During the last weekend, The Wall Street Journal published information that intruders had penetrated computer systems controlled by the company that runs the U.S. Nasdaq Stock Market. Nasdaq handles around 19% of all stock trading in the U.S. The trading system itself was reportedly not compromised.
A few days later, it was confirmed that the compromised system was the so-called Directors Desk, a system allowing company leaders and board members to share information in a (supposedly) secure way. Allegedly the system had been compromised for several months before the breach was discovered.
Complete details about this incident are not known to us, and it is unlikely that everything will ever be publicly disclosed.
Nevertheless, the facts that are already in the public domain are interesting in several ways, which will be discussed in this security article.
Incidents during recent years have shown that cybercrime has evolved from focusing primarily on simple fraud attempts, to conducting more and more sophisticated targeted attacks.
Tricking many individuals out of small sums is no longer seen as the only viable way to commit cyber fraud. Fewer targets, each with a much larger potential, are growing increasingly popular. This shift in focus requires increased resources and sophistication from the cybercriminals. On the other hand, cybercrime has grown immensely, and is now among the top criminal activities with respect to money involved.
A shift from individuals to corporations is logical from this point of view.
Moreover, when money is involved, financial institutions of different types (including stock exchanges) of course spring to mind. The "bigger is better" axiom applies.
Financial corporations, or any type of corporation for that matter, tend to focus their security on the core business: the systems that are crucial for normal operation. This is indeed the correct priority for the security mix that should be applied.
However, the result may be that while the core systems are very secure, other systems are rather insecure. One may tend to focus too much on the most important systems only, and insufficiently on the rest.

The clever cybercriminal will consider this in her approach to targeting a corporation.
Social engineering techniques will often be instrumental when a financial organization is targeted. By researching the companies and their key employees, the cybercriminal can use the gathered information to gain access to systems or even restricted buildings. Typically she would use personal information to pretend to be, e.g., a colleague to gain access to important systems. Once access is gained, the cybercriminal can leave behind backdoors or create hidden accounts to keep access to the system for a long time.
Two different tangential tactics may be applicable.
The first is a traditional cracker's tactic. A weaker system is targeted, compromised, and subsequently used as a stepping stone to the "really good stuff".
One typical example is to exploit a software vulnerability for escalation of privileges. Exploitation of the vulnerability grants increased access. Another example is to target non-privileged user accounts, and thereby get (some) access to a system. Next, opportunities for more privileged access may be explored and obtained.
Another way to obtain financial advantages through malicious activity is to redefine the target. Instead of going after the most secure assets, a cybercriminal realizes that the second-best target suffices.
In the "case study" in this article, it is obvious that information shared between high-level executives and board members may be relevant for predicting stock prices. A cybercriminal who is able to obtain such inside information has a significant advantage over the average stock trader when she places her investments.
Other financial institutions will have other information that is valuable to obtain.
The point we are stressing here is that the information available may be the asset to target, rather than the organization's core business system.
An additional advantage is that a compromised information system may go unnoticed for a long time, as nothing tangible is stolen; only information goes astray. The cybercriminal may therefore commit the crime over a longer period.
Cybercrime has become a more sophisticated business, with more sophisticated participants. The obvious consequence is that more advanced targets are at peril.
Vulnerable organizations should be careful not to concentrate too much effort on securing their core business systems. Other organizational assets may be the target for the wise cybercriminal.