Advanced Persistent Threats (APT): The Silent Parasites in Payment Networks

In the critically acclaimed, Oscar-winning 2019 film Parasite, a family’s cunning scheme to infiltrate a wealthy family’s home is a vivid metaphor for the stealthy and calculated maneuvers of advanced persistent threats (APTs) in the digital realm. Just as the Kim family (spoiler alert) meticulously plots their way into the Park family’s residence, bit by bit, under various guises, APTs silently penetrate payment networks, often going unnoticed until they’ve firmly entrenched themselves and ultimately attack. The movie’s narrative, where each member of the infiltrating family assumes a role to gain trust and access, mirrors the multi-staged approach of APTs: initial breach, establishment of a foothold, privilege escalation, lateral movement, and data exfiltration. As the Kim family’s deception unravels with unforeseen consequences, it’s a stark reminder of the damaging aftermath that businesses face when APTs are finally detected within their payment infrastructures.

APTs have forced payment network providers to step up their game significantly, with notable attacks over the last decade against companies such as a major South African bank and Target. Gone are the days when simple firewalls and antivirus programs were enough. Companies need sophisticated security systems to detect these attacks and reduce the resulting harm. With the cost of fraud rising yearly, companies that haven’t started investing in next-generation payment security infrastructure need to bolster their defenses now.

When considering APT threats, I had to ask myself, “How can businesses arm themselves against these relentless cyber adversaries?” To get answers, I sat down with one of INETCO’s subject matter experts, Stephen Lazenby, Senior Marketing Advisor and former VP of Product Management.

Understanding the nature of APT

One way to describe APTs is to compare them to a quiet, unseen burglar who slips into your house unnoticed. They don’t just barge in, grab what they can, and run; instead, they take their time, carefully observing your habits, understanding your patterns, learning how to stay concealed in your house, and then strike when you least expect it. APTs on payment networks are particularly concerning because they target the financial core of businesses and can destabilize payment networks. The primary goal of these sophisticated attacks is to penetrate the network without detection, maintain access over a long period, and siphon off sensitive data related to financial transactions. This can lead to fraudulent transactions, theft of customer financial information, and the sale of that information on the black market.

“Advanced persistent threats are a brand of cyber-attack often orchestrated by a highly-skilled, well-funded criminal organization,” Stephen said. He added, “These threats are notoriously sophisticated, characterized by their stealthy tactics and long-term presence in a network. Unlike ordinary cyber threats focusing on quick gains, APTs are used by patient fraudsters, often lurking undetected in networks for months or even years, carefully mining valuable data or setting the stage for a large-scale, potentially ruinous attack.”

As their name indicates, the key aspect that sets APTs apart from other attack vectors is their persistent nature. Once they infiltrate a network, they establish a strong foothold and don’t make waves that raise flags until the final attack, when it’s often too late to detect them. This makes removing them difficult, if you can find them at all. Fraudsters will employ various techniques to maintain their presence and continually evolve methods to bypass security measures.

“So, there are two sides to APTs. The first is how the access is gained. This is the attack vector, such as insider fraud or a spear phishing attack that can install malware on the network,” explained Stephen. He went on to say that it could be as simple “as a bad actor leaving a USB device on a table at a workplace with an executable virus on it.” Now, we all know better than to plug in a random USB device, but people, being people, will make mistakes. “So when that USB device is plugged into a company computer, malware, such as a Trojan Horse, can be embedded on the device and can then perpetrate the network, giving access to the bad actor.”

The second part of the threat is when they extract the data. “Once the criminals are ready to extract the data or cash out, whether that’s after a few days or a couple years, as in the case with the South African bank, fraudsters will often employ a diversion tactic, like the use of a DDoS attack, then proceed with the main attack while IT and cyber teams are distracted by the diversionary attack.”

These attacks are often the work of organized, sometimes state-sponsored groups. Fraudsters using APTs typically have access to significant resources, allowing them to continually innovate their attack strategies. This makes them a formidable adversary for businesses and banks, especially those dealing with sensitive payment network data.

Impact of APTs on payment networks

With a better understanding of what APTs are, I dove a little deeper with Stephen to talk about the impacts that APTs have on a payment network.

“In the realm of payment networks, APTs pose an alarming threat,” said Stephen. “These threats are usually aimed at stealing information or disrupting the network’s operations. The impact on payment networks by APTs can be severe, leading to financial losses, bad publicity, erosion of customer trust, and potential regulatory penalties and lawsuits.”

Moreover, APTs can also disrupt the operation of payment networks. Sometimes, these threats may not even aim at theft but seek to create chaos by disrupting services. Such disruptions could result in significant business downtime and loss of revenue. Also, the recovery process can be costly and time-consuming, further escalating the financial impact. Businesses cannot afford such breaches in an era where data security is a significant concern for consumers, and customer loyalty isn’t guaranteed.

To better explain how bad these attacks can be, I spoke with Stephen about a couple of use cases from the financial industry.

The South African bank theft is a prime example of an APT attack. “When the criminal organization targeted the bank, the malware was put on their system and was used to override the switch and put it on standby mode,” Stephen explained. “When a switch is in standby mode, it automatically approves transactions without going to the backend authorization host. Once this was done, many members of the criminal organization took cloned cards, created from data gathered by the malware within the system, and went to ATMs all over the world to withdraw cash. The bank’s losses were nearly 20 million US dollars. Because the switch had been put on standby, the fraud systems couldn’t see what was happening, so nothing was flagged or blocked.”

This case underscores the immense threat posed by APTs and highlights the need for businesses to have ever more robust security measures.

How APTs infiltrate payment networks

APT groups use a variety of techniques to gain entry into payment networks. Typically, they start with reconnaissance, researching their target to identify vulnerabilities. This can involve various activities, from scanning network ports to social engineering tactics such as phishing.

Once they’ve identified a vulnerability, they’ll exploit it to gain entry into the network. This could involve malware, zero-day exploits, or even physical intrusion. After they’ve gained a foothold, the criminals work to stay undetected. By the time they unleash their attack, it is often too late to do anything about the threat on your network.

APT groups are also known for using living-off-the-land tactics. This means they’ll use legitimate tools and processes within the network to carry out their activities, making it even harder to detect their presence. For example, they might use a network’s management tools to move laterally through the network or use encryption to hide their activities.

Methods to detect APTs in payment networks

Given the stealthy nature of APTs, detecting their presence can be a complex task. Traditional security measures like firewalls and antivirus software are often insufficient, as APTs are designed to bypass these defenses. With this in mind, I asked Stephen how we can mitigate these threats and reduce damages once cyber crooks have infiltrated a system.

“Cybersecurity and fraud protection today can’t depend upon just one tool. These crimes are multifaceted machines, so the approach to protection must be as well. It requires multiple layers within a payment system,” Stephen advised. “Take what we do here at INETCO; we see everything on the network. This means the entire round-trip traffic going through the network from the client, out to 3rd parties, to the back end, and back to the client. We know exactly what a properly formed message looks like and can very quickly detect if there is an anomaly. In the example we spoke about earlier, we could have detected that the switch was approving all these transactions when nothing was happening at the back end. This wouldn’t look right to our system and would be flagged. Although we don’t catch the malware, we are catching the secondary attack’s irregular behavior and can block it.”

So, while an APT detection system may not initially flag the malware, you can mitigate any further damages by selecting technology capable of flagging anomalous transactions.
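The detection Stephen describes, and the standby-mode theft recounted earlier, both come down to one correlation: an approval reached the client that the back-end authorization host never issued. The following is an added example, not INETCO’s or BullzAI’s code, showing how that check can be written over observed round-trip traffic. The message layout, the four leg names, the response-code values and the use of a retrieval reference number (`rrn`) to tie the legs of one transaction together are all assumptions made for the example; the message list is constructed sample data.

```python
"""Flag switch approvals that the authorization host never issued (added example, not INETCO code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

APPROVED = "00"  # assumed ISO 8583-style response code for "approved"

# Constructed sample traffic. Each dict is one message seen on the wire; legs are assumed names.
SAMPLE_MESSAGES = [
    # rrn 000001: ordinary approval, host consulted and host approved
    {"ts": 100.0, "leg": "client->switch", "rrn": "000001", "amount": 200},
    {"ts": 100.1, "leg": "switch->host", "rrn": "000001"},
    {"ts": 100.4, "leg": "host->switch", "rrn": "000001", "resp": "00"},
    {"ts": 100.5, "leg": "switch->client", "rrn": "000001", "resp": "00"},
    # rrn 000002: ordinary decline passed through from the host
    {"ts": 101.0, "leg": "client->switch", "rrn": "000002", "amount": 900},
    {"ts": 101.1, "leg": "switch->host", "rrn": "000002"},
    {"ts": 101.3, "leg": "host->switch", "rrn": "000002", "resp": "51"},
    {"ts": 101.4, "leg": "switch->client", "rrn": "000002", "resp": "51"},
    # rrn 000003: host timed out, switch stood in and approved (can be legitimate in isolation)
    {"ts": 200.0, "leg": "client->switch", "rrn": "000003", "amount": 100},
    {"ts": 200.1, "leg": "switch->host", "rrn": "000003"},
    {"ts": 203.2, "leg": "switch->client", "rrn": "000003", "resp": "00"},
    # rrn 000004-000006: switch approves without ever forwarding to the host (standby behaviour)
    {"ts": 300.0, "leg": "client->switch", "rrn": "000004", "amount": 500},
    {"ts": 300.1, "leg": "switch->client", "rrn": "000004", "resp": "00"},
    {"ts": 300.5, "leg": "client->switch", "rrn": "000005", "amount": 500},
    {"ts": 300.6, "leg": "switch->client", "rrn": "000005", "resp": "00"},
    {"ts": 301.0, "leg": "client->switch", "rrn": "000006", "amount": 500},
    {"ts": 301.1, "leg": "switch->client", "rrn": "000006", "resp": "00"},
    # rrn 000007: ordinary approval in the same window
    {"ts": 301.5, "leg": "client->switch", "rrn": "000007", "amount": 40},
    {"ts": 301.6, "leg": "switch->host", "rrn": "000007"},
    {"ts": 301.7, "leg": "host->switch", "rrn": "000007", "resp": "00"},
    {"ts": 301.8, "leg": "switch->client", "rrn": "000007", "resp": "00"},
    # rrn 000008: host declined but the client still received an approval
    {"ts": 301.9, "leg": "client->switch", "rrn": "000008", "amount": 700},
    {"ts": 302.0, "leg": "switch->host", "rrn": "000008"},
    {"ts": 302.2, "leg": "host->switch", "rrn": "000008", "resp": "51"},
    {"ts": 302.3, "leg": "switch->client", "rrn": "000008", "resp": "00"},
]


@dataclass
class Transaction:
    rrn: str
    forwarded_to_host: bool = False
    host_response: Optional[str] = None
    client_response: Optional[str] = None
    client_response_ts: Optional[float] = None


def correlate(messages):
    """Group the four legs of each round trip into one Transaction keyed by rrn."""
    txns = {}
    for m in messages:
        t = txns.setdefault(m["rrn"], Transaction(m["rrn"]))
        if m["leg"] == "switch->host":
            t.forwarded_to_host = True
        elif m["leg"] == "host->switch":
            t.host_response = m.get("resp")
        elif m["leg"] == "switch->client":
            t.client_response = m.get("resp")
            t.client_response_ts = m["ts"]
    return txns


def find_standin_approvals(messages):
    """Return (rrn, reason) for each client-facing approval with no matching host approval."""
    flagged = []
    for rrn, t in sorted(correlate(messages).items()):
        if t.client_response != APPROVED or t.host_response == APPROVED:
            continue  # declined, or genuinely authorized by the host
        if not t.forwarded_to_host:
            flagged.append((rrn, "not_forwarded"))
        elif t.host_response is None:
            flagged.append((rrn, "host_timeout"))
        else:
            flagged.append((rrn, "host_response_overridden"))
    return flagged


def standin_rate_alerts(messages, window_s=60.0, min_approvals=3, max_ratio=0.5):
    """Alert on time windows where stand-in approvals dominate; one host timeout is normal,
    a sustained stream of approvals the host never saw is the standby-mode pattern."""
    standin = {rrn for rrn, _ in find_standin_approvals(messages)}
    totals = defaultdict(lambda: [0, 0])  # window index -> [approvals, stand-in approvals]
    for rrn, t in correlate(messages).items():
        if t.client_response == APPROVED and t.client_response_ts is not None:
            w = int(t.client_response_ts // window_s)
            totals[w][0] += 1
            totals[w][1] += rrn in standin
    return [
        {"window_start": w * window_s, "approvals": a, "standin": s}
        for w, (a, s) in sorted(totals.items())
        if a >= min_approvals and s / a > max_ratio
    ]


if __name__ == "__main__":
    for rrn, reason in find_standin_approvals(SAMPLE_MESSAGES):
        print(f"{rrn}: {reason}")
    print(standin_rate_alerts(SAMPLE_MESSAGES))
```

The per-transaction check catches each individual approval that the host did not issue, while the windowed ratio separates an occasional, legitimate stand-in after a host timeout from a switch that has been placed in standby and is approving everything. The window size, minimum count and ratio threshold are tuning parameters chosen for the example and would be set from a network’s own baseline.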

How INETCO can prevent fraud due to APTs

INETCO has created a unique solution to help businesses protect their payment networks from fraud from an APT attack. “We are at the payout stage, which means that when fraudsters try to test the payment network to make sure their malware is going to work on a larger scale, we could catch that test as it occurs, where the rubber hits the road,” Stephen says, referring to INETCO BullzAI. “If a business doesn’t have systems that can detect the malware or inappropriate behavior in their system, we are there to pick up the slack and stop the money from being irrevocably lost.”

Using advanced, self-training machine learning, INETCO BullzAI detects anomalous transactions on the network and can automatically move to block those transactions in addition to raising an alert. “Our transaction firewall looks at every transaction in detail. It leverages associated network, application, and transaction field-level data and recognizes if they align with what each entity has done in the past. If it doesn’t look right, it will say let’s block it before it goes through and will send a notification about the issue to the correct team.” Stephen concluded by saying, “We are catching stuff that happens when attackers have gotten through these other lines of defense and are there to ensure our client’s money stays where it belongs. At the end of the day, we defend at the point where money is in flight, making BullzAI a key solution for any payment network.”

To learn more about INETCO BullzAI and how it can help bolster your fraud prevention strategy, request a demo and talk to one of our subject matter experts today.