use a scatter-gun approach, sending the same generic email to a large number of email addresses. They’ll superficially resemble emails from delivery companies, online shopping platforms, banks or other widely-known organisations. They are usually deployed by criminals rather than hacktivists.

Spear phishing is targeted and more sophisticated, using company logos and graphics in emails that target a particular organisation, sometimes an individual, like a technical supervisor with privileged system access.

Whaling is a subset of spear phishing where the targets are high level. They’ll include directors and C-suite members, particularly the non-technical ones who may not be as cautious as a CISO or CIO.

Clone phishing is a variant where a copy of a previously seen message is created and sent from an email address as close as possible to a company address. Often this is a second stage – the email will be sent from an already compromised but low-level system, to try and gain access to higher level systems.

Malware

Often the intent of a phishing email is to draw people into downloading and installing malware. This generic term covers a multitude of malicious programs but the ones most likely to be used against financial institutions are:

Trojans – masquerade as legitimate programs but once installed can be used to run a variety of other malicious programs, mostly aimed at finding confidential information

Spyware – looks for potentially useful information and sends it back to the hackers

Keyboard logger –type of spyware that records keystrokes to collect usernames and passwords

Other types of malware, including ransomware and cryptocurrency mining software, are usually launched indiscriminately. Financial organisations are as likely to be hit by them as any other organisation (and should protect against them) but rarely as part of a targeted campaign.

Data exfiltration

This term refers to a technique for taking data out of the organisation once unauthorised access is achieved. The internet and internal networks rely on a Domain Name System (DNS) where packets of data are directed to the correct servers (it translates between domain names and IP addresses).

With the right malware in place, criminals can hide stolen data within DNS data packets. As they are so crucial to basic network operations, these packets need to pass through defensive firewalls. Theft is therefore hard to spot and prevent.

The intent with exfiltration by criminals is two-fold. Access to account details allows money to be fraudulently moved or stolen, but there is also money to be made selling personal details on the ‘dark web’; the areas where policing is light and criminals trade malware toolkits, stolen data and much more. This means that it’s not just institutions holding funds that need to be concerned with cyber threats – all financial organisations are at risk.

Distributed Denial of Service (DDoS) attacks

DDoS attacks are very different and serve to prevent companies operating.

As DNS is crucial to effective network operation, criminals have developed ways to cripple networks by overloading servers with thousands of spurious requests. The DNS servers do their best to respond to them but eventually slow to a crawl or crash, rendering the network unusable. This prevents the business from doing almost all work that relies on connection to a computer.

Often a DDoS attack is launched by a botnet, a group of many compromised PCs (sometimes thousands) in the control of a hacker. This makes it harder to shut down – if it were only a few computers, those addresses could be blocked and the attack halted.

DDoS attacks are often used by hacktivists to disrupt and damage financial institutions as seems likely with the attack on the Netherlands’ financial institutions in February. But while under a DDoS attack, it’s imperative to start looking for other active cyber threats. If it is a criminal campaign, posing as a hacktivist attack, it could be a smoke screen to hide other simultaneous tactics – perhaps exfiltration or an attempt to crack financial computer systems.

Find out more

Our white paper on security for financial institutions covers the ground in more detail, including how Nominet’s tools and services use the DNS as a protective shield to help organisations cope with digital transformation and regulatory compliance.

To download a copy of the white paper simply enter a few details using the link below.