How UK banks contain threats from cybercriminals
The UK's banks are regularly being caught out by cybercriminals, BBC research suggests.
Data from three sources indicates that spam, viruses and other malicious messages regularly emerge from machines sitting on banks' corporate networks.
It is likely that the computers were compromised when bank staff and contractors were caught out by booby-trapped email attachments.
They may also have visited sites seeded with code that infected their PCs.
Some of those infected machines are also likely to have been enrolled in a botnet - a large network of hijacked computers that are used by cybercriminals to distribute spam and viruses, attack other websites or as a source of saleable personal data.
But, say experts, banks are doing a better job than most at protecting their machines from malware.
The BBC found that in 2013 there were more than 20 incidents involving UK bank networks indicative of malicious activity. Similar, though lower, numbers were seen in 2012 and 2011. Some incidents involved addresses that have been sending junk for months but others were addresses seen sending spam for the first time.
Further analysis revealed that some of the junk was benign in that it was the banks' own marketing messages arriving at email addresses set up to capture spam. In most of the other cases the spam was distributing malware, involved in phishing or "pump and dump" scams or sought to trick people into visiting dangerous sites.
A separate dataset for 2012/13 shows fewer incidents year-on-year but revealed that seven corporate bank networks are regularly sending out junk, five are home to machines that are part of the well-known Conficker botnet and eight are regular sources of malicious activity.
In addition, sources inside UK banks told the BBC that they deal with up to a dozen incidents a month of employees' machines getting infected with malware.
James Lyne, global head of security research at security firm Sophos, said evidence of a botnet on a bank network would be "exceptionally concerning".
"It would give attackers a foothold that they can exploit," he said.
The BBC was aided in its research project by an organisation that runs a huge collection of "spam traps" that log the sources of junk mail and also by researchers at Delft University of Technology, in the Netherlands, who study botnets. Anti-spam firm Cloudmark provided corroboration of some of the BBC's findings.
"There should be no spam coming out of these networks," said Prof Michel van Eeten from Delft who leads the team gathering data on botnets, adding that some of the bank networks studied had a "relatively consistent" problem with infections.
He was also worried about the continuing presence of machines that were part of the Conficker botnet because the exploit used to create that network has been known about and fixable for five years.
"If they are vulnerable to that you have to wonder what else they are vulnerable to," said Prof van Eeten. "This might show they can fall victim to a targeted attack more easily because those are much harder to avoid falling into."
One example of the types of targeted attack finance firms have to deal with is malware that only springs to life when it spots that it has infected a machine sitting on a bank network.
"It's a constant battle," said Matt Allen, director of financial crime at the British Bankers' Association, adding that the UK's banks had some of the strongest systems and controls in the world to defend themselves against cybercriminals.
"The criminal use of cyber-techniques is an integral part of financial crime offending," he said.
Banks' defence mechanisms operated both within and between individual institutions, he said, and involved them pooling information about recent attacks, tactics and methods.
"The challenge in this area is that as banks develop their controls in line with new criminal methodologies, new techniques will emerge," he said.
"We're not complacent," said Mr Allen. "We know it's changing and evolving quickly."
Most of the UK banks and building societies contacted by the BBC about its findings declined to comment. Most said they never talked publicly on security matters to avoid the accidental release of operational details.
Those that did respond said the net addresses appearing to send out spam were on corporate networks isolated from the systems that handled customer data and online banking transactions.
Statistics gathered by security firm OpenDNS suggest that up to 900 botnets are active in late 2013. These crime networks typically involve many tens of thousands of machines. The biggest count millions of PCs as victims.
Botnets have become the standard tool of the cybercrime underground, said Mr Lyne from Sophos.
"Botnets used to do something very specific and were just associated with spam," said Mr Lyne. "Now what we are seeing is that from these botnets attackers will jump in and look for other opportunities."
Now compromised machines sitting on botnets tended to be more actively managed, he said. Some botnet owners would probably analyse the addresses that machines report in from, seeking out high-value targets such as banks and government departments.
Often access to compromised PCs sitting on business networks is sold off on underground marketplaces to thieves who specialise in using those machines as a way to delve deeper into a corporate's computer systems.
Mr Lyne added that it was not surprising that banks were regularly having to find and flush out infected machines as they typically ran systems serving tens of thousands of users and a similar number of computers. Defending all those people and PCs against the 250,000 novel malware variants produced every day was a herculean task, he said.
"Complexity is the enemy of security," he said.
Despite finding that UK bank networks were regularly sending out spam, Prof van Eeten from Delft said the data showed that banks were doing a good job of defending themselves.
"Retail ISPs have infection rates that are several orders of magnitude higher," he said. "This is peanuts compared to that."
The BBC would like to thank Michel van Eeten, Hadi Asghari, Qasim Lone and Payam Poursaied from the Delft University of Technology for their help with this research project.