Banking Frauds of 2013

December 3, 2013 by Ryan Mazerik


Technology has changed the way that we work and operate; the flood of advances that we see daily are mind-boggling in their variety and quantity. While technological advances are necessary for the advancement of our race, they can also bring with it a slew of other problems.

The major culprit is the massive amount of information that we can now store and collect; with so much data in our hands, it is easy for persons with malicious intent to misuse such information. Information is a commodity and the public would much rather that other people manage it for them. All kinds of companies collect information about their users to make it easier and more efficient for them to operate. The financial sector is responsible for managing the information and money of thousands of users around the world and this makes them highly susceptible to cyber-attacks. This sector consists of institutions that manage our money, including banks, accounting firms, insurance firms, investment funds, etc.

The financial sector is constantly targeted because “that’s where the money is.”

The major cyber-attacks that have been carried out against the financial sector are shown in the image shown above (MacAfee Threat Report). As shown in the image, several attacks were carried out in the span of two months; this is a highly disturbing turn of events.

A few months ago, some major banks, including JP Morgan and Bank of America, participated in the “Quantum Dawn” exercise, which simulated an attack in order to study the outcome when hackers penetrate a stringent security area.

This exercise was orchestrated by the SIFMA (Security Industry and Financial Association) and the attack was run for a period without affecting any real systems. The goals were to degrade the performance of the system, steal money, and develop an understanding of the operational readiness of the industry to function after an attack. The cyber-attack scenarios planned were:

  • Creation of an automatic sell-off in target stocks by using stolen administrator accounts
  • Introduction of counterfeit and malicious telecommunication equipment to divert attention and slow the investigation into the automatic sell-off
  • Substantiation of the price drop by issuing fraudulent press releases on target stocks
  • Disruption of governmental websites and services through a distributed denial of service (DDOS) attack
  • Corruption of the source code of a financial application widely used in the equities market
  • Degradation of the credibility of an industry group by sending a phishing email to harvest user names and passwords and submitting false information on the attack
  • Disruption of technology service by unleashing a custom virus with the goal of degrading post-trade processing

    The recommendations issued by SIFMA after the tests were:

    • Enhance the existing sector response playbook to better account for a securities industry specific incident with the goal of strengthening the integration among industry groups, market participants, and government agencies.

    • Improve coordination between business and technology leaders during cyber-incident analysis and response.

    • Enhance the role of exchanges, clearing firms, and trusted government partners in cyber incident response and crisis management. Increase awareness about government resources available to assist the sector.

    • Augment existing guidelines and decision frameworks to determine if cyber-incidents are systemic in nature.

    • Invest in next-generation capabilities to support systemic risk analytics, information sharing, and crisis management.

    • Institutionalize procedures for the market open/close decisions during times of cyber incident response and crises.

    • Enhance protocols to promote increased communication and information sharing among market participants.

    • Formalize public awareness and communications strategies with a view to promote trust and confidence in the markets

Threats to the Financial Sector

Threats to the financial sector range from extremely complex to ridiculously simple; some of the major threats faced by the sector are given in greater detail below.

Distributed Denial of Service Attacks (DDoS)

DDoS attacks are the most common form of attack against financial institutions. Companies where customer support is required 24×7 are helpless if their website has been put offline. Huge amounts of money can be lost by even a minute offline; this makes DDoS attacks one of the most important types of attacks to mitigate. A DDoS makes use of several hundred thousand infected hosts or zombie computers to perform a massive attack against an entity on the internet. DDoS attacks are generally carried out by large botnets that can spam the victim computer. This makes it difficult for legitimate users to access the same website or service, as it is being inundated with bogus traffic.

Conventional traffic management software, such as routers and firewalls, cannot manage or block the massive amount of data that is generated by such attacks. The last year saw one of the largest DDoS attacks ever seen on the Internet; the DDoS was carried out against the anti-spam agency Spamhaus. The traffic seen this attack was around 300Gbs.

There are several types of DDoS attacks; some of them are listed below:


This extremely dangerous attack is used against web servers. It works by sending fragmented HTTP packets to the server to create a connection. Then this connection is kept open by sending more fragmented packets at fixed intervals, the web server thinks that the connection is legitimate and waits for the full HTTP header which never arrives. This process is carried out several times to use up the connection limit of web servers, thus preventing new legitimate users from accessing the website as all the connections in the queue are being used up by the attacker. The Slowloris attack was first performed as a simple Perl script but newer variants are popping up all over the web.

SYN Floods

A SYN flood is a commonly employed method when performing DDoS attacks. This attack makes use of loophole in the TCP protocol. The TCP protocol requires a three-way handshake to ensure that a connection can be established and this attack exploits that requirement. The attacker sends a flood of TCP/SYN packets, usually with a forged source IP. The victim server thinks that these are legitimate packets and sends an ACK to the source IP address in the packet. The ACK from the client never reaches the server because the source IP has been spoofed; the server unknowingly creates a half-open connection and continues to wait for an ACK. In a distributed scenario, hundreds of thousands of SYN packets hit the server, using up server resources quickly and denying service to legitimate users.

Phishing Attacks

A phishing attack is another very popular method employed by malicious hackers to gain unauthorized access to enterprise systems. Phishing attacks are relatively simple to execute but are very effective. The resources and skill required to perform such an attack are very low. A phishing attack employs a certain amount of social engineering to lure the victim into performing an action that may compromise the security of his/her computer. This action may be as simple as clicking on a link provided in an email that looks legitimate.

Email phishing is by far the most common variant of phishing attacks: Attackers try to trick users into clicking a link or button by mimicking an official looking email. Once the user clicks such a link, he will be redirected to another site of the attacker’s choosing. This can then be used to infect the user with all kinds of exploits.

Online Banking Fraud

Man in the Middle (MiTM) Attacks

This is a very common method for carrying out online banking fraud. In this method the attacker waits between the user and his/her destination. The user does not know that all his traffic is actually passing through a third party, so the attacker can then employ traffic capture software to store the victim’s traffic. This can yield all sorts of information, such as passwords for online banking services, credentials for credit card transactions, etc.

Man in the Browser (MiTB) Attacks

This attack is more difficult to execute and is also more dangerous. It involves exploiting weaknesses in a user’s web browser. Web browsers are applications that are used to access and view websites and many web browsers have vulnerabilities that can be exploited. This is generally done with the help of shellcode or malware; once the attacker has access to the browser, he can trick the user into entering his credentials for any online service by injecting HTML code. The beauty of such an exploit is that there is no way for the user to know if the page is legitimate or not, as the exploit works on the client side. Authentication mechanisms such as SSL/TLS are ineffective in stopping such attacks because they are server-based.

SQL Injection

Another extremely common attack is SQL injection. This attack works by exploiting database queries. When developers create websites, they may not properly sanitize user inputs. This allows a malicious attacker to inject his own sub-queries into legitimate queries coded by the programmer. Entire databases can be dumped by the attacker. This is extremely dangerous to the financial sector, as they constantly deal with large of amounts of confidential user data that is stored in these databases.

ATM Skimming

ATM skimming is another popular method of exploiting financial organizations, banks in particular. An ATM (automatic teller machine) is a popular method for withdrawing cash from bank accounts without the hassle of standing in a bank queue. This popularity also makes an ATM a prime target for malicious activity.

This is done with the help of ATM skimmers: A skimmer is an electronic device that is placed on ATM machines by malicious attackers. This machine is designed to look as if it is part of the ATM machine itself, but when an unsuspecting user uses the ATM, his/her card details are stolen. The attacker can then use these credentials for withdrawing money and online transactions.


Hackers will lure the customer to think they are from the trusted organization to get the phone number, name, expiry date, and credit card CVC number. These data will be used to purchase items internationally or will be sold to a third party for planned crimes. Security awareness needs to be taught to all users who own a credit card.

Preventing Financial Fraud

Financial fraud is very common, but our defenses against such attacks are inadequate. In order to prevent financial fraud, several mechanisms and standards must be put in place. Some of these are mentioned below.

PCI DSS Compliance

The payment card industry data security standard (PCI DSS) is an internationally approved security standard for payment card systems. It is defined by the Payment Card Industry Security Standards Council. The standard is used to ensure that payment card systems adhere to a set of strong security policies. The banking sector should ensure that it is PCI DSS-compliant to prevent external malicious actors from siphoning funds from their banks using ATM skimming, credit card fraud, etc.

The standard includes the following requirements

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

FIPS Compliance

The Federal Information Protection Standard was developed by the United States government for use in computer systems. Several FIPS standards have been released but the financial sector should work to ensure its compliance to the FIPS 140-2 mandate. The FIPS 140-2 mandate stipulates the use of high-end cryptography for all network communications leaving the network, i.e., all communications leaving the server should be encrypted using cryptographic ciphers mandated by the standard.

FIPS compliant cryptographic algorithms include AES, DES Rijndael, etc.

A network that is FIPS 140-2 compliant should have a mechanism to perform high levels of cryptographic computations for all of the traffic on the network. It is preferable if these operations are delegated to specialized pieces of hardware, such as hardware security modules. Such devices are tailored to handle large amounts of cryptographic permutations; this causes a significant increase in performance.

FIPS 140-2 defines 4 levels of security namely:

  • Level 1
  • Level 2
  • Level 3
  • Level 4

Increasing levels indicate a much higher level of security that is much more difficult to break compared to the previous level.

Phishing and DNS Poisoning Prevention

Phishing attacks, as mentioned before, are extremely popular with malicious hackers due to their ease of use. They can only be properly contained by user awareness, so employees must be trained to distinguish between legitimate and illegitimate information.

DNS poisoning is another type of attack that is used to redirect users to malicious websites. This is done by poisoning the cache of the DNS servers, thus these attacks are also called DNS cache poisoning attacks.

DNS poisoning can be prevented by ensuring that DNS servers are properly configured and are patched against the latest vulnerabilities. Making use of DNS security extensions (DNSSEC) allows DNS servers to authenticate DNS requests and thus prevents them from responding to bogus DNS requests from malicious actors. This works by adding an extra digital signature to DNS requests for certain types of DNS transactions are not spoofed.

DDoS Defense

DDoS defense is essential to any enterprise, but the financial sector is particularly susceptible to this line of attack. There are several mechanisms for DoS and DDoS prevention but none of these may be 100% effective if the volume of traffic exceeds a certain amount. We may not be able to prevent the attack completely, but we can mitigate its consequences. Some mitigation strategies are given below.

  • Firewalls can be used to act as a choke point for illegitimate traffic from botnets. However, they must be implemented in a manner that does not cause the rest of the network to suffer when the incoming traffic is too large for it to handle.
  • Use of load balancing can pass the load that occurs to the other cluster and maintain fault tolerance. The efficiency of the server also will not be degraded by using this method of protection.
  • CAPTCHA can be used to prevent DDoS to an extent; each time a CAPTCHA page is loaded, some processing is required to load the website completely.
  • Blackholing and Sinkholing—Blackholing involves sending the excess traffic entering a network to a location that is not existent, i.e., to an invalid location, hence the term black hole. Sinkholing is similar, but it sends excess traffic to a valid location that analyzes the packets and drops them if they are illegitimate.
  • Clean Pipes—”Clean pipes” refers to the method of cleaning all traffic by sending it to a clean pipe before entering the network. This traffic is then scrubbed/cleaned, using several methods, such as proxies, tunnels, etc., that detect legitimate traffic and send it forward while dropping illegitimate traffic. This is usually implemented at the ISP level.


Posted: December 3, 2013
Ryan Mazerik
View Profile

Ryan has over 10yrs of experience in information security specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants of these offerings to expand security delivery capabilities.He has strong passion in researching security vulnerabilities and taking sessions on information security concepts.