A new report from French-based cybersecurity company Sekoia describes evolutions in the financial sector threat landscape. The sector is the most impacted by phishing worldwide and is increasingly targeted by QR code phishing.
The financial industry also suffers from attacks on the software supply chain and stands among the most targeted sectors impacted by ransomware in 2023. And an increase in attacks on Android smartphones affects the sector, both for cybercrime and cyberespionage operations.
The phishing threat
Phishing is the top digital crime for 2022, according to the FBI, with more than 300,000 victims in 2022. The Anti-Phishing Working Group indicates that in the third quarter of 2022, the financial sector was the most impacted by phishing campaigns, with 23% of financial institutions being targeted.
Phishing as a service massively hits the sector
According to Sekoia, the phishing-as-a-service model has been massively adopted in 2023. Phishing kits built of phishing pages impersonating different financial organizations are being sold to cybercriminals in addition to kits made to usurp Microsoft and collect Microsoft 365 login credentials, which companies use for authenticating to various services.
One example of such a threat is NakedPages PhaaS, which provides phishing pages for a large variety of targets, including financial organizations. The threat actor manages licenses and regularly announces updates via its Telegram channel, which currently has about 3,500 members (Figure A).
Among all of the provided phishing pages, the threat actor mentions the online accounting software QuickBooks, used by many organizations in the financial sector.
QR code phishing campaigns are on the rise
An increase in the number of QR code phishing, or quishing, campaigns has been observed by Sekoia. Quishing attacks consist of targeting users with QR codes to deceive them into providing their personal information, such as login credentials or financial information.
Sekoia assesses that QR code phishing will increase due to its “effectiveness in evading detection and circumventing email protection solutions.”
Quishing capabilities are part of the Dadsec OTT phishing as a service platform, the most used kit in Q3 for 2023, according to Sekoia. It has been observed in several large-scale attack campaigns, impersonating banking companies in particular.
Another large quishing campaign targeted investment organizations via the Tycoon PhaaS kit. The quishing attack leveraged PDF and XLSX email attachments containing a QR code, ultimately leading to Microsoft 365 session cookie theft.
BEC campaigns evolve
Business email compromise campaigns have increased by 55% for the first six months of 2023. While those attacks typically impersonated CEOs and high-level executives, they now also impersonate vendors or business partners.
One recent case has impacted the financial sector with a sophisticated multi-stage adversary-in-the-middle phishing and BEC attack. The attack specifically targeted banking and financial services and originated from a compromised trusted vendor, showing an evolution in the BEC threat landscape.
Multiple supply chain risks
Open-source software supply chain attacks have seen a 200% increase from 2022 to 2023. As 94% of organizations in the financial sector use open-source components in their digital products or services, the sector can be affected by attacks leveraging compromises in the open-source software supply chain.
A striking example has been the Log4Shell vulnerability and its exploitation, which affected thousands of companies worldwide for financial gain and espionage.
Supply chain attacks specifically targeting the banking sector have also been reported, showing that some threat actors have the capability to build sophisticated attacks against the sector.
As stated by Sekoia, “It is highly likely that advanced threat actors will persist in explicitly targeting the banking sector’s software supply chain.”
Financial aggregators also appear as a new opportunity for threat actors to target the sector. According to Sekoia, those aggregators “are not submitted to the same level of regulation as traditional banking entities and are supported by technologies with potential vulnerabilities.”
The International Monetary Fund also states that “new technologies in financial services can also generate new risks” and that “APIs with poor security architecture could lead to leaks of potentially sensitive data.”
An attack on one such aggregator called Dexible in February 2023 stands as an example. In that attack, a vulnerability allowed attackers to orient tokens of users towards their own smart contracts before being withdrawn.
Financially oriented malware
Malware designed to collect financial data, including credit card information, banking credentials, cryptocurrency wallets and more sensitive data, have been around for many years already.
Mobile banking Trojans
A particular concern raised by Sekoia resides in the increasing number of mobile banking Trojans, which doubled in 2022 as compared to the previous year and continues to grow in 2023. Sekoia predicts that this is likely due to the increase in mobile devices being used for financial services and to the fact that those malware help bypass two-factor authentication.
Spyware — malicious pieces of code designed for collecting keystrokes, credentials and more sensitive data — have increasingly been used in 2023 for bank fraud, according to Sekoia. One Android malware is SpyNote, which started targeting banking applications in addition to its previous functionalities.
Ransomware targets the financial sector heavily, which became the fourth-most impacted sector in the third quarter of 2023, with ransom requests varying from $180,000 USD to $40 million USD and having huge physical impacts in some cases.
Sekoia reports an important change for known ransomware actors leveraging extortion impacting the financial sector, such as BianLian: They have shifted to an exfiltration-based extortion without any encryption of the victims’ systems and data. This move is likely done to avoid encryption problems at scale during mass compromise campaigns.
DeFi and blockchain bridges under attack
Decentralized finance, based on blockchain technology, also faces threat actors.
Cryptocurrencies are built on various blockchains, which are closed environments that cannot communicate with each other. To address this challenge, interoperability solutions have been developed, including cross-chain bridges and atomic swaps. These solutions rely on smart contracts, segments of code that execute token transfers based on the validation of specific conditions.
Attacks on DeFi organizations mostly target their employees, who may be lured into providing their credentials to attackers or becoming compromised by malware. Once inside the organization’s network, the attackers are able to steal cryptocurrencies.
An example of a state-sponsored threat actor targeting DeFi and blockchain bridges is Lazarus. The North Korean threat actor has generated 10 times more money than other actors and mostly focuses on the crypto assets industry entities located in Asia and the U.S. rather than European traditional banking institutions. Three attacks targeting DeFi platforms have been attributed to Lazarus in 2023 against Atomic Wallet, Alphapo and CoinsPaid, overall generating the theft of $132 million USD.
A blurry line between cybercrime and state-sponsored espionage
Attacks can sometimes be difficult to attribute, especially when an attacker’s motivation is not easy to estimate. Some attacks targeting the financial sector are fully aimed at financial gain, but others might aim at cyberespionage. Yet even more intriguing is the fact that some threat actors disguise their operations as being financially oriented when they are in fact strategic operations with an espionage goal.
In 2022, Secureworks, a Dell Technologies company, published research on threat actor Bronze Starlight targeting companies with ransomware. Secureworks indicates that “the combination of victimology and the overlap with infrastructure and tooling associated with government-sponsored threat group activity indicate that BRONZE STARLIGHT may deploy ransomware to hide its cyberespionage activity.”
Another case exposed by Kaspersky sheds light on a cryptocurrency miner being an element of a more complex malware called StripedFly and associated with the Equation malware.
Reduce cyber threat risks
The financial sector is prone to several security threats. Phishing and BEC have been around for many years but have evolved in complexity to still affect the sector and keep up with new technologies. All employees working for financial organizations should be educated to detect phishing attempts or fraud that could target them. They should also have an easy way to report any suspicious activity to their IT department.
More indirect attacks are observed in the wild, as attackers have increasingly been targeting organizations via supply chain attacks. In particular, open-source software used in products or services should be carefully checked before being deployed.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.