spear phishingSusan, a bank employee, sits down at her computer and logs into her bank’s system. She’s going about her work, moving from screen to screen, perhaps checking customers’ account information. Susan is accessing information that perhaps only she is supposed to have to access to. As far as she knows, her server is secure. So is her clients’ data.

Little does Susan know, someone is looking over shoulder—so to speak. Because of a little malware dropper that has embedded itself in her server, screenshots of the system, of private screens, of her customers’ most sensitive financial information, are being transmitted to a hacker. He will then use that information to remotely rob her bank. Susan has no idea.

This is “Silence,” a new malware targeting financial institutions across the globe. The virus gains access to bank servers by way of sophisticated spear phishing emails: once bank employees click the link embedded in the email and enter their banking site, the “Trojan” malware enters with them. From there, it probes the server for information which it then transmits back to the hackers. And that’s not all—it can use its access to the bank’s server to send more spear phishing emails, thus spreading the malware to as many employees as possible. Silence has already targeted 10 institutions, primarily in Russia, and continues to expand. American banks haven’t been targeted yet, but it’s only a matter of time until Silence—or perhaps a copycat—turns its attention to the United States.

Financial security threats are continually evolving. The biggest issue facing banks used to be physical security and robbery prevention, but now that so much data is dealt with online, the focus is shifting away from bricks and mortar and toward web infrastructure. Where secure tils and safes used to be the highest priority, system and email security now occupy the top spot. And the stakes are getting higher and higher: even the best bank robber only has access to some amount of the physical cash on the premises of any given bank. A virus like Silence, on the other hand, can infiltrate the system of an entire institution, eventually gaining access to the financial data of perhaps thousands of customers. One link clicked by one user in one phishing email can have catastrophic consequences.

Which begs the question: what can financial institutions do to prevent these sorts of occurrences? Well, first things first: Trojan malware hacks like this one start with a phishing email. Specifically, a spear phish: this type of social engineering scam claims to be from a trusted party, like a coworker or a friend. Spear phishing tends to be incredibly effective, because it pretends to come from a verified source. This makes it harder to spot as phishing, and thus increases the likelihood that an individual—a bank employee, for instance—will not only open the email, but also use less discrimination when clicking embedded links.

Because spear phishing is so sophisticated, it makes education in how to spot it even more critical. Almost anyone knows a phony email from a Nigerian prince when they see it: realizing that an email apparently from your supervisor is actually coming from a malware virus is a different story. There is an entire subset of security awareness that specifically covers spear-phishing scams and best practices for recognizing and dealing with them. Of course, no one thinks they need this sort of training until they become a victim—but by then it’s too late. Prevention is key: especially in high-profile organizations that are likely to be the targets of more sophisticated scams, users need to be educated and tested in every aspect of not just social engineering avoidance, but also in overall system security.

Which brings us to the second piece of this scam: once the virus enters the system initially, it camps out on the server and goes to work downloading more payloads and transmitting data to the hackers. While the situation appears to be more complicated than the virus merely taking advantage of weak or compromised systems, overall system security does play into it. As Business Standard recommends, “[Eliminating] security holes altogether, including those involving improper system configurations or errors in proprietary applications,” would keep organizations safer against these sorts of breaches. So would using threat detection services to spot the breaches before they get advanced enough to cause massive damage. Additionally, “strict email processing rules” would help cut off threats like Silence right from the start, by identifying and halting phishing emails before they can wreak havoc.

All these measures are reasonable and doable, especially with the help of security experts like the ones at GLS. We understand the current threat landscape. We also have the expertise necessary to create tailored and scalable training solutions to help keep your organization secure, at both the individual and organizational level. If these scams concern you—and they should—ask for a consultation. Strong security starts with education, and our team is committed to offering the most comprehensive and effective security training in the market. Contact us today.

What Can You Do?

Learn more about organizational security and how GLS’s Anti-Phishing Simulation Tool Can Help

Phish Testing and Simulation Tool