April 2025 Security Issues in Korean and Global Financial Industries

This report comprehensively covers actual cyber threats and security issues that have occurred in financial institutions in Korea and abroad.

This includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and industry statistics of leaked Korean accounts on Telegram. A case of phishing emails distributed to the financial sector is also covered in detail.

This report also analyzes key financial threats and cases on the dark web: credit card data breaches, leaks of financial institutions’ databases, ransomware attacks targeting the financial sector and the damage they cause, and other cyberattacks on financial institutions, each illustrated with actual cases.
Statistical Summary

  • Statistics on Malware Distributed to the Financial Sector
  • Statistics on Accounts of Korean Industries Exfiltrated via Telegram
Summarized Key Issues in the Deep and Dark Web Related to the Financial Industry

  • Cases of Credit Card Information Leakage

Exploit Forum: 1,400 Credit Card Information Being Sold
A threat actor (B_ose) on the cybercrime forum Exploit is selling credit and debit card information.

On April 2, B_ose posted a thread on the same forum offering 1,400 credit card records. The next day, B_ose posted another thread offering a total of 336 card records: 201 credit card records and 135 debit card records.

B_ose stated that 80% of the cards are valid and that the leaked data includes card numbers (CC), expiration dates (EXP), security codes (CVV), names, addresses, phone numbers, and email addresses.

This incident is extremely dangerous because everything required for an online payment (card number, expiration date, and CVV) has been leaked and 80% of the records are valid. The threat actor is selling the data in bundles, so it is highly likely to be fed into automated carding tools. Companies must check the encryption, access control, and logging of every system that stores or processes card data, and must also check for leaks through bypass routes such as third-party payment services and customer support systems. Strengthening customer authentication and abnormal transaction detection is especially important, because the leaked addresses, phone numbers, and other personal details can be used for identity theft and account takeover attacks.
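As an added illustration for this case (not code from the report), the following Python sketch shows what an abnormal transaction detection rule aimed at automated card testing can look like: it groups payment authorization attempts by source IP and raises an alert when, inside a sliding time window, one source cycles through many different cards with a high decline rate. The log records, IP addresses (RFC 5737 documentation ranges), card tokens, and all thresholds are constructed for the example; a real deployment would take tokenized records from the payment gateway and tune the thresholds against its own traffic.

```python
"""Card-testing ("carding") detection over payment authorization logs.

Added example; not code from the report. It assumes an authorization log in
which each record carries ts (epoch seconds), card (a token standing in for
the card, never the PAN itself), ip, amount, and result ("approved" or
"declined"). Thresholds are assumptions chosen for the constructed sample.
"""
from collections import defaultdict
from typing import Dict, List

BASE_TS = 1_743_580_800  # constructed epoch base for the sample records

# Constructed sample log. 203.0.113.10 cycles through six different card
# tokens in under a minute with mostly declines (card-testing pattern);
# 198.51.100.7 is an ordinary shopper; 192.0.2.44 is a customer retrying a
# single card a few times, which must not be flagged.
SAMPLE_AUTH_LOG: List[Dict] = (
    [{"ts": BASE_TS + 10 * i, "card": f"tok_a{i}", "ip": "203.0.113.10",
      "amount": 1.00, "result": r}
     for i, r in enumerate(["declined", "declined", "approved",
                            "declined", "declined", "approved"])]
    + [{"ts": BASE_TS, "card": "tok_b1", "ip": "198.51.100.7",
        "amount": 89.99, "result": "approved"},
       {"ts": BASE_TS + 3600, "card": "tok_b1", "ip": "198.51.100.7",
        "amount": 24.50, "result": "approved"}]
    + [{"ts": BASE_TS + 10 * i, "card": "tok_c1", "ip": "192.0.2.44",
        "amount": 45.00, "result": r}
       for i, r in enumerate(["declined", "declined", "declined",
                              "approved", "approved"])]
)


def detect_card_testing(records: List[Dict], window_s: int = 300,
                        min_attempts: int = 5, min_distinct_cards: int = 4,
                        min_decline_ratio: float = 0.5) -> Dict[str, Dict]:
    """Return {ip: alert} for sources that look like automated card testing.

    A source is flagged when some window of window_s seconds contains at
    least min_attempts authorizations spread over at least
    min_distinct_cards different card tokens, with a decline ratio of at
    least min_decline_ratio. Distinct cards are the key signal: a single
    customer retrying one card is not card testing.
    """
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    alerts: Dict[str, Dict] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_s.
            while recs[end]["ts"] - recs[start]["ts"] > window_s:
                start += 1
            window = recs[start:end + 1]
            attempts = len(window)
            if attempts < min_attempts:
                continue
            cards = {r["card"] for r in window}
            declines = sum(1 for r in window if r["result"] == "declined")
            ratio = declines / attempts
            if len(cards) >= min_distinct_cards and ratio >= min_decline_ratio:
                prev = alerts.get(ip)
                # Keep the largest qualifying window per source.
                if prev is None or attempts > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": attempts,
                        "distinct_cards": len(cards),
                        "decline_ratio": round(ratio, 2),
                        "window_start": window[0]["ts"],
                        "window_end": window[-1]["ts"],
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_card_testing(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {alert}")
```

Run against the constructed log, only 203.0.113.10 is flagged; the retrying customer at 192.0.2.44 has five attempts and a 60% decline rate but only one card, so the distinct-card requirement keeps it out. Lowering min_distinct_cards to 1 would flag it too, which is the kind of false positive the rule is designed to avoid.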

The fact that the same threat actor sold a large volume of card data in a short period suggests an internal automated collection route. Companies must not only protect card payment data but also review the entire data flow in which it is combined with customer names, addresses, and emails, and must check for security weaknesses in POS environments, payment gateways, and API integrations. All industries that handle customer information should regularly review the scope of the data they store and how it is processed, and conduct response drills based on hypothetical breach scenarios.
  • Cases of Database Leaks

Affected Company: a***.ru
The data breach of A*** Bank’s employees in Russia was posted on the cybercrime forum BreachForums. Note that the BreachForums website was inaccessible from April 15, when this article was being written, through May 7.

A*** is the largest private bank in Russia, established in 1990. It provides account opening, credit card issuance, personal loans, and mortgage services to individual customers, and loans, trade finance, asset management, leasing, and investment services to corporate customers. The threat actor (Dull) claimed that the breach involved the information of approximately 2,600 employees. The leaked data includes names and email addresses. The actor released sample data to lend credibility to the claim.

This breach highlights the importance of supply chain security: poor security management at an external service provider led to the leak of employee data from a major financial institution. Indirect compromise through a third party, rather than direct hacking, is a threat to every company that uses externally linked services or outsources operations. The inclusion of employee email addresses makes the situation more dangerous, as it can lead to secondary damage such as phishing attacks and internal intrusions. Companies must regularly assess the security of their service providers and strictly enforce least privilege and data access control; proactive vulnerability assessments and threat modeling of supply chain systems are also essential.
  • Cases of Ransomware Infection

Ransomware: Everest

Affected Company: https://www.j***.com/
The ransomware group Everest has claimed responsibility for an attack on J***, a commercial bank in Jordan.

J*** is a financial services company in Jordan, established in 1976, that provides commercial finance, investment finance, personal finance, and finance for small and medium-sized enterprises.

The group claims to have stolen 11.7 GB of internal bank data, including confidential information and employee data, and has released a sample of the stolen human resources (HR) data, which includes basic personal information, resident registration information, payment information, contact details, and addresses. The group is threatening to release the data around April 29.

This incident shows that the entire financial sector is at risk of exposing sensitive information, including internal confidential information and HR data. In particular, the fact that data from the HR management system was leaked underscores the need to review internal privilege management and account security as a whole. Financial institutions need to strengthen access controls and anomaly detection in their internal systems (especially HR and finance systems) rather than relying solely on external defenses. Systems that handle employee personal information should apply data minimization and encryption and should monitor for insider risk. This incident should prompt the financial sector to conduct comprehensive cyber risk assessments that cover both its own infrastructure and that of its partners.
  • Cases of Cyber Attacks

Affected Company: http://www.s***.fi/
The hacktivist group Dark Storm Team claimed to have launched a DDoS attack against the *** bank in Finland.

The Bank *** of Finland is the central bank of Finland, established in 1812. Its key tasks include formulating and implementing monetary policy, overseeing the stability of the financial system, producing statistics, supplying cash, and managing foreign exchange reserves.

This attack has significant repercussions because it targeted a core financial institution of its country, one that plays a central role in the economy by managing monetary policy, financial market stability, and foreign exchange reserves; even a temporary service disruption caused by a DDoS attack can damage credibility. Because this infrastructure is connected to the European Central Bank system, central banks and financial authorities in other countries should also prepare for similar threats by establishing proactive response strategies such as system redundancy and high availability, checks of their DDoS response systems, and threat modeling based on geopolitical risk.
MD5

02134b159240a06722d250381501498d
0ebe19e549781865af5659e40132094c
6e01ef1367ea81994578526b3bd331d6
78a98846c47c12fb9ecdc92e1f479597
ac92b521eda00eb291dda0534f497b1f
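The MD5 values above are the indicators a defender would use to check endpoints and file shares for the samples covered in this report. The following Python script is an added example, not the report’s own tooling: it walks a directory, hashes each regular file in chunks, and reports any file whose MD5 appears in the indicator set. It assumes the five hashes above are the complete list and that the operator supplies the directory to sweep; the file written by demo_scan is constructed for the example and is not a real sample. MD5 is used only because that is what the report publishes; a match identifies a known sample, while a non-match proves nothing about a file.

```python
"""Sweep a directory for files matching the MD5 indicators listed above.

Added example; not code from the report. Assumes the operator points it at a
directory to check and that REPORT_MD5_IOCS holds the report's MD5 values.
"""
import hashlib
import os
import sys
import tempfile
from typing import Dict, Iterable, Set

# MD5 indicators copied from the report's MD5 section.
REPORT_MD5_IOCS: Set[str] = {
    "02134b159240a06722d250381501498d",
    "0ebe19e549781865af5659e40132094c",
    "6e01ef1367ea81994578526b3bd331d6",
    "78a98846c47c12fb9ecdc92e1f479597",
    "ac92b521eda00eb291dda0534f497b1f",
}


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, iocs: Iterable[str] = REPORT_MD5_IOCS) -> Dict[str, str]:
    """Return {path: md5} for every regular file under root whose MD5 is in iocs."""
    wanted = {h.strip().lower() for h in iocs}  # normalize case/whitespace
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Hash only regular files; skip symlinks, sockets, FIFOs, devices.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: record it in a real sweep, skip here
            if digest in wanted:
                hits[path] = digest
    return hits


def demo_scan() -> Dict[str, object]:
    """Build a constructed sample directory and scan it twice: once against the
    report's indicators (no hit expected, the file is harmless) and once with the
    sample file's own digest added to the set (exactly one hit expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not a real malware sample")
        digest = md5_of_file(sample)
        return {
            "digest": digest,
            "sample_path": sample,
            "hits_report_only": scan_directory(tmp),
            "hits_with_sample": scan_directory(tmp, REPORT_MD5_IOCS | {digest.upper()}),
        }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for found_path, found_digest in scan_directory(target).items():
        print(f"MATCH {found_digest} {found_path}")
```

Running the script with a directory argument prints one line per matching file. Hashes are compared after lowercasing, so indicator lists pasted in mixed case still match, and unreadable files are skipped rather than aborting the sweep.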