As the nature of financial transactions carried out by Indians has begun to change from physical currency to the electronic mode, cyber criminals are devising new ways to fool individuals and steal their money. More sophisticated attacks are expected in the future as the increasing user base adds to the complexity of operations. This is also accentuated by the convergent nature of the economy, where e-tailers have become banks (with mobile wallets), and banks have morphed into e-tailers. On the one hand, businesses are busy wooing consumers; on the other, hackers/fraudsters are looking to exploit banking platforms and trick these customers.

Although financial organisations are working tirelessly to keep their systems and platforms safe and secure, customers also need to carry out their share of due diligence and be wary of the threats that lurk. In fact, many of the tricks that criminals use fall beyond the purview of banks; this, therefore, calls for users to acquire a greater understanding of the perils they face and the safety measures they need to adopt.

Malware

The development of financial malware is a significant threat for all users transacting with credit/debit cards, mobile banking apps or on similar platforms. Ransomware may have grabbed all the limelight, but banking malware tools are still siphoning off millions globally. In India, cyber criminals are using malware tools to gradually steal money. The credentials harvested from customers and the compromised IT systems of banks are often used to carry out the fraud.

Financial malware such as Zeus, Neverquest, Gozi, Dridex and Ramnit continues to haunt users and banks. In the year gone by, these malware families played a key role in duping users of their money.

Besides, malware attacks at the point of sale and on mobiles are causing heightened concern for banks, especially when criminals chase higher returns by targeting high-value accounts held by individual users, corporates or business customers.

Social engineering

Social engineering is increasingly being used to manipulate users to get them to share confidential information, which helps cyber criminals get access to their passwords or banking details. Criminals also use the personal information to secretly install malicious software in a user’s system — which can then give them access to the user’s personal details, including financial details.

During the ‘demonetisation’ frenzy in November-December 2016, there were incidents in which cyber criminals were able to steal money from users’ wallets and transfer it to their own. In order to avoid being caught, a host of cyber criminals did not steal all the money at one go. Rather, they chose to siphon off the money in small chunks so that the users could not immediately find out about the stealthy operations. All of this was possible because several users were exposed to cyber criminals through various social networks or other platforms. Checking the balance on your mobile wallets or in your bank accounts periodically is therefore of vital importance. The alarm bells should start jangling if you see the depletion of even small amounts of money.

Another reason why social engineering is becoming an increasingly common tool for threat actors is that online authentication methods have improved: two-factor authentication and out-of-channel authentication are not easy to bypass. Malware alone does not work. Therefore, criminals pair malware campaigns with social engineering tactics. Social engineering is generally targeted at customers, although there have been examples of criminals targeting bank employees by directly utilising their online accesses or by tricking them into installing physical devices into the networks.

Deployment techniques

Cyber criminals are also exploiting vulnerabilities that normally exist in mobile applications to steal critical information. They use exploit kits to carry out their attacks. The deployment of malware is optimised through the use of exploit kits by tricking users into clicking on a link. The exploit kits automate the process of identifying vulnerabilities in victims’ web browsers and plug-ins (notably Java and Adobe) to enable the installation of malware.

Less technical methods such as phishing emails, online adverts and social media baits are also used to deliver malware directly (through attachments) or indirectly (through hyperlinks to compromised websites). Users need to be wary of any emails or messages that are laden with suspicious-looking attachments or hyperlinks. A bit of rudimentary caution on receiving such messages can save users their money.

Botnets

Fraudsters are now using botnets to control systems without their owners’ knowledge. It is important that users know how these bots work and control their systems. In layman’s language, a botnet is a network of compromised systems whose control lies with a malicious actor or hacker. A bot is formed when a computer gets infected with malware that allows hackers to take control of it.

Once established, botnets can facilitate further infections, denial of service attacks, spread of spyware/adware, data theft and anonymisation of criminal activities.

Botnet attacks can happen in organisations and firms where many users work. If users have their banking credentials stored in their systems, it is highly likely that hackers will take hold of them and steal the money. These attacks are a nuisance for the banking sector. Organisations need to have proper applications in place that deter botnet attacks.

Users should also be cyber-aware and update themselves regularly with knowledge of the tactics that hackers use to take away money in just seconds. While cashless transactions give us a lot of freedom and ease, there is always a threat lurking. Negligence in the matter of sharing password details and personal details with others may result in losses.

The author is Leader, Cyber Security, PwC India
