Cyber Siege in Banking: The Threat Landscape in Financial Institutions

11 min readDec 23, 2023


Table of Contents:

1- Introduction

2- Strategies & Tactics

3- Bank Customers Cyber Attacks

4- Targeting Infrastructure

5- Targeting Third-Party Companies that Serve Banks

6- Exact Domain Spoofing Technique

7- Spoofing Attacks

8- Conclusion

1- Introduction:

Financial institutions could potentially face annual losses ranging from US$100 to 300 billion due to cyberattacks. Despite the enormity of this figure, it is not surprising, given recent events. Over the past three years, multiple banks collectively incurred losses of $87 million from attacks that compromised their SWIFT (Society for Worldwide Inter-bank Financial Telecommunication) infrastructures. However, this is merely the tip of the iceberg. In a single instance, a cyber-criminal group managed to extract $1.2 billion from over 100 financial institutions across 40 countries before its leader was apprehended in 2018.

Cyberattacks pose significant risks to the foundational infrastructures and operational systems of financial organizations. Over the past two years, there has been a notable increase in attacks marked by persistence, sophistication, and extensive impact. This surge is driven by high-profile incidents, heightened consumer awareness of breaches, and ongoing enhancements in security mechanisms protecting sensitive credentials. Attackers are increasingly targeting easily exploitable vulnerabilities. Continuous monitoring by security institutions has provided valuable insights into the evolving tactics and techniques of cyber-criminals. For instance, a 2023 report by IBM Security indicated a 40% rise in financially motivated attacks, underscoring the urgent need for robust cybersecurity measures.

· What cybersecurity blind spots are they using?

· What are the real-world implications?

· How can users and organizations fortify their defenses against these threats?

Figure 1: A survey conducted by Sophos among 444 IT professionals employed in the financial services sector. (Sophos, 2022)

2- Strategies & Tactics

Traditionally, financially motivated attackers focused on bank customers, but groups like the Lurk cyber-criminal organization shifted their focus to employees of large business organizations. These attacks specifically targeted individuals within financial departments, including accountants and bank employees. Cyber-criminals recognized that stealing money could extend beyond compromising individual banking accounts; it could involve targeting the infrastructure of the bank itself or manipulating payment documents and systems. Telecommunication networks and banking infrastructures are lucrative targets due to their association with financial transactions. Attacks on these systems might involve targeting ATMs, SWIFT networks, payment gateways, card processing systems, and similar facilities. For instance, while attackers can possess the capability to manipulate a bank customer’s digital information, they might lack the ability to create a legitimate paper trail, a task that could be facilitated by an insider.

Recent research has uncovered that criminal groups are increasingly attempting to bribe banking employees to facilitate money exfiltration and laundering schemes. A notable case involved the creation of a fake charity, complete with bank accounts and a convincing website, to siphon money from compromised accounts and buy time for wiring and cashing out the stolen funds. Telecommunication companies, critical to the finance industry, are also prime targets. Compromising telecom network infrastructures allows cybercriminals to profit from activities such as money laundering, premium SMS subscriptions, and SMS rerouting and hijacking. This interest is driven by the widespread use of mobile devices for second-factor authentication and one-time passwords (OTPs) in banking. A 2023 report by the Financial Services Information Sharing and Analysis Center (FS-ISAC) highlighted a 45% increase in attacks targeting telecommunications, underscoring the growing intersection between telecom vulnerabilities and financial cybercrime.

Figure 2: The introduction of new services and technologies presents a significant security threat to telecom organizations from threat actors. The primary attack vector in current telecom networks (4G/5G) is a noteworthy concern. (matrixshell, 2023)

Social engineering attacks, commonly referred to as “SIM Jacking,” have seen a significant proliferation in recent years. In these incidents, attackers target the phone numbers of bank customers whose accounts they have already compromised. They then pose as the legitimate subscribers of the telecommunications company, claiming that their SIM card has been lost. By deceiving the telecom provider, they manage to get a new SIM card issued for the targeted number. This reissued SIM card allows the attackers to authorize financial transactions and steal the customer’s funds.

A variant of this attack involves temporarily rerouting the victim’s phone number, which also grants the attackers access to sensitive information and authorization codes.

The prevalence of these attacks has surged notably, with significant increases in reported incidents in regions such as Russia, Eastern Europe, and North America. According to cybersecurity reports, there was a 400% increase in SIM jacking incidents globally between 2018 and 2022. Specifically, in Russia and Eastern Europe, reported cases rose by 250%, while in North America, incidents more than tripled within the same period.

Comparatively, SIM jacking has become one of the fastest-growing forms of social engineering attacks. In the United States alone, the Federal Trade Commission (FTC) noted that SIM swapping fraud cases jumped from 1,038 in 2013 to over 6,000 in 2020, representing a nearly 500% increase. Similarly, in the United Kingdom, Action Fraud reported a 60% rise in SIM swap scams from 2019 to 2021.

These statistics highlight the increasing sophistication and frequency of SIM jacking attacks, underscoring the need for enhanced security measures by both telecom providers and consumers to mitigate this growing threat.

3- Bank Customers Cyber Attacks

The targeting of users/customers involves the deployment of diverse techniques. Attackers amalgamate and draw inspiration from older yet effective phishing methods, such as the FakeSpy Android banking trojan. Some of these techniques are continually refined, incorporating features that facilitate the automated extraction of pilfered data and funds. A banking malware achieves this through the utilization of an Automatic Transfer System (ATS) engine, enabling the deployment of a web injection script, commonly known as an “inject,” to automatically instigate fund transfers and evade authentication mechanisms.

These browser injects exhibit versatility. Attackers use them to navigate around a bank’s security controls, compel users to install malicious components on their mobile devices, bypass authentication mechanisms, or exfiltrate payment data like credit card information. They can also be employed in social engineering attacks to pilfer personally identifiable information (PII), such as date of birth, mother’s maiden name, and first pet’s name, among others, or autonomously transfer funds to banking accounts controlled by the attackers, often referred to as money mule accounts. Code injections are introduced into a banking website or its components, such as JavaScript libraries or hidden i-frames. Unfortunately, an everyday user can inadvertently trust the content displayed on a compromised website, without realizing that the actual web page has been tampered with.

Figure 3: A survey conducted by Sophos in 2022 among 444 IT professionals employed in the financial services sector. (Checkpoint, 2023)

4- Targeting Infrastructure

Attackers extend their focus to network infrastructures. Unfortunately, numerous components of banking systems, including internal banking systems and point-of-sale (PoS) interfaces, are frequently left exposed on the internet, making them susceptible to opportunistic attacks. Although these components are not primary targets, there have been instances of multiple malware campaigns employing domain name system-changing (DNS) capabilities, using them as launching points to reach their intended targets. Network equipment used by users is tampered with on a broad scale, redirecting users to a DNS server controlled by hackers. This functions as a standard resolver, ensuring users remain unaware of the compromise. When attempting to access a targeted banking website, the attacker-controlled DNS server redirects users to a system under their control, exposing them to phishing and man-in-the-middle attacks.

Figure 4: Cybercriminals obtain credit card details through the installation of automated malware. This malicious software infiltrates networks, systems, and workstations, scanning for unencrypted information belonging to cardholders. Subsequently, this data is sold on the dark web. (Encora, 2023)

5- Targeting Third-Party Companies that Serve Banks

To infiltrate specific banking organizations, attackers often exploit vulnerable points through social engineering attacks. These attacks are a primary method used by hackers to acquire detailed information about the organization’s employees, including their roles and areas of interest. By presenting themselves as legitimate entities, they ensure that their weaponized documents go unnoticed when sent to these employees.

A common approach to gathering employee information involves compromising third-party vendors that provide services to the targeted organizations, such as those managing ATM equipment. Attackers also infiltrate relevant forums or distribution mailing lists. For instance, the Lurk group compromised an online forum for accountants to reach their intended targets. Additionally, attackers analyze data from already compromised systems to gain insights about potential targets. Groups like Cobalt and Silence are known for employing these tactics.

Data from the Smart Protection Network™ (SPN) indicates that Silence has targeted financial organizations in Russia, Belarus, and Vietnam. In comparison, Cobalt remains particularly active within the Commonwealth of Independent States (former USSR countries) and Eastern European nations like Bulgaria. Cobalt is also recognized for compromising the supply chains of banks or financial organizations to ultimately breach their targets’ IT/online perimeters.

Using SPN telemetry, instances were identified where Cobalt attacked companies such as software integrators, financial services firms, and other banks to reach their desired targets. For example, in 2018, a spear-phishing campaign targeted a prominent system/software integrator in Russia, which served as a launching point to attack domestic financial organizations.

Comparative analysis shows that while Silence focuses on direct targeting of financial institutions in specific countries, Cobalt employs a broader approach, leveraging supply chain attacks and targeting a wider range of geographical locations. The increased sophistication and frequency of these attacks underscore the need for enhanced security measures within financial organizations and their associated service providers.

Figure 5: llustration of a phishing email mimicking the domain. (Ironscales, 2020)

While the phishing emails have been discovered in “a few thousand mailboxes” thus far, the Ironscales report indicates that nearly 200 million Office 365 users could be vulnerable, as the messages originate from a spoofed domain that is an exact replica of the domain. The spear-phishing emails have currently targeted Office 365 users in various sectors, including financial services, healthcare, insurance, manufacturing, utilities, and telecom industries, as per the report. In this campaign, the perpetrators are likely aiming to obtain users’ credentials.

“This spear-phishing campaign poses a significant risk to companies, as even the most cautious employees — those skilled in checking sender addresses — are likely to perceive the message as authentic,” noted Lomy Ovadia, a researcher with Ironscales, in the report released on Monday.

6- Exact Domain Spoofing Technique

In the uncovered phishing campaign, Ironscales identifies the use of an “exact domain spoofing technique,” where emails are sent from a fraudulent domain that precisely matches the spoofed brand’s domain.

“The attackers crafted a realistic-looking email from the sender ‘Microsoft Outlook,’ urging users to utilize a relatively new O365 feature that enables the retrieval of emails mistakenly marked as phishing or spam messages,” state the researchers. The fraudulent messages employ urgent and somewhat fear-inducing language, designed to prompt users to click on a malicious link without hesitation. According to the report, the link purportedly redirects users to a security portal where they can review and take action on ‘quarantined messages’ captured by the Exchange Online Protection (EOP) filtering stack, a feature available since September. Clicking the link directs users to input their legitimate Office 365 login credentials on a fake login page, leading to the harvesting of usernames and passwords, likely for sale on darknet forums. The report highlights that these phishing emails managed to bypass secure email gateways implemented by the targeted companies to prevent such attacks.

“The reason [secure email gateways] traditionally stop exact domain spoofing is because, when configured correctly, this control aligns with the domain-based message authentication, reporting & conformance (DMARC), an email authentication protocol specifically built to prevent exact domain spoofing (SPF/DKIM),” states the report. However, in this case, Ironscales researchers found that Microsoft servers currently do not enforce the DMARC protocol, meaning these exact domain-spoofing messages are not flagged by the security controls in Office 365, according to the report.

7- Spoofing Attacks

In the banking sector, a spoofing attack involves cybercriminals creating deceptive emails, websites, or messages that mimic legitimate communication from banks. These fraudulent communications aim to trick individuals into divulging sensitive information or performing unintended actions, ultimately leading to unauthorized access or fraudulent activities in financial accounts. Vigilance and robust cybersecurity measures are essential to counter these deceptive tactics.

Figure 6: An illustration steps for spoofing attack (HeimdalSecurity, 2022)

Since the beginning of the COVID-19 pandemic, security experts have warned that fraudsters and cybercriminals are increasingly exploiting spoofed websites of prominent brands and government institutions. This trend has accelerated, posing significant risks to individuals and organizations alike.

a) In October 2020, security firm Proofpoint uncovered a phishing campaign that spoofed the U.S. Election Assistance Commission domain. This campaign aimed to harvest banking credentials, account data, and vehicle identification information from unsuspecting victims. Such targeted attacks highlight the sophisticated methods employed by cybercriminals to exploit trust in official institutions.

b) In November 2020, the FBI identified nearly 100 spoofed websites using variations of the agency’s name. These fraudulent sites are potentially used for disinformation campaigns and credential theft. The sheer number of these spoofed websites underscores the scale and persistence of cyber threats during the pandemic.

c) Also in November 2020, researchers at Abnormal Security discovered a phishing campaign that spoofed the U.S. Internal Revenue Service (IRS) domain. This campaign aimed to deceive victims into sending money to fraudsters, leveraging the authority and trust associated with the IRS to manipulate individuals.

Comparative analysis reveals a significant increase in the use of spoofed domains for phishing and fraud during the pandemic. For instance, a report from the Anti-Phishing Working Group (APWG) showed a 220% increase in phishing attacks from Q1 to Q3 2020. This surge correlates with the rise in remote work and increased online activity, providing more opportunities for cybercriminals to exploit.

Moreover, the focus on high-profile targets such as the U.S. Election Assistance Commission and the IRS indicates a strategic shift towards leveraging trusted institutions to maximize the impact of phishing campaigns. This is a notable evolution from earlier phishing tactics that often targeted less prominent brands and institutions. The increasing sophistication and prevalence of these spoofed website attacks during the COVID-19 pandemic highlight the urgent need for enhanced cybersecurity measures and public awareness to mitigate the risks posed by these evolving threats.

8- Conclusion

In conclusion, the escalating threat of cyberattacks poses a substantial financial risk to institutions, with potential annual losses estimated between US$100 to 300 billion. Recent incidents, such as the compromise of SWIFT infrastructures resulting in $87 million in collective losses over three years, underscore the severity of the issue. The evolving landscape of cyber threats demonstrates heightened persistence, sophistication, and impact, driven by attackers exploiting vulnerabilities, consumer awareness, and improved security measures. Sophos’ 2022 survey reveals ongoing concerns within the financial sector regarding these evolving strategies and tactics. Cyber-criminals, once focused on bank customers, now target large business organizations’ employees, emphasizing the need for adaptive defense mechanisms. Telecommunication networks become lucrative targets, and the rise of social engineering attacks like “SIM Jacking” further amplifies risks, especially in regions like Russia, Eastern Europe, and North America. The multi-faceted assault on bank customers involves refined techniques, such as utilizing banking Trojans and automated transfer systems. Code injections into banking websites exploit vulnerabilities, emphasizing the importance of user awareness and security measures. Network infrastructure is not immune, as exposed components become points of attack, potentially leading to phishing and man-in-the-middle exploits.

In the broader context, the escalating use of spoofed websites by fraudsters during the COVID-19 pandemic underscores the persistent threat. Security measures must adapt to counter evolving tactics, emphasizing the importance of proactive cybersecurity strategies, ongoing research, and collaboration within the industry to safeguard against financial losses and protect sensitive information.