A mortgage industry
Threat actors responsible for cyberattacks are sitting for longer periods of time undetected in firms’ servers and methodically plotting their crimes, according to cybersecurity experts. At least two servicers in April acknowledged individual cyberattacks in which personally identifiable information was accessed by unauthorized actors for over a month before being detected.
Now, cybercriminals are employing double and triple extortion attacks, using ransomware to leverage personally identifiable information in numerous criminal ways, experts said. Fintechs could be particularly exposed to these new types of threats, according to one expert, although cybersecurity professionals remain adamant no type of mortgage firm, fintech or otherwise, is more exposed to specific threats than another.
Digital Silence has responded to a few extortion incidents in the last several months, said JT Gaietto, the cybersecurity firm’s chief security officer. The threat actors hold PII for ransom, then simultaneously sell it on the black market and also use it to attack fintechs, particularly those offering speedy loan approvals.
“Threat actors are taking that PII data and they’re leveraging the workflow of fintechs against them,” he said.
Threat actors can write bots that throw a plethora of stolen credentials at a fintech, which has likely worked with credit bureaus to prequalify borrower candidates, and keep attempting loan applications until one hits and the loan is wired, he said, thereby using the PII in numerous ways.
Dan Koch, chief technology officer at digital mortgage lender Tomo, agreed that threat actors leverage the workflow of fintechs against them, but added the caveat that humans are part of that workflow, too.
“Cybersecurity experts will tell you that social engineering is one of the most potent tools in a bad actor’s toolkit,” he said. “Social engineering is [about] exploiting a system that’s exploiting … the humans who are involved in the system.”
In discussing the scenario Gaietto described, Koch said Know Your Customer verification varies among fintechs, with money transfers requiring massive KYC requirements. He expects to see the verification technology continue to improve.
Rutul Dave, co-founder and chief technology officer at mortgage tech firm Maxwell, said he hasn’t seen the double or triple extortion threat in the mortgage industry firsthand but acknowledged the attacks are possible.
Mortgage lenders like Maxwell’s customers rely on third-party providers for a number of services and more layers could possibly increase exposure.
“Because of the number of vendors or number of systems that sometimes you need to rely on, you are at least increasing that risk profile and in a way the complexity of everything,” he said. “That needs to be protected.”
Ransomware, the method by which such attacks could occur, is among the most popular tools for cybercriminals. A major cyberattack on
Longer, undetected breaches also allow cybercriminals to do some research and assess how much money a victim company could pay them, said Jordan Bingham, founder of cybersecurity firm LendSafe, part owner of a Utah brokerage and former mortgage loan originator. The con doesn’t have to end there, with cybercriminals returning to victims long after the initial ransom.
“If they don’t release [information], well then maybe they’ll come back a year later and say, ‘Hey, this information is still valuable and I need a little bit of money, so are you willing to pay me again for it?’” Bingham said. “So it’s really bad.”
At least one victim of a recent, massive data breach alleged she suffered from the misuse of her compromised PII months after the initial cyberattack. Lakeview Loan Servicing last month acknowledged a substantial breach undetected over 41 days last fall and did not disclose the type of cyberattack.
Jenniffer Morrill, an affected California customer, claimed in a federal lawsuit her compromised PII, including her name, address and Social Security number, was used to make four fraudulent credit card purchases months after the breach.
“The temporal proximity of the fraud to this Data Breach further demonstrates that Plaintiff Morrill’s injury is fairly traceable to this Data Breach,” an attorney for Morrill wrote.
Mortgage technology firms aren’t any more exposed to threat actors than the average mortgage lender, experts emphasized. Some pointed to the recent wave of data breaches at servicers, and the recent spate of attacks included smaller mortgage lenders and title companies.
Fintech or otherwise, the industry’s players have all incorporated digital workflows, experts said. Exposure to cyberattacks is a matter of digital competency, professionals suggested, or sometimes simply a matter of luck.
“It’s an asymmetric landscape from a perspective of we have to be correct and good all the time,” said Paul Guthrie, information security officer at mortgage tech firm Blend, comparing firms to cybercriminals. “They just have to get lucky once.”