The nation’s banks may have little business in common with the nation’s paper of record, but the recent hijacking of The New York Times’ website contains a few teachable moments for banks that host their websites through a third-party registrar.

Hackers recently took control of the Times’ website through a spear phishing attack on the company’s third-party domain name registrar. Spear phishing, as the name suggests, is a phishing attack directed at a specific person or entity. The hacker learns some information about the person they want to target – for example, learning his or her manager’s name via LinkedIn – and then sends an email tailored to look like it originated with said manager in an attempt to gain credentials or access.

“You’re not just blasting it out and hoping you’ll get some takers. You’re trying to social engineer at a much deeper level, essentially,” said Matt Lidestri, the manager of internet services at the Avon, Conn.-based COCC.

In the New York Times attack, hackers were able to use spear phishing to gain access to the newspaper’s domain name server (DNS) in Australia, and from there, wreak havoc. According to one report, hackers used a link disguised as a news story to entice two staff members at Melbourne IT – a reseller of DNS services – into divulging their login information. The Syrian Electronic Army claimed responsibility for the attack.

 

Bankers Take Notice

While most banks host their domain names on a third-party server, Doug Johnson, vice president of risk management policy at the American Bankers Association, said those companies doing business with financial institutions are generally held to a higher regulatory standard, and that spear phishing will more often target a bank’s customers, who may be persuaded into giving up sensitive information.

 

Spear phishing is hardly the only type of cybercrime banks should forestall, though.

Distributed denial of service (DDoS) attacks have also targeted at least 46 American financial institutions in more than 200 attacks since this time last year, according to the FBI. A group calling itself the cyber fighters of Izz Ad-Din Al Qassam claimed credit for attacks against Charles Schwab, American Express and State Street, among others.

 

DDoS attacks work by overwhelming a server with a high volume of requests at once. While a server might be able to fend off multiple attacks from a single IP address, DDoS attacks have evolved to originate from thousands of different IP addresses, and the large-scale consumption of the network’s resources renders the service unavailable for legitimate users.

While those attacks are apparently politically motivated, that doesn’t mean bankers should rest easy, as denial-of-service attacks are sometimes used as a diversionary tactic to, say, finish the job begun on a customer’s account, Johnson said.

“Every time we see a denial-of-service attack, financial institutions are looking to see if there’s been any unusual wire transfers or ACH activity,” he said.

 

Cybercrimes are increasingly expensive, too. A recent study from the research firm Ponemon Institute found the annualized cost of cybercrime to be $8.9 million for 56 organizations it surveyed in 2012, up 6 percent or $500,000 from a study it published the previous year. Cybercrimes are ever more common, too. The companies Ponemon studied experienced 102 successful attacks per week (1.8 per company), up 42 percent from the 72 attacks experienced during the previous such study.

 

Preventive Measures

“I think that what really matters to bankers in terms of protecting their database and customers’ security is what the attack looks like,” Johnson said.

For that reason, he said, the ABA belongs to, and endorses, the Financial Services Information Sharing and Analysis Center, through which it receives alerts and information about new attacks on financial institutions.

Lidestri also had some specific suggestions for shoring up a bank’s defenses.

“First and foremost, if your domain registrar or DNS hosting provider has any sort of alerting capability for changes, that should be sent to a distribution list or an active account,” he said. “That way, if a change occurs, somebody at the financial institution gets notice of it right away. The disadvantage of sending it to one person is when that one person is on vacation or no longer works there, they’re flying blind.”
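The change alerting described above can also be run by the institution itself, alongside whatever the registrar offers. The sketch below is an added example, not code from the article or from anyone quoted in it: it compares a stored baseline of DNS records against a fresh snapshot and builds a notification addressed to a group mailbox. The domain, record values and the `dns-alerts@bank.example` address are constructed placeholders, and how the fresh snapshot is collected (resolver query, registrar API) is left as an assumption.

```python
from email.message import EmailMessage

# Constructed baseline for a placeholder domain; all names and addresses are illustrative.
BASELINE = {
    "NS": {"ns1.dnshost.example.", "ns2.dnshost.example."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.bank.example."},
}
# Constructed snapshot after a registrar-level change: nameservers and address replaced.
OBSERVED = {
    "NS": {"ns1.unknown-host.example.", "ns2.unknown-host.example."},
    "A": {"203.0.113.77"},
    "MX": {"10 mail.bank.example."},
}
# A nameserver change hands every other record to whoever runs the new servers.
CRITICAL_TYPES = {"NS"}
ALERT_LIST = "dns-alerts@bank.example"  # hypothetical distribution list, not one person


def diff_records(baseline, observed):
    """Return [(rtype, added, removed)] for each record type whose value set changed."""
    changes = []
    for rtype in sorted(set(baseline) | set(observed)):
        old, new = set(baseline.get(rtype, ())), set(observed.get(rtype, ()))
        if old != new:
            changes.append((rtype, sorted(new - old), sorted(old - new)))
    return changes


def build_alert(domain, changes, to_addr=ALERT_LIST):
    """Build the notification e-mail, or return None when nothing changed."""
    if not changes:
        return None
    critical = any(rtype in CRITICAL_TYPES for rtype, _, _ in changes)
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"[{'CRITICAL' if critical else 'WARNING'}] DNS change detected for {domain}"
    lines = [f"{rtype}: added {added or '-'}, removed {removed or '-'}"
             for rtype, added, removed in changes]
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    alert = build_alert("bank.example", diff_records(BASELINE, OBSERVED))
    print(alert if alert else "no changes")
```
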

Another option, Lidestri said, is to host the DNS on servers you can control and have access to, rather than using a hosting provider, and patch them regularly.

Last, but not least, financial institutions should train their employees and customers to not fall prey to possible cyberattacks. Don’t open suspicious emails, for example, and be cautious about where you enter your login information.

A key piece of that, Lidestri said, is emphasizing the “why” behind these security policies.

“If people understand there’s some value to it, rather than resisting the measure, they’ll respect it and understand,” he said. “Users do learn in places that have security built into their culture.”

Email: lalix@thewarrengroup.com

Recent Cyberattacks Show System Weakness

by Laura Alix