The Lure of PSD2

PSD2 legislation aims to reduce payment fraud across the financial industry, but threat actors are using the transition as a lure for new phishing victims.
Published on
November 26, 2019
<h2>Overview</h2><p>The Payment Services Directive (PSD) was adopted within the European Union in 2007 to regulate payment services, with the intention of making cross-border payments in the EU as easy, efficient and secure as payments within a single member state. PSD2 builds on the previous legislation in three areas:</p><ul><li>Increased customer rights</li><li>Enhanced security through Strong Customer Authentication (SCA) requirements</li><li>Enablement of third-party access to account information</li></ul><p>Although the majority of PSD2’s requirements became law in January 2018, SCA compliance has been delayed by a further 18 months to give the industry extra time for implementation. The UK Financial Conduct Authority (FCA) has agreed a phased roll-out plan with full compliance by 14 March 2021<sup>[1]</sup>, and other European regulators are expected to aim for the same timeline. While the financial sector works towards implementation, cyber threat actors and groups are using PSD2 as an opportune theme for targeting. Anomali Threat Research (ATR) continues to observe suspect domain registrations and active sightings in which PSD2 is used as a malicious lure. This blog highlights recent notable findings to raise awareness of this activity across financial institutions, electronic money institutions and payment institutions throughout Europe.</p><h2>Findings</h2><p>Social engineering and targeted phishing campaigns remain the primary infection method observed. Symantec reports that spear-phishing emails are the most popular avenue for attack and were used by 65% of all known cyber threat groups<sup>[2]</sup>. The Google Transparency Report graph below (Figure 1) gives an indication of the explosive growth in sites deemed dangerous by Google Safe Browsing, phishing sites included, over the past 10 years. 
There are a number of factors behind this long-standing upward trajectory, but fundamentally the overarching driver is the low technical barrier and cost of attack, combined with the susceptibility of targets and the financial rewards of successful campaigns.</p><p style="text-align: center;"><em><img alt="Number of sites deemed dangerous by Google Safe Browsing (November 2009 - November 2019)" src="https://cdn.filestackcontent.com/Jcz7x2tsQxS6XtYeyt3b"/><br/> Figure 1. Number of sites deemed dangerous by Google Safe Browsing (November 2009 - November 2019)</em></p><p>Anomali Threat Research analysed domain registrations from 2016 onwards. There has been an expected and consistent rise in registrations with “psd2” in the domain name (Figure 2) since the legislation was announced and implementation efforts began; much of that rise is driven by implementation activity, so the keyword on its own is not an indicator of malicious intent.</p><p style="text-align: center;"><em><img alt="Domain registrations containing “psd2”" src="https://cdn.filestackcontent.com/C8A8XwGRNC8Kqt8ar0Sg"/><br/> Figure 2. Domain registrations containing “psd2”</em></p><p>Focusing on the use of PSD2 as a theme to target financial institutions and their customers’ data, Anomali researchers found a large number of illegitimate login pages hosted on domains with “psd2” in the registered name. The common credential-harvesting tradecraft is typically observed: a web page is created that mirrors the exact layout and style of the targeted organisation, in an attempt to lure unsuspecting users into disclosing their credentials (Figures 3 and 4).</p><p style="text-align: center;"><em><img alt="Credential harvesting page targeting Poste Italiane, the Italian postal service provider who also provide a range of financial services, hosted on a crafted “psd2” domain" src="https://cdn.filestackcontent.com/tPXqyRoeSfmbdug01leW"/><br/> Figure 3. 
Credential harvesting page targeting Poste Italiane, the Italian postal service provider, which also provides a range of financial services, hosted on a crafted “psd2” domain</em></p><p style="text-align: center;"><em><img alt="Credential harvesting page targeting Sparkasse, a German savings bank, also hosted on a crafted “psd2” domain" src="https://cdn.filestackcontent.com/gRhOoaDGRLOB6rocmF8B"/><br/> Figure 4. Credential harvesting page targeting Sparkasse, a German savings bank, also hosted on a crafted “psd2” domain</em></p><p>Aside from testing victim susceptibility with rogue authentication portals to obtain usernames and passwords, which is frequently observed against entities in all sectors globally, one observable was recorded that targeted individuals by asking them to complete an illegitimate “adaptation to PSD2” web form (Figure 5). This form requested a payment card number, expiration date, CVV2 and even the account balance. None of this is data a bank needs to collect from a customer in order to implement SCA, which makes it a useful tell for customer-facing guidance.</p><p style="text-align: center;"><em><img alt="Adaptation to PSD2 web form targeting Monte dei Paschi di Siena (MPS), an Italian bank" src="https://cdn.filestackcontent.com/TrB05JKvRmOROunTiogn"/><br/> Figure 5. Adaptation to PSD2 web form targeting Monte dei Paschi di Siena (MPS), an Italian bank</em></p><h2>Concluding Remarks</h2><p>The PSD2 legislation is bringing wholesale changes to the financial industry, with the reduction of payment fraud losses as a core objective. Trend Micro have published an excellent research paper<sup>[3]</sup> considering the potential threats once PSD2 is fully rolled out: attacks on the new APIs; greater visibility of, and therefore targeting intent towards, smaller FinTech organisations that lack robust cyber risk management programmes; and ultimately attacks on the user, which relates directly to the findings in this post. 
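</p>
<p>The domain-registration observations above suggest a monitoring control an institution can run for itself. The Python script below is an added example written for this topic; it is not Anomali’s tooling and is not part of the original report. It triages a newly-registered-domain feed, separates the expected legitimate “psd2” registrations from those that combine the keyword with a protected brand or a lure word, and drops the institution’s own domains via an allowlist. The feed lines, brand tokens, lure terms (including the Italian words) and allowlist are all constructed for illustration.</p>

```python
"""Triage a newly registered domain feed for "psd2"-themed lookalike domains.

Added example for this post's topic, not Anomali's tooling. The brand tokens,
lure terms, allowlist and feed lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

KEYWORD = "psd2"

# Words that often sit next to a brand in credential-harvesting domains. The
# Italian terms are an assumption prompted by the "adaptation to PSD2" form
# seen against an Italian bank; they are not taken from the post.
LURE_TERMS = ("login", "secure", "verify", "verifica", "update",
              "account", "adeguamento")
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    domain: str           # domain exactly as it appeared in the feed
    registrable: str      # last two labels, e.g. "psd2-poste-login.com"
    brand: Optional[str]  # protected brand token matched, if any
    lures: List[str]      # lure terms matched, if any
    priority: str         # "high", "medium" or "low"
    reason: str


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def split_domain(domain: str):
    """Return (registrable domain, tokens left of the TLD).

    Non-TLD labels are split again on '-' and '_', so 'psd2-mps-x.info'
    yields ['psd2', 'mps', 'x']. Assumes a single-label TLD; use the Public
    Suffix List in production so names under 'co.uk' and similar are right.
    """
    labels = normalise(domain).split(".")
    host = labels[:-1] if len(labels) > 1 else labels
    tokens = [t for t in re.split(r"[-_.]", ".".join(host)) if t]
    return ".".join(labels[-2:]), tokens


def match_brand(tokens: Sequence[str], brands: Sequence[str]) -> Optional[str]:
    """Short brand tokens (under five chars, e.g. 'mps') must match a whole
    token, or they fire on words like 'campsite'; longer names are matched as
    substrings of the separator-free text so 'psd2sparkasselogin' is caught."""
    collapsed = "".join(tokens)
    for brand in brands:
        if (brand in tokens) if len(brand) < 5 else (brand in collapsed):
            return brand
    return None


def triage(domain: str, brands: Sequence[str], allowlist: Set[str]) -> Optional[Finding]:
    """Classify one domain; None means it is out of scope for this monitor."""
    registrable, tokens = split_domain(domain)
    collapsed = "".join(tokens)
    if KEYWORD not in collapsed:      # separator-free, so 'psd-2' also matches
        return None
    if registrable in allowlist:      # the institution's own registrations
        return None
    brand = match_brand(tokens, brands)
    lures = [t for t in LURE_TERMS if t in collapsed]
    if brand and lures:
        priority, reason = "high", "brand and lure term on a third-party psd2 domain"
    elif brand:
        priority, reason = "medium", "brand on a third-party psd2 domain"
    elif lures:
        priority, reason = "medium", "lure term on a psd2 domain, no brand"
    else:
        priority, reason = "low", "psd2 keyword only; probably implementation activity"
    return Finding(domain, registrable, brand, lures, priority, reason)


def scan_feed(feed: str, brands: Sequence[str], allowlist: Set[str]) -> List[Finding]:
    """Triage every domain in a newline-separated feed, most urgent first."""
    findings = []
    for line in feed.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            finding = triage(line, brands, allowlist)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: PRIORITY_ORDER[f.priority])  # stable sort
    return findings


# Constructed sample: brand tokens for the institutions named in the post, an
# allowlist of domains such an institution would own, and invented feed lines.
BRANDS = ("postepay", "poste", "sparkasse", "montepaschi", "mps")
ALLOWLIST = {"poste.it", "sparkasse.de", "mps.it"}
SAMPLE_FEED = """\
psd2-poste-login.com
www.sparkasse-psd2-secure.net
psd2.poste.it
psd2-adeguamento-mps.info
campsite-psd2.org
psd-2-verifica.com
openbanking-psd2-api.io
example.com
"""

if __name__ == "__main__":
    for f in scan_feed(SAMPLE_FEED, BRANDS, ALLOWLIST):
        print(f"{f.priority:6} {f.domain:30} brand={f.brand} lures={f.lures}  {f.reason}")
```

<p>Run as a script it prints the triaged list, highest priority first. In practice the feed would come from a zone-file diff or a registrar’s newly-registered-domain feed, and the allowlist from the institution’s own domain inventory. The whole-token rule for short brand names such as “mps” keeps unrelated words like “campsite” from generating alerts, while longer names are matched as substrings so separator-free spellings such as “psd2sparkasselogin” are still caught; the keyword-only bucket is where the expected implementation-driven registrations land, for bulk review rather than alerting.</p>
<p>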
In this analysis Anomali Threat Research observed findings that explicitly included “psd2” in the registered domain name, and also pivoted from these. There will obviously be other tactics and techniques employed by cyber threat actors to target individuals and institutions; however, we hope these findings help to highlight PSD2 as a lure, and that the financial sector can take the necessary steps to proactively monitor for, and reduce the potential impact of, such activity.</p><h2>Endnotes</h2><p><sup>[1]</sup> Barclaycard, “What is PSD2 and will it affect how merchants take payments”, published June 25, 2019, accessed November 11, 2019, <a href="https://www.barclaycard.co.uk/business/news-and-insights/what-is-psd2" target="_blank">https://www.barclaycard.co.uk/business/news-and-insights/what-is-psd2</a></p><p><sup>[2]</sup> Symantec Security Response Team, “Internet Security Threat Report 24”, Symantec, published February 19, 2019, accessed November 11, 2019, <a href="https://www.symantec.com/blogs/threat-intelligence/istr-24-cyber-security-threat-landscape" target="_blank">https://www.symantec.com/blogs/threat-intelligence/istr-24-cyber-security-threat-landscape</a></p><p><sup>[3]</sup> Feike Hacquebord, Robert McArdle, Fernando Mercês, and David Sancho, “When PSD2 Opens More Doors: The Risks of Open Banking”, Trend Micro, published September 17, 2019, accessed November 13, 2019, <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/when-psd2-opens-more-doors-the-risks-of-open-banking/" target="_blank">https://blog.trendmicro.com/trendlabs-security-intelligence/when-psd2-opens-more-doors-the-risks-of-open-banking/</a></p><p style="text-align: center;"><a class="button button-xlarge button-rounded button-blue-grad" href="https://www.anomali.com/resources/whitepapers/the-lure-of-psd2-anomali-threat-research" target="_blank">Download Report</a></p>
