Financials – SurfWatch Labs, Inc.

Payment Card Fraud and Cryptocurrency Attacks Saw Significant Increase Last Quarter

The financials sector saw an increase in incident volume in the third quarter of 2017, and much of that increase revolved around cyber-attacks targeting various cryptocurrency platforms, as well as payment card breaches in the consumer goods sector that led to increased fraud activity on cybercriminal markets.

2017-10-12_FinancialRisk — The financial sector (blue) saw above average risk scores for incident volume, effect impact, and targeted asset in Q3 when compared to all sectors (black).

Key takeaways from SurfWatch Labs’ threat intelligence findings for the period include:

Banks remained as the top trending group associated with cybercrime in the financials sector, accounting for nearly one quarter (24.4%) of the negative cyber events collected by SurfWatch Labs; however, that percentage was down from 38.1% in the first half 2017 and 35.8% across all of 2016.
That drop was largely attributed to increased activity in the specialty financials group, which saw its percentage of threat intelligence jump from 7.4% in the first half of 2017 to 19.4% in Q3 as malicious actors increasingly targeted cryptocurrency platforms.
Payment cards were the dark web target category to see the most significant increase, accounting for 14.6% of the financials sector’s dark web threat intelligence – a rise from 7.1% in the first half of 2017.

2017-10-12_FinancialIncidentVolume — The financials sector saw an increase in the amount of threat intelligence collected by SurfWatch Labs beginning in July, and that increased volume continued throughout Q3 2017.

Malicious Actors Increasingly Targeting Cryptocurrency

Cybercrime incidents related to the banking group remained the most widespread in SurfWatch Labs’ Q3 threat intelligence data. However, when excluding our dark web data, many of the most noteable cyber-attacks – including all five of the top trending incidents for the period – occurred at cryptocurrency organizations in the specialty financials group.

2017-10-12_FinancialGroupsAll — Specialty financials accounted for 19.4% of the cybercrime threat intelligence collected by SurfWatch Labs during Q3, a significant increase from the 7.4% during the first half of 2017.

Several of the top trending cyber-attacks in Q3 revolved around the hijacking of Ethereum Initial Coin Offerings (ICO) in order to steal cryptocurrency. Notable attacks include:

- In July, Coindash said that an actor gained access to its website during the company’s ICO and changed the text on the site to a fraudulent Ether wallet address – resulting in $10 million worth of Ether being stolen from investors.
- Veritaseum also reported in July that it had $8.4 million worth of tokens stolen during its ICO as a result of a “very sophisticated” attack, which may have involved at least one corporate partner dropping the ball, according to the company’s founder.
- In August, Enigma Catalyst said that investors were scammed out of approximately $500,000 of Ether when malicious actors hijacked the company’s website, mailing lists, and Slack accounts and subsequently offered a fake pre-sale to investors ahead of the company’s upcoming ICO.

In addition, there were a variety of other cryptocurrency-related attacks during the period. For example, a bug was found in the multi-signature wallet code used as part of Parity Wallet software, which led to wallets being exploited and reports of approximately $34 million worth of Ether being stolen before white hat hackers intervened to prevent an additional $85 million in theft. In addition, a malicious actor was also able to trick the hosting provider of the open source Classic Ether Wallet into hijacking the Classic Ether Wallet domain, resulting in potential theft as transactions were made on the site.

As cryptocurrencies continue to gain legitimacy and value, it is likely that malicious actors will continue to shift towards targeting them in both the near and long term. For example, one group is tracking over 150 active Ethereum scams heading into the fourth quarter of the year. Exploiting the popularity of cryptocurrencies has proven to be highly profitable for both cybercriminals and state actors, such as North Korea.

Fraud Activity Increases on the Dark Web

SurfWatch Labs also observed an increase in the amount of fraud-related activity in Q3, with fraud accounting for 43.6% of financials dark web threat intelligence – a significant jump from previous periods. In the first half of 2017, fraud accounted for 24.4% of collected dark web intelligence, and during 2016 it accounted for 24%.

2017-10-12_FinancialEffectMacrosDarkWeb — SurfWatch Labs collected a much larger percentage of fraud-related threat intelligence in Q3 2017 than during any other recent period.

Digging deeper into the data, it is clear that point-of-sale (POS) and other payment card breaches helped to drive a significant portion of fraud activity in Q3. In the first half of 2017, the target tag of “payment cards” appeared in only 8.3% of the dark web threat intelligence collected by SurfWatch Labs. In Q3 that number rose to 14.5%.

Some of the notable payment card breaches announced during Q3 include:

The fast food chain Sonic has been tied to at least a portion of five million fresh payment cards being sold on a cybercriminal market.
Whole Foods announced a POS breach involving its taprooms and restaurants.
Avanti announced a POS breach affecting an undisclosed number of the company’s self-serve snack kiosks.
Equifax’s massive breach included more than 200,000 payment cards.
B&B Theaters announced it was investigating a payment card breach that may date all the way back to 2015.
Sabre announced a breach affecting its SynXis Central Reservations system back in May, and affected hotels continued to issue breach notification letters throughout Q3.
Third-party vendor Aptos continues to be tied to payment card breaches at online retailers.

Other payment card breach notifications and investigations have continued to be announced in the days since Q3 ended, including a POS breach at Hyatt Hotels and Irish retailer Musgrave warning SuperValu, Centra, and Mace customers to be on the lookout for fraud. In addition, Flexshopper announced it exposed payment card information, and Tommie Cooper and Cricut announced they discovered malware on their website checkout pages.

Numerous organizations also warned of payment cards phishing scams during the period – including Netflix, Uber, E-ZPass, Newcastle University, and more. A number of other data breaches and leaks involved partial payment card information.

Conclusion

The financials sector continues to be the target of a wide range of attacks due to the nature of the data organizations hold and the services they provide. As we noted in our Fraud and the Dark Web whitepaper, the number of avenues through which malicious actors can carry out fraud has increased along with the number of digital accounts tied to financial information. However, Q3 saw an increase in more traditional payment card fraud activity on the dark web – likely resulting from several large one-off POS breaches, as well as issues at vendors that have spread through the supply chain to affect both in-person and online purchases.

On the flip side, the number of cryptocurrency related breaches, particularly those tied to Ethereum, have highlighted a shift that may have legs – particularly since there is less regulation and, in some cases, less security to circumvent in order to pull off multi-million dollar heists. For example, it was reported that at least one Slack account with administrative privileges at Enigma used a previously leaked password and didn’t require two-factor authentication. Likewise, the incident involving Classic Ether Wallet began by simply socially engineering a third party over the phone by impersonating the site’s owner. Malicious actors are quick to copy the successful techniques of their peers, and we will likely see similar attempts against cryptocurrency organizations in the future.

Weekly Cyber Risk Roundup: Yahoo’s Value Drops and New Regulations

Yahoo is once again back in the news for a variety of reasons, including a reported third data breach. However, it appears the reports of a “new breach” stem from additional notifications that were sent to some users on Wednesday regarding forged cookies being used to access accounts. Yahoo first disclosed that it was notifying affected users that “an unauthorized third party accessed our proprietary code to learn how to forge cookies” in its December 2016 breach announcement.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said regarding the recent account notifications. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”

In addition to users potentially growing weary of Yahoo’s months-long series of breach notifications, two senators sent a letter to Yahoo questioning the company’s “willingness to deal with Congress with complete candor” about the recent breaches. Initial inquiries showed that “company officials have been unable to provide answers to many basic questions about the reported breaches” and a planned congressional staff meeting was cancelled at the last minute by Yahoo, wrote Sen. John Thune, chairman of the Senate Commerce Committee, and Sen. Jerry Moran, chairman of the Consumer Protection and Data Security Subcommittee. The letter requests answers to five questions related to Yahoo’s breaches and subsequent response by February 23.

All of that negative press may translate into hundreds of millions of dollars being cut from Yahoo’s pending deal to be acquired by Verizon. Bloomberg reported last Wednesday that the two companies were close reaching a renegotiated deal that would lower the price of the core Yahoo business from $4.8 billion to about $4.55 billion — a $250 million dollar discount. In addition, the remaining aspects of Yahoo, to be renamed Altaba Inc., will likely share any ongoing legal responsibilities related to the breaches, although the deal is not yet final.

Other trending cybercrime events from the week include:

Variety of espionage campaigns: A campaign dubbed “Operation BugDrop” targeted a broad range of Ukrainian targets by remotely controlling computer microphones in order to eavesdrop on sensitive conversations, and at least 70 victims have been confirmed in a range of sectors including critical infrastructure, media, and scientific research. A phishing campaign against journalists, labor rights activists, and human rights defenders used fully-fleshed out social media accounts of a fake UK university graduate to engage with targets for months and make repeated attempts to bait the targets into handing over Gmail credentials. Spyware from the Israeli cyberarms dealer NSO Group has been found on the phones of nutrition policy makers, activists and government employees that are proponents of Mexico’s soda tax, leading to concerns over how the NSO Group is vetting potential government clients and whether a Mexican government agency is behind the espionage.

Actor breached dozens of organizations: A hacker going by the name “Rasputin” has breached more than 60 universities and government agencies by allegedly using a self-developed SQL injection tool. The targets included dozens of universities in the U.S. and the UK, city and state governments, and federal agencies like the Department of Health and Human Services.

Employee data compromised: In addition to a growing list of organizations impacted by W-2 phishing emails, Lexington Medical Center announced a W-2 breach involving unauthorized access to its employee information database known as eConnect/Peoplesoft. The city of Guelph, Ontario, is notifying some employees that their personal information was compromised when a flash drive containing sensitive documents was accidentally given to a former city employee as part of an ongoing wrongful dismissal lawsuit. A data breach at the San Antonio Symphony compromised the data of about 250 employees.

Ukraine accuses Russia of critical infrastructure attacks: Ukrainian officials accused Russia of targeting their critical infrastructure with malware designed to attack specific industrial processes, including modules that sought to harm equipment inside the electric grid. The attacks employed a mechanism dubbed “Telebots” to infect computers that control infrastructure. Researchers believe that Telebots evolved from BlackEnergy, a group that first attacked Ukraine’s energy industry in December 2015.

Other cybercrime announcements: FunPlus, the creators of the popular mobile game Family Farm Seaside, said it was the victim of a data breach, and the actor behind the attack claims to have stolen millions of email addresses as well as 16GB of product source code. Columbia Sportsware announced that it is investigating a cyber-attack on its prAna online clothing store. Hackers have stolen data on approximately 3,600 customers of Danish telecom company 3 and then attempted to blackmail the company for millions of dollars in return for not making the data public. Family Service Rochester, an organization that works with families with child welfare or family violence concerns, is notifying individuals of unauthorized access to their personal information, as well as a ransomware infection. Bingham County computer servers were infected with ransomware. The Russian Healthcare Ministry recently experienced its “largest” DDoS attack in recent years.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

In addition to Yahoo, the past few weeks have seen several new regulatory announcements and fines related to data breaches.

For starters, New York Governor Andrew Cuomo announced that new regulations will go into effect on March 1, 2017, “to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks.” The regulation includes minimum standards organizations must meet, such as:

Controls relating to the governance framework for a robust cybersecurity program, including adequate funding, staffing, oversight, and reporting
Standards for technology systems, including access controls, encryption, and penetration testing
Standards to help address breaches, including an incident response plan, preservation of data, and notice to the Department of Financial Services (DFS) of material events
Accountability by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS

In addition to the New York regulations, the Australian data breach notification law passed through the Senate and will go into effect either by a proclaimed date or a year after receiving Royal Assent. Violating these soon-to-be-implemented rules can be costly for organizations. Over just the past week organizations of various sizes announced breach-related settlements — most of which were compounded by not following required security practices.

Memorial Healthcare Systems will pay $5.5 million for failing “to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules.”
Horizon Blue Cross Blue Shield of New Jersey will pay $1.1 million over the theft of unencrypted laptops.
Grand Buffet restaurant will pay a $30,000 over the theft of payment card information by an employee and failing to implement corrective actions after being informed about the mishandling of credit cards.

Following the cybersecurity best practices outlined by regulatory bodies can not only help prevent many security incidents from occurring in the first place, but in the event of a breach those organizations are far less likely to face the wrath of government bodies.

Weekly Cyber Risk Roundup: DDoS Attacks Disrupt Services and SEC Probes Yahoo

A series of distributed denial-of-service (DDoS) attacks against financial institutions led to customers of Lloyds Banking Group experiencing intermittent outages over a 48-hour period and was the top trending cybercrime event over the past week.

The Guardian reported that the attacks hit Lloyds, Halifax and Bank of Scotland from January 11 to January 13. IBTimes reported that other unnamed lenders were targeted, but experienced no down time. Motherboard spoke to a hacker who claimed to be behind the attack and allegedly tried to ransom Lloyds over the incident. However, Lloyds issued a statement saying it was able to provide normal service for “the vast majority” of customers and that “only a small number” experienced any issues during the attack.

In other DDoS news, the ticketing systems for the Sundance Film Festival were taken offline due to a cyber-attack on January 21. “We have been subject to a cyberattack that has shut down our box office,” the festival tweeted. “Our artist’s voices will be heard and the show will go on.” According to The Hollywood Reporter, “although the festival was able to get its ticketing systems back online within an hour of the Saturday breach, multiple other denial-of-service (DDoS) attacks on Sundance’s IT infrastructure followed.”

Finally, the Korea Internet & Security Agency recently issued a report echoing concerns shared by other security professionals, including SurfWatch Labs Adam Meyer: expect DDoS attacks leveraging Internet-of-Things devices to rise in 2017. South Korea has recently faced political turmoil, and in December the country’s Constitutional Court began its first hearings on the impeachment of President Park Geun-hye. The agency report predicted that DDoS attacks may occur against key government agencies and social infrastructure-related facilities with the goal of stirring the political and social instability brought on by the impeachment proceedings and potential upcoming election. According to SurfWatch Labs’ data, government was the third highest trending sector related to DDoS attacks in 2016, behind only information technology and consumer goods.

Other trending cybercrime events from the week include:

Another year of W-2 breaches begins: Approximately 1,400 Campbell County Health employees had their W-2 information stolen when an employee fell for a phishing email impersonating a hospital executive. Eight Missouri school districts were targeted with identical phishing messages impersonating the superintendent and requesting employee W-2 information, and an employee at the Odessa School District fell for the scam and forwarded the information. The Argyle Independent School District in Texas and the Tipton County School District also reported breaches due to similar phishing emails.

Media outlets hit with political attacks: The Twitter accounts of BBC Northampton and The New York Times video were both hijacked and used to spread fake messages saying that President Donald Trump was injured in the arm by gunfire at his inauguration and that Russia was planning to attack the U.S. with missiles. Crescent Hill Radio WCHQ said its FM feed was hacked and a song titled “Fuck Donald Trump” was played on repeat for 15 minutes before the station could shut down the broadcast.

Exposed databases reveal sensitive data: Security researchers have found nearly 400,000 audio recordings belonging to VICI Marketing exposed to the Internet, and as many as 17,649 of those recordings include customer payment card numbers and private customer information. The other 375,368 audio recordings are “cold calls,” some of which contain personal information. A misconfigured database used by The Candid Board, a subscription website dedicated to images and video of women who appear unaware they are being recorded, led to the leak more than 178,000 members’ information. The source also said that he or she is in possession of “a large chunk of data from multiple boards operated by this group,” which IBTimes explained was in reference to another leaked database holding tens of thousands of records from a website called NonNudeGirls.

Arrests and charges: A former employee of First Niagara call center admitted to using his position to steal callers’ personal information and then using that information to transfer $15,492.59 from customer accounts to his own. An IT worker employed by the New York Police Department accessed personnel files of police officers and then attempted to sell that information to an undercover informant. A 32-year old Russian programmer suspected of developing the NeverQuest banking Trojan was arrested in Barcelona, according to Spanish authorities.

Other cybercrime announcements: A hacker gained access to a server for the National Aids Research Institute in India and was able to access an archive containing the results of dozens of HIV tests. Malware was found on computers at 21 locations of Bowlmor AMF, the world’s largest bowling center operator, leading to a point-of-sale breach. Cockrell Hill Police Department in Texas lost some digital videos and documents dating back to 2009 after ransomware encrypted the departments files and those encrypted files were then saved to the automatic backup system. Other breach announcements include the South Washington County School district in Minnesota, MultiCare Health System, Ohio State Veterinary Medical Center at Dublin, Catholic Charities of Baltimore, and Wisconsin Democratic Party websites.

Cyber Risk Trends From the Past Week

The fallout over two massive data breaches at Yahoo continued this past week as it was reported that the Securities and Exchange Commission (SEC) opened an investigation into the timeline of Yahoo’s data breach disclosure and that the sale of Yahoo’s main web operations to Verizon has been delayed until the next quarter.

Sources told The Wall Street Journal that the SEC issued a request for documents from Yahoo in December and is looking into whether Yahoo’s breach disclosures may have violated civil securities laws. The investigation will likely focus on Yahoo’s 2014 data breach affecting 500 million users, which was announced in September 2016. Yahoo is said to have linked the 2014 breach to state-sponsored actors two years before the public disclosure. In December 2016 Yahoo disclosed a separate breach affecting more than one billion users.

The SEC has never brought a case against a company for failing to disclose a data breach, the Wall Street Journal reported, but experts said the SEC has been looking for a case to clarify guidance issued in 2011. That guidance requires the disclosure of material information about cybersecurity risks and incidents if it could affect investors, but what is “material” is still a question – a question that this case may potentially help answer.

Those two data breaches have led to speculation over the past few months of how they may impact Verizon Communication’s acquisition of Yahoo, which was valued at $4.83 billion last July. Yahoo said it is “working expeditiously” to finish the deal; nevertheless, the sale has been pushed back until next quarter.

“Yahoo has been an interesting process,” Verizon Chief Financial Officer Matt Ellis said in an interview last Tuesday with Bloomberg. “There’s been good progress, but we are still awaiting the final reports and therefore we haven’t reached any conclusions yet.”

Weekly Cyber Risk Roundup: Latest Breaches and Enhanced Security Standards

The massive distributed denial-of-service (DDoS) attack that disrupted websites and services on October 21 was the focal point of a large portion of cybercrime discussion last week. As we noted in a previous post, the attack against DNS provider Dyn has led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

According to some reports, the DDoS attack may have surpassed one terabyte per second of traffic; however, the latest analysis from Dyn indicates that the botnet behind the attack may have been much smaller than the initial reports of “millions.”

“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” wrote Scott Hilton, EVP of products at Dyn. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Other trending DDoS news includes the Syrian Cyber Army claiming responsibility for attacks against Belgian news organizations. The DDoS attacks made several news websites inaccessible or extremely slow, including De Standaard, Het Nieuwsblad, Gazet van Antwerpen, Het Belang van Limburg and RTFB. In another case of ideological hacktivism, Martin Gottesfeld, 32, was indicted for his role in DDoS attacks against Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network. Gottesfeld admitted to his involvement in #OpJustina in a written editorial, saying that the attack against BCH was designed to interfere with a fundraiser in order to cause maximum financial damage. Finally, The Guardian is reporting that financial institutions in London are stockpiling bitcoins in the event extortionists target them with powerful DDoS attacks.

Other trending cybercrime events from the week include:

Payment card breaches announced: Danish payment processor Nets is warning of a payment card breach that appears to be tied to a foreign-based Internet retailer and is advising banks to block up to 100,000 cards in order to prevent fraudulent transactions. A data breach at Hitachi Payment Services, which manages ATM network processing for Yes Bank, is suspected to be the cause of recent fraud that has led to banks in India either replacing or asking customers to change security codes on 3.25 million debit cards. A pro-Donald Trump super PAC known as Great America PAC has mistakenly published the credit card numbers and expiration dates of 49 donors. Last month the same super PAC exposed 336 donors’ email addresses and phone numbers.

Data breaches continue, both large and small: A Red Cross Blood Service database of 1.28 million donor records going back to 2010 was accidentally published to a webserver by a third-party contractor. A hacker known as Peace told Motherboard he hacked Adult FriendFinder and obtained a database of 73 million users, and another hacker known as Revolver or 1×0123 posted screenshots appearing to show he had access to the website’s infrastructure. A Ukrainian hacker group known as CyberJunta has released more than a gigabyte of emails stolen from the office of Russian politician Vladislav Surkov. Baystate Health is notifying about 13,000 patients that their personal information may have been compromised due to a phishing attack that was designed to look like an internal memo. Virgin Media potentially exposed the personal information of up to 50,000 people applying for jobs. Rocky Mountain Credit Union in Montana notified 135 of its members that their personal information may have been accidentally exposed due to an undisclosed security issue discovered on the website customers use to upload documents related to mortgage applications. The University of Santa Clara’s Office of Marketing and Communications had internal documents stolen and leaked to the student newspaper due to an employee leaving his or her username and password in plain site at a workstation.

Update on cybercrime charges and arrests: The Booz Allen Hamilton contractor who was arrested for the possession of classified NSA materials allegedly had documents dating back to 1996 that were marked either “secret” or “top secret,” according to recent court filings. In total, investigators have seized more than 50 terabytes of information and thousands of pages of documents. Celebgate hacker Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced to 18 months in prison for using phishing emails designed to steal Apple and Google credentials and then using those stolen credentials to hack into more than 100 accounts. Authorities said there is no evidence that Collins was responsible for the leak of nude celebrity photographs tied to the hack. Yevgeniy Nikulin, the Russian man who was arrested in connection with the 2012 LinkedIn breach, has also been indicted for his alleged role in the breaches at Dropbox and Formspring, according to documents unsealed on Friday.

Note: Dyn, by far the top trending new target, is not shown in the chart below in order to make the other targets more readable.

Cyber Risk Trends From the Past Week

The Financials sector’s cyber risk score peaked in early October, reaching its highest level since February 2016. Since then, it has steadily declined for most of the month — until the past week. This week’s rise in cyber risk score (+2.2%) was the biggest increase of any sector over the period.

Part of that may be tied to the recent payment card breaches highlighted above, which began at online retailers and other providers before moving to directly impact banks. For example, the chief executive of National Payments Corp of India said that the spike in reported fraud that led to advising banks to replace cards was tied to a possible compromise of one of the payment switch provider’s systems. Sources told Reuters that the issue stemmed from a breach in systems of Hitachi Payment Services, which is currently investigating the matter.

That interconnectivity of the Financials sector has led to concerns from government agencies, and the the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation recently issued a joint proposal on enhanced cyber risk management standards to address those concerns.

“Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the proposal stated. “The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

According to the proposal, “The agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or ‘sector-critical standards,’ applying to those systems of covered entities that are critical to the financial sector.”

The enhanced standards would apply to certain entities with total consolidated assets of $50 billion or more on an enterprise-wide basis, they added. Comments on the proposal are open until January 17, 2017.

Payment Transactions Face New Data Breaches and Exploits

The last few weeks have not been kind to businesses and customers concerning payment transactions and digital currency. Several point-of-sale systems and digital wallet services have come under fire for data breaches and potential financial theft — not to mention the recent theft of $68 million worth of bitcoin.

The most wide-reaching event may be the breach at software company Oracle Corp, which was reported by Brian Krebs on Monday. A Russian cybercrime group appears to be behind an attack that saw the compromise of hundreds of computers system, including a customer support portal for Oracle’s MICROS point-of-sale credit card payment systems.

This could be a potentially huge breach, as more than 330,000 cash registers around the world utilize Oracle’s MICROS point-of-sale system. In 2014, the company said that about 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels used the software.

It is currently unknown how many organizations were affected by the breach or how long the breach took place. The investigation is ongoing, but potential ties to the Carbanak Gang have raised the level of concern. Oracle did tell Brian Krebs that the company “detected and addressed malicious code in certain legacy MICROS systems,” and that Oracle asked customers to reset their MICROS passwords.

Digital Wallets Face Scrutiny

At last week’s Black Hat conference, a security researcher presented on a flaw in the mobile payment system Samsung Pay. Samsung Pay allows customers to save payment cards on a digital wallet, providing users the option to select the payment card of their choice with the added security of a PIN or fingerprint scan to complete a purchase.

Security expert Salvador Mendoza discovered several problems with Samsung pay, including static passwords used to protect databases, weak obfuscation, and comments in the code. Mendoza also discovered issues with the tokens that are used to complete transactions. Cybercriminals could potentially predict future tokens from studying previous tokens used to make fraudulent transactions.

“Samsung Pay has to work harder on the token’s expiration date to suspend it as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase,” Mendoza explained. “Also, Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone will be able to reverse it.”

Samsung responded to Mendoza’s claims by saying “reports implying that Samsung Pay is flawed are simply not true.”

However, in a separate document Samsung did admit that “skimming” a token is possible, although extremely difficult.

“Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the company wrote. “This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.”

Samsung Pay isn’t the only digital wallet in the news for potential cybersecurity issues. Venmo — a digital wallet service that allows users to interact with friends by sending money, making purchases, and sharing payments — made headlines recently for flaws that could potentially lead to malicious purchases.

A flaw in an optional SMS-based feature could allow a criminal to easily steal money from people’s accounts, according to researchers. Because Venmo allows users to charge friends through shared bill pay, that friend has to authorize the charge before payment is made. A hacker with physical access to a Venmo user’s phone could steal money from another user’s account by replying to a notification text message with a provided 6-digit code. A feature in Siri that allows users to reply to text messages from locked devices along with the iOS text message preview feature make this attack possible.

“A hacker could have sent a payment request to a targeted user, and if they had access to the victim’s locked device, they could have used Siri to send the approval code displayed on the screen, ” said Eduard Kovacs of SecurityWeek. “The maximum amount of money an attacker could have stolen from one user was $2,999.99 per week, which is the weekly limit set by the developer.”

Keeping Payments Safe

As we’ve highlighted on this blog and in recent threat intelligence reports, high-profile payment-related breaches aren’t at the forefront of cybercrime in the way they were several years ago. However, recent events prove that these payment systems — traditional point-of-sale systems, digital wallets and digital currencies — can lead to significant direct losses as well as brand damage and other consequences from the negative press generated by discovered vulnerabilities.

As SurfWatch Labs’ Chief Security Strategist Adam Meyer recently wrote, cybersecurity is largely about identifying and removing opportunity for malicious actors to do bad things — either directly or indirectly. There are clear best practices that can be utilized by both businesses and customers to help protect sensitive payment data. Unfortunately, data is only as safe as the methods used to protect it.

Cybercriminals are constantly coming up with new methods and tricks to crack software and trick people into divulging their sensitive information. Cyber threat intelligence can help organizations remain mindful of the many new and evolving threats, identify their weaknesses, and deploy safeguards to protect data — whether that is payment-related data or other sensitive information.

More Financial Institutions Fall Victim to SWIFT Attacks

In late June, reports surfaced of an unnamed Ukrainian bank having $10 million stolen, adding to the growing list of cyber-attacks leveraging SWIFT, the messaging system used by financial institutions around the world.

“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” said the Information Systems Audit and Control Association (ISACA).

These SWIFT-related attacks often require significant time investment from cybercrimnals, but the payouts can be substantial — including an $81 million theft from Bangladesh’s central bank in February.

According to the Kyiv Post:

[ISACA] said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.

“The SWIFT case — it’s actually more in line with what’s happening right now, which we call multi-dimensional attacks because it involves many areas,” said ThetaRay CEO Mark Gazit, who was a guest on this week’s Cyber Chat podcast.

The attacks shed light on the trend of some cybercriminal groups moving beyond personal information and credit card theft. Instead, they are focusing on the institutions themselves and the potentially massive payouts that come along with a successful attack.

These groups are becoming smarter and often know the inner working of banks, Gazit said.

“If you go to the dark web you can find the set of rules for banks in the United States, and some of the banks will have more than 10,000 rules. They’re all published.”

Growing Problem for Financial Organizations

Customers have an expectation of certain convenience features, and banks have to keep pace with those expectations in order to not lose business. The growing digital footprint makes those financial institutions much more susceptible to cybercrime, which is increasingly automated, Gazit said.

This means that cyber-attacks have more impact throughout organizations.

“It becomes a board issue, a CEO issue, a risk issue. Suddenly, it’s not just an issue that IT guys should deal with somewhere in back office rooms. It’s actually becoming something that relates the very core part of the business.”

On Monday, SWIFT announced that they were engaging with several security companies to assist the community by providing forensic investigations related to SWIFT products as well as providing anonymized intelligence data to help prevent future fraud.

Part of the problem around cybersecurity is that teams may be hampered by their past successes and failures, Gazit said.

“Existing organizations such as financial institutions, utility companies, they still have very good people that have extensive knowledge that is derived from the past, and sometimes past knowledge can be a curse when you try to prepare yourself against new attacks.”

He added, “I think that we’ll see more surprises, more attacks that nobody expected, more crime that people will be very much surprised how it happened or how it could happen.”

For more, listen to the full conversation with ThetaRay’s Mark Gazit about how financial sector attacks are evolving and what needs to be done to stay ahead of cybercriminals.

Cyber-Attacks Against Banks Making Huge Impact in 2016

Although the financials sector hasn’t been as widely discussed as others this past quarter, cyber-attacks in the sector are having a greater impact, according to SurfWatch Labs’ data.

snapshot_1462215431132 — The impact and targeted asset financials scores (red) are trending much higher than other sectors (blue), according to SurfWatch Labs.

Since March 2016, the financials industry has made big headlines for high-profile cyber events involving the Central Bank of Bangladesh and most recently, Qatar National Bank. These two banks have contributed enormously to the amount of cybercrime discussion surrounding banks.

2016-05-02_groups — Banks are the most discussed group in the financials sector, accounting for nealy 40% of the negative CyberFacts collected by SurfWatch Labs, followed by Diversified Financial Services (14%) and Specialty Financials (13%)

The Central Bank of Bangladesh is the top trending financials sector target so far in 2016. The multiple cyber-attacks against the Trump Organization – including an Anonymous campaign – and the January DDoS attack against HSBC Bank round out the top three targets.

2016-05-02_itt — *The Central Bank of Bangladesh is the top trending financials target in 2016.*

Latest on Bangladesh Bank Heist

The $81 million bank heist of the Central Bank of Bangladesh is one of the most successful cyber bank thefts in history. The bank was attacked via SWIFT, a well-known and utilized international bank messaging system.

SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. The system authorizes payments between accounts and is recognized for its security. According to Michael Corkery of The New York Times, one financial analyst even called SWIFT “the Rolls-Royce of payments networks.”

Unfortunately for banks, SWIFT issued a warning to customers that cybercriminals have attempted similar bank thefts through its system.

“SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network,” the warning read.

One of the main problems with SWIFT is that not all banks put security features in place to protect against potential threats.

“SWIFT is a great organization,” said Chris Larsen, the founder of Ripple, to The New York Times. “But the system is fractured and antiquated. The way it is set up, you cannot totally isolate problems in a place like Bangladesh from the whole network.”

HSBC U.K. Banking System Taken Offline

In January 2016 Europe’s largest financial lender HSBC suffered a DDoS attack, keeping several banking customers unable to access their accounts. The attack took place on Friday, January 29, and services were restored on January 30.

This was the second website outage suffered by the bank in January.

The attack was particularly damaging due to its timing. HSBC was attacked on the last Friday in January, a particularly busy day for banks as the end of the fiscal year approaches. Millions of customers -– both online and mobile app users –- were affected by the attack.

HSBC never released any technical data about the incident. DDoS attacks can have an impact on brand reputation as well as loss of revenue. On average, a DDoS attack can cost about $40,000 per hour, according to a study conducted by Incapsula.

New Hybrid Malware Used In Bank Attacks

Cybercriminals are always looking for new, sophisticated ways to attack organizations. A new threat called GozNym malware has been identified targeting banks in the North America, Asia, and Europe. As SurfWatch Labs recently reported to customers, the malware has stolen over $4 million between 24 banks in North America alone.

The GozNym banking Trojan has been discussed frequently over the past 30 days.

2016-05-02_advisories — *The GozNym banking Trojan is the top trending advisory tag in the Financial sector over the last 30 days.*

GozNym is a hybrid malware, containing code from both the Nymaim and Gozi ISFB variants. The source code from the Nymaim malware is used to steal user data and login credentials. Once this data is obtained, the source code from the Gozi ISFB malware manipulates web sessions and conducts online banking fraud attacks. This nasty threat not only perpetrates bank fraud, it can also open the door for further malware attacks, including ransomware.

Like most malware, GozNym relies heavily on one factor to promote infection – human behavior. The malware is spread through exploit kits and Office macros, both of which require human interaction for its operation to take place.

Banks are an especially ripe target for cybercriminals due to the amount of transactions and data transferred between individuals and other organizations. Hacking tools such as malware and DDoS services can be purchased on the dark web for a surprisingly low price and used to create havoc and devastating financial loss for organizations. As demonstrated in the Central Bank of Bangladesh theft, it only takes one vulnerability to crack a company’s security, and the impact of those attacks is often more far reaching than other sectors.