Anatomy of a cyberattack

22 May 2019

In the second of a series of three articles focusing on fraud, we look at the steps taken by fraudsters to perpetrate a cyberattack.

Cybercrime is big business. The global impact now exceeds $450 billion a year as crime, extortion, blackmail and fraud move online.

And as technology becomes more sophisticated, so do hackers and the tools they use to get their hands on sensitive data. Criminals are targeting the systems and operating software of businesses, governments and key infrastructure in a coordinated and systematic manner.

The financial services industry is a routine target for cyber criminals, more so than any other. Over the past few years, we’ve seen a rise in cyberattacks and data breaches, as cyber criminals successfully infiltrate companies using everything in their toolkits - from malware and ransomware to social engineering tactics.

There has been a 1,700% increase in cyberattacks reported to the FCA since 2014.

Source: Financial Conduct Authority

Banks under attack

There have been numerous attempted cyberattacks aimed at manipulating bank payment systems - often with a similar modus operandi. These attacks are followed by compromises of the bank systems over a period of many months, allowing attackers to become familiar with the bank security defences and best cash-out channels.

Cyber criminals seek to corrupt the local environment and payment processes of financial institutions by obtaining valid operator credentials and injecting fraudulent transactions directly into back-office systems. This compromises the back office itself and defeats the very business controls that would ordinarily prevent fraudulent activity.

What is the modus operandi of a cyberattack?

Cyber attackers don’t want you to understand what they’re doing. The less you know, the more opportunity they have to fraudulently extract funds from your organisation. A skilled and determined cyber criminal can use multiple entry points to navigate around defences, breach your network in minutes and evade detection for months.

This is how they do it.

Reconnaissance and compromise

The initial reconnaissance period prior to an attack involves criminals researching and gathering information about the target organisation. They look for network ranges, IP addresses and domain names. Attackers also try to find the email addresses of key players in an organisation, or identify vulnerable employees by sending phishing emails. They also scan for network vulnerabilities. These activities can take months, but the attackers are patient.

Obtain credentials

After accessing the network, criminals try to infiltrate further into the network by acquiring access privileges. Attackers use various tools to help them steal credentials, allowing them to upgrade their access to administrator level, and penetrate back-office and operational networks silently.

Submit fraudulent messages

Attackers infiltrate the network using malicious programmes that allow them to hide in multiple systems and inject malware into critical systems. At this point, they can start to submit fraudulent payment instructions by impersonating an operator or approver.

Hide evidence

Once fraudulent payments have been sent, attackers proceed to cover their tracks, hiding evidence of their actions. Using various tools and techniques, they delete or manipulate records, and corrupt systems to confuse forensic experts.
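The last two steps above are where back-office controls can still catch an intruder: an instruction submitted and approved by the same impersonated identity, and a payment record that is later edited or deleted to confuse the investigation. The following added example (not code from the original article or from SWIFT) shows both checks on a constructed set of payment instructions: a four-eyes rule over the operator and approver fields, and a hash-chained append-only ledger whose verification reports any record that has been altered or whose predecessor has been removed. All field names and values are assumptions made for the example.

```python
import hashlib
import json

# Constructed sample of back-office payment instructions (field names and
# values are assumptions for this example, not a real message format).
SAMPLE_INSTRUCTIONS = [
    {"id": "PI-0001", "operator": "alice", "approver": "bob", "amount": 12000},
    {"id": "PI-0002", "operator": "carol", "approver": "carol", "amount": 98000},
    {"id": "PI-0003", "operator": "alice", "approver": "dave", "amount": 500},
]

GENESIS = "0" * 64  # link value for the first record in the chain


def _entry_hash(prev_hash, instruction):
    # Canonical JSON so that any edit to any stored field changes the digest.
    payload = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_ledger(instructions):
    """Append-only ledger: each record carries the hash of the previous one."""
    ledger, prev = [], GENESIS
    for ins in instructions:
        h = _entry_hash(prev, ins)
        ledger.append({"instruction": dict(ins), "prev": prev, "hash": h})
        prev = h
    return ledger


def dual_control_violations(ledger):
    """Ids of instructions where one identity both submitted and approved."""
    return [r["instruction"]["id"] for r in ledger
            if r["instruction"]["operator"] == r["instruction"]["approver"]]


def verify_ledger(ledger):
    """Ids of records whose content or chain link no longer match.

    An edited field breaks that record's own hash; a deleted record breaks
    the 'prev' link of its successor. Both cases are reported."""
    bad, prev = [], GENESIS
    for r in ledger:
        if r["prev"] != prev or _entry_hash(r["prev"], r["instruction"]) != r["hash"]:
            bad.append(r["instruction"]["id"])
        prev = r["hash"]
    return bad


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_INSTRUCTIONS)
    print("dual-control violations:", dual_control_violations(ledger))
    ledger[1]["instruction"]["amount"] = 9800  # a manipulated record
    print("tampered records:", verify_ledger(ledger))
```

In a real deployment the chain head would be anchored outside the system that writes the ledger (for example a write-once log or an HSM-signed checkpoint), since an attacker with administrator access could otherwise rebuild the whole chain.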