Financial Institution Threat Analysis

There are only two types of companies: those that have been hacked and those that will be.
— Robert Mueller, Former FBI Director

Financial data is appealing to cyber criminals because of the speed at which it can be monetized, especially in the array of underground marketplaces found on the darknet. As discussed in our recent post, these darknet markets give cyber criminals a platform through which stolen information can be sold to vetted buyers. With cyber crime estimated to have cost the global economy roughly $445 billion in 2016, the ability to acquire and turn around data quickly lets criminals maximize their profits.

The information security risk to financial institutions is significant. Malware, ransomware, cyber fraud, money laundering and ATM hacking are direct threats, and the growth of the Internet of Things (IoT) and the move to mobile financial platforms have raised the overall threat level further, as the footprint of a financial institution now extends well beyond its brick-and-mortar infrastructure.

Common tactics, techniques + procedures targeting financial organizations

Tactics, techniques and procedures (TTPs) describe how an adversary operates: the tactic is the objective of a step, the technique is the method used to reach it, and the procedure is the specific way that method is carried out. Below we look at six common TTPs seen in the financial sector.

Common Financial TTPs

Spoofing
Financial sites that require a login, and the credentials used for those logins, are a standing target. Email spoofing attacks point victims at look-alike URLs that impersonate the legitimate site and harvest whatever credentials are entered. Multi-factor authentication is increasingly treated as mandatory for financial institution sites that offer online banking.

ATMs
Various ATM-specific threats have surfaced over the past few years. GreenDispenser malware, for example, infects an ATM and lets a criminal dispense large amounts of cash without detection. Reverse ATM attacks, which use "money mules" and reversed transactions to cover the criminals' tracks, have also emerged recently.

Mobile Apps
The growing use of mobile devices for banking exposes additional weaknesses: public WiFi networks are untrusted, some banking apps fail to encrypt their traffic properly, so transaction traffic can be intercepted by a third party on the same network, and many fraudulent apps exist purely to harvest user and account data.

Third Party
Joint ventures, vendors, affiliates, brokers, payment systems and other third parties associated with financial institutions must maintain a strict level of security in order to protect the entire infrastructure. Managing third party risk is essential to the security of every financial institution.

EMV Cards: Chip + PIN
EMV chip-and-PIN cards raise the bar over their magnetic stripe predecessors but do not eliminate card fraud. Researchers recently demonstrated withdrawing $15,000 in cash from an ATM in under 15 minutes with a chip-and-PIN attack. The Man-in-the-Middle (MitM) attack collects chip-and-PIN data with a small device placed in a point-of-sale terminal where the payment card is inserted or swiped. The attackers then retrieve the captured data with a smartphone and use it to recreate the victim's card for fraudulent withdrawals.

SWIFT
In February 2016, attackers stole $81 million from the Bangladesh Bank by hacking into the bank's network and sending fraudulent payment order requests through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment network. As in cyber attacks seen on other networks, the attackers moved laterally through the bank's network, compromised administrator credentials and used those credentials to carry out further attacks. (Source)
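To make the Spoofing entry above concrete, here is an added example (not DarkOwl's code, and not tied to any real bank) that classifies candidate URLs against an assumed legitimate domain, examplebank.com. It catches homoglyph substitutions (including a Cyrillic look-alike delivered as punycode), small typos, the brand name glued to other words, and the brand name hidden in a subdomain of someone else's registrable domain. Every sample URL and the confusable tables are constructed for the illustration.

```python
"""Flag look-alike domains used to impersonate a bank login site.

Added example (not DarkOwl's code). The brand domain examplebank.com and
every candidate URL below are constructed for the illustration.
"""
from urllib.parse import urlparse

BRAND_DOMAIN = "examplebank.com"            # assumed legitimate domain
BRAND_LABEL = BRAND_DOMAIN.split(".")[0]    # "examplebank"

# Single characters that imitate a Latin letter; mapped before comparing.
# Constructed and deliberately incomplete; Unicode's confusables.txt is the
# authoritative list.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0455": "s",   # Cyrillic р с ѕ
    "\u0456": "i", "\u0131": "i",                   # Cyrillic і, dotless ı
}
# Letter pairs that read as one letter in many fonts.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(label: str) -> str:
    """Reduce a DNS label to the Latin string a human would read it as."""
    if label.startswith("xn--"):                # decode IDN/punycode first
        label = label.encode("ascii").decode("idna")
    for pair, single in PAIR_CONFUSABLES.items():
        label = label.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the plain O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str) -> dict:
    """Classify a URL as legitimate, suspicious (with reasons) or unrelated."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Registrable domain = last two labels. Assumption: no multi-part public
    # suffixes (co.uk etc.); use a public-suffix list for real traffic.
    registrable = ".".join(labels[-2:])
    if registrable == BRAND_DOMAIN:
        return {"host": host, "verdict": "legitimate", "reasons": []}

    reasons = []
    # 1. Brand name pushed into the subdomain of someone else's domain.
    if BRAND_LABEL in labels[:-2]:
        reasons.append(f"brand used as subdomain of {registrable}")
    # 2. Homoglyph or typosquat of the brand's own label.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    seen_as = skeleton(sld)
    if seen_as == BRAND_LABEL:
        reasons.append("homoglyph of brand label")
    else:
        distance = levenshtein(seen_as, BRAND_LABEL)
        if distance <= 2:
            reasons.append(f"typosquat (edit distance {distance})")
    # 3. Brand name glued to extra words: examplebank-secure.com
    if BRAND_LABEL in seen_as and seen_as != BRAND_LABEL:
        reasons.append("brand label combined with other words")
    verdict = "suspicious" if reasons else "unrelated"
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Constructed sample URLs, including an IDN homoglyph built from Cyrillic а.
IDN_SAMPLE = "ex\u0430mplebank.com".encode("idna").decode("ascii")
SAMPLE_URLS = [
    "https://online.examplebank.com/login",
    "http://examp1ebank.com/login",
    "http://exarnplebank.com/",
    "http://" + IDN_SAMPLE + "/",
    "http://examplebank.com.secure-login.example/session",
    "http://exampelbank.com/",
    "http://examplebank-secure.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = assess(u)
        print(f"{r['verdict']:11} {r['host']}  {'; '.join(r['reasons'])}")
```

The same checks apply to the sender domain in the email headers, not only to the link targets. Two assumptions are worth repeating: the registrable domain is taken as the last two labels, so multi-part public suffixes need a real public-suffix list, and the pair table will also fold legitimate "rn" and "cl" sequences, so treat its hits as candidates for review rather than verdicts.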

Who is attacking with these techniques?

Three criminal groups are considered the top players in cyber attacks on financial institutions. All three use spearphishing as their initial access technique, the first step by which they gain unauthorized entry to a network.

Carbanak

Unlike the majority of attacks against banks and other financial institutions, which target the banks' clients, the Carbanak criminal gang targets the institutions themselves. Carbanak has hit banks in the United States, Germany and China, and we expect further expansion into Asia. The gang's spearphishing emails carry malicious Word documents, among other lures, which install a backdoor. The backdoor lets Carbanak members observe and imitate bank employees, reach further into the bank's systems and escalate their privileges. (Source)

метель, or Metel

метель (Metel), Russian for "blizzard," is a cyber criminal gang that, much like Carbanak, directly targets financial institutions. Its spearphishing emails carry malware or direct users to a website hosting an exploit kit. Once inside, Metel could steal data and reach virtually any internal system. The group withdrew money from ATMs while automatically rolling back the transactions, so the accounts used kept showing an untouched balance.

GCMAN

As with Carbanak and Metel, GCMAN uses spearphishing with executable attachments to infect a target bank's network. Once inside, GCMAN relies on common penetration testing tools (VNC, PuTTY and Meterpreter) to extend its access. GCMAN is believed to have compromised over 56 accounts from 139 attack sources over a year-and-a-half period. (Source)

Where do these threat actors currently operate?

How are threat actors using the darknet to target financial institutions?

Threat actors commonly use the darknet to recruit insiders: disgruntled employees who, either themselves or through a third party, damage systems or leak data.

Consider insider trading, the illegal practice of trading on confidential information for one's own advantage. Threat actors post on darknet sites soliciting employees who may have access to key insider information. Most of these solicitation sites require users to register.

A darknet forum where purveyors of insider information are offering their services.

A phpBB-based darknet forum carries threads in which threat actors seek "someone who has non-public information concerning US Stocks, ETFs, Etc." Discussions of this nature continue to occur on the darknet.


What are some other ways in which threat actors leverage the darknet? As a simple case study, let's look at Wells Fargo, one of the largest banks in the United States. Using our database of DARKINT, we can generate a snapshot of any organization's darknet footprint.


As seen above, Wells Fargo data appears on the darknet in many forms, as does that of other banks of comparable size. Often, the easiest way into an organization's environment is through the "front door."

Just as our security services team analyzes an entity's digital footprint to determine attack vectors, so does a real-world attacker. Financial organizations the size of Wells Fargo or JPMorgan Chase have a myriad of domains, IP blocks, email domains and physical addresses associated with them.

Viewed from an attacker's perspective, this digital footprint is simply a list of candidate entry points; the attacker need only identify the most vulnerable one.

Leverage DARKINT to protect your organization. 

Facing ever more sophisticated and coordinated attacks, information security has focused primarily on building higher and thicker walls. However, as the Wells Fargo snapshot shows, financial institutions must also look beyond their four walls at their darknet footprint. By leveraging our continually updated DARKINT database, financial institutions can shorten the time to detection of their sensitive data on the darknet, swiftly identify security gaps and mitigate damage before their data is misused.
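As an added example covering both the insider-solicitation posts discussed earlier and the footprint monitoring described here (this is not DarkOwl Vision code and no DARKINT data is involved), the script below matches a handful of constructed forum posts against a constructed organization footprint: mail domains, brand names and an IP block. It flags credential dumps containing addresses on the organization's mail domains, solicitations for insider information, mentions of addresses inside the organization's IP space, and bare brand mentions, and assigns each post a severity.

```python
"""Match constructed darknet forum posts against an organization's footprint.

Added example; not DarkOwl Vision and not backed by any DARKINT data. The
organization "Example Bank", its domains, its IP block (TEST-NET-3) and every
forum post below are constructed for the illustration.
"""
import ipaddress
import re

FOOTPRINT = {
    "brands": ["example bank", "examplebank"],
    "email_domains": {"examplebank.com", "examplebank-wealth.com"},
    "ip_blocks": [ipaddress.ip_network("203.0.113.0/24")],
}

# Phrases that recur in insider-solicitation posts; the first is the wording
# quoted on the page, the rest are constructed variants.
INSIDER_PATTERNS = [
    r"non-public information",
    r"\binsider\b",
    r"someone who works (?:at|for)",
    r"employee (?:of|at)",
]

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SEVERITY_NAMES = {3: "high", 2: "medium", 1: "low", 0: "none"}


def severity(brand_named, alerts):
    """Worst alert wins; a bare brand mention alone is only 'low'."""
    weights = {"credential_leak": 3, "infrastructure_mention": 3,
               "insider_solicitation": 3 if brand_named else 2,
               "email_exposure": 2}
    score = max((weights[a["type"]] for a in alerts), default=1 if brand_named else 0)
    return SEVERITY_NAMES[score]


def scan_post(post):
    """Return a finding for one post, or None if nothing in it matches."""
    text = post["body"]
    lower = text.lower()
    brand_named = any(brand in lower for brand in FOOTPRINT["brands"])
    alerts = []

    # 1. Addresses on the org's mail domains; "user@domain:secret" marks a
    #    credential dump rather than a bare address list.
    for m in EMAIL_RE.finditer(text):
        if m.group(1).lower() in FOOTPRINT["email_domains"]:
            dumped = text[m.end():m.end() + 1] == ":"
            alerts.append({"type": "credential_leak" if dumped else "email_exposure",
                           "value": m.group(0)})

    # 2. Solicitation of insiders (scored higher when the brand is named).
    for pattern in INSIDER_PATTERNS:
        hit = re.search(pattern, lower)
        if hit:
            alerts.append({"type": "insider_solicitation", "value": hit.group(0)})
            break

    # 3. Addresses inside the org's IP blocks, e.g. access being offered.
    for ip_text in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        if any(ip in block for block in FOOTPRINT["ip_blocks"]):
            alerts.append({"type": "infrastructure_mention", "value": ip_text})

    if not alerts and not brand_named:
        return None
    return {"id": post["id"], "brand_named": brand_named,
            "alerts": alerts, "severity": severity(brand_named, alerts)}


def scan_posts(posts):
    """Findings for every post that touches the footprint, in post order."""
    return [f for f in (scan_post(p) for p in posts) if f is not None]


# Constructed posts standing in for darknet forum content.
POSTS = [
    {"id": 1, "body": "Fresh combo list, 2k lines. Sample: j.doe@examplebank.com:Summer2016! "
                      "a.smith@examplebank-wealth.com:Passw0rd"},
    {"id": 2, "body": "Looking for someone who has non-public information concerning "
                      "US Stocks, ETFs, Etc. Paying well, escrow ok."},
    {"id": 3, "body": "Selling RDP into an Example Bank back-office box, 203.0.113.45, "
                      "price negotiable."},
    {"id": 4, "body": "Anyone tried the new exploit kit? link inside"},
    {"id": 5, "body": "Example Bank raised its wire fees again lol"},
]

if __name__ == "__main__":
    for finding in scan_posts(POSTS):
        print(finding)
```

The footprint is the same inventory an attacker builds from the outside (domains, mail domains, IP blocks, brand names), which is why it doubles as the watch list. In practice the credential hits feed a forced password reset for the affected accounts, the infrastructure hits go to the incident response queue, and the insider solicitations go to the fraud or compliance team; the severity field is only there to order that triage.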

Our automated DarkOwl Vision platform can be customized to meet the unique needs of every client. From our SaaS offering to a full on premise solution, our scalable platform allows us to find the right fit for your organization. If you have already begun to leverage the power of the darknet, the DarkOwl Vision engine can enhance current methods by pointing to and capturing the information of your specific areas of interest.