Computers inside many of the UK’s largest banks and building societies are being used to spew malicious botnet spam, research conducted on behalf of the BBC has shown.
Using research from the University of Delft in The Netherlands, security messaging firm Cloudmark and one unnamed organisation running spam traps, the BBC found that there were 20 spam ‘incidents’ connected to bank networks in 2013, slightly up from the levels seen in the preceding two years.
A separate cut on the data over the same period showed that the networks of seven banks were regularly sending out the gamut of spam from pump-and-dump stock scams to straight phishing lures.
Although it’s not a major surprise that bank networks have been compromised in this way – the phenomenon of enterprise botnets is long established – research on the topic has been thin on the ground as researchers have tended to focus on more newsworthy threats such as Advanced Persistent Threats (APTs) and Android mobile malware.
"There should be no spam coming out of these networks," said Delft University’s Professor Michel van Eeten. "If they are vulnerable to that you have to wonder what else they are vulnerable to. This might show they can fall victim to a targeted attack more easily because those are much harder to avoid falling into."
The BBC has not named the banks involved, although coming up with a list of candidates would not be hard. When contacted, most banks did not wish to comment on the revelations, the BBC said. The few that did claimed the infected PCs were corporate computers not connected to the networks used for customer online transactions.
The danger, of course, is that compromised PCs and servers inside bank networks could also be used for purposes other than spam. Once a botnet has control of a PC it has effectively opened a temporary backdoor that can be used to attempt to compromise other systems.
Separately, banks are still smarting from the attempted and foiled KVM raids publicised by police earlier this year. This showed that not all weaknesses in bank security are digital.
Trend Micro figures reveal that phishing spam designed to steal online bank account credentials has recently surged to an all-time high. Banks are under attack but so are their customers.
Last week regulators and banks took part in a major security exercise, Waking Shark 2, designed to test the readiness of the UK’s financial institutions to resist cyber-attacks. Designed as a high-level test, this was not focussed on how well banks cope with mundane, everyday problems such as bots or retail banking attacks.