finance
monthly
Personal Finance. Money. Investing.
Contribute
Newsletter
Corporate

As curiosity rises around this topic Equifax has devised this educational infographic which helps answer the fundamental questions; including what a money mule is, how money muling works and how to spot ads for money mules. Equifax explores what could happen if you’re involved with such suspicious activity highlighting the severity of falling victim to becoming a money mule. 

Educating the public is as crucial as ever, particularly as the latest Fraudscape report by Cifas found that in 2018, organisations reported over 40,00 cases of fraudulent abuse of bank accounts that bore the hallmark of money mule activity. This widespread issue only seems to be escalating as cases involving mule activity were up by 26% in 2018 compared to 2017.

The interactive infographic will lie within the Equifax ‘Knowledge Centre’ on their main website. This informational hub provides readers and customers with relevant content and guidance surrounding a variety of financial categories. You can read Equifax’s full interactive guide to Money Mules here.

Below, Thanassis Diogos, Managing Consultant, SpiderLabs at Trustwave, discusses with Finance Monthly the intricate planning and plotting behind the recent Eastern European cyber hack on banks, which combine both physical and cyber stealing methods. Trustwave believe that this attack has the potential to spread to the UK and around the world.

Earlier this year Trustwave was called in to investigate several security breaches which had affected banks in Post-Soviet countries. These attacks appeared to be a hybrid of physical and cyber techniques with people used as mules to open new bank accounts, and cyber specialists using their skills to hack into the banks systems. Banks which had been compromised suffered significant monetary losses, somewhere between USD$3 million and USD$10 million. Trustwave’s investigation also discovered that the attacks shared common features. These identifiers included large financial losses originating from apparently legitimate customer accounts and all thefts taking place at ATM locations outside of the banks originating country, where the money was withdrawn using a legitimate debit card.

In some cases, the banks were not aware they were being breached until the attack was complete. However, there were cases where the malicious activity was picked up by third party processors, who are responsible for processing credit and debit card transactions. Despite the large sums being stolen, the thefts were hard to detect thanks to the use of debit cards acquired legitimately through the standard in-branch application process.

A closer look

Upon investigation of the third-party processors and the affected banks, we found a completely unique modus operandi behind the breaches. The criminal gang had used innovative attack tactics, techniques and procedures to successfully complete the attack campaign. The attack itself comprised of two physical stages which top and tailed the attack – the mules opened bank accounts in the initial phase and withdrew the funds in the final ATM cashing out phase. The cyber-attack compromised four stages beginning with obtaining unauthorised access to the banks network, compromise of the third-party processors network, obtain privileged access to card management system and finally activate the overdraft facility on specific accounts.

Method in the madness

The criminals hired a number of mules and provided them with false credentials, so they could open new accounts in branch. On opening the accounts, the mules requested to receive debit cards with the account, and the cards were then passed on out of the originating country to a group of international conspirators. It is not unusual to request a debit card with a new account as the balance of the account is directly related to how much money is available.

Whilst these numerous bank accounts were being opened in branch, the cyber part of the attack was already under way. Members of the criminal gang hacked into the victim banks’ internal systems and manipulated the debit cards features to allow very high overdraft limits or no overdraft limit at all, and also removed any anti-fraud controls in place on specific accounts. Almost simultaneously the operation continued in the countries where the debit cards had been sent to. The cards were used to make large withdrawals from a number of ATM’s which had been carefully selected because they had high or no withdrawal limits. Locations were also chosen to be remote and have either no or obscured security cameras. During the following few hours the operation concluded with a sum between USD$3 million and USD$10 million being withdrawn from each bank.

Recommendations to banks

There are measures which banks can take to help mitigate these kinds of attacks. A proactive program such as managed detection and response (MDR), also known as threat hunting is recommended. Implementing a threat hunting program will allow banks to detect threats early on and mitigate them before they have the opportunity to do any real damage. Banks should also prepare incident response plans and have them well documented and tested so they are fully prepared to act swiftly if such incidents occur.

Unfortunately, the success of these attacks could be attributed to the lack of coupling between the core banking system and the third-party card management system. Had these two systems been integrated correctly the changes to the debit cards overdraft limits would have been red flagged much earlier on. A second example of non-technical control failure is that several accounts on the card management system were able to both raise a request for a change and approve the change. This process is a violation of a commonly used control used in banks and banking applications called Maker-Checker. Banks are therefore advised to undertake frequent cyber security risk assessments to detect and mitigate this type of control weakness.

Currently the attacks have been localised to Eastern Europe and Russia, however, we believe that they do represent a clear and imminent threat to financial institutions in Europe, North America, Asia and Australia over the forthcoming months. During the course of the investigation it was discovered that bank losses currently stand at around USD$40 million. However, this does not account for undiscovered or un-investigated attacks or investigations undertaken by internal groups or third parties, the total losses could already run into hundreds of millions of USD. We would advise all global financial institutions to consider this threat seriously and take necessary precautions.

Where do cyber threats begin? What is the root of the issue and how can we eradicate the source of any risk? What does this look like when you’re a maturing startup compared to a global corporation? Thomas Parsons, Sr. Director of product management at Tenable Network Security here takes to Finance Monthly back to the basics and gives his thoughts on the current global cyber situation.

Ransomware had previously been considered just another piece of nuisance malware that largely targeted unsuspecting consumers. However, the recent uptick of new variations, and their drastic impact in restricting access to enterprise systems and data, has catapulted this threat firmly into the spotlight. Events in the last few months have established ransomware as one of the most impactful and persistent global cyber threats.

Ransomware on the global stage

Increasingly in recent years, we’ve seen a shift from hackers using ransomware to target individual users to much larger attacks on enterprises. Top of mind is WannaCry, which wormed its way into networks around the world and encrypted data, closely followed by ‘Petya’ and also ‘NotPetya.’

Ransomware operates by compromising a system, infecting it with malware and encrypting data using a private key, preventing users from accessing the system. Hackers then send a message demanding payment to provide the key and restore the user’s data. Weaponising ransomware with worm capabilities, i.e. EternalBlue, has given hackers the opportunity to maximize the damage as the malware spreads from system to system. When ransomware latches onto systems that contain valuable company data, the systems become inaccessible, effectively bringing business to a halt.

For any organisation, the breach of personal data can not only impact the bottom line, but it can also cause irreversible reputational damage.

To pay or not to pay

WannaCry and Petya/NotPetya represent the new normal of today’s sophisticated threat environment. And with ransomware now impacting the global community, organisations must grapple with whether to pay the ransom.

Unfortunately, there is no guarantee that an organisation, which has its data held hostage by cyber criminals, will get a decryption key by paying the ransom – after all you’re dealing with criminals.

Paying the ransom also further funds the criminals’ antics, validating the business model and encouraging repeat infections – a practice that doesn’t benefit anyone in the long run, except perhaps the criminals.

However, the debate as to whether to pay cyber ransom shouldn’t be the focus, given that these attacks can be preventable.

Rather than a sophisticated attack or zero-day exploit, ransomware often takes advantage of well-known software vulnerabilities that organisations have failed to patch or update. The truth is attackers would much rather gain entry to the network by exploiting a known, but unpatched vulnerability, or a phishing email, because these techniques have a much higher return on investment.

But patching isn’t always that simple. Security teams can't control everything, and while it has become increasingly easy to deploy changes into environments, there are some mission-critical systems that can’t be updated with a click of a mouse or a simple script. For those systems that can’t be taken offline without disrupting business operations, security teams must implement compensating controls and make proper, risk-based decisions to mitigate the threat.

Cyber 101: Back to the basics

If we’re to leave ransomware in the past, organisations must get back to the basics, focusing on the foundations of strong cybersecurity.

To start, organisations need to implement security controls that prevent untrusted or unknown applications from being installed, while not impeding end-user productivity. This means security teams should use application whitelisting, blacklisting, dynamic listing, real-time privilege elevation and application reputation.

Organisations should also consider adopting the principle of least privilege, which gives privilege to users according to job necessities. In the event of an accidental link click or attachment opening that attempts to execute an application requiring elevated privileges (such as encrypting a hard drive, network share or folder), the user privileges would not allow those actions to be performed, stopping the attack immediately.

Even more important is end-user security training and awareness, backed by a solid understanding of attack methods used to gain information from users. Educating users on how to spot a phishing email and the dangers of sharing personal information and installing software from unknown sources can benefit them both at work and home.

In the modern computing environment, which now spans cloud, on-premises, IoT and operational technology, continuous visibility into the vulnerability status of every asset is critical to understanding the business impact of ransomware attacks and to fundamentally improve how organisations think about cybersecurity.

Here is a simple mantra to help focus the mind - If you can’t patch it, then you must protect it. And if you can’t do either, then you should prepare for the consequences.

The threat of cyber extortionists holding data hostage is significant. Symantec’s 2017 Internet Security Threat Report lists ransomware as the ‘most dangerous cybercrime threat facing consumers and businesses’.

Last week, South Korean web-hosting firm Nayana agreed to pay a $1m ransom to unlock computers frozen by hackers. Security experts warned that firms should not pay such ransoms or enter into negotiations with hackers. In addition, today several firms globally were held to cyber ransoms including banks, airports and government systems around the world. Even DLA Piper suffered an attack according to the BBC.

When considering high-risk industries like financial markets, the data and infrastructure at risk is both incredibly sensitive and complex. Once adversaries gain access to an environment, they can access everything from proprietary algorithms and trading strategies through to sensitive customer data.

This week, Finance Monthly received its biggest ever number of responses to the question ‘Should Companies Pay Cyber Ransoms?’ Below are just a few of the responses from top experts around the world.

Jack Bird, Content Specialist, Team Umbrella:

The magic of the internet and today’s cutting edge technology is based on a give and take relationship. To take all the lightning quick information and globalised communication, we have to give our personal details and highly sensitive information in return; like a sacrifice to the all-powerful cyber gods that we’re forced to trust so our crops might be more fruitful next year.

The easier things get for us, the larger the anvil hanging over our head becomes; and this form of cyber terrorism we’re seeing with Nayana is only going to grow. This might soon see a return to more physical forms of media to avoid the proxy-warfare of recent headlines, but for now, and it is a weak answer: it’s a matter of balances.

Maybe the correct move is to stand up to the bully and not give them your lunch money, because next week they might come back for your homework or the intricate details of your eight figure business plans. Giving in to demands, however, might result in you going hungry throughout the day – or, to put an end to that analogy, your work force of mothers and fathers going hungry because you can’t pay them anymore.

Films taught us to puff our chest out, but, even though this news story might resemble the plot line of a 1980’s Paul Verhoeven film – this isn’t a film. There is no simple answer because every question is different. Is the $1 million more valuable than the files they’re holding a gun to the head of? Maybe they’re outdated and you don’t need the information anymore?

There is no definite answer, which makes this a bad one – but, also, the right one.

Rafe Pilling, Senior Security Researcher, Counter Threat Unit, SecureWorks:

To paraphrase a well-worn bit of philosophy, all that is necessary for ransomware attackers to succeed is for well meaning

organizations to pay the ransom. In 2016, it became common for thought leaders to say “Never pay the ransom, but …” and that “but” was meant to allow wiggle room for instances when a $500 ransom was cheaper than the hassle of not paying, or when healthcare entities were dealing with true matters of life and death. But the problem with either of those scenarios is: As soon as one pays the ransom, then one has reinforced that the attackers made the right decision to attack. The only reason this crime thrives is because it’s profitable organizations (despite what they say publicly) continue to pay the ransom. When that stops, so will the attacks.

Eric Berdeaux, CEO, OXIAL:

If the situation has gone so far that an organisation has actually been breached, then paying can be the best option open to them. Ransomware is truly insidious and can often encrypt most, or if not all of an organisation’s data. This makes it completely unusable and puts a halt to any internal business and IT processes. Such is the professionalism and expertise of modern hackers, it can be very difficult to fend off Ransomware once it has taken hold. To try and clean the virus, delete all of the encrypted files and then restore them, would not only cost a lot of money but would require a number of highly skilled engineers too. Even then, there is no guarantee of success. That’s why I believe that when it has gone this far, the only way is to pay.

Of course, it would have been far better to spend this money in a different way – securing the data properly and effectively in the first place, and covering any residual risk with good insurance. Organisations do not always do this even when they have suffered an attack, believing lightening won’t strike twice. This is misguided. When it comes to cyberattacks, lightning can and will strike on many occasions - the security threat in 2017 is incredibly complex, varied and on-going. Without continuous protection, organisations will be hugely vulnerable and may find themselves facing expensive ransom demands.

Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, Fujitsu:

The news that South Korean web-hosting firm Nayana has agreed to pay a $1m ransom to unlock computers frozen by hackers is stirring a new narrative around whether we should be giving in to hackers. While industry experts have been preaching against this, companies are ultimately left facing the prospect of irreversibly losing valuable data, or paying a certain, often excruciating, amount of money to save their businesses.

Paying ransomware encourages the lucrative side of malicious cyber activity, which subsequently attracts more actors willing to engage for their personal gain. The truth is that many organisations probably don’t see themselves as ‘high value targets’ for attackers and it’s likely that they have very minimal protection or staff training and awareness. However, for many malicious actors finding vulnerabilities is their bread and butter, and they will look to hold organisations to ransom through a ‘soft attack’ that compromises its data.

Organisations should ensure they have good backups if they are infected. They must take a proactive and intelligence driven approach to security, by monitoring phishing campaigns which evade their mail gateway controls for example. Backups, risk analysis, staff training and further practical advice such as application whitelisting and incident response will ensure the risks associated with ransomware are as low as possible.

With this knowledge there is no excuse not to be prepared. Cyber criminals are entrepreneurial, well-sourced and motivated, and we shouldn’t be repaying their efforts in hefty amounts of ransom.

Sarah Adams, Cyber Risk Expert, PolicyBee:

Faced with not having access to your systems, data or website, it’s tempting to take what seems like the line of least resistance and pay a ransom straightaway. But there are good reasons why that might not be the best thing.

From a cyber insurance point of view, the most obvious alternative is to get in touch with your insurer. This kind of situation is exactly the sort of thing your policy is for. Your insurer has access to cyber security experts who will evaluate and deal with the problem for you.

Of course, if there’s no way around it, your policy will cover the ransom. But ideally your insurer will want to sort the situation by other, technical means if possible – there’s no guarantee paying up means case closed. Who’s to say you’ll get your files back, even if you cough up? Your insurer certainly doesn’t want to trust the word of a cybercriminal.

The point here is that two (or more) heads are better than one. You don’t have to deal with a ransomware problem – or any other cyber-attack – on your own.  Cybercrime is alien territory for most businesses, and it makes sense to get help when you need it most. A specialist insurer not only has the money to sort out these situations, it has the time and the expertise too.

Although undoubtedly unsettling and very much an unknown quantity, cyber-attacks involving ransomware aren’t always the business disaster they might first appear to be. Paying up doesn’t have to be a given and doing so, worst-case scenario, can risk turning you into a future blank cheque.

Preventing an attack in the first place can be equally expensive and time-consuming (and, given the odds, arguably futile), so it pays to have help and support on standby for if and when you’re targeted. You don’t need to be a cyber security expert to recover from an attack – you just need to know someone who is.

Dr Guy Bunker, Senior Vice President of Products, Clearswift:

This case sets an unfortunate precedent. Whereby larger organizations are shown to be prepared to pay significant sums of money to cyber-criminals. It will only stoke the fire of ransomware and the attacks on business if the perpetrators think they will get away with it. In the non-cyber world, we saw this with the Somali pirates, where once ransoms started to be paid, there was a huge rise in vessels and crew being taken hostage.

Our advice is always the same for both individuals and organisations: once you’ve been compromised, do not pay the ransom. By paying, you’re opening yourself up to further attacks as the criminals will see that A) the organisation has the willingness to pay ransom and B) the cash reserves to do so. Furthermore, in more than 30% of cases, access to the information is not returned, i.e. you still don’t get your data back in an unencrypted form. All too often, the cyber-criminals take the money and then re-encrypt systems a short while later – as the malware will still be lurking in the background, unless it has been fully removed.

This is not the only issue, negotiations between the criminals and organisation can take up valuable time and resources – according to reports it took Nayana over a week of back and forth with the hackers to come to an agreement. Ransomwares’ biggest impact is downtime of the organization, with several organizations requiring complete IT shut-down and the return to pen and paper while the issues are resolved.

The best defense against ransomware is firstly, to ensure all systems and applications are kept up to date with security patches being applied; secondly, ensuring that security systems are in place that strip hidden active content (the type likely to be ransomware) out of documents and emails coming into your organization; and thirdly, to regularly backup critical information. Backups are key and can ensure that even if information is encrypted, you won’t be in a position where you have to pay – minimizing the harm to you and the reward to the criminal to zero.

Robert Rutherford, CEO, QuoStar:

Ransomware is an increasing threat, and one which is here to stay. Although businesses may not like the thought of paying a cyber ransom, in today’s digital era if an entire business’s IT environment is frozen then they are unable to function, this loss of productivity can come at a far higher cost than the ransom itself.

When it comes to deciding whether to pay a ransom, a business essentially needs to understand how much an outage or a loss of key data assets is going to cost them. This information will allow a business to measure risk against cost and make an informed decision. If a cyber ransom is £500 for example, whereas loss of productivity could cost thousands, the decision can be made easily by those responsible for IT security within a business.

Furthermore, this information should also be used by a firm’s senior leadership team to determine which protections and solutions should be put in place to prevent the business from being infiltrated by ransomware again, or by another type of cybersecurity threat in the future. IT security must be a priority, however, and firms must not wait until ransomware strikes to conduct these risks versus cost reviews and act ahead of time.

Giovanni Vigna, CTO and co-founder, Lastline:

Companies should not pay ransom. However, there might be situations in which not paying ransom would cause irreparable damage to a company, putting the company out of business. In these cases, paying might be the only option, but these situations can be avoided by being prepared. Ransomware, in a way, is not very different from a catastrophic event. What if a room full of server is flooded and the machines damaged beyond repair? Would the company be ready to restore the service (and the associated data) after such an event? If the answer is “yes” the company could probably withstand a ransomware attack as well…

Andrew Stuart, Managing Director, EMEA, Datto:

Firms should never cave in to ransom demands from hackers. First of all, paying up does not guarantee the safe return of data. Datto conducted some research into this topic during the twelve months up until September 2016. We found that almost half – 47% – of the European firms which opted to pay ransoms, didn’t get all of their data back.

Secondly, firms that choose to cough up can quickly gain a reputation amongst cybercriminals for being a soft target. This leaves particularly susceptible to future attacks.

On a wider scale, each and every time a ransom is paid more money is ploughed into the criminal underworld. Today’s hackers work like businesses, with a portion of their income being invested in R&D. This extra cash could be used to develop new strains of malware or to exploit new vulnerabilities. While paying a ransom seems like a quick fix, it has negative, long-term consequences for all organisations.

Instead of paying ransoms – especially ones with $1 million price tags – organisations need to invest in better defences. Patching vulnerable IT systems is vital, as are perimeter defences such as anti-virus software and firewalls. But these alone are not enough. Firms also need to back up their data. If they call roll back their systems to a point in time before their data was illegally encrypted by hackers, firms can carry on as normal, with no dramas and no ransoms.

Andrew Bushby, UK director at Fidelis Cybersecurity:

An analogy often used to describe ransomware and whether to pay up or not is ‘protection racket’. In old-fashioned mob movies, two guys walk into a grocery store saying ‘Hey, nice store. Would be a shame if something were to happen.’ The reason the mob ‘insurance’ scams worked is because the value of the protection was higher than the cost of the insurance – and the mob delivered on their promises. In the case of ransomware, the value of the data is higher than the ransom and operators go through great effort to ensure users get their data back. Occasionally there are errors, but in general, people do get their data back.

In an ideal world, consumers and organisations would be better prepared. With sound backups in place, ransomware infections would merely be annoying exercises involving file restoration.  Ensuring backups of critical or valuable information has been a best practice for decades, but because reality rarely matches the ideal, this often doesn’t happen.  Consequently, a few tips can help those dealing with a ransomware attack:

Stu Sjouwerman, CEO, KnowBe4:

Ransomware has been called the most profitable criminal business model in history. Bad guys infect a workstation or whole network and hold the data hostage until a fee is paid to get it back. Last month, the WannaCry ransomware strain went global, impacting computers in more than 150 countries and wreaking havoc on Britain’s National Health Service, Spain’s Telefonica and France’s Renault automobile factory.

Ransomware has become a “when, not if” scenario for businesses of all sizes. Typically ransomware comes into a company through an employee– usually by opening the attachment of a phishing email which then gives cyber criminals the ability to download the malware onto the users’ computer or network without their knowledge.

Most antivirus programs do not detect it as it is rapidly changing with new variations every day. Being successfully hit by a ransomware attack can set a business back 50 years, using “pen and paper” management and the ransom amount can get very high. WannaCry charged $300/machine, which adds up very quickly, particularly for small and mid-sized businesses (SMBs)

Now to pay or not to pay – this is ultimately a business decision, and one which most organizations do not make lightly. There are different types of ransomware infections:

It is crucial to start with a so-called defense-in-depth strategy to protect your network, including weapons-grade backups that are regularly tested, ensuring all software is up to date, running antivirus software but not relying on it, identifying users who handle sensitive information and checking firewall configurations to make sure no criminal network traffic is allowed out and educating your users as your last line of defense so they can stop ransomware before it comes in.

Alex Manea, Chief Security Officer at BlackBerry:

Companies that experience ransomware attacks should never consider paying any ransom demand. Not only does it cause reputational damage and a loss in customer confidence, but once an organisation succumbs to paying a cybercriminal there is still no guarantee that full recovery will occur. Trusting cybercriminals to provide a decryption key can often take days, weeks or not happen at all.

Businesses should also keep in mind that cybercriminals are anonymous and they have no reputation to protect, which means they have no incentive to hand over the decryption key, as this could make them easier to trace.

In addition to this, there is now evidence that hackers are actually repeating other hackers’ successful ransomware activities. This not only suggests that businesses that are paying ransoms aren’t getting their data back, but are likely inspiring future attacks.

If a company does choose to pay the ransom, as in this case Nayana did, and they gain access to the decryption key or a tool which can help them to access their files again, there is still no certainty that the organisation is secure again. Indeed, in many ways the company is now more vulnerable to ransomware attacks, as it will have a reputation for paying and this could actively encourage additional ransomware attacks and even bigger financial demands.

We would also love to hear more of Your Thoughts on this, so feel free to comment below and tell us what you think!

About Finance Monthly

Universal Media logo
Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.
News Illustration

Get our free monthly FM email

Subscribe to Finance Monthly and Get the Latest Finance News, Opinion and Insight Direct to you every month.
chevron-right-circle linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram