Looking to 2023: Defeating Money Laundering-as-a-Service and Other Emerging Threats
By Michael Brown, field CISO for financial services, Fortinet
U.S. financial institutions paid $1.2 billion in ransomware-related payments in 2021 – almost 200% more than the prior year, according to the U.S. Treasury Department. And while total numbers for 2022 are still being compiled, they are likely to surpass that. Bad actors continue to slam this sector, even as it works to bolster security defenses and raise more awareness.
As we look to 2023, security leaders in these institutions must remain on high alert. Some of the big things to watch out for in the coming year include the increased use of Ransomware-as-a-Service (RaaS) and Crime-as-a-Service (CaaS), and the rise of Money Laundering-as-a-Service (LaaS).
RaaS threat on the rise
Across almost every sector, ransomware has flourished in the past year – and it’s being driven largely by RaaS, which is a subscription-based ransomware system. It’s part of the CaaS industry, which involves seasoned attackers selling their expertise and tools to enable others to commit cybercrimes. The CaaS market offers a variety of attack vectors and related code, including, but not limited to, phishing kits, DDoS attacks and, of course, RaaS.
RaaS programs are distinctive in that they free attackers from having to create their own malicious code. This enables hackers, regardless of experience level, to successfully target individuals, financial firms and other entities to make a quick buck. Cybercriminals gain access to ransomware and other malware for a monthly fee, similar to the model for popular streaming media subscriptions or food delivery services.
CaaS will expand
Based on the success of RaaS, a growing number of other attack vectors will become accessible as a service through the dark web to support the considerable growth of Cybercrime-as-a-Service. There will be an increase in additional, smaller services along with the sale of Malware-as-a-Service such as ransomware.
Threat actors of all skill levels find the CaaS business model appealing because they can quickly take advantage of turnkey services without having to spend time and money developing an original attack strategy. And for experienced attackers, offering attack portfolios as a service yields a fast and recurring payout. In the future, subscription-based CaaS products may lead to other sources of income, too.
Criminals will also start to use cutting-edge attack methods like deepfakes, making audio and video recordings and associated algorithms more widely available for purchase.
To help scale their criminal enterprises, leaders and affiliate programs typically use money mules—individuals who deliberately or innocently help a crime syndicate launder money. Criminals use mules to transfer funds secretly from one nation or bank account to another; they sometimes recruit these mules via job ads. To avoid being discovered, this money-shuffling is sometimes carried out through cryptocurrency exchanges or anonymous wire transfer services.
It is standard practice to move money physically and conduct transactions through unaware mules, which helps prevent leaving a digital trail. To avoid setting off the warnings required by anti-money laundering legislation, funds are frequently divided into smaller batches and then moved through a number of channels.
Deploying recruitment campaigns for money mules is typically time-consuming because cybercriminals create websites for fictitious organizations and job listings for them. The listings are usually for money-handling roles like accounts receivable to lend credence to their businesses, successfully recruit mules, and elude law enforcement. We forecast that bad actors will begin adopting machine learning (ML) for recruitment targeting, which will improve the accuracy of their search for potential mules and speed up the process of finding these recruits. This adds new challenges for the teams ultimately responsible for ensuring the company is adhering to Anti-Money Laundering (AML) regulations.
In a similar vein, we anticipate the replacement of manual mule campaigns with automated services that transfer funds through multiple crypto exchanges, accelerating the process and making it harder to track.
The arrival of Money Laundering-as-a-Service is imminent; it might soon be included in the expanding CaaS portfolio. Additionally, the automation of this sort of crime makes money laundering harder to track, which lowers the likelihood of retrieving stolen monies for the organizations that become victims.
A six-step defensive strategy for FSI
1. Automate and augment: The only answers to the talent shortage are automation and augmentation. Giving your staff access to AI/ML tools will give your teams actionable alerts and a single point of control for managing, automating and orchestrating your network and security company-wide.
2. Understand compliance: From a business perspective, as well as from an IT and security perspective, it is crucial to be aware of the specific laws and regulations that you must address and adhere to.
3. Find the business-critical vulnerabilities and processes: Prioritizing the most important and susceptible processes requires FSIs to identify their most important business operations and assign them a risk assessment. Since a broad picture is ideal, talks throughout your entire firm are necessary. This allows you to see your organization from a risk perspective and simplifies the security language when talking to the board.
4. Upskill for cybersecurity: To help make up for the global shortage of cybersecurity talent, FSIs must upskill their workforce. No matter what their role, all personnel need cybersecurity awareness training, as well as recurring updates on the latest risks and attack techniques. Cybersecurity is the key discipline that is critical to all business endeavors.
5. Exchange knowledge: Look beyond your own organization. CISOs must take proactive steps to learn what is happening to the brand “in the wild.” Sharing information across organizations is essential. A DRP (digital risk protection) service should be used to improve visibility of the external digital attack surface.
6. Get on the same risk conversation page: Align with a common framework, such as NIST, to enable discussions about risk among all business units. To help FSIs advance their regulatory environment and automate audits, OSCAL (Open Security Controls Assessment Language) has been at the forefront of how the FSI can develop an information mechanism that makes data understandable and machine-readable.
Forewarned for 2023
With the difficult but critical task of watching out for all forms of financial fraud, financial services professionals need every tool and tactic at their disposal to thwart emerging attack vectors like RaaS and CaaS. The defensive strategy outlined above will help the FSI detect and defeat these forms of cybercrime.