Abstract

Vast sums are spent by banks on their defences – besides, they have the money. Measures have been applied such as multi-stage anti-virus, host and email hardening, as well as patch distribution and control. Yet attackers have been training efforts on a weak link: the countless devices used by customers to connect to online banking services. Technologies which can be used to check the malware and update status of client machines are immature, invasive and may not work reliably across corporate firewalls. Customer education is neither fully reliable nor comprehensive. This is obviously compounded by the lack of sanctions which can be used against customers. But attacks are being commissioned and executed for a purpose with high motivation: to make money. Banks are at the sharp end of malware protection, so how do they react? We hear from a security practitioner in a large European bank.

Banks, like most other organizations, have been dealing with internal infections of malware since they became mainstream. As a result, copious expenditure has been devoted to various protective measures: multi-stage anti-virus; host and email hardening measures; patch distribution and control measures – not to mention end-user education. These have been, more or less, effective. Certainly the damage that has occurred has been largely to service availability, rather than to information release or the introduction of fraud-enabling ‘services’ or vulnerabilities. During the last couple of years, the attackers have begun to pick on the weak underbelly of the online banking system: the myriad of devices used by our customers to connect to bank services.
