June 25, 2015 By Douglas Bonderud 2 min read

It should come as no surprise that criminals looking to steal money often target banking and other financial industries. And while the number of brick-and-mortar bank robberies is in steep decline, cyberattacks are on the rise as criminals look for new ways to access user login credentials and grab as much cash as possible. According to CSO, reporting on a new Websense Security Labs study titled “2015 Industry Drill-Down Report,” the number of malware threats plaguing banks isn’t just high, it’s four times greater than any other industry. Bottom line? There’s not nearly as much money in the vault, but digital currency carries the same value; the form may have changed, but the function remains the same, and malicious actors are looking to break down the wall.

Show Me the Money

Websense noted that career criminal Willie Sutton supposedly told reporters he robbed banks “because that’s where the money is.” It doesn’t get any simpler than this thought, and it is often the driving force behind malware attacks on financial industries. Banks, for example, still handle massive volumes of digital money that offer a tempting target for criminals looking to redistribute this wealth.

Along with simple cash grabs, however, the Websense study also found that 33 percent of all initial reconnaissance malware attacks were carried out on banks, and a growing number of threats focused on bank employee impersonation. By compromising a legitimate bank email address, attackers are often able to convince clients that they’re sending urgent, actionable information that in turn prompts them to provide personal details or download malicious software. What’s more, these email addresses often foil antivirus and malware scanners that are looking for typos and other markers of spoofed email addresses.

Full-on malware attacks, probe efforts and email theft conspire to create a new normal for banks, one where IT personnel are constantly bombarded by low-level attacks designed to keep them busy, wear down their defenses and catch them unaware when a full-scale campaign rolls out. In other words, they’re never bored.

Beyond Big Bucks

Money is just the beginning. Cybercriminals are also hoping to use the larger attack surface created when banks pour resources into online, mobile and other self-service options. This bigger area provides ample opportunity to grab user authentication data, which is then leveraged to crack online retail and credit card accounts or impersonate users on government websites. This is often more successful than it should be, in large measure because customers prefer to use similar username and password combinations for multiple sites. In many cases, their banking information serves as a nexus for all other accounts.

Industries Answer the Challenge

For banks and other companies tied to financial industries, the Websense report points to a consistent pattern rather than an emerging trend. Simply put, banks will always outdistance other organizations when it comes to malware attacks since the value of even a single successful breach is staggering. Consider, for example, that one of the first bank-focused malware products, ZeuS, was responsible for more than $100 million in stolen funds, and newer malware tools are constantly being reinvented, repackaged and then reappearing on banking networks across the globe.

Ultimately, banks have a choice: ignore the obvious and hope that new technologies will account for the persistence of malicious actors, or spend on security efforts designed to take a proactive rather than reactive role in the defense of customer-facing financial systems.

More from

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today