Understanding Online Banking Cyber Crime

Media Division | December 2, 2013

Cyber crime revenue grew by leaps and bounds in the last few years, and will continue to grow, experts say. Online banking is one of the favourite, most lucrative playgrounds of such criminal activities, which now adopt ultra-sophisticated techniques to stay ahead. As the number of online banking users keeps growing, this is one of the sectors that most need awareness from consumers and stakeholders.

Although estimating losses is not easy (financial institutions do not disclose data related to cyber fraud), independent research has led to shocking findings: Financial Fraud Action UK reported that online financial fraud losses reached £40 million, a 12% increase compared to 2011. Group-IB states Russian online banking suffered a $446 million loss in the same period.

What are the main methods of attack against online banks? We’ll explain the most frequent cases.


The number of phishing attacks against financial institutions, especially banks, is very high. What cyber criminals are after is, of course, all types of sensitive information, such as account credentials, transfer history etc.

A classic phishing attack consists of tricking the user into divulging personal banking data through fake emails. Attackers direct the recipient to a replicated website looking like the real bank site and encourage them to “login” or submit their information via ad hoc forms.

The APWG Global Phishing Survey reports that almost half of 2012 phishing attacks targeted shared hosting spaces, as cyber criminals seek large-scale phishing attack opportunities.

Pierluigi Paganini of Infosec Institute argues that prevention is better than cure in this case, and suggests a few guidelines to fight the phenomenon:

  • Verify online accounts regularly;
  • Never divulge personal information via phone or on insecure websites;
  • Don’t click on links, download files, or open email attachments from unknown senders;
  • Beware of pop-ups. Never enter personal information in a pop-up screen.

Watering hole

Watering hole cyber crime is an evolution of phishing. Instead of trying to convince users to visit a certain website, this technique involves injecting malicious code into specific web pages and waiting for visitors to be “infected”. Exploit kits to compromise websites are available on the black market.

“Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability. The attacker has to research and probe for a weakness on the chosen website. Indeed, in watering hole attacks, the attackers may compromise. Once compromised, the attackers periodically connect to the website to ensure that they still have access”


A famous watering hole attack is the one against South Korean banks that happened in March 2013. Most banks had to interrupt their service due to data loss and server issues, costing them millions and damaging their reputation.



What happens when cyber criminals want to target more web-savvy users? Prevention is better than cure, but sometimes criminal techniques are just too advanced for 99.9% of online banking users. Pharming (from “farming” and “phishing”) is based on hijacking banks’ URLs: when people try to enter their actual bank site, a redirection to another site occurs (see Palizine diagram).

Experts say it’s one of the most difficult and advanced cyber crime techniques, but still possible via:

  • DNS Cache Poisoning
  • Hosts File Modification
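
A defender's check for the hosts-file variant listed above, as an added example that is not part of the original article: it parses a hosts file and reports entries that override DNS for watched banking domains. The domain names, addresses and sample file contents are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: domains whose resolution should never be pinned locally.
WATCHED_DOMAINS = {"bank.example"}

# Constructed hosts-file content used for the demonstration.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank.example secure.bank.example   # injected entry
0.0.0.0         ads.tracker.example
198.51.100.7    intranet.corp.example
not-an-ip       bank.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address, not a mapping
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(hostname, watched):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hostname, kind) for each local override of a watched domain."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        # Loopback/unspecified targets block the site; anything else redirects it.
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirect"
        for name in names:
            if is_watched(name, watched):
                findings.append((line_no, str(ip), name, kind))
    return findings

if __name__ == "__main__":
    for line_no, ip, name, kind in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

On a real workstation the same function can be pointed at the contents of the system hosts file, with the watch list set to the institution's own domains.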

Credit card redirection

The nightmare of ecommerce websites is the redirection of their users to domains managed by cyber attackers. Credit card redirection allows criminals to steal money and sell precious sensitive information on the black market.

MITB: Man In The Browser

Online banking experts say this is a huge threat to banks and their clients. MITB is regarded as one of the most effective cyber crime strategies, and cost banks all over the world billions in 2012 and 2013. Malware infects the victim's browser, posing as a plugin, browser extension or ActiveX control, and modifies online transactions to steal funds without being detected.


Here are some of the most common trojans found:

  • Zeus is spread via phishing schemes and used to illegally acquire bank credentials via MITB techniques. First detected 6 years ago, it attacked US government websites and, despite FBI intervention and hundreds of millions in damage, it is still a menace for online banking professionals. Real-time statistics on Zeus malware can be accessed at Zeus Tracker.
  • Carberp is a famous bank account takeover malware which does not need admin authentication to be installed and therefore bypasses Windows security systems. The source code is leaked. Security industry experts say it’s a powerful menace to online banking. Watch this to learn more about it.
  • Sinowal is “a malicious application that allows hackers to remotely access your computer system letting them modify files, steal personal information and install more unwanted software” (AVG).
  • Clampi has been around since 2008, affecting Microsoft computers and stealing from thousands of websites. SecureWorks regards Clampi as one of the most professional and profitable cyber crime operations of all time.

DDoS attacks

DDoS attacks represent another threat to online banking sites. In Operation “Ababil”, Izz ad-Din al-Qassam Cyber Fighters hacktivists attacked top US banks such as U.S. Bancorp, PNC, SunTrust, JPMorgan, and Bank of America. What’s unique about DDoS attacks is that they do not employ botnets, but rather volunteers, making it difficult to detect anomalous traffic and deal with the attack.


As clearly explained by Pierluigi Paganini, the main categories of such attacks are:

  1. Volume Based Attacks – The attacker tries to saturate the bandwidth of the target’s website by flooding it with a huge quantity of data.
  2. Protocol Attacks – The attacker’s goal is to saturate the target servers’ resources or those of intermediate communication equipment (e.g., load balancers) by exploiting network protocol flaws.
  3. Application Layer (Layer 7) Attacks – Designed to exhaust the resource limits of web services, application layer attacks target specific web applications, flooding them with a huge quantity of HTTP requests that saturate a target’s resources.

Is there a solution? Early warning to prevent and reduce losses

How can financial institutions prevent and reduce losses from cyber fraud? Security experts say it’s impossible to predict which kind of attack will be carried out. As banks need a reliable way to deal with the increasing number of online banking crimes, a global early warning system is what most institutions need to keep everything under control.

Strixus uses the most in-depth online data intelligence technology available to serve banks and financial institutions. With a government-level predictive intelligence system, and a full coverage of the Dark Web (TOR, I2P, IRC) and cloud storage in 26 languages, Strixus provides 24/7 monitoring to detect suspicious activities, warn immediately in case of breaches and mitigate the damage caused by the cyber attack.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.