Dr Gareth Owenson, CTO of Searchlight Security

Financial institutions that are concerned about cybercrime could find the early warning signs of attack where cybercriminals organize themselves: on the dark web.

Our last blog looked at financial crimes against consumers that are visible on the dark web. This blog examines evidence of cyberattacks directly targeting financial services companies themselves.

The Dark Web Footprint of Financial Institutions

Financial institutions tend to have a large dark web “footprint”, meaning that there is a lot of information on the dark web around them. Firstly, this is because they are a popular target for cybercriminals for the obvious reason that they handle money, which means there is a high volume of chatter on forums about how to target and exploit them. 

Secondly, this is a result of financial institutions typically being large and complex enterprises - with a lot of staff across different departments, offices, and geographies, a sizable and intricate IT infrastructure, many customer facing applications, and third party integrations. This creates a very big attack surface for cybercriminals to probe and attempt to exploit on the dark web.

Common threats against financial institutions that are visible on the dark web include (but are not limited to):

Leaked employee credentials

Leaked databases including employees' names, email addresses, and passwords can leave employees vulnerable to a number of attacks. With just a name and email address cybercriminals can conduct very effective phishing campaigns against employees, which - according to IBM - was the most common infection vector into financial services organizations last year (responsible for 46 percent of attacks).

With an email address and password, a criminal could potentially login to a corporate email account and conduct fraud attempts against other employees, which is known as Business Email Compromise (BEC). BEC is often underestimated as an attack technique, with the FBI last year releasing its own statistics which showed that BEC accounted for 37 percent of reported attacks against organizations, with financial losses from BEC far outpacing the far more highly publicized attack vector of ransomware. 

Financial institutions are particularly vulnerable to BEC because of their size and the types of internal communications that take place. If a junior employee is asked over email to transfer funds to an account by an executive in another office, it is very reasonable to expect that they might not think to - or want to - question the legitimacy of the instruction.

Vulnerability exploitation

The size of financial institutions’ infrastructure - as well as the multitude of customer-facing solutions they may have - means that they are particularly exposed to network intrusion through unknown or unpatched vulnerabilities.

Cybercriminals looking to exploit these may well be looking to gain access to the network to conduct the dreaded ransomware attack. Alternatively, they may be Access Brokers, criminals who specialize in breaking into a network and then sell that access for other groups to exploit, rather than take the risk themselves. Indeed, it is possible to observe cybercriminals selling vulnerabilities in an organization’s software, devices, and the supply chain companies they use on the dark web. 

According to IBM, vulnerability exploitation is the second most popular route into a financial institution after phishing, leading to 31 percent of attacks in 2021.

Dark web traffic 

There are virtually no good reasons why a financial institution would have traffic from the dark web to its network, which makes it the perfect tell-tale sign to identify potentially malicious activity. 

Incoming traffic from the dark web could indicate that the corporate network is being actively scanned by cybercriminals for vulnerabilities. Outgoing traffic is potentially even more serious. It is either an indication that an employee is visiting the dark web, and possibly doing something malicious (we established that bank’s employees were one potential source for leaked customer account details in our last blog). Or, worse, outgoing traffic to the dark web could indicate that a command and control server has been already established from within the organization’s network, so cybercriminals can remotely execute an attack.

Actioning Dark Web Intelligence

Visibility into criminal activity on the deep and dark web can allow financial institutions to take proactive action to prevent attacks against them. An obvious first step would be to monitor the dark web for their company name, IP addresses, and credentials, to identify when staff are at risk from phishing attacks. 

In particular, searching for executives’ credentials on the dark web could help to identify the potential of BEC - as it may indicate that criminals have access to their account and could impersonate them. In some cases, dark web chatter around a certain executive may also be because they are being actively targeted by criminals on the dark web and are potentially at personal risk.

Financial institutions could also monitor dark web marketplaces to identify commodities for sale that could either be used to target their organization (e.g. software vulnerabilities and exploits) or their customers (banking trojans or 2FA bypass tools). This intelligence can help them patch vulnerabilities before they are exploited and, with insight into where and by whom such tools are being sold, gain a greater understanding of the adversarial landscape. 

Furthermore, visibility into dark web traffic can help an organization take defensive action to protect the specific part of the network that is being targeted, or where data is being potentially leaked from.

Moving Left in the Cyber Kill Chain

One of the benefits of dark web monitoring is that the intelligence is specific to the organization. If a bank CEO’s personal details are on a dark web forum, or a vulnerability in their software is for sale on a dark web marketplace, there is no gray area - they are at risk and there are clear preventative actions that need to be taken. 

This ability to pre-empt the actions of threat actors means that financial services can move to defend much earlier in the “Cyber Kill Chain” and identify potential attacks against their infrastructure before they are launched.

Gareth will be giving a keynote talk on “Threats to Financial Services from the Dark Web” at the Securing Financial Services Summit in London on Tuesday July 5, 2022. Find out more about the event or sign up to attend here.