A recent Congressional Research Service report on cybersecurity in the financial services (finserv) sector has highlighted the elevated IT risks that banks and fintechs face. The report found that 25% of malware attacks target finserv companies and that cybercrime costs are around 40% higher in this industry than the average across all commercial sectors.
All told, the financial industry ranks as the third-most targeted sector by adversaries, with threat actors preying on finserv customers, employees, institutional vendors and, increasingly, the firm’s IT stack itself. In this threat landscape, a recent survey found that more than 70% of financial institutions (FIs) reported losing at least $500K to fraud last year. Within the finserv category, fintechs that specialize in online lending are the most often compromised by threat actors.
But it’s not just bank customers who are being targeted. Lasting labor and IT shifts fueled by the COVID-19 pandemic have made financial firms and their personnel more vulnerable than ever. In the hybrid-work and ‘bring-your-own-device’ (BYOD) era, bank and fintech employees increasingly find themselves targeted by a plethora of different phishing lures and business email compromise (BEC) scams. Today, cybercriminals linked to North Korea have even been identified posing as legitimate job applicants to get hired by crypto exchanges.
There have also been cases where North Korean threat actors offered employees at decentralized finance (DeFi) firms fake jobs in order to compromise their devices, steal their credentials, and make off with over $500 million worth of crypto. The lasting legacy of the pandemic has vastly expanded the enterprise attack surface, as financial organizations have been forced to accept that trends like hybrid work, BYOD, and digital-first operating models are here to stay.
Accompanying these labor and digital consumer shifts are the cyber-risk tremors left in their wake. On the labor side, remote networking technologies like Remote Desktop Protocol (RDP) and Remote Desktop Services (RDS) are being aggressively targeted by ransomware actors, who use scanning tools to find unpatched, internet-exposed instances, or who log in with stolen employee credentials purchased on the dark web. Another prime target category on the operational side is the firms’ IT supply chains.
As financial organizations have gone increasingly digital, so too have their dependencies on third-party applications and API partners, amplifying their exposure to their partners’ intrusion vectors. In this piece, Resecurity will offer cybersecurity predictions for the finserv and payments sector in 2023, homing in on mobile malware, rising attacks targeting digital identity onboarding and authentication portals, and the rapidly evolving supply-chain risk landscape.
Malware Targeting Banking & Payment Apps Gains Persistence
As Resecurity’s research has shown, mobile malware actors are becoming more innovative and artisanal in the design of malicious smartphone applications. Threat actors’ growing focus on mobile banking malware aligns with post-pandemic shifts in consumer financial behavior: recent studies have shown that nearly three-quarters (72%) of consumers use a mobile banking app today.
Dovetailing with this study are separate findings revealing that 44% of U.S. consumers use peer-to-peer (P2P) payment apps like PayPal and Venmo at least once a week. Lingering cost pressures caused by rising inflation are leading to even greater payment app usage by adults in the U.S. and beyond. Savvier financial threat actors are simply tailoring their attack methods to rising consumer adoption of mobile fintech.
InTheBox, the only darknet e-commerce community focused exclusively on mobile malware, represents the most significant threat in the new world of mobile-first finserv. Far beyond the basic ‘infostealers’ ubiquitously promoted on standard hacker forums, webinjects trafficked on the InTheBox website signal an evolutionary leap in adversarial technology and tradecraft. Webinjects are effectively ‘man-in-the-middle’ attacks that alter website or mobile app content before it renders on a victim’s screen.
When victims enter their account credentials into counterfeit login forms, webinject malware captures the privileged user access data and transmits it to threat actors, enabling them to conduct Account Takeover (ATO) fraud. In 2021, ATO fraud siphoned $11.4 billion from consumers across all industries, according to research published last year.
Assessing attack-rate data from the third quarter of 2022, ATO losses could be higher than last year’s, with fintechs leading the way, recording a 71% annualized increase in attempted takeovers through the reporting period, according to a separate study. More troubling still, security journalist Brian Krebs reported last fall on how large U.S. FIs are “stiffing” ATO victims, citing a Senate inquiry into consumer complaints about fraud on the Zelle P2P payment app.
InTheBox webinjects have been particularly effective because the developers who sell their malware on this forum constantly monitor and adapt to the latest bank app design and interface updates. This fastidious craftsmanship has yielded expert-level forgeries of the end-user experience across a plethora of mobile banking, crypto, e-commerce, and payments platforms.
Beyond meticulous UX knockoffs, some InTheBox vendors offer value-added services like customer support and rapid customization. The latter is particularly helpful in the event of a sudden or unanticipated mobile app update. Some vendors also bundle their webinjects with a backconnect proxy, a technique previously popularized by the Trickbot gang, enabling their customers to steal additional user data.
Meanwhile, more specialized webinjects even empower adversaries to establish remote control over a victim’s device, enhancing the likelihood that thieves will be able to bypass bank and fintech anti-fraud filters. Circumventing anti-fraud fingerprinting technologies can be difficult, as some of these solutions cross-reference over 100 digital and device fingerprints to authenticate user identity.
Obviously, if a threat actor has both the required login credentials and remote control over a victim’s device, they will be much better equipped to execute a successful theft.
Aggravating the threat is the convergence of improved quality of fraudster tooling with the parallel trend of diminished barriers to entry for less sophisticated threat actors.
Reduced friction in mobile malware accessibility all boils down to cybercriminal economics. InTheBox vendors only charge $50-to-$200 per webinject, depending on how popular the FI being targeted is. This pricing model makes InTheBox malware highly accessible to a wide range of threat actors, provided they are accepted as members of the forum by the website’s discerning administrators.
Ultimately, the triad of superior customized malware, improved adversarial market accessibility, and macro-adoption of mobile banking and payment apps by consumers only amplifies the risk of more persistent attacks targeting smartphone-based finserv platforms this year. Krebs’ reporting suggests that bank customers are likely to suffer the brunt of these losses, absent continued pressure from consumer-protection oversight agencies in Washington.
Attacks on Digital Identity Will Proliferate
Dovetailing with the finserv ATO threats posed by next-gen mobile malware is the broader theme of adversaries targeting the foundation of digital identity itself. In fact, total identity fraud losses are projected to hit $635.4 billion this year, according to recent research from finserv consultants Aite Group. In banking, online lending, investing, payments, and e-commerce, the exploitation of digital identity goes beyond the compromise of legitimate, active accounts.
Instead, emergent threats like new account fraud (NAF) and synthetic identity fraud (SIF) are aggressively undermining the integrity of the financial system. The growing adoption of these fraud typologies was fueled by pandemic-era shifts in online consumer behavior, combined with the proliferation of data theft and the monetization of stolen account holder credentials on the dark web.
NAF is an attack vector where threat actors use stolen or synthetic identity credentials to open merchant, banking, credit card, lending, and other accounts. Traditionally, NAF has been a popular conduit to use a victim’s bankable credit history to obtain loans and payment cards.
But recent research illustrates how this attack vector is being repurposed to exploit authentication vulnerabilities in increasingly popular buy now, pay later (BNPL) retail models and in mobile telephone services.
While 2022 NAF data is still being compiled and analyzed, research published last year indicated how this fraud typology increased 109% in 2021, scamming American consumers and FIs out of $7 billion. Alarmingly, more than half of the consumers in this survey (55%) reported that threat actors opened fraudulent accounts in their name at victims’ primary FIs. Meanwhile, merchant accounts like Amazon, Grubhub, and Instacart were the most popular platforms exploited by NAF threat actors in 2021, with 35% of victims reporting that fraudsters impersonated them there.
SIF, on the other hand, is a staging technique that enables the opening of fraudulent new accounts, typically to obtain loans or credit products, using totally false identities cobbled together from a mix of real personally identifiable information (PII) and a variety of false credentials.
Traditionally, SIF schemes have been used to perpetrate ‘bust-out’ fraud, where threat actors establish a new account, slowly build up a credit profile, and even make small payments along the way, until they qualify for a high-enough credit limit, typically $10-$15k. Once fraudsters are eligible for this amount of credit, they bust out and never pay back the FIs or card issuers they borrowed from.
Bankable synthetic identities depend on skillfully manipulated social security numbers (SSNs). Threat actors have increasingly exploited loopholes created by the Social Security Administration’s modification of the way it issued SSNs in 2011, as the agency pivoted to a ‘randomized’ number assignment system.
Today, these randomized SSNs are frequently issued to newborn children and to America’s fast-growing immigrant population, making threat actors’ incorporation of these identifiers into their false profiles difficult to detect with existing anti-fraud technologies. SIFs that use a stolen or marginally altered randomized SSN are particularly difficult to spot because these authentic credentials typically belong to Americans with thin to non-existent credit histories.
The lack of depth and dimensionality in their data and credit profiles means that some identity authentication engines, which verify customers using probabilistic trust-scoring matrices, often miss bad actors exploiting blind spots in onboarding systems. The challenge FIs face is that SIF fraudsters often resemble applicants who are just starting to build their credit histories. Thus, if institutional onboarding filters are too stringent, FIs risk losing out on new business.
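An onboarding-side illustration of this trade-off, added here as example code rather than anything from Resecurity or from an identity-verification vendor: it derives the structural and era-based SSN signals described above, combines them with credit-file depth, and routes only conflicting combinations to manual review so that genuine new-to-credit applicants are not declined. The signal names, the 25-year threshold and the sample applicants are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Public SSA facts: area 000, 666 and 900-999 are never issued, group 00 and serial
# 0000 are invalid, and since June 2011 numbers are assigned at random, with area
# numbers 773-899 existing only under the randomized scheme.
RANDOMIZATION_START = date(2011, 6, 25)

@dataclass
class Applicant:
    ssn: str                       # "AAA-GG-SSSS"
    date_of_birth: date
    tradelines: int                # credit-bureau tradelines on file
    oldest_tradeline_years: float  # 0.0 when there is no credit file at all

def parse_ssn(ssn):
    """Return (area, group, serial) for a structurally valid SSN, else None."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn)
    if not m:
        return None
    area, group, serial = (int(x) for x in m.groups())
    if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
        return None
    return area, group, serial

def sif_risk_signals(a, as_of):
    """Signals suggesting a synthetic identity; each alone has an innocent reading."""
    parsed = parse_ssn(a.ssn)
    if parsed is None:
        return ["ssn_structurally_invalid"]
    signals = []
    age = (as_of - a.date_of_birth).days / 365.25
    if 773 <= parsed[0] <= 899:
        signals.append("ssn_randomized_era")
        # Post-2011-only number held by someone born before 2011: recent immigrant,
        # or a synthetic identity built on a fresh randomized SSN.
        if a.date_of_birth < RANDOMIZATION_START:
            signals.append("ssn_newer_than_birth_record")
    if a.tradelines == 0 or a.oldest_tradeline_years < 1.0:
        signals.append("thin_credit_file")
        if age >= 25:  # assumed policy threshold: an adult this old usually has a file
            signals.append("thin_file_for_age")
    return signals

def triage(a, as_of):
    """Decline only on invalid structure; a thin file alone is new-to-credit, not fraud."""
    signals = sif_risk_signals(a, as_of)
    if "ssn_structurally_invalid" in signals:
        return "decline", signals
    if {"ssn_newer_than_birth_record", "thin_file_for_age"} & set(signals):
        return "review", signals
    return "approve", signals

# Constructed sample applicants (not real people or numbers).
AS_OF = date(2023, 1, 15)
SYNTHETIC = Applicant("812-34-5678", date(1985, 3, 1), 0, 0.0)
NEW_TO_CREDIT = Applicant("123-45-6789", date(2003, 5, 10), 0, 0.0)
MALFORMED = Applicant("666-12-3456", date(1990, 7, 4), 2, 3.0)
```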
Last year, SIF schemes reportedly stole $2.4 billion from the unsecured credit card sector alone. But recent research also suggests that direct deposit accounts (DDAs) could account for an additional $2.48 billion in SIF losses, with many of these frauds conducted via P2P apps in the wake of the pandemic.
DDA estimates bring total projected SIF losses last year to $4.48 billion – and the problem is only projected to get worse in the coming years. Overall, a projected 1-3% of accounts held at FIs and fintech DDAs are believed to have been compromised by synthetic IDs, according to studies.
Growing Digital Dependencies Expand Supply-Chain Attack Surface
While attacks on mobile apps and identity have a more direct impact on consumers, supply-chain attacks pose an existential threat to finserv enterprises and their operational continuity.
As the high-profile exploits of SolarWinds and Kaseya, and the ongoing compromise of unpatched Log4j vulnerabilities, show, the digital supply chain increasingly finds itself under attack from a more sophisticated breed of adversary than the average cyber-fraudster.
For example, U.S. investigators attributed the 2020 cyber-espionage attack on database management platform SolarWinds to Russia’s Foreign Intelligence Service (SVR). SolarWinds also counted numerous financial firms as clients, including the two largest credit card companies, at the time of the breach, although it’s unclear how many FIs were impacted.
With the pandemic forcing legacy FIs to accelerate their digital transformation journeys, firms had to rapidly embrace new customer onboarding technologies, automation solutions, remote networking partners, cloud vendors, risk data-sharing integrations, and a host of other API-based providers. In finserv, the adoption of cloud and API technologies is broadly referred to as ‘open banking.’
Legacy finserv organizations had to rapidly adopt open banking models to service the new wave of digital-first customers, satisfy the risk and compliance obligations associated with virtual banking, and accommodate their remote workforces. Neglecting digital transformation would otherwise have put legacy FIs at risk of losing business to upstart neobanks and fintechs that could offer consumers more user-friendly mobile banking options, on the one hand.
On the other hand, these same digitally native competitors also continue to threaten legacy FIs’ ability to retain and attract young talent, if incumbent firms fail to offer their employees adequately flexible remote-work options. Ultimately, FIs’ and fintechs’ all-encompassing shift to agile, composable API-based technology stacks in the cloud has vastly expanded digital interdependencies and related vulnerabilities throughout finserv.
APIs are central to this threat model: they emerged as the most frequent attack vector for adversaries last year, according to research consultants Gartner. In finserv, 2020 research from consultants McKinsey & Company found that 20% of banking APIs were already being “used externally to support integration with business partners, including suppliers.”
By 2025, McKinsey survey respondents said they planned to double the number of these external banking APIs. As such, adversaries will increasingly target third-party software vendors and weakly secured API nodes. The growing proliferation of API integrations in finserv thus offers a greater array of intrusion vectors for threat actors to deploy malicious code to finserv vendors’ customers via infected downloads or updates.
This threat model leads to more systemic attacks that can compromise multiple banks and fintechs in one malicious software deployment cycle. As a recent Federal Reserve paper on cyber-risk in finserv cautioned: “Cyber shocks can lead to losses hitting many firms at the same time because of correlated risk exposures (sometimes called the popcorn effect), such as when firms load the same malware-infected third-party software update. And the interconnectedness of the financial system means that an event at one or more firms may spread to others (the domino effect).”
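To make the Fed’s two effects concrete, here is an added example (not from the paper or from Resecurity) that models the popcorn effect as the set of firms running one tainted vendor update and the domino effect as breadth-first spread over counterparty exposures, then ranks vendors by the cascade they could trigger. The firms, vendors and exposures are constructed.

```python
# Constructed data, not real firms or vendors: which institutions run each
# third-party product (a tainted update hits all of them at once), and the
# directed counterparty exposures along which a failure at one firm spreads.
VENDOR_USERS = {
    "update-server-A": {"bank1", "bank2", "fintech1"},
    "core-banking-B": {"bank3"},
    "api-gateway-C": {"fintech1", "fintech2"},
}
EXPOSURES = {
    "bank1": {"bank3"},
    "bank2": set(),
    "bank3": set(),
    "fintech1": {"fintech2"},
    "fintech2": {"bank2"},
}

def popcorn_wave(vendor, vendor_users=VENDOR_USERS):
    """Firms compromised simultaneously by one malicious update from `vendor`."""
    return set(vendor_users.get(vendor, ()))

def domino_waves(first_wave, exposures=EXPOSURES):
    """Breadth-first spread over counterparty exposures; each element is one hop."""
    seen = set(first_wave)
    waves = [set(first_wave)]
    while waves[-1]:
        nxt = set()
        for firm in waves[-1]:
            nxt |= exposures.get(firm, set()) - seen
        seen |= nxt
        waves.append(nxt)
    return waves[:-1]  # drop the empty terminating wave

def blast_radius(vendor):
    """Popcorn size (first wave), total firms reached, and number of domino hops."""
    waves = domino_waves(popcorn_wave(vendor))
    return {
        "first_wave": len(waves[0]) if waves else 0,
        "total": sum(len(w) for w in waves),
        "hops": len(waves),
    }

def rank_vendors(vendor_users=VENDOR_USERS):
    """Vendors ordered by total cascade, then first-wave size, largest first."""
    radii = {v: blast_radius(v) for v in vendor_users}
    return sorted(radii, key=lambda v: (radii[v]["total"], radii[v]["first_wave"]),
                  reverse=True)
```

A third-party-risk team would feed this from its vendor inventory and counterparty exposure data; the vendor at the top of the ranking is the one whose update pipeline deserves the most scrutiny.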
In 2023, Resecurity anticipates supply-chain attacks against finserv firms will increase. Based on recent research, threat actors this year will likely continue to focus their attacks on the leading finserv intrusion vectors spotted last year, namely the 2015 remote code execution (RCE) vulnerability impacting Microsoft Windows (CVE-2015-1635) and a 2021 vulnerability that affects Microsoft Exchange server (CVE-2021-31206).
Not to be overlooked, however, are lurking vulnerabilities in the finserv open-source supply chain. With FIs and fintechs relying heavily on tech stacks derived from open-source repositories like GitHub, threat actors, emboldened by the discovery of exploitable flaws in Log4j and Spring Core, will seek to penetrate FIs using even more insidious supply-chain intrusion vectors.
The Importance of Proactive Cyber-Financial Intelligence & Risk Mitigation
Other trends that Resecurity analysts have assessed to pose significant risks this year include the use of SIF staging techniques and NAF to register fake businesses and even offshore shell companies. Additionally, Resecurity also assesses that credit providers for the growing small e-commerce business sector will also be increasingly targeted by SIF and NAF fraudsters as they pursue bigger-ticket thefts.
Further enabling SIF and NAF attacks is the growing adoption of deepfake technology, which can be leveraged by threat actors to pass digital Know Your Customer (KYC) onboarding checks at neobanks and other fintechs. Deepfakes will be increasingly used to perpetrate business email compromise (BEC) scams, including more lucrative capital call scams targeting the registered investment adviser (RIA) sector. On the finserv compliance side, the most significant legacy of the pandemic is the new convergence of online fraud and money laundering.
To illustrate this concept, consider that higher-value threat actors committing ATO, NAF, and SIF thefts across mobile banking and P2P portals must necessarily launder the proceeds of these crimes to avoid detection by tax enforcement agencies. Also note that a meaningful percentage of the adversary types described above operate as sophisticated transnational networks, employing scores of money mules and bank accounts in different countries to exploit jurisdictional arbitrage opportunities.
In this finserv threat environment, anti-fraud and anti-money laundering (AML) processes must be proactively merged into one optimized financial crime compliance (FCC) unit. Enter the era of Cyber-Financial Intelligence (CyFI), a conceptual shift in how FCC organizations must operate in the 21st Century. Today, finserv firms must proactively seek to prevent fraud by leveraging the power of continuous cyber-threat intelligence collection and monitoring.
FIs and fintechs must also vigilantly work to safeguard the identities of their personnel, perpetually scanning the dark web for any leaked employee credentials that may be listed for sale there. While the cyber-attack surface has undoubtedly expanded, finserv organizations that arm themselves with the right CyFI and risk-management provider will realize a competitive edge over a new breed of tech-savvy fraud and AML threat actor.