10/8/2008
08:15 AM

Financial Crisis Leaves Bank Branches Open to Social Engineering, Targeted Attacks

Social engineer gained access to branch manager's office while he was out - with no questions asked

Heightened concern over the growing financial crisis is making banks more vulnerable to targeted social engineering and spear-phishing attacks, researchers said this week.

Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Those employees are overly eager to cooperate with “auditors,” or are easily coerced into doing so or into clicking on links purportedly from the bank about its own financial welfare.

“It’s definitely easier now to do some of these client-side attacks [on banks] because people [bank employees] are paying a lot of attention to their internal emails about the [financial] status of the bank,” says Chris Nickerson, who performs so-called “red team” testing of physical and electronic security as well as social engineering weaknesses for banks and other organizations.

Nickerson says he’s seen an increase in his bank clients’ employees falling for these targeted or spear-phishing attacks in his testing. “It used to be around 60 to 70 percent, and now it’s a 70 percent” rate of users falling for the phony scams he conducts, says Nickerson, CEO of Lares Consulting.

And breaching a bank’s physical security is also easier now, according to Errata Security. In a social engineering ploy for a mid-sized bank last week, Errata CTO David Maynor was mistaken for a federal auditor and allowed access to the branch manager’s unoccupied office. He made off with a computer backup tape containing account transaction data.

“I shaved, wore a suit, and carried a briefcase full of a lot of papers,” says Maynor, who knew through some earlier reconnaissance work that the bank manager would be out of the office at the very same time he arrived at the branch. “I walked in and talked to the teller, who pointed me to the shift manager’s” office so he could “leave a note.” But instead, Maynor found the exposed backup tape and walked out of the building with it.

No one asked for Maynor’s auditor credentials -- they merely assumed he was a federal auditor and let him enter the office. “We saw the panic in their eyes when Dave walked into the bank, because of the banking crisis. They panicked, so we could have asked for anything,” says Robert Graham, CEO of Errata.

“There’s a huge danger of anyone walking into a bank now and saying ‘I’m with the FDIC,’ and then [the employees] panic and won’t check credentials,” Graham says.

But fooling bank employees was way too easy even before the banking crisis, Lares’s Nickerson contends. “Usually, I say I’m an auditor, and that gets you into any bank, anywhere.”

Nickerson argues that it’s targeted electronic attacks like spear-phishing that are simpler in this nervous financial climate -- his team has duped bank employees with phony emails from the “bank” about the latest news in the financial markets, as well as with links purportedly to information on how their bank is doing better than its competitors in this crisis, he says. It’s not just browser exploits or Web-borne exploits, but also infected spreadsheet, PDF, and Word attachments supposedly providing information on the crisis or the bank itself, he notes.

Some social engineers are worried that the bad guys will soon start preying on bank employees’ fears to wage real targeted attacks. One researcher, for example, has decided to hold off on releasing a powerful open source hacking platform he created for targeted email and phishing attacks that includes payloads for popular Web threats.

“I think phishing and social engineering [are] the highest risk currently faced by the financial industry,” says Joshua Perrymon, CEO of PacketFocus, who’s afraid the bad guys would abuse his so-called Lunker tool for targeted phishing attacks. “I am currently working on a way to release it as a training tool that could be integrated into internal security awareness programs,” he says. (See Hacking Tool Lets You Target Your Own End Users and Free Spear-Phishing Tool on Tap.)

“The problem with spear phishing is that we don’t have the appropriate technology or means to stop it right now. This makes us rely on users’ judgment, which is a bad thing unless it’s been pounded into their head how these attacks work and what to look for,” Perrymon says. “You can be totally anonymous when doing these attacks.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
