Q&A with Cyber Threat Research Analyst Pablo Castillo
The impact of COVID-19 on the cybersecurity of businesses and individuals alike is well documented. Organizations that hold treasure troves of data, such as financial institutions, are especially vulnerable during this time. To learn more, I recently met with Pablo Castillo, Cyber Threat Research Analyst at Constella Intelligence, to gain insight into cybersecurity in the financial world amid COVID-19.
Pablo is passionate about cybersecurity and keeps himself abreast of trends and developments of cyberattacks and applies this knowledge to each of his investigations.
Below is Pablo’s perspective on COVID-19’s impact on cyber threats at financial institutions.
Have you seen a surge in cyberattacks targeting financial institutions since the onset of the pandemic?
Absolutely, and this is not just something that we at Constella Intelligence have noticed. The House Financial Services subcommittee held a hearing in June 2020 regarding cyber threats facing financial firms. “In this time of suffering and hardship for so many, we are seeing criminal actors here and at home and around the world redoubling their efforts to target families, financial institutions, and even governments,” said subcommittee Chairman Emanuel Cleaver (D-Mo.). “It is abundantly clear that our financial security systems are being taxed right now.” Further, software company VMware reported a 238% surge in cyberattacks against banks between February and April of this year.
Cyberattacks carried out by criminal groups/networks against almost all high-activity sectors have increased in the wake of COVID-19, according to experts from organizations such as Europol and Interpol. Financial institutions, however, are an especially attractive target for criminal groups whose objective is to profit during this uncertain time.
As time is running out for cybercriminals to take advantage of the vulnerability that comes with teleworking, they are tripling their efforts in all types of fraud cases. As a result of these attacks, Constella has observed an increase in activity in dark web forums and markets, namely the sale of stolen credentials and documentation, credit cards and even tools to exploit physical devices (e.g., ATMs for carding) or communications software (e.g., “Zoom” messaging application).
What are the most common types of attacks facing financial institutions?
Constella has observed that most of the attacks facing financial institutions have started from “malware infections” infecting devices with malware through other types of attacks, like phishing, to later take advantage of having access to an individual’s personal or corporate device. Cybercriminals are mostly using phishing scams, card vendors, ransomware and DDoS attacks against financial institutions. But, these are not the only threats. News of banking malware that affects users of online banks is increasing in frequency, and threat actors base their infection mechanism on the fact that almost everyone is using video conferencing software to replace work and personal meetings. For instance, domain registrations with “Zoom” included in the name have increased during this lockdown period; many of these sites supposedly offered the download file (installer) of this software when what they were really doing was offering an executable file (malware) that guaranteed the threat actor complete control over the victim’s computer. As a result, threat actors are able to perform bank transfers while remaining undetected.
Phishing attacks have not changed in terms of content or form, but have taken advantage of the COVID crisis so that people who are susceptible to this issue act recklessly and provide an entry vector for their company’s assets. For example, Constella has identified an increase in cases of CEO phishing to employees, where the identity of the CEO is impersonated (to gain access to confidential data or redirect bank transfers to malicious bank accounts). In terms of “cost-effective fraud,” this is the most profitable type of attack for cybercriminals, along with the recently well-known BEC attacks (Business Email Compromise) that use email fraud to target commercial, government and non-profit organizations.
DDoS attacks on all types of institutions (health, energy, education, stock trading and banking sectors) have also increased dramatically. Cybercriminals are taking advantage of the fact that many offices are under siege and IT support is being provided, in many cases, virtually. This has been a wake-up call for these companies to update their “mitigation” security measures for an attack of this nature. It is simply a matter of investment, as maintaining an infrastructure for mitigation of DDoS attacks is costly. However, companies should consider that, as with antivirus software, these services are not contracted to solve a “current” problem, but rather to prevent a future attack in an undetermined time frame.
We should, however, not only focus on how a company’s corporate network can be affected (Cybersecurity) but expand this concept to what we call Cybersafety, which aims to encompass the human facet of companies (customers and employees); customers are the direct and indirect targets of many of these types of fraud. For example, a DDoS attack against a financial institution can freeze the operations of many customers. A mass phishing email impersonating a banking branch can put the accounts of many customers of that bank at risk.
Last but not least, companies in the financial sector should be aware that, due to these incidents, the volume of banking information (customer bank accounts) for sale on the Deep and Dark Web has also increased in recent months, thus becoming another concern of such institutions during the pandemic.
Are there long-term effects to the recent spike in cyber-attacks?
When observing fraud incidents, most attacks are not going to be isolated incidents in terms of time, resources employed and data obtained. Rather, these attacks are the prelude to future, more sophisticated attacks that use information obtained from a previous cyber-incident to give credibility to future attacks. For example, companies that have their employees access the company network or corporate resources from their homes and specifically from their personal devices. This is one of the typical use cases where a company can be affected by malware due to a “single” worker accessing the company’s resources from an infected personal computer on their home network. This puts the entire company at risk of becoming the main attack vector for a subsequent ransomware attack, in which all the computers and servers of a company are encrypted and the attackers demand a ransom from the company to recover this information.
What are the opportunities for an offensive approach to prevention versus a defensive approach using an identity intelligence platform?
While it is true that there has been a sharp increase in cyber threats due to this pandemic, I firmly believe that, if you had to identify a silver lining, companies are beginning to act more proactively in terms of threat monitoring, training and awareness of their employees in cybersecurity. Monitoring is the key to detecting incidents in time and being able to act accordingly. This must become a key pillar and investment for companies in the coming months and years if they want to armor themselves against this type of threat. We must always remember what “Adversary Driven Intelligence” means; behind a cyber-attack, there is always a “threat actor,” so knowing your adversaries is the best defense possible to fight these threats.
Also, teleworking should not be an excuse for companies to neglect cyber training. If we have learned anything from this situation, it is that in order to avoid many of the threats that base their success on the human factor, more time/resources must be invested in cybersecurity training for both workers and the board of directors of any company.
How can banks and financial services organizations identify, prevent and detect cyber risks at this time?
Training employees is key to preventing cyberattacks. However sophisticated these attacks may be, many of the fraud attempts we see today depend on “human error” to break down a company’s defenses and access confidential information. It is important to be able to identify these attacks so that a situation as unusual as this current pandemic, which forces companies to have a large part of their staff teleworking, does not become the beginning of a continuous chain of attacks against them.
It is also clear that not all threats can be avoided through “education.” As we have already mentioned, now more than ever, it is essential to have a tool that can monitor the most recent security incidents so that a threat can be identified before being exposed to it. That way, there is some room for maneuvering so that the company (e.g., in cases of phishing) can act proactively and take down the sites even before they become a high threat. An example is the recent banking malware (Vizom) that has affected online banking users in Brazil through a masking technique called DLL hijacking to sneak into legitimate directories on Windows-based machines.
In any case, the risk of suffering a cyber attack or being affected by fraud is always there. As we have seen, you are never completely protected against the large number and variety of attacks from which you can suffer, not only as a company but also as an individual. Today’s cybercriminals have a wide range of new corporate software and hardware that can be exploited at any time (after a security update to these applications, as an example), and if the current pandemic continues, all companies will have to establish protocols to deal with these growing threats, in order to be as well informed as possible and anticipate such attacks.
What is Constella Intelligence doing to help financial institutions during this challenging time?
Constella has tracked a significant increase of cyber-attacks on financial institutions during this pandemic, through our investigations platform with the largest breach data collection on the planet — over 100 billion attributes and 25 billion curated identity records.
Read more about how Constella Intelligence can help you prevent cyber-attacks and Protect Thousands of Employees & Executives with Dome.