For Sale: Members' Payment Card Data for $1 Each
Cybercriminals turn up the heat with highly sophisticated attacks targeting the financial industry to compromise back-end systems.
The financial industry is the most targeted industry worldwide, accounting for over a third of directed attacks, with banking Trojans heading the list of the most prevalent 2019 malware attacks.
That was among the revelations unveiled in “CiPulse 2020,” the Israeli-headquartered cybersecurity firm Cyberint’s threat landscape report.
Personal and financial data remain as an plentifully traded commodity on the underground economy with “fullz” — jargon used by card hackers and data resellers meaning full packages of individuals’ identifying information (including payment card details) — traded for as little as $1 each through dark web marketplaces.
Cyberint maintained attacks against financial organizations vary widely in capability and sophistication. While widespread phishing campaigns and specialist banking malware threats target retail banking customers globally, highly sophisticated threat actors increasingly seek out the financial industry to compromise back-end systems that will potentially net millions for organized cybercriminal gangs or nation-state sponsored groups.
The report suggested previously it was easy to understand the motivations of many mainstream threat actor groups. For example, nation-state threat actors conduct cyberwarfare and espionage campaigns while organized cybercriminal gangs conduct high-value financially motivated attacks. “With advancements in the capabilities of both nation-states and cybercriminals, the lines between have blurred: Some nation-state threat actors have become increasingly financially motivated while organized cybercriminal gangs seemingly appear to be getting involved in cyberespionage campaigns.”
“CiPulse 2020” noted underground prices remained steady year-on-year with many compromised accounts, often harvested through credential stuffing attacks, for sale at a portion of their “true” value (determined by available credit or subscription level/length). Fraudsters can rent bot networks of compromised hosts for as little as $60 for 1,000 victims, allowing them to launch distributed denial-of-service and spam campaigns from unsuspecting machines.
Nefarious services and “as-a-service” models are readily available for purchase by unsophisticated threat actors. These services can facilitate attacks with remote access tools and ransomware available for just a small amount of U.S. dollars, and help launch DDoS attacks for as little as $28 per day.
The report said 2020 will likely continue to see targeted ransomware attacks against local governments and specific industries, potentially driven by alternate motivations and orchestrated by organized cybercriminal gangs or event nation-state sponsored threat actors.
The Cyberint study held threat actors are not just the reserve of organized cybercriminal gangs, nation-state threat actors such as the Democratic People’s Republic of Korea, connected to a number of highly sophisticated, financially motivated attacks against both interbank systems and cryptocurrency exchanges.
Some campaigns appeared to be conducted on a more local or regional level. Much like widespread campaigns, numerous sophisticated attacks against the financial industry seemed to originate with spear-phishing emails and malicious attachments sent to key employees within the targeted organization. Following an initial compromise, these threats establish a foothold from which the threat can pivot, locate and then compromise specific systems such as those related to ATM infrastructure. Subsequently, these threats often use a combination of credential stealing techniques and web injections to attempt to gain access to and transfer funds from victims’ bank accounts.
Of the campaigns observed in 2019, Trickbot, the most prevalent banking threat, evolved since first identified in 2016 to target non-financial accounts, including U.S.-based mobile telecom providers. The modular features of Trickbot includes the ability to harvest credentials and steal cryptocurrency. Numerous source code leaks of Gozi, the second most prevalent banking threat, responsible for attacks since 2007, have ensured that its variants continue to evolve and pose a threat to customers of financial institutions.
“Often the outlet for compromised data, especially stolen payment cards, the underground economy – the unregulated marketplaces and nefarious transactions conducted upon them – continues to remain buoyant despite a number of popular marketplaces going offline in 2019,” the report claimed.