Like large banks, these firms hold valuable financial data but often have smaller security budgets and fewer staff, says Digital Shadows.
Asset and wealth management (AWM) companies play an important role in handling finances and investments for different clients throughout the world. For that reason, these firms can be tempting targets for cybercriminals who smell an opportunity to compromise accounts and steal financial data. A report released Thursday by digital risk company Digital Shadows examines why and how AWM companies are vulnerable to cyberattack and how they can defend themselves.
Global assets controlled by money and wealth managers are expected to grow by as much as 5.6% a year by 2025, reaching $147.4 trillion, according to Digital Shadows. Beyond possessing client data, AWM firms hold critical intellectual property as well as proprietary investment strategies and mechanisms.
This level of wealth and these types of data represent an alluring target for cybercriminals. However, these firms typically have smaller security budgets and smaller security teams compared with large financial institutions, leaving them more vulnerable.
In the fourth quarter of 2020, data from AWM companies was discovered leaked on public sites run by the Sodinokibi and NetWalker ransomware gangs. In such cases, ransomware operators steal sensitive data from organizations and then demand payment in return for not publishing that data. The Sodinokibi criminal gang even auctions data on Dark Web forums.
Last November, a post on the Happy Blog website used by Sodinokibi announced that a financial services and consulting company was likely hit by a cyberattack. The post even contained employee files, IT files, audit files, financial files, payroll files, and client files.
In December, a post was found on NetWalker Blog intimating that a financial management company was the victim of an attack. This post displayed screenshots of financial files, client files, payroll files, bank files, application files, administration files, and marketing files.
Looking ahead, Digital Shadows said it believes that ransomware demands will rise as a greater number of large companies are targeted. However, attacks also will increasingly hit small and midsized businesses such as AWM companies. Such firms are often favored as they have fewer resources devoted to such standard cybersecurity practices as patch management, user awareness, and intrusion detection/prevention (IDS and IPS) tools.
Business email compromise attacks
2020 saw an increase in business email compromise (BEC) complaints in which criminals spoof accounts of business executives and managers to steal money through wire transfers and other means. Most of the complaints from the final quarter revealed that HR and payroll departments were most heavily targeted with spoofed emails requesting changes to employee direct deposit accounts as a way to steal financial information.
Some of the emails distributed to AWM companies were sent through legitimate employee accounts, which criminals were able to harvest by tricking people into signing into phony login pages.
In one case of BEC invoice fraud, an AWM firm in the US received a phony invoice that tried to steal $80,000. Impersonating a known client, the attacker asked for money for home renovation (a common request from the actual client) and even attached a real invoice from a contractor to make the ploy seem legitimate. The firm only discovered the scam when it called the actual client for confirmation.
In other instances, a Russian cybercriminal group called Cosmic Lynx targeted AWM companies and other types of businesses in more than 200 BEC campaigns. These attackers used a dual impersonation scam in which they spoofed the CEO of a company to be acquired by the target organization to ask for someone to act as an external legal counsel. They then hijacked the identity of an actual attorney to carry out the attack.
Looking forward, Digital Shadows expects BEC campaigns to continue to adapt to current events. In 2020, attackers took advantage of the coronavirus pandemic with phishing emails related to COVID-19. As 2021 progresses, cybercriminals will likely exploit any changes with the pandemic, lockdown, and rollout of the vaccines. AWM companies should be on the lookout for attackers targeting their remote workers with dedicated phishing campaigns.
As cybercriminals increasingly tap into artificial intelligence and machine learning techniques, Digital Shadows sees more voice phishing attacks on the horizon. By using AI and ML, criminals can bypass traditional security defenses and make phishing phone calls look and sound more legitimate.
To combat ransomware, most of your planning needs to happen before an actual attack, Digital Shadows said. As part of this planning, you need to identify what information is stored on backups, how they’re stored, and whether you can revert to these backups during an incident. Other steps include cybersecurity risk analysis, training staff on cybersecurity best practices, and performing penetration testing to evaluate and bolster your security defenses.
Ransomware attacks typically start by sending malicious attachments in phishing emails or targeting accounts that use remote desktop protocol (RDP). Restricting RDP behind an RDP gateway and enabling Network Level Authentication will tighten your security if RDP needs to be internet-facing.
Further, you should prioritize patching based on the impact a vulnerability has on your data, the types of systems that would be impacted, the number of systems that are affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is.
To combat BEC attacks, executives and managers responsible for fund transfers should be aware of seemingly legitimate emails that request a transfer of funds to other financial institutions. They should also look out for spoofed emails that seem similar or identical to legitimate emails from company contacts. Further, beware of spoofed domain addresses that appear in malicious emails, typically with only one extra letter added or changed in the domain name.
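The lookalike-domain check described above can be automated rather than left to eyeballing. The following is an added example, not code from the Digital Shadows report or from TechRepublic: it extracts the sending domain from a From: header and flags it when it is within one edit (one letter added, removed or changed) of a domain the firm already corresponds with. The trusted domain list, the sender addresses and the distance threshold are all constructed assumptions for illustration.

```python
"""Flag sender domains that closely resemble a known contact's domain.

Added example, not from the original article. The article's rule (one extra
or changed letter in the domain) is expressed as a Levenshtein distance of
at most 1 against a list of trusted domains. All domains here are constructed.
"""
from email.utils import parseaddr

# Constructed list of domains the firm legitimately corresponds with
# (an assumption; a real deployment would load this from the contact system).
TRUSTED_DOMAINS = {
    "examplebank.com",
    "clientfamilyoffice.com",
    "contractor-invoices.com",
}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes or substitutions
    needed to turn string a into string b (standard two-row DP)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value.
    parseaddr handles display names such as 'Jane Doe <jane@example.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 1) -> str:
    """Classify the sending domain as 'trusted' (exact match),
    'lookalike' (within max_distance edits of a trusted domain, which is the
    pattern the article warns about) or 'unknown' (no close match)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for known in trusted:
        if levenshtein(domain, known) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two lookalikes, one unrelated.
    samples = [
        "Jane Doe <jane@examplebank.com>",
        "Jane Doe <jane@examplebanks.com>",          # one letter added
        "Billing <billing@contractor-invoice.com>",  # one letter dropped
        "noreply@totally-different.net",
    ]
    for header in samples:
        print(f"{classify_sender(header):9s}  {header}")
```

A 'lookalike' verdict is a signal for a human to confirm the request out of band (for example, by phoning the client at a number already on file, as the firm in the $80,000 invoice case did), not a reason to block mail automatically; legitimate contacts do occasionally change domains.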