How fraudsters target mortgage lending
April 25, 2022 2:04 PM
Across business and finance, dealing with cyber threats has become a regular part of life. Two years ago, researchers at Cybersecurity Ventures predicted that a new ransomware attack would occur every 11 seconds. Last year, a hack of the Colonial Pipeline’s billing infrastructure illustrated how large an impact cyberattacks could have. And at the end of the year, a security flaw in Apache Log4j framework posed a threat to any company using Java applications, putting banking services particularly at risk to Dridex malware. And in mid-April, five lenders and a title company reported data breaches which, combined, could affect thousands of customers.
Mortgage lenders can be anattractive target to cybercriminals due to the value of transactions taking place and their long lists of clients — any of whom could be compromised. While larger companies have gone to great efforts to protect their corporate security infrastructure, cyber safety on the consumer level is still “woefully inept,” according to Chase Cunningham, chief strategy officer at cybersecurity firm Ericom Software.
“We still have this issue of people not accepting that they need to make security, and the need for security, part of their everyday lives,” he said.
With flaws on theconsumer side of cyber operations easy to exploit, extra vigilance is required on the part of mortgage companies to protect client information, as well as their own operations. The more attention paid to security will lead to payoffs down the road, Cunningham said.
“There's data that proves if you have real security in place, you are able to do business quicker, better, faster, and people will be willing to do more business with you. So it's a business benefit to do security.”
Awareness and precautions go a long way toward preventing cyberattacks, and there are several steps mortgage companies can take to ensure their businesses are knowledgeable and prepared to deal with threats.
Mortgage lenders can be an
“We still have this issue of people not accepting that they need to make security, and the need for security, part of their everyday lives,” he said.
With flaws on the
“There's data that proves if you have real security in place, you are able to do business quicker, better, faster, and people will be willing to do more business with you. So it's a business benefit to do security.”
Awareness and precautions go a long way toward preventing cyberattacks, and there are several steps mortgage companies can take to ensure their businesses are knowledgeable and prepared to deal with threats.
Phishing and identity theft are the most common types of cybercrime
Compromised credentials and phishing are the most common methods of cyberattacks, Cunningham said. “And those are so prevalent that it's an everyday, every hour thing.”
Phishing, or transmission of emails made to look like they are from reputable businesses in order to steal victims’ personal data — as well as the text-message equivalent of smishing — are a common entry point leading to theft of personal information. Once fraudsters can obtain personal credentials, that person’s contacts are immediately threatened as well.
“When they infiltrate a victim, they record everything that's going on in their browser,” said Oleg Kolesnikov, vice president of threat research and detection at security analytics and operations management platform Securonix.
“The browser has special session-related cookies. So they could impersonate the person browsing to their bank or their mortgage provider. Then, following that, they basically leverage those to apply for mortgages and they can as part of doing that they can impersonate the browser of the user.”
The consequences of the initial breach commonly can lead to wire fraud, a trend that Todd Keller, chief information security officer at Cherry Creek Mortgage, has seen increase over the past few years. But it also opens the door to possibly more serious outcomes, including ransomware attacks.
“The bad guys get access to your system, and then, once they have a foothold on the network, they move laterally,” Keller said. “They start to own other systems, find out what's happening on the network. Where's the data? Where's the crown jewels? How can I get that out?”
The mortgage industry is particularly vulnerable to infiltration due to the common use of email usage for business.
“Email continues to be ubiquitous in the mortgage industry for transacting a loan,” Keller said. “So you're working with a lot of third parties — whether it's title, real estate, the borrower themselves — and a lot of that information about specifics around the loan will be communicated via email. So the bad guys realize this, and that's an easy target.”
Phishing, or transmission of emails made to look like they are from reputable businesses in order to steal victims’ personal data — as well as the text-message equivalent of smishing — are a common entry point leading to theft of personal information. Once fraudsters can obtain personal credentials, that person’s contacts are immediately threatened as well.
“When they infiltrate a victim, they record everything that's going on in their browser,” said Oleg Kolesnikov, vice president of threat research and detection at security analytics and operations management platform Securonix.
“The browser has special session-related cookies. So they could impersonate the person browsing to their bank or their mortgage provider. Then, following that, they basically leverage those to apply for mortgages and they can as part of doing that they can impersonate the browser of the user.”
The consequences of the initial breach commonly can lead to wire fraud, a trend that Todd Keller, chief information security officer at Cherry Creek Mortgage, has seen increase over the past few years. But it also opens the door to possibly more serious outcomes, including ransomware attacks.
“The bad guys get access to your system, and then, once they have a foothold on the network, they move laterally,” Keller said. “They start to own other systems, find out what's happening on the network. Where's the data? Where's the crown jewels? How can I get that out?”
The mortgage industry is particularly vulnerable to infiltration due to the common use of email usage for business.
“Email continues to be ubiquitous in the mortgage industry for transacting a loan,” Keller said. “So you're working with a lot of third parties — whether it's title, real estate, the borrower themselves — and a lot of that information about specifics around the loan will be communicated via email. So the bad guys realize this, and that's an easy target.”
Risk increases with more parties involved
Apart from threats posed through their emails, third and fourth party participants within the mortgage process add an extra layer of risk, said Keller. He has seen a significant uptick in terms of outside risk to lenders and their clients over the past few years and pointed to the Log4j incident as an example of how a fourth party could pose a danger.
“You have this component that, unless you're a developer or a Java junkie, you're not going to know what in tarnation the thing is. And you may not even know that's running in your environment,” he said.
“That would be an example of a fourth-party risk,” Keller went on, illustrating the potential for confusion, “Where ‘Wait a minute, you're telling me that this software component from a third-party software that I didn't even know one of our third-party vendors is using is potentially compromised, and there are active active attacks going on?’"
“You have this component that, unless you're a developer or a Java junkie, you're not going to know what in tarnation the thing is. And you may not even know that's running in your environment,” he said.
“That would be an example of a fourth-party risk,” Keller went on, illustrating the potential for confusion, “Where ‘Wait a minute, you're telling me that this software component from a third-party software that I didn't even know one of our third-party vendors is using is potentially compromised, and there are active active attacks going on?’"
Compromised personal data is bought and sold by cybercriminals on the dark web
Also available on the dark web are phish kits — pieces of web code that mimic a login page for a legitimate company. “Anybody who really wants to can go purchase that and register a domain name,” Keller said. “And within 15-20 minutes, they can drop that on there, and lo and behold, they can start sending phishing email.”
Mortgage banks are less likely targets for ransomware attacks — but danger still lurks
Fortunately, for a large section of the mortgage industry, malware and ransomware attacks do not pose as big a threat as in other industries thanks to the investments large banks realized they needed to take.
“The bad guys are going after the lowest-hanging fruit, and banks often are not. They have controls in place,” Kolesnikov said.
But by no means are other real estate and mortgage-related businesses immune from ransomware attacks, as evidenced last year ontech platform Cloudstar , which serves title and settlement providers. Smaller mortgage banks are also perceived by cybercriminals as easier to victimize.
“They go downstream and look for these little mortgage providers that have five employees, twenty employees that are all remote, all digital,” said Cunningham. “They go after them and work their way up.”
“The bad guys are going after the lowest-hanging fruit, and banks often are not. They have controls in place,” Kolesnikov said.
But by no means are other real estate and mortgage-related businesses immune from ransomware attacks, as evidenced last year on
“They go downstream and look for these little mortgage providers that have five employees, twenty employees that are all remote, all digital,” said Cunningham. “They go after them and work their way up.”
Remote work has created more opportunities for fraudsters
The remote work options brought on by the coronavirus pandemic added further potential for disruption by fraudsters, especially with many employees now regularly or entirely conducting business outside the office.
“Whatever device they use to access the network, that is an entry point into an internal network. Those devices need to be secured,” said Stephen Lineberry, chief information security officer at Blue Sage Solutions, the digital loan origination platform. “And there's cases where the company doesn't even own the device, so they have a really hard time putting controls on it.”
“When that device is outside, it brings all kinds of concerns,” he said, adding that policies need to be set around non-company devices and included in security awareness training. Everything from weak passwords to unfamiliar wifi networks can invite threats to a company’s system.
“Anything that creates an opportunity for someone to take that device and get into your internal network needs to be addressed,” Lineberry said.
“Whatever device they use to access the network, that is an entry point into an internal network. Those devices need to be secured,” said Stephen Lineberry, chief information security officer at Blue Sage Solutions, the digital loan origination platform. “And there's cases where the company doesn't even own the device, so they have a really hard time putting controls on it.”
“When that device is outside, it brings all kinds of concerns,” he said, adding that policies need to be set around non-company devices and included in security awareness training. Everything from weak passwords to unfamiliar wifi networks can invite threats to a company’s system.
“Anything that creates an opportunity for someone to take that device and get into your internal network needs to be addressed,” Lineberry said.
Every company is a target, but precautions are simple to take
A big portion of risk can be reduced with simple precautions, such as software patches, multifactor authentication for both internal and external users and incident response plans, cybersecurity experts agreed. But not all companies take them seriously.
“If you do these things, you actually reduce a lot of your risk, and it's things like — make sure all your systems are patched up, know what systems are accessing your systems. So patch them. Get MFA set up anywhere and everywhere,” Keller said. “Just by doing some of those basics, we just reduced our risk pretty significantly.”
Regularly testing that security processes are still working is necessary as well, as they have a tendency to degrade over time, according to Kolesnikov. It’s a task that companies also overlook.
“I think sometimes there's a false sense of security related to the fact that we have controls in place and therefore we are protected. Controls often does not mean protection. Protection has to be validated and validated on a continuous basis,” he said.
Making security part of a company’s culture and fundamental training is also key to removing threats and should be taken seriously at all levels of the company. “Cybersecurity in today's age — it needs to be integrated as part of your organization — not just something you do. It needs to be touched on and looked at through the entire process,” Lineberry said.
“I think it's a fair statement to say there's going to be attempts on everyone,” he added. But the attempts won’t turn into incidents if the precautions are taken. While no system can be foolproof, the organizations who take cybersecurity risks seriously will still end up ahead.
“Information security — it's impossible for it to be perfect. You just need to be better than everyone else that you can, because then you're not an attractive target,” Lineberry said.
“If you do these things, you actually reduce a lot of your risk, and it's things like — make sure all your systems are patched up, know what systems are accessing your systems. So patch them. Get MFA set up anywhere and everywhere,” Keller said. “Just by doing some of those basics, we just reduced our risk pretty significantly.”
Regularly testing that security processes are still working is necessary as well, as they have a tendency to degrade over time, according to Kolesnikov. It’s a task that companies also overlook.
“I think sometimes there's a false sense of security related to the fact that we have controls in place and therefore we are protected. Controls often does not mean protection. Protection has to be validated and validated on a continuous basis,” he said.
Making security part of a company’s culture and fundamental training is also key to removing threats and should be taken seriously at all levels of the company. “Cybersecurity in today's age — it needs to be integrated as part of your organization — not just something you do. It needs to be touched on and looked at through the entire process,” Lineberry said.
“I think it's a fair statement to say there's going to be attempts on everyone,” he added. But the attempts won’t turn into incidents if the precautions are taken. While no system can be foolproof, the organizations who take cybersecurity risks seriously will still end up ahead.
“Information security — it's impossible for it to be perfect. You just need to be better than everyone else that you can, because then you're not an attractive target,” Lineberry said.
