GET hacker


Cyber attacks against banks are at record levels globally and rising sharply, according to several recent reports. Bill Lumley investigates.


In India, the government recently reported record rates of successful breaches by hackers against the nation’s banks, while this month Russia’s second-largest bank VTB was hit by the largest distributed denial-of-service (DDoS) attack in its history.

Meanwhile, in the UK this month two men were arrested as part of the UK’s biggest ever fraud operation. They posed as representatives of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide and TSB.

Against this backdrop, less than one quarter of UK financial services organisations consider themselves well-prepared to defend themselves against cyber attacks, according to the 2022 Cybersecurity Census Report.

Fallout from Russian aggression

Financial service application programming interface (API) and web application attacks are reported to have more than doubled worldwide in the past 14 months. The growth is understood to have been driven in part by the war in Ukraine, which has coincided with a shift from the US being traditionally the most cyber-victimised region, to Europe.

A report this month from Akamai, Enemy at the Gates: Analysing Attacks on Financial Services, reveals that distributed denial-of-service (DDoS) attacks on financial services have risen by 22% year-on-year.

Financial services continue to be one of the world’s most widely attacked industry sectors, and the number of attacks shows signs of growing, according to the report. Web application and application programming interface (API) attacks, in particular, are increasing at an alarming rate while also growing in complexity. Attackers are seeking to gain a foothold in internal networks and cause disruption as a means of pressuring organisations to pay money to prevent further damage. As a vital sector, financial services need to be up and running. Attackers could also monetise stolen sensitive information or gain access to customers’ accounts and steal their money, it says.

Andrew Martin, CEO of UK-based cyber security company DynaRisk, says there has been a noticeable increase in DDoS attacks, and that these are talked about widely by cyber criminals.

“One of the big drivers for that is the Russia-Ukraine conflict,” he says. “There is a lot of hacking activity going on, on both sides. People that are supportive of Russia's campaign are launching attacks against Western interests, which certainly include financial services, but they aren’t specifically limited to that,” he says. “And then, of course, you have the patriotic hackers on the West side, who are launching attacks against Russia. So, the barrier to entry to launching denial of service attacks has gone down substantially.”

Cyber criminals have set their sights on financial services and its customers, a move that has raised cyber security awareness and seen an increase in IT budgets for cyber security, according to the Akamai report. Failure to safeguard their perimeter and data could result in breaches by ransomware and other threats, and consequently, significant critical data and financial losses, the report says. According to IBM’s Cost of a Data Breach 2022 report, data breaches against financial services, which is considered “critical infrastructure,” have an average cost of $5.97m.

Richard Meeus, Akamai director of security strategy, warns that APIs need the same degree of protection as websites. “APIs are not as well protected as websites, even though they have access to the same level of the same information, the back end,” he says.

“Making sure that the APIs are protected to at least the same degree as the website is very important. But that's probably down to understanding the state in which users are interacting with the website. It’s a question of spotting those fake websites that are out there, making sure that the log-ons are user log-ons and enterprise log-ons and that they are undertaken through a FIDO2-level quality compliance system.”

It is also important to ensure that the APIs have the same level of protection as the websites, he adds.


The report reveals that DDoS attacks have figured prominently in attacks against financial institutions primarily during the conflict between Russia and Ukraine.

“Before the onset of the physical war in March 2022, it appears that a cyber war transpired first with both sides launching a slew of DDoS attacks in February 2022 to take down government and bank sites, disrupt the normal lives of citizens, and inflict damage,” says Mr Meeus. “We've seen attacks against the London Stock Exchange, European Parliament and the website of the White House, and the Prince of Wales's website was knocked offline via a denial-of-service attack and there have been many more such attacks. But financial services in particular are targeted because the hackers are obviously trying to extort them, or getting money from them,” he says.

A denial-of-service attack can be used as a distraction, he says. “If hackers are trying to carry out a very large value fraud, they might also launch a denial-of-service attack, to try and distract the security team away from the other activity that they're doing.”

Denial-of-service attacks are also used in conjunction with ransomware attacks, in which a hacker has put malware onto a computer in a company's network and is trying to ransom the company, he says.

Wherever there is a connected conflict in the world it is not unusual to see an ancillary or a follow-on in the cyber war, he adds. “Although we're seeing this many different journeys across the world, wherever there's a conflict, there will be a complementary cyber conflict as well to match the kinetic conflict. There’s nothing particularly unusual about the situation in Ukraine.”

Barriers to entry lower

The barrier to entry to conduct these denial-of-service attacks has really decreased, says Mr Martin, with political conflicts such as Ukraine having driven the commoditisation of DDoS capabilities. “You can pay as little as $50, to get access to a denial-of-service portal, where you can launch attacks quite easily. In the past, just like many different things, let's say there were hundreds of people capable of launching these attacks. And now there are thousands of people that are capable of launching these attacks, because the barrier to entry is now much lower,” he says.

Mr Meeus says hackers know that banks and financial institutions are aware of their susceptibility to cyber attack and have a high level of security, and that, as a result, their consumers, who present a lesser degree of security, are more at risk than before. The number of false websites is growing as a result, he says. “A lot of the attacks now are geared around trying to exploit the consumers of those banks, things like scraping of the bank's website in order to bring up a duplicate site somewhere else, to use as a phishing site.”

By this means the hackers trick consumers into entering their credentials into their site, which looks identical to their normal bank website, he says.

Ransomware attacks against financial services are on the rise because the potential reward is great, he says. “This is why banks need protection against forged websites and why they need to adopt things like FIDO2. With FIDO2 when a client is logging in from their laptop there is an authentication that gets around phishing and MFA bypass techniques,” he explains.

He says that his cyber security company sees trillions of DNS requests every day. “This gives us a very rich treasure trove of data that we can sift through and dissect and allows us to detect requests going through to domains that look similar. It allows us to detect requests that indicate that a mock-up of your website has been created, and that we can alert you and say, you've got a mock-up of your website that's being used at the moment for a phishing attack.”
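As an added illustration of the look-alike domain detection described above (not code from Akamai or from this article), the following sketch scans DNS query names for imitations of a protected bank domain. The brand `examplebank.com`, the character-swap table, the distance threshold and the log lines are all assumptions constructed for the example.

```python
PROTECTED = ["examplebank.com"]  # hypothetical brand; all names and log lines are constructed
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # assumed swaps, not exhaustive

def registrable(qname):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def skeleton(label):
    """Fold swaps, hyphens and 'rn'->'m' so visually similar labels match."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(qname, protected=PROTECTED, max_dist=2):
    """Return a verdict string for one DNS query name."""
    domain = registrable(qname)
    if domain in protected:
        return "legitimate"
    name = domain.split(".")[0]
    for brand in protected:
        brand_name = brand.split(".")[0]
        if skeleton(name) == skeleton(brand_name):
            return "lookalike-visual"
        if edit_distance(name, brand_name) <= max_dist:
            return "lookalike-typo"
        if brand_name in qname.lower():
            return "brand-in-subdomain"
    return "unrelated"

SAMPLE_LOG = """\
2022-12-01T10:00:01Z 192.0.2.10 A www.examplebank.com.
2022-12-01T10:00:02Z 192.0.2.11 A examp1ebank.com.
2022-12-01T10:00:03Z 192.0.2.12 A login.exarnplebank.com.
2022-12-01T10:00:04Z 192.0.2.13 A exampelbank.com.
2022-12-01T10:00:05Z 192.0.2.14 A examplebank.com.secure-login.net.
2022-12-01T10:00:06Z 192.0.2.15 A weather.example.org.
"""

def scan(log_text):
    """Map each suspicious query name in the log to its verdict."""
    names = (line.split()[-1] for line in log_text.splitlines() if line.strip())
    return {n: v for n in names if (v := classify(n)) not in ("legitimate", "unrelated")}
```

A fixed edit-distance threshold produces false positives for short brand names, so a production rule would scale it with label length and use a public-suffix list instead of the two-label shortcut.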

With no sign of an end to political uprising, financial services are expected to come under increasing attack, according to Mr Martin, who says that owing to a high level of patriotic hacking, attackers will feel that law enforcement is not going to come after them. “If I'm a bad guy, or if I'm an attacker in one of these countries, I'm probably thinking, ‘Well, you know, what I'm doing is trying to help my particular cause. And, you know, I don't therefore think that I'm going to get arrested.’ If the geopolitical tensions were not there, people wouldn't feel that sense of impunity, to be able to just go off and do whatever they like.”

Advising banks to prepare against attacks, he says: “Number one, have a plan. Number two, test the plan. And number three, have a mitigation service already available. Because in the moment it's very, it can be very chaotic. You do not want to be trying out your plan for the first time when you are actually being attacked,” he concludes.
