Banks confront new type of phishing: 'Salami' attacks

Financial services providers and security companies have recently begun noticing a new pattern in email fraud. Criminals are launching so-called “salami” attacks, in which they siphon small amounts of money from thousands of bank accounts at once. Fraudsters are also turning phishing initiatives into big-dollar wire transfer fraud.

Criminals generally target big dollars with email scam phishing attacks, but also have no problem stealing far smaller amounts from thousands of victims at the same time in salami attacks. And once enough credentials and network access points are compromised, even more serious ransomware attacks can unfold. 

Just like a sandwich maker might cut a real salami into thin pieces, a hacker "slices" away small sums of money from multiple accounts. By the time victims realize they are being ‘sliced,’ it is too late to halt that process or try to recover whatever had been stolen.

The fintech Dwolla has seen a rise in salami attacks.

"When we see these types of salami attacks it is generally someone going after a large number of bank accounts — [attackers] just make up routing and account numbers and try to make micro deposits of a few cents to see if that account 'works' for them," said Ben Blakely, director of information security at Dwolla, which is based in Des Moines, Iowa. Dwolla doesn't provide a security service per se, yet it monitors its financial services network for which types of fraud attempts succeed or are blocked.

Once they identify vulnerable accounts, fraudsters then take them over or create an application such as a music or video service a consumer would subscribe to and draw small amounts of money from the stolen accounts to funnel into their own accounts.

The other strategy, Blakely explains, is for the attacker to have a legitimate bank account and use that account to pull money from a platform by creating numerous "users" on that platform from the vulnerable accounts previously discovered. The attacker seeks to place "potentially thousands of micro deposits" into his own account, he added.

"It may be less than 10 cents per instance, but you do that across 10,000 accounts that were created on that platform, and it can add up pretty quickly," Blakely said.

Phishing remains major woe

At the core of digital fraud, email phishing and business email compromise continue to plague banks and other companies.

Criminals request $1.5 million per wire transfer on average when they target a U.S. bank or other company through a compromised business email account, according to research from the San Francisco-based fraud prevention provider Area 1 Security, which analyzed 31 million discovered threats it blocked from May 1, 2020, to April 30, 2021.

Even though targeted business email compromises made up only 1.3% of overall attacks Area 1 observed during that year, the research noted that if those attacks had been successful, victims would have suffered $345 million in direct losses. Those attackers generally hack legitimate conversation threads, gain access to banking details and initiate wire transfers by requesting payment for outstanding invoices.

Impersonations of well-known brands fuel about 56% of spoof phishing attacks, as fraudsters pretend to be from companies like LinkedIn, Facebook, T-Mobile, Amazon, Target, Google or Microsoft, the research found.

Banks can be in the crosshairs often because fraudsters "look for you to be the juicy center of something, and the best potential victims are in a position of power, authority, trust or deciding on financial payments," said Area 1 CEO Patrick Sweeney.

If a hacker steals credentials of an accounts payable employee at a bank or an airline, he could "hunt them in the background for days, weeks, months or even years," Sweeney said. "And at some point, you are going to see a thread coming down in which they [the bank employee] is going to be in a position to make a decision or do something involving financials."

Fraudsters like to breach email threads of accounting department employees at banks so they can keep an eye on the business at hand until the moment when a significant money transfer is pending.

"At that critical moment, the fraudster inserts himself into the conversation and takes the money into a direction in which it was not intended," Sweeney said.

The huge amount of data banks collect related to transaction descriptions and routing makes it difficult for banks to detect problems.

"You don't want to trust the bad data, but you don't want to just trust the good, either," Sweeney noted, referring to suspected fraud attempts versus transactions that appear to be normal. "You have to understand all things happening because these are the things happening around your ecosystem that are going to create financial fraud in the banking system."

To be sure, phishing attacks have plagued financial institutions and businesses for the past several years. But in the the past year and a half, fraudsters have aggressively taken advantage of the work-at-home world resulting from the global coronavirus pandemic. Email attacks rose dramatically during the first quarter of 2020. It put the concept of phishing attacks at the top of the fraudsters' playbooks because they are fairly easy to deploy.

"The simplest and most common phishing attack against fintechs and banks is the 'spray and pray' type of attack in which the criminals buy a ton of email addresses for credential harvesting," said Selim Aissi, former senior vice president and chief information security officer at the mortgage application processor Ellie Mae in Pleasanton, California.

"It can start as an innocent-looking email from your bank, just saying your password expired and you need to log in and redo it," said Aissi, a member of the National Technology Security Coalition and the Financial Services Information Sharing and Analysis Center boards. "They then collect that information, and maybe then go for straight financial gain in trying to get your credit card number."

There are also cases in which attackers breach security systems of title agencies that work with the banks, because they tend to have weaker security standards than the banks, Aissi said.

A ploy that is difficult for employees at a bank to ignore is when fraudsters impersonate the security team via email, using calendar invitations to lure employees to malicious websites that ask for personal credentials to access accounts at the bank.

It's hard to say what types of criminal organizations are behind phishing attacks or salami attacks because those going for huge amounts of money with ransomware attacks tend to be far more sophisticated, Aissi added.

"Evasion techniques are improving — it's almost like Ph.D.-level stuff," he said of the various methods fraudsters use to hide their identity. "Salami attacks target a lot of individuals and it can lead to larger attacks, but maybe not at the same level of adversary [expertise]."

Thwarting phishing, salami

Determining whether a phishing or salami attack is seeking access to a specific account as part of a multiaccount scheme or setting the stage for high-value money transfers or demands of a future ransom is difficult to initially identify.

"Phishing is a prime targeting mechanism for advanced attackers and ransomware gangs alike," said Peter Firstbrook, research vice president at Gartner, responsible for endpoint detection and remediation, extended detection and response and secure email gateways.

"Generally, phishing is a technique used in a large percentage of attacks," Firstbrook said. "However, some attackers are dedicated to the business-email-compromise type of phishing attacks and do not stick around long. Others just use phishing as the targeting mechanism."

Account takeovers are on the rise — with fraudsters clearly finding phishing and salami attacks as an easy way to do that because of human indifference when it comes to changing passwords or monitoring accounts. The 2021 Verizon data breach investigations report stated 65% of breaches they investigated were caused by account misuse, while only 4% were caused by vulnerabilities.

Verizon also cited 85% of breaches in 2020 involved the human element, as phishing was present in 36% of breaches, up from 25% in 2019. Though not citing a specific number, Verizon noted business email compromises doubled in 2020 and were part of an increase in social engineering threats.

"Filtering for these one-to-one emails from legitimate senders is very difficult and requires machine learning that can spot the fraudulent email without causing too many false positives," Firstbrook said. "Typically, dedicated quarterly phishing training can get the click-through rates on simulated phishing attacks down from 30% to around 5%, but it is never zero."

However, business email compromise-type attacks are often not included in training. "Additionally, the BEC attackers often have taken over the [business] partner's email account, they already know the transaction details, so the messages are well crafted and relevant to a specific payment so it is hard for the victims to spot," Firstbrook said.

Gartner focuses training on email-compromise attacks to remove as many of those types of transactions as possible out of email, Firstbrook added. For instance, employees might be trained to log into another service to change a bank account number, rather than do that task through an email to human resources.

For banks, the security focus has to fall squarely on the fundamentals and basics of understanding your network and having all employees well versed on best practices, Aissi said.

"You have to patch your systems. How can you have end-of-life servers still lingering in your network?" Aissi asked. "Do you know all of the end-of-life systems that you have and which have not been patched?"

Every attack on a bank "starts with somebody's laptop computer," Aissi said. "If you don't have the proper protection on your laptop, it makes it easy for an attacker to insert malware or obtain vital information."

For reprint and licensing requests for this article, click here.
Cyber security
MORE FROM AMERICAN BANKER