June 2011
BITS, A DIVISION OF THE FINANCIAL SERVICES ROUNDTABLE
1001 PENNSYLVANIA AVENUE NW, SUITE 500 SOUTH, WASHINGTON, DC 20004
202-289-4322
However, hospitality and retail breaches also have negative consequences for FIs. Account balance targets in FIs represent the closest possible approximation to actual cash for the cybercriminal. FIs are not only targets, but they are also more likely than firms in other industries to detect and report cybercrime. Regulatory controls imposed on transaction reporting and risk management in the financial industry make it more probable that a breach will prompt forensic investigation than if the same breach occurred in another industry.
The Verizon/USSS set of data breach cases is reported using structured data that Verizon has suggested should be the basis for incident analysis metrics. Data on each case is decomposed into four major categories, each of which has subcategories. An incident is considered to be fully described if reliable data exists to fill in the framework. For example:
breach frequency, associate controls, link impact, and many other concepts required for risk management. The framework has been supplemented with an online repository available for other investigation teams to contribute data. Its tacit endorsement by the USSS suggests that it may be expected to be used by both public and private sector investigators and assessors going forward.
4.1 Malware Infection Vectors
The Verizon data breach classification suggests that malware paths are an important consideration in the criminal decision on technology choice, and this decision reflects the criminal assessment of FI vulnerability to a given attack vector. Figure 7 shows the relative percentages of infection vectors identified in the Verizon report.
Each of these vectors is explained in the sections that follow.
4.1.1 Installed/Injected by Remote Attacker
This type of attack is accomplished by a perpetrator with access to internal operating systems from an external source. It may be accomplished by exploiting vulnerabilities that allow remote command execution via exposed software (e.g. SQL injection into web URLs). It may also be accomplished via commands issued to malware through remote perpetrator command and control interfaces.
4.1.2 Email
The discussion of malware propagation techniques in Section 2 highlighted phishing as a vector.
Phishing techniques originally were used to impersonate a bank or other institution with which a user may have an account, and encouraged the user to click a link in the email that would bring them to a site that looked like their banking site, but was actually fake. That site would either directly collect credentials, or download malware that would later collect them. As less easily detectable techniques for installing malware have been developed, random phishing techniques for malware propagation have become less common. Nevertheless, these techniques still exist and are increasingly customized as part of an overall campaign of attack.
© BITS/The Financial Services Roundtable 2011. All Rights Reserved.
BITS Malware Risk and Mitigation Report
4.1.3 Web/Internet Auto-Infection
The web is a popular attack vector for the simple reason that its use is ubiquitous. Malware injection processes that are generally classified as auto-infection occur without any overt action on the part of the user, such as the inclusion of malware that automatically exploits a browser vulnerability in the iFrame example of Section 2. Both propagation and infection occur without the user’s active participation or knowledge. Malvertising, the practice of placing malware in fake (or real) online ads, is also an increasing source of auto-injection attacks. Malware operators may place ads with links to malicious sites in order to spread malware, or the ads themselves may contain scripts that execute code on the PC.
High default trust settings on browsers and users operating with administrative privileges increase the effectiveness of this attack vector, which is enabled via a combination of vulnerable software and infected websites. These websites may be owned and operated by criminals, yet not conspicuously enough to be blocked by commercially available security services. They are often legitimate sites on which criminals have installed malware propagation code. Figure 8 provides an example of the types of software and search engines that are common delivery mechanisms for auto-injection attacks. It identifies the percentage of attacks per source in customer traffic observed by Cisco.
Figure 8: Sources of Drive-By Vulnerable Source
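The injected-iframe pattern described above, where a legitimate site silently loads a hidden frame from an attacker-controlled host, can be checked for in fetched page content. This is an added defensive example, not code from the BITS report; the sample HTML, the hostnames and the "hidden" heuristics (zero size or display:none) are constructed assumptions.

```python
"""Added example (not from the BITS report): scan a fetched page for the
injected-iframe pattern Section 4.1.3 describes, where a legitimate site
carries a hidden frame that silently loads attacker-controlled content.
The sample HTML and hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAuditor(HTMLParser):
    """Collect <iframe> tags that are both off-site and visually hidden
    (zero/one-pixel size or hidden by style), the usual shape of a drive-by injection."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or self.site_host  # relative src: same site
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style
        )
        if host != self.site_host and hidden:
            self.suspicious.append(src)

def audit_page(html, site_host):
    """Return the src values of hidden off-site iframes found in html."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.suspicious

# Constructed page: one legitimate visible embed, one injected hidden frame,
# and one hidden but same-site frame that should not be flagged.
SAMPLE_HTML = """<html><body>
<h1>Branch locations</h1>
<iframe src="https://maps.example-bank.test/embed" width="600" height="400"></iframe>
<iframe src="http://exploit-kit.sample.test/in.php" width="0" height="0" style="display: none"></iframe>
<iframe src="/help/frame.html" style="display:none"></iframe>
</body></html>"""
```

A hit only says the page carries a hidden off-site frame; confirming what that frame delivers is the follow-up investigation step.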
4.1.4 Web/Internet User-Initiated
Malware writers use creative methods to lure random users into executing malicious injection code.
Drive-bys can happen by simply visiting a compromised or malicious website, viewing an email message and also by clicking on deceptive pop-up windows. Many of the latter incorporate a social engineering aspect to persuade the user to follow a malicious link. (For example, a pop-up that reads, “You are infected with a virus, click here to clean your system!”).
These attacks rely less on browser vulnerabilities, but do require administrative access to infect at a level that will escape detection. Figure 9 classifies drive-by exploits by the Common Vulnerabilities and Exposures (CVE) number, as assigned by a CVE Candidate Numbering Authority (CNA), of the exploit that each uses. This clustering is presumably due to the prevalence and ease of use of the exploit kits used to deploy attacks. Because exploit kits are easily modified, even if patches were immediately deployed for this set of CVEs, the kit could be effective in exploiting a different set of vulnerabilities once new CVEs become available.
4.1.5 Installed by Other Malware
In any of the above attack vectors, malicious software may be planted within the internal network.
Although most FIs block most inbound traffic, it is rare for a commercial institution to block outbound web browsing. Malware with command and control capabilities will often connect back to the malware operator’s site using common browsing protocols, and this allows malware on the internal network to receive both software and commands from the outside. Bots will often be equipped with multiple URLs so that if a malware operator site is taken down (whether due to maintenance or by law enforcement), another will be contacted that has the same ability to issue commands to bots. Data collection networks are supported with a large number of proxy servers configured to relay data to the malware operator and to update bots with new addresses for data collection servers as the malware network evolves.
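Because the call-back traffic described above rides on ordinary outbound browsing, one practical detection is to look in proxy logs for a client contacting the same external host at nearly constant intervals. This is an added example, not code from the BITS report; the log format, client addresses and hostnames are constructed, and the jitter threshold is an assumed tuning value.

```python
"""Added example (not from the BITS report): flag periodic outbound HTTP
connections ("beaconing") in proxy logs, the traffic pattern Section 4.1.5
describes, where malware calls back to its operator over ordinary browsing
protocols that outbound filtering allows. Log format and hosts are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host> <status>"
SAMPLE_LOG = """\
2011-06-01T09:00:00 10.1.2.3 cdn.example-news.test 200
2011-06-01T09:00:05 10.1.2.3 update.c2-sample.test 200
2011-06-01T09:01:10 10.1.2.3 www.example-bank.test 200
2011-06-01T09:05:05 10.1.2.3 update.c2-sample.test 200
2011-06-01T09:10:06 10.1.2.3 update.c2-sample.test 200
2011-06-01T09:15:05 10.1.2.3 update.c2-sample.test 200
2011-06-01T09:20:05 10.1.2.3 update.c2-sample.test 200
2011-06-01T09:03:00 10.1.2.7 cdn.example-news.test 200
2011-06-01T09:40:00 10.1.2.7 cdn.example-news.test 200
2011-06-01T09:41:00 10.1.2.7 cdn.example-news.test 200
"""

def parse_log(text):
    """Group connection timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (client, host, mean_interval_seconds) for every pair whose
    connection intervals are nearly constant: at least min_hits contacts and
    a spread of intervals no more than max_jitter of the mean interval.
    Human browsing is bursty; a bot polling its operator on a timer is not."""
    beacons = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, host, round(avg, 1)))
    return beacons
```

Legitimate software updaters and monitoring agents also poll on timers, so hits should be compared against an allow-list of known update hosts before escalation.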
4.1.6 Network Propagation
Network perimeter security is the first line of defense in keeping out hackers, yet it is common for network firewall rules to change, and mistakes by network engineers and operators, whether intentional or unintentional, sometimes have the consequence of allowing unfiltered Internet traffic into private networks. Even where firewall rules have not changed, changes to the configuration of Internet-facing equipment behind firewalls may have the effect of allowing unauthorized access. Malware operators constantly attempt connections to addresses within the Internet address range owned by targets to see whether an opportunity for unfettered access exists. Although the network propagation attacks that took advantage of vulnerabilities in common network protocols (e.g. SQL Slammer) have not been prevalent recently, the potential for such attacks still exists.
4.1.7 Portable Media and Devices
Although portable media and devices are currently used in a small percentage of attacks, this vector category was a new addition to the 2011 Data Breach Report in recognition that the vector has unique properties for attack enablement. Where FIs approve a set of mobile devices for authorized network and data access, that device becomes a target of attacker reconnaissance. There are typically not mature security processes in place to identify and patch vulnerabilities in mobile devices, and their operating systems are purposely designed to allow ease of communication at the expense of access control. As more and more mobile devices are equipped with browsing capability, their utility as a platform from which to launch malware attacks may be expected to grow to the level of Web/Internet attacks [34-36]. Figure 10 shows the results of a McAfee Labs study on the number of separate malware instances identified by mobile platform. While the total number of mobile malware instances does not approach that of desktop computers or servers, Figure 10, in comparison with previous years, demonstrates that both the number and variety of mobile malware are increasing. This indicates a growing interest in the mobile environment by malware creators and operators.
Figure 10: Mobile Malware Platforms
A paradigm example of desktop malware is spyware that evades detection while transmitting keystrokes and other observations on the desktop environment to a remote observer; it is considered even more insidious if it allows commands to be entered into the device by a malware operator. Yet this type of spy capability software is distributed through legitimate software distribution channels for mobile devices. The openness of the Bluetooth protocol by which many of these devices communicate further blurs the line between legitimate and illegitimate observation of mobile communication.
4.1.8 Coded into FI Software
In order to embed malware into FI software, insider access is generally required. There are cases where insiders behave corruptly on their own in acts of fraud or revenge; however, insiders may also be compromised by outsiders to behave corruptly via bribery or social engineering. Insiders may also unintentionally create cyber risk and access to sensitive data for outsiders.
While cases often involve malicious insiders who developed the code or administer the system on which it runs, some known cases of this type were committed by outsiders. One of these involved an external agent that had access to the system for over six months. During this time, he studied the input/output process and developed custom malware to provide ongoing access to newly created internal data.
4.1.9 Social Media
A significant 19% of cases (Figure 11) cannot be ascribed to any of the attack vectors so far mentioned, and while none of the categories recognize social media as the primary source of cyber attacks, social media has been cited as a source of malware in very significant cases. Social media is a generic term for Internet sites that allow users with similar interests to create web content in a collaborative manner. Examples of these sites are Facebook, Orkut, Hi5, MySpace, and LinkedIn. They are also generically referred to as social networking sites, as the groups of people that collaborate on any one site are called a social network. With the increasing popularity of social media and the large communities of Internet users that it attracts, social media sites have become fertile hunting ground for malware operators.
Social media applications include functions that open communication channels with friends and acquaintances, and allow users to develop networks of people with like interests. Social media relies, for its operation, on trust between users. Whether or not a user on a social networking site has ever met in person the people with whom they communicate, there is an assumption that the people in a social network are friends rather than foes. The Internet provides a cloak of anonymity for people with malicious intent and allows them to use social media to masquerade as friends.
Friends in a social network frequently post links to a shared web page, and others in the group follow those links to view the shared content. Hence, one successful method of malware delivery via social media is to join a group of which the target is a member and post a link leading to a malicious site on a web page shared by the group. As in the Web/Internet User-Initiated attacks described in Section 4.1.3, the link takes the reader to a malware operator’s website which automatically triggers a malware propagation and infection. Social networking attacks also may be launched from a trusted social networking site itself. As many of these sites allow collaborative application development and sharing, any member of a group may deploy malicious code that would likely be executed by the others.
Another option for using social media is to attack a primary target in two stages. In stage 1, the malware operator targets friends of the primary target user, infects their computers, and captures the friends’ login credentials for email and social media. With this information, the malware operator will then log in to the friends’ accounts and post innocuous-looking links that lead to malware infection. They may also impersonate a friend by sending direct emails or instant messages to the primary target, encouraging them to select malicious links.
4.2 Internal Targets
As described in Section 2, the first step in a cyber attack is reconnaissance, the step in which an adversary surveys a target to identify points of vulnerability. It is an attack planning phase. However, in targeted attacks, this phase may be expected to continue throughout the lifetime of the malware installation. The command and control facilities described in Section 4.1.5 will typically be used to continue reconnaissance within an internal network. Results will fuel further attack plans.
Malware authors mining an internal network for information have been creative. During 2010 an increase in focused attacks showed attackers packaging open-source toolkits and well-architected botnets as part of their approach. In the past several years, malware professionals have been known to develop custom exploit code intended for a specific target after learning about the environment on its internal networks. Custom code increases overall malware effectiveness because it may exploit legacy protocol weaknesses that are not usually found on the public Internet and are often overlooked because internal networks are trusted. Custom code also allows malware operators to incorporate features that avoid internal monitoring systems and so evade detection. Malware communication from the internal network to the Internet is typically encrypted to evade content filters that may be installed at FI perimeters. Figure 11 lists some malware capabilities that may be expected to continue within an internal network once malware has gained a foothold.
5. Securing the Ecosystem
No FI is an island, and neither is the financial services industry as a whole technically self-sufficient.
Successful malware attacks on FIs and FI customers are often traced to vulnerability exploits that originate from devices, components, and agents across the ecosystem in which the FI has deployed service. The vulnerabilities may be due to human or automated responses to attack, and are often outside of the FI’s direct influence. Therefore, a key element of FI anti-malware strategy must be to acknowledge and face the problem of vulnerable e-commerce infrastructure. It is incumbent upon the financial industry to support cross-industry engagements to reduce the systemic risk of malware by leveraging its collective influence on external entities.
There are at least five different types of security risks introduced by malware to financial institutions, including risk of attack on:
1. the financial institution directly
2. a financial institution service provider
3. a financial institution customer
4. multiple financial institution customers
5. the financial services industry