Banks get attacked four times more than other industries

Modern-day criminals are still following Willie Sutton’s example of going after banks “because there’s where the money is.”

According to a new report from Websense Security Labs, the average number of attacks against financial services institutions is four times higher than that of companies in other industries.

In addition, a third of all initial-stage reconnaissance attacks target financial institutions, the company reported.

Criminals aren’t just going after banks for their money, according to Carl Leonard, principal security analyst at Websense. They’re also using banks as a vehicle to reach other victims.

For example, a compromised email account at a bank could allow hackers to leverage the trust that customers have in their bank to reach out to their business and retail customers.

According to Leonard, an email that originates from a real email account looks more realistic to security solutions than one with a spoofed return address.

Plus, if the hackers have access to previous emails, they can better impersonate bank employees.

“They’re actually piggybacking on the reputation and trust inherent in that industry sector,” said Leonard.

The top three malware threats that financial institutions faced during the first five months of the year were Rerdom, Vawtrack, and Geodo. In particular, the Geodo malware, with its own credential-stealing email worm, was seen 400 percent more often in finance than other industries.

However, attackers frequently switch up their attack methods, according to Websense. For example, there was a large spike in malicious redirection and obfuscation attacks in March. The more targeted short-term campaigns are accompanied by a constant barrage of low-level attacks designed to keep security teams distracted.

Typo-squatting also made a strong comeback this year, now in combination with email-based social engineering tactics, at an average cost of $130,000 per incident.

One of the most effective approaches is to register the .co domain. Other techniques include adding, deleting or transposing characters, or replacing characters with lookalikes such as the the number zero for the letter O.

Instead of waiting for a victim to accidentally stumble onto the fake sites, however, the criminals are using these domains to create email accounts that seem to belong to legitimate company employees.

“They’re sending mail from those servers that they set up, to make it look more realistic,” Leonard said. The emails are highly customized, and generally target C-level executives in an organization, he added.

But financial services were not the most targeted sector for these attacks, ranking behind manufacturing.

According to Leonard, the likely reason why manufacturing was a bigger target for these kinds of attacks is that the criminals are still in the testing stages.

“Malware authors have been testing this technique since the start of the year, adjusting focus from industry to industry,” he said.

They’re tweaking the initial payload, the realism of the typo domains, and adapting their techniques as they go along.

“They’re experimenting with industries that are not their primary target,” he said.

In addition to keeping an eye out for these sorts of attacks, Leonard suggested that banks increase their degree of cooperation with their peers, industry groups, and government agencies.