Using Dark Web Threat Intelligence to Counter Financial Crimes

Looking to "shift left in the cyber kill chain"? Dr. Gareth Owenson, CTO of Searchlight Security, provides plenty of ideas on that... and more.

Cyberattacks don’t happen out of the blue. Cybercriminals first need to perform due diligence, obtain the tools or credentials required to get a foot in the door, carry out reconnaissance, and orchestrate their attacks.

They use the dark web for this activity, where they think they can operate anonymously. This presents a big opportunity for financial services organisations to proactively monitor the dark web for indications of imminent cyberattacks to help them take remediation actions. Doing so will not only help protect themselves, but also their customers from financial crimes.

Different Types of Financial Crimes on the Dark Web

One of the most prevalent financial crimes is the sale of personal financial accounts, with some studies putting the number of credit cards for sale on the dark web into the millions.

Marketplaces called “autoshops”, are dedicated exclusively to the sale of credit card, debit card or bank account information, as well as the credentials, cookies and remote access needed to takeover online accounts. Top autoshops include Blackpass, 2easy and Russian Market, which post tens of thousands of new listings per week – giving a clear indication of the scale of this problem.

The data sets that autoshops sell come from attacks against e-commerce sites, such as the infamous Magecart attacks against British Airways, Ticketmaster and Newegg; phishing sites; banking trojans and stealer malware like Zeus, Emotet and Trickbot; or even data stolen from employees at financial institutions.

Monitoring the dark web gives financial institutions crucial insights into these autoshops, as well as the activity being undertaken to supply them. For instance, stealer malware and banking trojans can be found for sale on markets and forums, as well as user guides for them. Spamming tools and phishing pages are also sold, along with reverse proxy servers (such as Modlishka and Evilginx) to bypass bank’s two-factor authentication (2FA).

Threats against Financial Institutions

Financial institutions tend to have a large dark web “footprint”. There is a lot of chatter on forums about how to target them. Moreover, because they are typically being large and complex enterprises – with staff across different departments, offices, and geographies, a large and intricate IT infrastructure, and many customer facing applications – there are so many potential vulnerabilities for cybercriminals to probe and exploit on the dark web.

Common threats against financial institutions that are visible on the dark web include (but are not limited to):

Leaked employee credentials: Databases including employee’s names, email addresses, and passwords can leave employees vulnerable to attacks. With just a name and email address, cybercriminals can conduct very effective phishing campaigns against employees. According to IBM, phishing was the most common attack vector into financial services organisations last year, responsible for 46% of attacks.

Vulnerability exploitation: Cybercriminals sell vulnerabilities in an organisation’s software, devices and even supply chain companies they use. According to IBM, vulnerability exploitation is the second most popular route into a financial institution, leading to 31% of attacks last year.

Dark web traffic: Incoming traffic from the dark web could indicate that the financial institution’s network is being actively scanned for vulnerabilities; and outgoing traffic is potentially even more serious, as it may indicate that an employee is doing something malicious or, worse, that a command-and-control server has been established so that cybercriminals can remotely execute their attack.

Dark Web Intelligence in Action

Having insight into criminal activity on the deep and dark web can allow financial institutions to take proactive action to prevent attacks against themselves and customers.

For instance, by searching for Bank Identification Numbers (BINs), a bank could find its associated credit card details that have been leaked on the dark web, block the cards, then use that intel to inform customers and the authorities to prevent fraud at scale.

Equally, monitoring the dark web for the company name, associate IP addresses and credentials could give important clues to staff being at risk from phishing attacks, business email compromise or if executives are being actively sought out by criminals on the dark web.

Financial institutions could also identify the software vulnerabilities or exploits for sale on dark web marketplaces that could be used to target their infrastructure or their customers with the likes of banking trojans or 2FA bypass tools, for example.

This intelligence can help them patch vulnerabilities before they are exploited and, with insight into where and by whom such tools are being sold, gain an understanding of the adversarial landscape.

Visibility into dark web traffic can also help an organisation take defensive action to protect the specific part of the network that is being targeted or where data is potentially being leaked.

Dark web monitoring enhances cybersecurity strategies, giving financial institutions the ability to pre-empt the actions of threat actors. It helps them shift left in the cyber kill chain, to identify potential attacks against their infrastructure or their customers before they are launched, rather than trying to mitigate them after the fact.

By Dr. Gareth Owenson, CTO of Searchlight Security.

Do you want to learn more about cybersecurity? Check out these courses from TechRepublic Academy.

Guest Contributor
Guest Contributor
Follow on Twitter @eWeekUK

Popular Articles