FinTech Magazine speaks to the VP of SpyCloud Labs (part of SpyCloud) and former digital crime expert in the FBI, Trevor Hilligoss, who divulges the most common tactics cybercriminals use to steal data and launch attacks against the financial sector.
Hilligoss shares how these malicious tactics will continue to evolve in 2024 and the actions financial leaders can take to mitigate the risk of a cyberattack.
What are the most common tactics cybercriminals use against the financial sector? How will these tactics continue evolving in 2024?
Compromised employee and consumer identities have long represented a significant cybersecurity threat for financial institutions.
Identity-based attacks using stolen usernames and passwords, otherwise known as account takeover (ATO), are widely used tactics for cybercriminals looking to facilitate ransomware, fraud and other cyber incidents causing monetary loss.
In 2022 alone, SpyCloud recaptured over 3.6 million exposed credentials (username/email + password) that were linked to the financial sector.
However, criminals have evolved their methods in recent years with the growth of malware. Information-stealing malware, or infostealers, have fuelled a method of attack known as session hijacking.
Infostealer malware siphons high-quality data, such as session cookies, from infected employee browsers.
Using the malware-stolen data, criminals can pose as legitimate users and hijack an active, already-authenticated web session, allowing them to carry out cyberattacks by circumventing any controls in place to prevent malicious access.
Session hijacking can entirely bypass traditional defenses and authentication measures such as MFA as the criminal poses as a legitimate employee or customer, granting them all the permissions that the legitimate user possesses.
Cybercriminals are adopting this attack technique rapidly – among the 171,528 malware-infected employees tied to Fortune 100 companies, 15,274 infected employees were from the financial industry, based on an analysis of domain names found in saved login data.
Furthermore, based on research by SpyCloud into possible links between infostealer malware and successful ransomware infections, infostealer malware preceded roughly one-third (30%) of publicly identified ransomware events impacting North American and European organisations thus far in 2023.
What steps can financial IT leaders take to bolster their cybersecurity and protect employees and consumers?
To defend themselves against ATO and other cyber attacks, financial organisations should enforce strong authentication policies with non-SMS or email-based SSO where possible, monitor and update access procedures and protocols when an employee changes roles or leaves the company, and create and enforce clear company policies on the proper use of business and personal devices.
Additionally, where possible, organisations should consider limiting the cookie duration of any cookie used in the authentication process, to shorten the time these cookies remain valid.
Protecting against malware and session hijacking requires a more holistic approach, which includes a comprehensive malware infection remediation strategy designed to identify and remediate the stolen data before it can be used by criminal actors for financial gain.
Simply changing passwords after a malware infection does not guarantee active user sessions or trusted device tokens will be invalidated.
The data that can be exfiltrated after a successful infostealer infection often includes cookies and other means of authentication - such as API tokens and webhooks - which may remain active long after passwords have been reset by a user or organisation and may be difficult or impossible for the user to remediate on their own.
Even firms that have adopted advanced monitoring and access controls may not realise that access information has been stolen by an infostealer, putting organisational and customer data at risk.
Any organisation that manages personal information for its users must embrace a holistic cyber defense strategy that includes controls for the variety of access methods available in its environment.
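To make the point about password resets concrete, here is an added Python example (not SpyCloud's or the interviewee's code) of a server-side session store where every session cookie carries a short TTL and a per-user generation counter: a naive password reset leaves an already-issued cookie valid, while a reset that bumps the generation revokes it. The store layout, the 15-minute TTL and the sample user are assumptions of this example.

```python
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption of this example).
USERS = {}      # username -> {"password_hash": str, "session_gen": int}
SESSIONS = {}   # session id (cookie value) -> {"user": str, "gen": int, "expires": float}

SESSION_TTL = 15 * 60  # seconds; a short cookie lifetime bounds how long a stolen cookie works

def create_user(username, password_hash):
    # password_hash is a placeholder string here; a real system stores a proper password hash.
    USERS[username] = {"password_hash": password_hash, "session_gen": 0}

def login(username, now=None):
    """Issue a session cookie value bound to the user's current session generation."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username,
                     "gen": USERS[username]["session_gen"],
                     "expires": now + SESSION_TTL}
    return sid

def session_is_valid(sid, now=None):
    """A cookie is valid only if unexpired AND issued under the user's current generation."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or now >= s["expires"]:
        return False
    # The generation check is what lets a reset revoke cookies (and API tokens) already issued.
    return s["gen"] == USERS[s["user"]]["session_gen"]

def reset_password_naive(username, new_hash):
    """Changes the password only; existing sessions keep working (the failure mode described)."""
    USERS[username]["password_hash"] = new_hash

def reset_password_with_revocation(username, new_hash):
    """Changes the password and invalidates every previously issued session in one step."""
    USERS[username]["password_hash"] = new_hash
    USERS[username]["session_gen"] += 1

def demo():
    create_user("alice", "hash-v1")                    # constructed sample user
    sid = login("alice", now=1000.0)                   # cookie an infostealer could have taken
    reset_password_naive("alice", "hash-v2")
    still_valid = session_is_valid(sid, now=1001.0)    # True: the reset alone revoked nothing
    reset_password_with_revocation("alice", "hash-v3")
    revoked = session_is_valid(sid, now=1001.0)        # False: generation no longer matches
    sid2 = login("alice", now=1001.0)
    expired = session_is_valid(sid2, now=1001.0 + SESSION_TTL + 1)  # False: TTL elapsed
    return still_valid, revoked, expired
```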