Penetration tests are finding that banks suffer from web application vulnerabilities and insufficient network security measures much like any other organization. Once attackers gain access to the internal network, they find it secured no better than the networks of companies in other industries.

One weak element common to banks is the human factor. Attackers can bypass even the best-protected network perimeter with techniques such as phishing. Phishing messages can be sent to bank employees at both their work and personal email addresses, and phishing as a way past the network perimeter has been used by almost every group that attacks banks.

Positive Technologies' testing found that employees at 75% of the banks reviewed had clicked on links in phishing messages, and those at 25% of banks had entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on a work computer. Penetration testers obtained access to financial applications in 58% of cases. At 25% of banks they were able to compromise the workstations used to manage automated teller machines (ATMs), which means the banks tested were vulnerable to techniques similar to those used by Cobalt and other cybercriminal groups in real attacks.

Moving money to criminal-controlled accounts through interbank transfers, a favorite method of the Lazarus and MoneyTaker groups, was possible at 17% of the banks tested. At the same proportion of banks, card processing systems were poorly defended, which would allow attackers to manipulate the balances of card accounts; such attacks were recorded in early 2017 against banks in Eastern Europe.

An attacker collects the following information about the bank:

  • Information about network perimeter systems and software
  • Employees (including email addresses, telephones, positions, and names)
  • Partners and contractors, as well as their systems and employees
  • Business processes

Examples of preparatory actions:

  • Developing or adapting malicious software for the software and OS versions used in the bank
  • Preparing phishing emails
  • Setting up infrastructure (including domain registration, server rental, and purchase of exploits)
  • Preparing the infrastructure for money laundering and cash withdrawal
  • Searching for money mules
  • Testing the infrastructure and malicious software


Penetration testing shows where an organization is weak and how an attacker could get into its systems. Understanding how you can be compromised is the first step toward preventing a breach. The key point is that an attack detected and stopped in time fails: losses can be prevented at any stage if appropriate protective measures are in place. Email attachments should be detonated in an isolated environment (sandbox) rather than checked only by endpoint antivirus. Alerts from protection systems must be configured and acted on immediately, which in practice means that security events are monitored by an internal or external security operations center (SOC) using a security information and event management (SIEM) system, which collects and correlates events so that analysts can process them quickly.

Cybercrime continues to evolve quickly, so instead of hiding incidents, banks should pool their knowledge: share information on attacks against the industry, learn the relevant indicators of compromise, and raise awareness across the sector.
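The sandbox-plus-SIEM advice above is easier to reason about with a concrete correlation rule. The following is an added example, not code from the article or from Positive Technologies: a minimal SIEM-style rule that replays mail-gateway, sandbox and endpoint (EDR) events and raises an alert when an attachment the sandbox flagged was delivered or, worse, executed from a mail client. The log format, field names, hostnames and hash values are all constructed for illustration; real products emit different formats. It also covers the gap the text warns about: an attachment run by a user that the sandbox never saw, where only endpoint antivirus stood in the way.

```python
"""Added example (not from the article or Positive Technologies): a minimal
SIEM-style correlation rule tying mail-gateway, sandbox and endpoint events
together.  Log lines, field names and hashes are constructed placeholders."""
from collections import defaultdict

# Processes that hand attachments to the user; anything they spawn counts as
# "attachment was opened/executed" for this rule (constructed list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed, time-ordered sample log lines in key=value form.  For
# process_start events, sha256 is the hash of the attachment the process was
# launched with (a convention chosen for this example).
SAMPLE_EVENTS = [
    "ts=2017-03-01T09:00:01 src=mailgw event=mail_delivered to=alice@bank.example from=hr@bank-example.co attach=salary_review.doc sha256=aaa1",
    "ts=2017-03-01T09:00:05 src=sandbox event=sandbox_verdict sha256=aaa1 verdict=malicious family=macro_downloader",
    "ts=2017-03-01T09:02:10 src=edr host=WS-ATM-07 user=alice event=process_start image=winword.exe parent=outlook.exe sha256=aaa1",
    "ts=2017-03-01T09:10:00 src=mailgw event=mail_delivered to=bob@bank.example from=vendor@partner.example attach=invoice.pdf sha256=bbb2",
    "ts=2017-03-01T09:10:03 src=sandbox event=sandbox_verdict sha256=bbb2 verdict=clean",
    "ts=2017-03-01T09:15:00 src=edr host=WS-OPS-12 user=bob event=process_start image=acrord32.exe parent=outlook.exe sha256=bbb2",
    "ts=2017-03-01T09:20:00 src=edr host=WS-OPS-13 user=carol event=process_start image=statement.exe parent=outlook.exe sha256=ccc3",
]


def parse_kv(line):
    """Parse 'k=v k=v ...' into a dict (values contain no spaces in this format)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def correlate(lines):
    """Replay events in order and return the alerts a SOC analyst should see.

    Rules:
      * malicious_attachment_delivered  - the sandbox says malicious and the
        gateway delivered that file (the verdict may arrive after delivery).
      * malicious_attachment_executed   - a mail client spawned a process on a
        file the sandbox flagged: the user ran the attachment.
      * unsandboxed_attachment_executed - a mail client spawned a process on a
        file the sandbox never saw, so only endpoint AV was in the way.
    """
    verdicts = {}                  # sha256 -> "malicious" | "clean"
    delivered = defaultdict(list)  # sha256 -> [(ts, recipient), ...]
    alerts = []

    def alert(rule, severity, ev, **extra):
        alerts.append({"rule": rule, "severity": severity,
                       "ts": ev["ts"], "sha256": ev["sha256"], **extra})

    for line in lines:
        ev = parse_kv(line)
        kind = ev.get("event")

        if kind == "mail_delivered":
            delivered[ev["sha256"]].append((ev["ts"], ev["to"]))
            if verdicts.get(ev["sha256"]) == "malicious":
                alert("malicious_attachment_delivered", "high", ev, to=ev["to"])

        elif kind == "sandbox_verdict":
            verdicts[ev["sha256"]] = ev["verdict"]
            if ev["verdict"] == "malicious":
                # Late verdict: warn about every recipient who already has it.
                for _ts, recipient in delivered.get(ev["sha256"], []):
                    alert("malicious_attachment_delivered", "high", ev, to=recipient)

        elif kind == "process_start" and ev.get("parent") in MAIL_CLIENTS:
            verdict = verdicts.get(ev["sha256"])
            if verdict == "malicious":
                alert("malicious_attachment_executed", "critical", ev,
                      host=ev["host"], user=ev["user"])
            elif verdict is None:
                alert("unsandboxed_attachment_executed", "medium", ev,
                      host=ev["host"], user=ev["user"])

    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run over the constructed events, the rule produces three alerts: the late malicious verdict for alice's attachment, the critical execution of that attachment on an ATM management workstation (the scenario the article describes), and a medium alert for carol running an attachment the sandbox never analysed; bob's clean invoice produces nothing. The ordering matters: because the sandbox verdict can arrive after delivery, the rule checks in both directions rather than assuming the gateway blocked the file.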