2020 Fraud Summary For The Financial Sector

Cybercriminals are employing new tactics and techniques to stay ahead of the mitigations put into place by financial institutions. They are exploiting vulnerabilities, researching new tactics and developing novel attack vectors.

Written by Nguyen Nguyen on December 19, 2021

Cybercriminals have begun targeting all sectors; however, the financial sector remains a primary focus. Financial institutions present cybercriminals with many weak points (employees, customers and infrastructure), which gives attackers a high return on investment.

DarkArmor research analysts discovered that cybercriminals are targeting personally identifiable information (PII), banking login credentials and employee credentials. This allows cybercriminals to create fraudulent accounts and creates a market on the dark web to resell these records. Analysts at DarkArmor identified cybercriminals advertising compromised accounts, allowing other cybercriminals to extract the funds. Our research team sees this trend continuing into and throughout 2021.

Attack Types

In 2020, DarkArmor sampled a small set of financial institutions (mid-size to large) and discovered their customer data available on the dark web. In total, the account information we found amounted to over $113 million across 2,772 accounts. These accounts were available for sale; the cybercriminals provided online banking screenshots as proof. The metrics in this report are limited to the sampled set of financial institutions.

Compromised Credentials

Data breaches have significantly increased in the past couple of years. This allows cybercriminals to build a database of credentials and use them for account checking (verifying the username and password for the financial institution) and to take over accounts. Cybercriminals then sell the verified credentials on the dark web. DarkArmor observed an increase in brute-forced credentials, phishing and the use of malware as attack vectors to gather the data. While these methods require expertise, they provide cybercriminals with a high return on investment.

2,847 customer credentials were observed in our findings. These credentials were gathered by cybercriminals through phishing, social engineering and malware.

Credit Cards/Debit Cards Found on the Dark Web

Debit and credit card information can be skimmed, or taken through successful social engineering attempts and data breaches. Skimmers are usually attached to ATMs and card machines at gas stations and stores. Cybercriminals use the stolen data to create a card clone and conduct fraudulent activities on the stolen card. During our research, analysts at DarkArmor correlated the BIN numbers from our sample set of financial institutions and discovered 11,956 credit/debit cards being advertised on the dark web and on numerous forums.

Accounts for Sale

Compromised accounts are accounts that have been accessed by an unauthorized party. These accounts are used to take over customers’ financial accounts. Cybercriminals gain access to these accounts through malware, brute-forcing user credentials and harvesting data (phishing). These accounts are sold on the dark web for other cybercriminals to conduct fraudulent activities.

Some of the fraudulent financial institution-related activities that are subsequently observed include:
1. Check Fraud
2. Fraudulent Wire Transfers
3. Complete Account Takeover

COVID-19 Impact

The global COVID-19 pandemic has had a substantial impact on the financial sector. Due to the COVID-19 limitations and restrictions, many users adopted online banking, which increased cybercriminal interest in those platforms. Cybercriminals also identified weaknesses in government relief programs and found ways to exploit these for financial gain.

These programs are created to provide assistance to individuals and businesses impacted by the pandemic. These malicious actors have created tutorials and shared their techniques on how to take advantage of the government relief programs.

Small Business Administration (SBA) loans are designed to help small businesses stay afloat during the COVID-19 pandemic. Our research found $2.9 million of approved SBA loans and 74 fraudulent loan application postings.

This is only one of the exploited government and state relief programs. Others include:
1. Fraudulent Unemployment Application
2. Paycheck Protection Program (PPP)
3. Pandemic Unemployment Assistance (PUA)

Conclusion

The general public’s increased use of online banking platforms to conduct transactions has led cybercriminals to heighten their focus on the financial sector. Research on COVID-19’s impact on financial institutions suggests that fraudulent wire transfers, account takeover fraud, fraudulent account opening and synthetic identity fraud are on the rise. Cybercriminals use accounts available for sale on the dark web to conduct these fraudulent activities. This correlates with DarkArmor analysts’ research findings. DarkArmor analysts observed threat actors sharing their best practices and techniques for evading security precautions when creating fraudulent accounts. For the same financial institution sample set, within the first 5 days of 2021, the DarkArmor team observed 48 accounts being advertised, 133 credit cards and over $1.5 million in potential loss. With fraud within the financial sector on the rise in the coming year, we look forward to helping customers protect their assets. Please drop us a note on our contact page if you would like to get more information.

About the Author

Nguyen Nguyen

Nguyen is a seasoned cybersecurity leader with over 15 years of experience in software engineering, malware research, and cyber threat intelligence.
