How cybercriminals use the deep and dark web to target financial organisations

By Josh Lefkowitz | 26 June 2017

Financial organisations face a barrage of threats from a range of different sources online. There is no doubt that the industry is a prime target for threat actors ranging from cybercriminals, to hacktivists, to nation states. In response, financial organisations should prioritise and implement effective cybersecurity processes, technology and people. Since most of these threats, actors, and compromised financial information are intertwined with the deep and dark web, there is also a critical need for businesses to be aware of and understand these unindexed regions of the Internet.

Cyber threat actors have recently executed a number of well-publicised attacks on financial organisations, including those resulting from the WannaCry ransomware attack. These attacks clearly pose a significant corporate risk, especially now that regulators are stepping up and imposing harsher penalties on banks that suffer breaches. Following these recent attacks and harsher regulatory penalties, the issue of cybersecurity is gaining a greater presence both in the boardroom and in the minds of C-Suite executives.

What is the deep and dark web?

The dark web refers specifically to a collection of websites that exist on an encrypted network; they cannot be found via traditional search engines or visited using traditional browsers. The deep web meanwhile refers to all web pages that search engines cannot find.

The role of the deep and dark web in threats targeting financial organisations

The main threats posed by the deep and dark web can be broken down into three primary concerns:

a) It allows the sharing of best practices

Wherever people congregate, they talk. Although cyber-criminals like to compete, they also often share best practices. This information-sharing is why the deep and dark web facilitates so many of the dangerous threats targeting businesses. There is an interconnected, agile nature to the cyber-criminal ecosystem, and regardless of their language, skills, location or affiliation, cyber-criminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship.

b) It provides a way to sell and monetise criminal gains

The deep and dark web is home to many illicit marketplaces that enable cyber-criminals to monetise the crimes they commit. Often the exchange is data for financial remuneration like Bitcoin, but it can take on a wide variety of forms. At its simplest, however, the deep and dark web facilitates an underground economy for cyber-criminals.

c) It acts as a network and communications portal

The deep and dark web is rife with illicit marketplaces and forums that serve as anonymous places in which cyber-criminals, terrorists, and other malicious actors often communicate and collaborate. As new forums and marketplaces emerge, some may decline whereas others continue to attract new members.

What are the threats financial organisations face?

Financial organisations face a myriad of threats, some of which include: corporate data theft, credit card fraud, corporate insider threat, emerging malware and emerging fraud techniques.

Emerging malware, like all of these types of threats, is prevalent on the dark and deep web. Malware is malicious software specifically designed to disrupt, damage, or gain unauthorised access to a computer system. As cyber attackers of all forms seek to stay ahead of security measures aimed at defending financial institutions, the malware they deploy continues to evolve. There is a constant cat-and-mouse game as cyber attackers’ innovation tests organisations’ defences. Analysing the deep and dark web enables those tasked with defending networks and data to gain an advantage by helping them to mitigate emerging malware and other evolving threats.

Threats can also be internal. How does a financial organisation stop an employee from selling confidential, highly valuable data? Unfortunately, some employees are willing to do this for a variety of reasons. It has happened in the past, and there is no shortage of buyers for this information on the deep and dark web. As this insider threat activity is illegal and poses substantial risks to organisations and their stakeholders, having visibility into the areas from which many of these threats emerge -- the deep and dark web -- is crucial.

How can these threats be countered?

The number one way to mitigate the risk emanating from adversaries who are utilising the deep and dark web is to understand and effectively monitor their activity in that space. If you know what your adversary will do before he or she does, then you can act to mitigate the threat and implement the defences needed to guard against an attack. 

Linguistic and cultural expertise are also vital to using the deep and dark web for defensive purposes. Understanding how criminals speak and the true meaning behind their interactions is crucial; the most successful analysts have spent years immersed in the deep and dark web working to acquire and hone their skills.

Outside of the deep and dark web there are a number of actions financial organisations can take to address threats proactively and bolster their security. I would advise strongly that CISOs and CIOs implement robust systems to ensure that people, processes and technology are all up to date and aligned. Defence requires constant vigilance and agility. Practically speaking, using two-factor authentication, patching and updating software regularly, maintaining firewalls, changing default passwords, raising employee awareness of cybersecurity best practices and creating off-the-grid backups will all help in protecting an organisation from the many threats it faces.

We know that cyber attackers motivated by financial gain are using the deep and dark web to coordinate attacks on financial organisations. For them, the rewards following a successful breach can be significant. On the flip side, the damages incurred by the breached institution could be catastrophic. It is therefore critical that cybersecurity -- including effective monitoring of the deep and dark web -- remains a priority.