Cyber attackers in the large-value payments chain are adjusting their modus operandi, lowering the value of transactions and running fraudulent instructions during normal operating hours in an attempt to blend in with regular payment flows and avoid detection, according to a new report from banking co-operative Swift.
The report, ‘Three years on from Bangladesh: tackling the adversaries’, provides new insights into the evolving nature of the cyber threats facing the global financial community.
The key findings show that four out of every five fraudulent transactions were issued to beneficiary accounts in South East Asia, and that the value of each individual attempted fraudulent transaction decreased dramatically - from more than $10m to between $250,000 and $2m.
Based on investigations over the past 15 months, the report reveals that attackers are adopting extended reconnaissance modes, operating ‘silently’ for weeks or months after penetrating a target, learning behaviours and patterns before launching an attack. Timings are also shifting: malicious actors previously favoured issuing fraudulent payments outside business hours to avoid detection but have more recently turned this approach on its head, acting during daytime hours to blend in with legitimate traffic.
The infamous raid on Bangladesh Bank in 2016 spurred Swift to launch its Customer Security Programme in a concerted effort to drive industry-wide collaboration against the cyber threat.
The approach is paying dividends, says Swift, with closer industry collaboration resulting in the quick identification of financial institutions targeted by cyber criminals - in most cases, before attackers were even able to generate fraudulent messages. In particular, the exchange of relevant and timely cyber threat intelligence has proved critical in effectively detecting and preventing attacks.
Dries Watteyne, head of the cyber security incident response team at Swift, says: “Swift’s threat intelligence sharing has highlighted the changes to cyber criminals’ tactics, techniques and procedures used in attempted attacks, enabling industry participants to understand and respond to the increasingly sophisticated nature of cyber threats. It is encouraging that detection rates of attempted attacks are increasing, but we need to be mindful that malicious actors adapt rapidly. The industry must continuously strengthen and diversify its defences, investigate incidents and share information.”