Credit Unions Should 'Increase Phishing Identification' in 2020

“It’s still early days in 2020 and yet we have already seen several concerning mobile app security issues.”

Cybersecurity problems in 2020. (Source: Shutterstock)

With the threat of Iranian cyber operations still hanging over organizations, several incidents affecting financial services companies, some predating the latest Iran-U.S. crisis but all raising eyebrows, made news recently.

ZDNet reported that a security researcher with the Twitter handle @vrNicknack alerted Troy Hunt, operator of the Have I Been Pwned? search engine, to a notice received from P&N Bank, a division of Police & Nurses Limited operating in Western Australia. The notice warned of a breach “of certain personal information” that occurred through its customer relationship management platform as a result of online criminal activity. The cyberattack occurred on or around December 12, when the bank performed a server upgrade. Speculation is that a third-party hosting provider engaged by P&N Bank provided the entry point.

Stephan Chenette, co-founder/chief technology officer at AttackIQ, said, “The financial industry is one of the largest targets for cybercriminals and unfortunately, breached data from those types of organizations can be damaging for years to come.” Chenette noted that while the number of affected accounts is unknown, P&N Bank is one of the largest banks in Western Australia. As a result, a complete set of personally identifiable information is available on the dark web, further exposing the account holders to future fraud or phishing attacks. “Organizations must take proactive approaches to protect their data. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. Additionally, organizations should do their due diligence in ensuring third-party partners are practicing adequate security measures and extend testing to partners as well.”

In another incident, Bleeping Computer reported a group tracked as Ancient Tortoise is targeting accounts receivable professionals, tricking them into sending over aging reports (collections of outstanding invoices) and consequently amassing data on customers they can scam in future attacks.

Although business email compromise (BEC) scammers are known for using social engineering or hacking to switch the bank accounts an organization’s finance department uses to wire out funds, the Ancient Tortoise actors go further. BleepingComputer reported that researchers at the Agari Cyber Intelligence Division observed the group impersonating a company’s CFO and requesting an updated aging report together with the latest contact information for every client with unpaid overdue invoices.
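The CFO-impersonation lure described above leaves several signals in the message itself: a display name that matches an executive but a sender domain that does not, a Reply-To pointing somewhere else, a typosquatted or homoglyph look-alike of the corporate domain, and the aging-report language of the request. The following Python screen, an added example that is not from the original article or from Agari, scores an inbound message on those signals. The corporate domain, the executive roster and the sample message are all hypothetical and constructed for illustration; none come from the reported incident.

```python
"""Heuristic BEC / executive-impersonation screen for inbound mail.

Added example, not from the article or any vendor product. The corporate
domain, executive roster and sample message below are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr, getaddresses

# Assumed corporate domain and executive roster (hypothetical values).
CORP_DOMAIN = "example-cu.org"
EXECUTIVES = {"jane doe": "cfo", "john roe": "ceo"}

# Phrases typical of the aging-report / payment-diversion lure.
LURE_PHRASES = (
    "aging report", "outstanding invoices", "overdue invoices",
    "updated contact", "wire", "bank details", "urgent",
)

# Common character substitutions used in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    """Fold homoglyph tricks so look-alikes compare equal to the real domain."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag typosquats of the corporate domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates CORP_DOMAIN but is not CORP_DOMAIN itself."""
    d = domain.lower()
    if d == CORP_DOMAIN:
        return False
    return normalize_domain(d) == CORP_DOMAIN or edit_distance(d, CORP_DOMAIN) <= 2


def assess_message(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    exec_role = EXECUTIVES.get(display.strip().lower())

    # 1. Executive display name on a non-corporate sender address.
    if exec_role and from_domain != CORP_DOMAIN:
        findings.append(f"display name matches {exec_role} but sender domain is {from_domain}")

    # 2. Typosquat / homoglyph of the corporate domain.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like {CORP_DOMAIN}")

    # 3. Reply-To routed to a different domain than the visible sender.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = reply.rpartition("@")[2].lower()
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Subject/body language of a financial data or payment request.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("financial-request lure phrases: " + ", ".join(hits))

    # 5. Mail claiming to be from an executive should carry a DMARC pass
    #    from the receiving MTA; its absence is a further signal.
    auth = msg.get("Authentication-Results", "")
    if exec_role and "dmarc=pass" not in auth.lower():
        findings.append("no DMARC pass recorded for a message claiming to be from an executive")

    return {"suspicious": len(findings) >= 2, "findings": findings}


# Constructed sample lure modelled on the CFO pattern (not a real message).
SAMPLE = b"""\
From: Jane Doe <jane.doe@examp1e-cu.org>
Reply-To: Jane Doe <accounts.jdoe@mail-relay-example.net>
To: ar-team@example-cu.org
Subject: Urgent: updated aging report
Content-Type: text/plain; charset=utf-8

Please send me the latest aging report with updated contact details
for every customer with outstanding invoices before end of day.
"""

if __name__ == "__main__":
    result = assess_message(SAMPLE)
    print("SUSPICIOUS" if result["suspicious"] else "ok")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed sample, all five checks fire; a message from the real corporate domain carrying a DMARC pass and no lure language produces no findings. The two-finding threshold is deliberately low for a triage queue, since the cost of a human looking at a flagged aging-report request is far lower than the cost of sending a customer list to a scammer.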

“BEC scams are often run out of Asia and the Middle East because it is easier to set up (and then liquidate) ‘burner’ bank accounts in order to launder the money, taking advantage of the Hawala system of informal value transfer systems,” according to Colin Bastable, CEO of Lucy Security. “The challenge, as always, is in getting away with the loot, especially when most global bank transactions end up touching the U.S. banking system at some stage. Running the payments through Asian and Middle Eastern banks can often enable the bad guys to rapidly turn the deposits into cash.”

Bleeping Computer also reported on an Android banking Trojan dubbed Faketoken, recently observed by security researchers draining its victims’ accounts to fund offensive mass text-message campaigns aimed at mobile devices around the world.

Faketoken, first seen in 2012 as a mobile transaction authentication number (mTAN) interceptor disguised as a mobile token generator, added ransomware capabilities in December 2016.

In addition to employing bogus logins and phishing overlay screens to lift credentials and steal the mTAN codes financial institutions use to validate online transactions, the malware can generate customized phishing pages aimed at more than 2,200 financial apps and steal device information.

Sam Bakken, senior product marketing manager for mobile security at OneSpan, pointed out, “It’s still early days in 2020 and yet we have already seen several concerning mobile app security issues. First, the Shopper.a Android malware that de-activated Google Play Protect and demonstrated that despite their best efforts, we cannot count on Apple or Google alone to keep our mobile devices safe. Then we saw Princeton researchers show that mobile network operators are not getting any better at preventing SIM swap scams, which underscored that the carriers are not yet capable of protecting us either. Finally, there was the resurrection of the Faketoken Android banking Trojan showing us that attackers still consider mobile banking Trojans lucrative.” Bakken said it is clear mobile fraud and attacks will not abate in 2020, meaning that financial institutions in particular cannot rely on their customers’ mobile devices being secure.

Again, although no evidence suggests a connection to Iran or other state-sponsored actors, or a direct connection to credit unions, these types of financial crimes are nevertheless concerning.

Paul Love, chief information and privacy officer for CO-OP Financial Services, said, “State threat actors are focused on the highest impact, most visible targets. Disrupting financial systems is and has always been a prime target of nation-state attackers, as disrupting a country’s financial systems can create short-term and long-term impact. Credit unions should increase phishing identification and reporting capabilities, increase monitoring for abnormal system and network activity, and revisit and practice their incident response and containment processes.” Love suggested organizations know how to contact their local and federal law enforcement agencies for support if needed. “Additionally, have a reputable, third-party incident responder on retainer so that you can quickly get third-party support if internal resources need support to contain an attack.”