10 May 2024

Cyber-attacks on the financial sector have increased by 53 per cent due to the rise of online banking services

  • S21sec's Threat Landscape Report states that cybercriminals have adapted their techniques to online banking systems, causing a total of 4,414 attacks on the financial sector globally during 2023.
  • These new tactics, focused on the online scenario, have led to a 40 per cent decrease in attacks against cash machines in recent years.
  • Malware is the main cyber threat that affects the financial environment, and its main form of distribution is through emails that contain a malicious link to trick the user.
  • Lack of awareness in cybersecurity has made the human factor a key element in this type of attack, as it is the user who authorizes the entry of the malware by accessing the harmful URL.

Cyber-attacks have become a real threat to the financial stability of countries. The banking sector has established itself as one of the main targets for cybercriminals, due to the high potential for obtaining large sums of money, as well as accessing confidential customer information. Thus, during 2023, there was a 53 per cent increase in cyber-attacks on the banking sector compared to 2022. This data is revealed by S21sec, one of Europe's leading cybersecurity service providers, which was acquired by Thales Group in 2022, in its Threat Landscape Report, which analyses the evolution of cyber-attacks at a global level.

Due to the massive digitalization that has taken place in the banking sector in recent years, cybercriminals have adapted their techniques to the online banking system, causing a total of 4,144 attacks on the financial sector globally in 2023, with 2,930 occurring during the second half of the year. This new online target has caused a 40 per cent decrease in attacks on cash machines in recent years.

Among the attacks most used against the financial sector, S21sec highlights malware, malicious software designed to damage or exploit any network, device or service. In the case of the financial sector, these attacks aim to collect personal and banking information that can allow the recovery of funds from accounts or even cryptocurrency wallets. Cybercriminals use various techniques to obtain this information, such as skimmers, web injections, malspam or phishing emails.

Sonia Fernández, head of S21sec's Threat Intelligence team, emphasizes the importance of the human factor in this type of attack: “In most cases, it is people who open the malicious link, thus allowing the attacker to enter the device and start their operation. It's very important to have a global awareness around cybersecurity to guarantee people's financial stability, and the first step is to never access a URL without first contacting your bank.”

Danabot, ToinToin and JanelaRAT are the most dangerous active malware for the banking sector

The company highlights the activity of one of the most active malware families in the last six months of 2023, known as ‘Danabot’. This malware stands out for its use of web injections, a technique that allows malware to modify or inject malicious code into the content of websites visited by users, often without their knowledge or consent. ‘Danabot’ is often used for various activities, such as distributed denial of service (DDoS) attacks, spreading spam, stealing passwords and stealing cryptocurrencies, and as a versatile bot for several purposes.

S21sec also highlights the presence of ‘JanelaRAT’, a type of malware that mainly steals access credentials to banks and cryptocurrency wallets. The most significant credential-stealing feature of this malware is that it creates fake forms when it detects access to a banking or cryptocurrency website, capturing mouse clicks, key presses and screenshots and collecting system information to carry out the cyberattack.

The distribution method is email: the messages contain a link which, once visited, shows the user a fake page and automatically downloads the first stage of this malware, which will create a file through which it can remain on the device or website. Another of the most frequent attacks has been the so-called ‘ToinToin’, which is part of a sophisticated campaign that manages to distribute malware and carry out the infection through several stages. This type of attack is also distributed via emails containing a malicious URL from which a connection is established to start stealing information.

About the report

S21sec has developed the Threat Landscape Report with the aim of raising awareness among companies and society in general. S21sec's Cyber Threat Intelligence Unit has analysts and engineers with intelligence knowledge of the indicators and sources of threats detected by other clients in our MISP. In addition, we have a counter-intelligence team with access to privileged sources, we collaborate with Europol, the FBI and police forces, we have patented technology owned by S21sec, and we are the only Spanish company to appear as a collaborator in Verizon's prestigious report on cybersecurity.