Penetration Testing, Social Engineering, Bank Security
Thursday, January 03, 2008
Sophisticated Attacks on Community Financial Institutions Increasing!
By Gale Yocom
©2007
In today's high-tech world, maintaining the privacy and protection of
customers' and employees' information grows more and more difficult, particularly
for financial institutions. These days scammers are getting bolder and
more brazen in their efforts to get personal information from banking customers
as they aggressively target smaller, locally owned community financial institutions.
In fact, a recent customer reported a complex, malicious, and targeted
attack on their institution's customers and employees. A
well-recognized website that tracks phishing activity trends reported that financial
institutions saw a continuing rise in phishing activity, with 92.5% of attacks
targeted at financial institutions.
On average, a phishing site stays online for 3.8 days. The number of days
online matters because the longer a site remains up, the more
opportunities the scammer has to gather personal information. It is imperative
that we are prepared for this type of incident and for the response that is needed.
Phishing and Pharming Attacks
There was a time when only the larger financial institutions such as Wells Fargo
were targeted for phishing and pharming scams, but that's no longer
the case. The increase in phishing attacks on community financial institutions
stems from the fact that smaller financial institutions are simply more profitable
targets and are usually less protected from fraudulent activities.
As mentioned above, one of our local community financial institutions was hit
with a complex and sophisticated vishing/pharming/phishing telephone scam that
focused on customers as well as on the bank's employees. Fortunately, we
have been preparing our client for years for these types of attacks, so they
were on the alert and the attack caused minimal disruption.
Sharp customers and employees recognized that the e-mail messages were a scam because
of poor grammar and content, in addition to the salutation being addressed to
"member" or some other nondescript person. A genuine message from a
financial institution always addresses the customer by their full name. Furthermore,
the scam messages did not provide a means for contacting the institution if there were any
questions, but instead told the customers and employees not to reply.
No legitimate institution would ever tell you not to reply.
But even with preparation and after years of working in the Internet security arena,
we were surprised at the combination of attack vectors used.
Combination of Attack Vectors
The scammers used a variety of strategies, starting with a mass e-mail and
pharming scam built with a do-it-yourself phishing kit in an attempt to steal
personal information. The initial attack was then followed up with telephone calls to
certain area codes from spoofed numbers, a technique called vishing.
And the attackers did not stop at pharming, phishing, and vishing tactics aimed at
stealing valuable information such as credit card numbers, Social Security numbers,
IDs, and passwords.
The scammers also used spear phishing, an e-mail spoofing fraud that targets
financial institution employees in an attempt to gain unauthorized access to
confidential data. Because of the bank's watchful eye, they caught it in time, but
these types of attacks are getting bolder and more commonplace and require a great
deal more vigilance in keeping personal information away from scammers.
Why Customers Are Fooled
Approximately 19% of recipients respond to spear phishing, which today is one of
the most menacing threats to Internet users. Unfortunately, users do not clearly
understand the importance of checking for authenticity, which should include
looking for specific indications that the site they are being sent to is secure.
As a busy society, we are so focused on getting the job done quickly and
efficiently that we often don't check for important clues, which is why many users
receiving messages or paying bills online don't watch for the clues that
indicate whether an e-mail message or site is fraudulent.
An Incident Response Plan
These scams are on the rise in financial institutions, but if a financial institution
is prepared, and in today's world it has to be, the consequences will
be minimal. In the event of phishing and pharming scams, staff members in a
financial institution should know how to deal with this type of situation effectively.
To ensure the customers' safety and privacy, an incident response plan should
be in place; examiners also require one. The plan should include
an organized approach to how the problem is going to be handled as well as
a clearly laid out plan to address the situation.
The following should be considered in regard to an Incident Response Plan:
- Start by assessing the situation so that you know exactly what your bank
is dealing with; if an incident has occurred, it's usually up to the CEO
and CIO to handle the overall incident response along with members of a CSIRT.
- Fight the attacker
- Educating the end user
- Redirecting pharming clicks to an education page (most attacks are pulling
images from your site)
- Attempt to shut down the phishing site yourself
- If needed have a competent vendor to respond to the situation for counter
attack; this helps identify who will take down the website as well as which
agencies to contact.
- Exploit the phishing website
- Communicate with customers
- Post Bulletins on Website to ensure customers are aware of the situation
- Have employees assure customers that security controls are in place for the
institution.
- Contact authorities such as Secret Service, FBI; in addition, contact
Financial Service Vendors for support on abnormal activity on customer accounts.
- Feed bogus information to the pharmed sites.
- Review abnormal activities on Customer Accounts and bogus accounts
- Engage third-party monitoring companies
This is not intended to be a complete incident response plan, but to trigger the thought
process on items to be covered.
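The "redirecting pharming clicks" item above works because a lookalike page usually hotlinks its images from the real site, so the bank's own web logs show the phishing host in the Referer field. The following is an added example, not part of the original article, that runs that check over constructed combined-format log lines; the bank domain examplebank.example and the lookalike host are assumed placeholders, and foreign_referer_host is also the decision a web handler would make before serving an education page instead of the real image.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format (Apache/nginx default): host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg", ".ico")


def foreign_referer_host(referer, own_hosts):
    """Return the referring host if it is not one of our own domains, else None."""
    # An empty or "-" referer is not evidence (direct load, bookmark, privacy-stripped browser).
    if referer in ("", "-"):
        return None
    host = (urlsplit(referer).hostname or "").lower()
    # Our own domain and any subdomain of it (www., online., ...) are legitimate.
    if not host or any(host == o or host.endswith("." + o) for o in own_hosts):
        return None
    return host


def foreign_image_referers(log_lines, own_hosts):
    """Count image requests per foreign referring host (the hotlinking pattern of a lookalike page)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0].lower()  # drop any query string
        if not path.endswith(IMAGE_EXT):
            continue
        host = foreign_referer_host(m.group("referer"), own_hosts)
        if host:
            hits[host] += 1
    return hits


# Constructed sample log lines (not real traffic); .example is a reserved TLD.
OWN_HOSTS = {"examplebank.example"}
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jan/2008:10:15:02 -0600] "GET /images/logo.png HTTP/1.1" 200 4521 '
    '"http://examplebank-secure-login.example/verify.php" "Mozilla/4.0"',
    '198.51.100.8 - - [03/Jan/2008:10:16:11 -0600] "GET /images/header.gif HTTP/1.1" 200 1024 '
    '"-" "Mozilla/4.0"',
    '203.0.113.9 - - [03/Jan/2008:10:17:30 -0600] "GET /images/logo.png?v=2 HTTP/1.1" 200 4521 '
    '"http://examplebank-secure-login.example/verify.php" "Mozilla/4.0"',
    '203.0.113.9 - - [03/Jan/2008:10:17:31 -0600] "GET /about.html HTTP/1.1" 200 9000 '
    '"http://examplebank-secure-login.example/verify.php" "Mozilla/4.0"',
]
```

Run it as `foreign_image_referers(SAMPLE_LOG, OWN_HOSTS)`; the hosts it returns are candidates for the take-down and agency-contact steps listed above.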
Preventative Actions
At one time or another your institution will be affected by a fraud scam. Therefore,
the most effective preventive actions are being prepared with a good response plan
for employees, providing customer education, and having the resources (either
in-house or outsourced) to handle the problem efficiently and effectively.
Prevention, of course, is the primary way of keeping phishing and pharming scams at bay.
As a preventive measure, customers who use online banking at any
financial institution should be warned to use caution when opening any type of e-mail
with links that appear to come from their financial institution. Even if the message
looks legitimate, prudence is always best. Educate customers to be proactive rather
than reactive.
Alert customers not to click any links that arrive in e-mails, especially if they
appear at all suspicious. In addition, if the customer has any doubt about an
e-mail message, advise the customer to call their financial institution directly to
determine whether it could be a phishing or pharming scam.
Provide customers with security awareness training by developing a web page about
information disclosure, and set up a closely monitored e-mail address at your
institution where customers can report suspicious activity.
About the Author
Mr. Gale Yocom is a recognized technology expert and President of the Dallas-based
security specialist company Covetrix. For the past ten years his company has
provided full-service networking and security solutions to government entities,
financial institutions, and commercial businesses across the U.S. Performing security
audits, penetration testing, and implementation of security controls, he brings a wealth
of knowledge and information to Internet security.
Mr. Yocom is known for effectively uncovering weaknesses in institutions'
security practices and has impressively strengthened the security posture of
many financial institutions. Mr. Yocom can be reached at
gale@covetrix.com or on the web at www.covetrix.com.