According to the SearchInform study, since the beginning of 2017 one in four banking and financial institutions in Russia has faced a data leak. More often than any other group - in 61% of cases - it was ordinary employees who tried to steal confidential information. At first glance it seems that banking insiders have pushed outside attackers off the list of top cyber security threats. However, experience shows that insiders do not always act of their own free will.
Information security analysts have recorded a systematic growth of targeted attacks on financial and banking institutions since 2015. Along with the rise of incidents, cyber security experts are observing the evolution of attacks where attackers use end users as their entry points.
Insider as a means of attacking banks
The attack vector depends on the hacking tools available and on the scammers' appetites. Criminals target retail clients, corporate clients (legal entities), the banks themselves, and global payment systems.
Banks have more retail clients than corporate ones; retail clients are less protected in terms of information security, but the "profit" rarely exceeds tens of thousands of rubles. Corporate clients "defend themselves" better, and attacking them is a more costly and laborious process, but the "dividends" reach millions of rubles. According to the Bank of Russia report, in 2016 the regulator received information about 717 unauthorized transactions from the accounts of legal entities, for a total of 1.9 billion rubles.
Banks are the hardest target: reaching them requires long and expensive preparation, although a successful plan will bring multimillion-dollar income. For example, in the attack on the central bank of Bangladesh, criminals stole $81 million.
The Bangladesh bank theft is called the largest theft of funds ever committed through illegal access to the international banking system SWIFT. An important detail of the high-profile case: insiders from the IT department are suspected of aiding the criminals.
No external attack, especially a complex one, is complete without an accomplice inside with legal access to corporate infrastructure.
Social Engineering and Other Ways to Manage Insiders
Financial institutions are staffed by ordinary people with their own strengths and weaknesses, which means the human factor cannot be eliminated 100%: employees, even cautious ones, become victims of social engineering and criminal manipulation. Here are just a few of the methods scammers use to turn regular users into accomplices.
Typically, the operation begins by sending the victim a phishing email with a malicious document attached. Most often it is a Word document carrying an exploit. Opening the file launches other software that allows the attackers to take control of the computer. This "classic" social engineering technique was used by the organizers of the attack on Russian banks, who sent fake letters on behalf of the Bank of Russia FinCERT. Most often it is absent-minded employees who "fall for" phishing, but attentive users also fall victim to cybercriminals.
Criminals are looking for compromising information on social networks or previously stolen databases. A more sophisticated method is to "implant" spyware on the victim's PC to collect information.
The information obtained is used for blackmail, but not to extract a ransom: the aim is to obtain, for example, the credentials of a work account or the login and password for a corporate mailbox. In this way attackers "recruit" careless bank employees, who become unwilling insiders.
Over the 12 months from 2015, the volume of correspondence between professional fraudsters and insiders on the darknet doubled. Attackers require different kinds of services. On "dark" bulletin boards they look for cashiers with access to customers' bank card data, employees ready to open access to the IT system, or colleagues who can be blackmailed.
The scheme is simple: install the ransomware and demand money for the "cure" for the infected computer, or ... infect several other computers and receive the key to decrypt the data for free.
Why are insiders dangerous?
Whether insiders act involuntarily or intentionally, their unauthorized actions seriously threaten the well-being of the business.
First, they lead to customer churn and lost profits. For example, in one Russian bank an employee of the corporate clients department passed personal data to competitors, who then offered those customers more favorable credit terms. The data leak cost the bank 108.5 million rubles a year.
Second, there is a risk of disclosure of classified information, for example about the number of securities held by shareholders, as happened with a SearchInform client. The information security service stopped the employee in time: out of revenge, he was going to "leak" data on the distribution of shares to journalists, accurate to two decimal places. The specialists' prompt work "saved" the bank at least 72 million rubles.
The practice of SearchInform clients shows that in an effort to make money or take revenge, employees resort to any trick: taking kickbacks for a positive decision on a loan; withdrawing money from customer accounts and breaking into safe deposit boxes; publishing account numbers and owners' names in the hope of selling the full database; "leaking" banking secrets.
Especially dangerous insiders
In 2014, three employees of AFK Sistema used their access to inside information and closed transactions a few hours before the corporation officially released the data and the quotations fell by 7%. Trading on insider information brought the enterprising trio tens of millions of rubles.
The share of insider trading on the stock market reaches 30%. The Bank of Russia has taken up the problem in earnest and suggested that financial market players fence off insiders with a "Chinese wall". The essence of the recommendation is to draw a clear line between employees who receive inside information from clients and employees who are responsible for transactions on the financial market.
How to protect yourself from the actions of insiders in the banking sector?
Effective protection from insiders in a bank is built on the same scheme as in other business structures. The strategy includes several key principles:
- Take control of the maximum possible number of communication channels, first of all mail, Skype, instant messengers, and removable storage devices.
- Analyze email traffic. An explosive growth in the number of messages between two users who are not connected by a working relationship is a reason to check the contents of the correspondence.
- Log all attempts by employees to gain access to confidential information.
- Monitor compliance with the work schedule. Regular presence at the workplace during non-working hours without good reason can serve as a "wake-up call" for the security service.
- Form risk groups for closer control. Employees with financial problems, alcohol, drug or gambling addiction, or a disloyal attitude towards their employer are an easy target for social engineering.
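Two of these principles, the email-volume check and the off-hours cue, can be turned into simple detection rules. The following is an added example, not code from the article or from SearchInform: it runs over a constructed mail log (timestamp, sender, recipient) and a constructed department map, using "different department" as a proxy for "no working relationship" and mail timestamps as a proxy for presence outside working hours.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not from the article: a department map and a mail log
# of (timestamp, sender, recipient). Department is used as a proxy for
# "connected by a working relationship".
DEPARTMENTS = {"ivanov": "corporate_clients", "petrov": "corporate_clients",
               "sidorova": "it", "kuznetsov": "treasury"}
MAIL_LOG = [
    ("2017-03-01 10:05", "ivanov", "petrov"), ("2017-03-01 11:10", "ivanov", "sidorova"),
    ("2017-03-02 09:30", "ivanov", "petrov"), ("2017-03-02 14:00", "ivanov", "sidorova"),
    ("2017-03-03 09:00", "ivanov", "sidorova"), ("2017-03-03 09:05", "ivanov", "sidorova"),
    ("2017-03-03 09:07", "ivanov", "sidorova"), ("2017-03-03 09:10", "ivanov", "sidorova"),
    ("2017-03-03 09:12", "ivanov", "sidorova"), ("2017-03-03 09:14", "ivanov", "sidorova"),
    ("2017-03-03 10:00", "ivanov", "petrov"), ("2017-03-03 23:40", "kuznetsov", "sidorova"),
]

def daily_pair_counts(log):
    """Messages per (sender, recipient) pair per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, sender, rcpt in log:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M").date()
        counts[(sender, rcpt)][day] += 1
    return counts

def cross_department_spikes(log, departments, factor=3, minimum=5):
    """Flag cross-department pairs whose latest-day volume is at least `minimum`
    messages and at least `factor` times their average on earlier days."""
    flagged = []
    for (sender, rcpt), per_day in daily_pair_counts(log).items():
        if departments.get(sender) == departments.get(rcpt):
            continue  # same team: steady traffic is expected, not suspicious
        days = sorted(per_day)
        latest, prior = per_day[days[-1]], [per_day[d] for d in days[:-1]]
        baseline = sum(prior) / len(prior) if prior else 0.0
        if latest >= minimum and latest >= factor * max(baseline, 1.0):
            flagged.append((sender, rcpt, str(days[-1]), latest, baseline))
    return flagged

def off_hours_messages(log, start_hour=9, end_hour=19):
    """Messages sent outside the working day: the article's 'wake-up call' cue,
    using mail timestamps as a proxy for presence at the workplace."""
    return [(ts, s, r) for ts, s, r in log
            if not (start_hour <= datetime.strptime(ts, "%Y-%m-%d %H:%M").hour < end_hour)]

if __name__ == "__main__":
    print(cross_department_spikes(MAIL_LOG, DEPARTMENTS))
    print(off_hours_messages(MAIL_LOG))
```

A flagged pair is a trigger to review the correspondence, as the principle above says, not a verdict on its own; a new project that legitimately spans departments will also spike.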
Banking and financial institutions pay more attention to data protection than others and take heightened information security measures. At the same time, fraudulent schemes and attack scenarios keep improving. This means that banks need to analyze incidents in detail, implement effective protection methods, and use information security automation tools, for example SIEM and DLP solutions, and in this way anticipate new threats and insider actions.