A Q&A with Sherri Davidoff, CEO of LMG Security and BrightWise, Inc.
One of the most disturbing developments in financial cybercrime is the advent and increasing popularity of banking Trojans, which pose a grave risk to both consumers and financial organizations. To find out more about banking Trojans and how to avoid them, we spoke to Sherri Davidoff, cybersecurity expert, author, speaker and CEO of both LMG Security and BrightWise, Inc.
What is a Banking Trojan?
A “banking Trojan” is malicious software designed to monitor activity and capture your online banking passwords and other financial information. Modern banking Trojans have evolved into sophisticated commercial hacking tools that attackers can use to:
- Steal your banking password as you type it into a bank’s login page
- Capture payment card information and other financial data as you type it into a webpage
- Copy any passwords that you have stored in your web browser
- Remotely log in to your computer
- Search your computer for financial data and steal your files
- Scan your organization’s network and spread to other computers
Have there been any recent examples in the public/media reports?
Banking Trojans are an epidemic, infecting businesses, public entities, and nonprofits around the world. Just last month, Kaspersky Lab published a report on “Financial Cyberthreats in 2018.” The security company reported that nearly 900,000 users were attacked with banking Trojans in 2018, up 15.9% from the year before.
The city of Allentown was famously overtaken by the Emotet banking Trojan in 2018, which severely impacted the city’s operations and cost over $1 million in damages and repairs. The malware spread beyond desktop computers; even the city’s security cameras were infected.
Why should a credit union or community bank and their customers care about this threat?
Modern banking Trojans such as Emotet and Trickbot are used by organized crime groups to steal money using scalable, sophisticated tactics. Popular banking Trojan software includes built-in phishing and transaction capabilities designed to interface with hundreds of financial websites and mobile apps. Criminals target not just large banks, but also smaller community banks and even credit unions.
Once criminals have infected a user’s computer, they can immediately capture passwords that the user enters, steal files containing sensitive financial data, and initiate transactions on behalf of the user. These transactions may not be detected for days or even weeks, in part because some banking Trojans include advanced features such as the ability to display an inflated account balance to the user, if viewed from the infected computer.
Customers that are infected with a banking Trojan typically suffer cash loss and may also fall victim to identity theft and other forms of fraud. For corporate customers, losses can be hundreds of thousands of dollars (or more), and usually the financial institution is not required to cover the loss. This also places banks and credit unions in a tough position, since they want to help their customers but simply cannot absorb the large losses caused by banking Trojans.
If the bank outsources banking applications to a cloud service provider would this threat still be a concern?
Yes. Criminals typically infect customer computers with banking Trojan software. Regardless of whether data is hosted by the bank itself, or in the cloud, criminals can still steal the customer’s password as it is typed into the infected computer and leverage these stolen credentials to steal funds.
What are some key safeguards or best practices that can mitigate this peril?
Here are LMG Security’s tips for defending against banking Trojans:
- Think before you click. Make sure all employees receive regular training to defend against phishing.
- Deploy effective antivirus. Install antivirus software on ALL computers. Use it, and keep it up to date. Check at least monthly to make sure it is running properly on all systems.
- Limit privileges. Limit what staff can do on their desktop. Make sure they cannot change the system configuration or install any software without prior approval.
- Protect against spam. Make sure all spam filters are working and kept up to date.
- Update your software. Install all of the latest patches at all times. Software updates include new security fixes that can save you money and hassles.
- Segment your network. Separate systems on your network so that a high-risk workstation is less likely to infect an important server.
- Back up. Back up your data. Test your backups. Store a copy securely offsite. Repeat.
What else should customers think about?
Time is of the essence when it comes to banking Trojans. The longer your computer is infected, the more damage a criminal can inflict. If you suspect a banking Trojan:
- Act quickly. If you suspect that a computer has been infected, don’t wait! Act right away.
- Quarantine infected computers. Unplug the network cable immediately to stop the spread.
- Don’t stomp on the crime scene. You may need to rule out a data breach. Don’t run antivirus or reformat the computer until a trained forensics professional has examined the system. Keep a copy of the malware if you find it, so that forensic analysts can examine it if needed.
- Call a forensics professional. Involve a professional forensics examiner right away to ensure that the right evidence is preserved. This can save you a lot of time and money in the long run.
- Plan your response. Develop your response plan before you get hit with an infection. Banking Trojans are an epidemic. Be prepared.
I’d like to thank Ms. Davidoff for her expert insights into the cyber risk issues facing many of our clients in the financial services sector. Our insurance carrier partners that offer wide-angle cyber coverage to banks, credit unions, traders and other entities are equally concerned about sophisticated banking Trojans/malware. Sherri offered some concise, effective safeguarding and risk management recommendations to prevent or mitigate these perils and related cyber claims. Often, as we’ve seen, if one or two of the most basic prevention measures are missing, disaster is soon to follow.
One final comment on Sherri’s last point: The value of response planning cannot be overstated for any business, but especially one in the financial sector. These types of morphing cybercrime threats will eventually impact all organizations to some extent—the question is how severe the damages will be. Your organization can contain and mitigate the damage by leveraging tested processes and the services of your third-party breach response experts (which are often recommended by your cyber risk insurance carrier). An effective data breach response plan—one that is actionable and accessible 24/7—can go a long way to keeping these threat exposures in the nuisance category.