Botnets increasingly prey on small banks and credit unions

Computer gremlins with zombie-like powers called botnets continue to spread through financial services systems, increasingly targeting smaller banks and credit unions, a new study says.

The problem is widespread in the business world. From January to April of this year, there were roughly 3.2 billion attacks each month on all industries by botnets — malicious code that spreads through a network of devices to surreptitiously act in unison, shooting out spam or conducting massive numbers of login attempts, according to the study conducted by the digital security firm Akamai.

Attacks spiked in May and June to 8.3 billion combined, the study said.

It did not specify how many of these attacks involved banking companies but said they are a common problem there.

The researchers highlighted the example of a credit union that came under botnet attack earlier this year. The code worked in waves: One botnet drew quick attention, spawning 8,723 attacks per hour. A second also joined in. But there was a third botnet which only attempted 797 attacks per hour. This sneakier botnet was the real danger, said Rich Bolstridge, Akamai’s chief strategist of financial services.

“While a particularly noisy botnet caught [the credit union's] attention, the discovery of a botnet that had been very slowly and methodically trying to break in created a much bigger concern,” the study said.


A popular tactic is to take stolen login information and use botnets en masse to key in this information at various websites, an act called “credential stuffing.”

“Credential stuffing is becoming more prevalent in the [financial] industry,” Bolstridge said. “There are sophisticated bots all around the world. Russia, Vietnam, and the U.S. are the top three countries with the largest bot traffic.”

Akamai chose to highlight credit unions in the report because they and smaller banks are especially vulnerable to cyberattack, Bolstridge said. Some credit unions may believe they are small enough to fly under the radar and will not be targets. But the weaker electronic defenses at these institutions are inviting the interest of cyber crooks, he said.

“Criminals understand that all they need is one good username and password,” he said.

Smaller institutions are often too reliant on outside vendors to manage digital security, said Scott Ramsey, managing principal of cybersecurity at Capco, a global consultancy. The reason, Ramsey said, is that talented developers and engineers gravitate toward big financial institutions, which have the prestige and cutting-edge tools they want to work with.

However, representatives of smaller institutions disputed the characterization that they are more vulnerable to cyberattacks than larger institutions.

Security controls are scrutinized often at credit unions, said Lance Noggle, senior director of advocacy for payments and cybersecurity at the Credit Union National Association. One of the steps that institutions have taken against botnets, he said, is installing processes on login webpages to verify that users are legitimate.

There is some misconception about the security around smaller institutions, said Idrees Rafiq Jr., vice president of IT consulting, financial and technology resources at Credit Union Resources, a subsidiary of Cornerstone Credit Union League.

Larger financial institutions are actually more vulnerable, he argued, because they rely on more digital technology applications and thus have more places for botnets to attack. A large bank may use an intranet timesheet portal for vacation scheduling, he said, while a small institution will likely just inform staffers about fellow employee vacations either on paper or simply by telling each other in person.

Cyber criminals are like businesspeople, Rafiq said, in that they chase the biggest returns from big databases at bigger banks.

Another credit union official, who asked for anonymity due to the sensitivity of the issue, argued that smaller banks and credit unions are less vulnerable since many of their critical systems are hosted in cloud infrastructures, overseen by big tech companies, rather than in onsite legacy systems.

While the security of smaller institutions may be debated, Akamai's Bolstridge recommended that they share intel with each other and work with vendors to minimize the threat. Capco's Ramsey said smaller firms can at least press the issue with their vendors.

“An ounce of prevention is worth a pound of cure,” Ramsey said. “Don’t be afraid to ask questions.”
