Ransomware Group attacks Financial Service Companies with a Phishing Campaign

Dubbed TA505, the Russia-based ransomware group has been executing phishing attacks against various global industries for almost a dozen years. Now, it seems, financial industries are its latest targets.

After making several modifications to its trademark malware and scripting languages, the hacker group has had its sights set on credit unions, North American banks, and other financial services for quite some time.

They are perpetrating a mass phishing campaign called “MirrorBlast” against them, in which a link redirects a user to a deceptive website where employees unintentionally install malware onto their office devices.

That said, follow our cybersecurity awareness campaign where we inform our readers about how to identify and prevent phishing attacks.

Ivan Tsarynny, CEO and co-founder of Feroot, a Toronto-based security vendor, highlighted that since these financial services have been “under siege by cybercriminals,” they have deployed advanced cybersecurity programs to protect their systems from such incidents.

“FSIs are much better prepared than most other types of businesses to thwart ransomware attacks,” he explained. “This means lots of internal cybersecurity training, strong passwords, enterprise-wide multi-factor authentication, well-defined vulnerability and patch management strategies, and more. Ransomware is one of the dozens of attack vectors.”

But despite that, a notorious ransomware group like TA505 has been dominating for a while and should not be taken lightly. According to the U.S. Department of Justice, this group has caused over $100 million in losses in recent years. The department even sanctioned some of the members of TA505 in December 2019 on account of the potential threats they already posed.

It turns out that it is not only U.S. FSIs that are affected. Financial firms in Canada, Europe, and Asia are also under fire, as described by the cybersecurity firm Morphisec in its recent report.

“Cybercriminals are finding they can easily deploy malicious third-party JavaScript on FSI web applications and web pages and can skim user data,” Tsarynny said. “Criminals don’t have to use traditional server-side attacks like phishing or ransomware attacks to collect FSI customer data. Instead, they can skim the information from banking websites and web applications from the user’s browser.”

Regardless of how ransomware threats are executed, these security risks also raise compliance and privacy concerns. Under the European Union’s General Data Protection Regulation (GDPR), companies are legally bound to protect customer data by any means.

If a customer is in a state where there are more aggressive privacy laws, “all it takes is one frustrated FSI customer who is a European national to make a complaint to launch a GDPR investigation,” said Tsarynny. He said the company has to pay a minimum 20 million euro fine, or 4% of its annual turnover, if customers’ data is stolen during a ransomware attack.

In addition, the affected FSI might also have to bear litigation and incident response expenses, along with the reputation damage that comes with it. Attacks like this also cause customer loss, as nobody wants to risk their sensitive data with a company that is susceptible to cyberattacks.

“A ransomware or client-based attack might drive customers to switch in droves,” Tsarynny highlighted. “If a criminal can deploy a keylogger script on a bank’s website, they can capture usernames and passwords and then can control the FSI customer’s bank account. Criminals can make a quick buck without much effort.”

Phishing attacks have been on the rise since businesses started operating remotely due to the coronavirus pandemic. To protect yourself and your business from these financially destructive attacks, make sure to adopt healthy cybersecurity habits during remote work.