Malware found in 75% of top 20 commercial banks in the US, says SecurityScorecard

US financial organisations are at increased risk of falling victim to cyberattacks, according to a new report by cybersecurity rating and continuous risk monitoring firm SecurityScorecard. The firm's research revealed that 75% of the top 20 commercial banks in the US were infected by malware.

Several malware families, including Ponyloader, Vertexnext and Keybase were detected among many of the top 20 banks. "Over 422 malware events over the past year were detected in just one of the commercial banks. A total of 788 malware events were detected in all 20 commercial banks over the past 365 days," SecurityScorecard said in its report.

SecurityScorecard chief research officer Alex Heid told IBTimes UK, "Malware poses a diverse set of risks to financial institutions. All aspects of information security are affected by malware: Confidentiality, Integrity, and Availability. Everything from data theft, espionage, extortion, data destruction, denial of service attacks, unauthorised service use, and fraud are risks faced by financial enterprises in the modern era."

The report also disclosed that financial organisations across the world suffered from 22 "major publicly disclosed data breaches" over 2015-2016. "This is an issue that is becoming more and more common since the massive 2012 LinkedIn data breach recently surfaced again, where over 100 million user accounts and passwords were leaked," the firm said. Cybercriminals are taking advantage of the scores of leaked data, in efforts to compromise systems.

Risk of cyber heists

"From a technical perspective, the US financial sector is very much at risk for a Bangladesh Bank-style hack," Heid said. He added that institutions are now on alert for such attacks, thanks to the attention the hack garnered. However, he cautioned: "The increased vigilance on the part of the financial sector does not mean there is immunity; it simply means attackers will eventually develop a way to evade any newly implemented secondary analysis procedures."

Researchers found that a majority of US's top financial institutions have been using insecure email service providers (ESP), leaving many at risk of spam email campaigns and other targeted cyberattacks.

"The ease of use and standardisation of the ESP service across multiple unrelated enterprises can create an environment whereby attackers can target attacks to bypass known ESP configurations. For example, if it is known that an enterprise is making use of Gmail/Hotmail/etc as their ESP, then attackers can tailor their attack to evade that service's default antivirus signatures, malicious link analysis, and spam detection mechanisms.

"Through the process of trial and error, attackers will send malicious emails to their own personal ESP accounts repeatedly until they find a way to get their malicious message to deliver. Once the message has delivered, the attacker will know that the same message will deliver to ANY enterprise using the same ESP, and can then launch a spear phishing campaign with high deliverability, and delayed detection. For the victim of the compromise, this can result in reputation damage, fees for unauthorised service use, and the potential termination of the ESP account." Heid explained.

Coincidentally, the firm's report also detailed that most financial institutions were found to be running on outdated operating systems. Given that cybercriminals are wont to constantly test networks to identify and exploit vulnerabilities, it is imperative that organisations be vigilant in updating their security systems.

Heid pointed out: "Financial institutions can reduce their risk of attack from malware by ensuring that all endpoints are running the latest, secured versions of their operating systems and browsers, as well as ensuring all web browsing plugins are up to date, such as Flash and Java. When faced with properly configured endpoints, attackers will then use spear phishing and social engineering to persuade a user to manually execute malicious code. To reduce the risk of spear phishing and social engineering, regularly scheduled security awareness training is recommended."