Why is it called a salami attack?

The name comes from cutting a salami into thin slices. Each slice is small, but when combined, it becomes a large piece. The same idea applies to this kind of attack.

Where do salami attacks usually happen?

Salami attacks occur mostly in places where many small transactions happen every day, like banks, payroll systems, e-commerce sites, and billing systems.

How can a salami attack be detected?

Detecting a salami attack can be hard because the changes are so small. Regular audits and security systems that flag unusual activity can help identify hidden issues.

How can I protect against a salami attack?

Use strong passwords and ensure a two-factor authentication process. Update your systems regularly and report any transactions you don’t recognize or that seem suspicious.

Are salami attacks illegal?

Yes. Any act of secretly changing financial or digital systems for personal gain is a form of cybercrime and is punishable by law.

Salami Attack in Cybersecurity: How to Detect and Prevent

Key Takeaways

The term ‘Salami Attack’ was first used in the 1940s by a Hungarian leader to describe how his party dismantled the opposition “slice by slice”.
A salami attack can occur for years without getting noticed, where attackers steal small amounts of money or data from many sources.
These attacks can be extremely difficult to detect if carried out by an insider threat, such as a bank employee with access to the financial system.

Introduction

A cyberattack is a malicious and intentional attempt by an individual or organization to compromise the information system of another individual or organization. Attackers use different methods to gain unauthorized access to the victim’s system and steal sensitive data. One of the most innovative types of cyberattacks is known as a ‘Salami attack’. In this attack, criminals steal small amounts of data and funds from multiple accounts over time without being detected. By the time victims find out about the attack, the damage has already been done. Currently, salami attacks in cybersecurity are exploiting automation and digital transactions to remain hidden. Many industries process thousands of micro-operations daily, making it hard to detect such attacks.

What is a Salami Attack in Cybersecurity

In a salami attack, an attacker makes small, incremental changes to a target system to steal small amounts of money or resources. The changes are often too small to notice quickly, but the benefits for the attacker are significant when combined from multiple sources.

The attack is named after the idea of slicing a salami into thin pieces, with each small slice enough to go unnoticed. The concept of the salami attack first appeared in computer fraud discussions from the 1980s, when a group of programmers exploited automated systems to divert fractions of financial transactions into personal accounts.

Also known as salami slicing or penny shaving, this attack involves breaking up large targets into smaller, manageable pieces and working on each part at a time. This can make the plan easier to carry out and make the attack less obvious to others. Salami attacks in cybersecurity often hide inside automated, high-volume systems such as billing, payroll, or e-commerce platforms.

How a Salami Attack Works

A salami attack is carried out by someone with access privileges. It could be a developer, system admin, or any other authorized insider. They will insert a hidden script or malicious code into an automated process. When this code is executed, tiny amounts of data or other resources are extracted from multiple transactions or accounts. Each detection is small, making it hard for authorities to notice anything unusual.

It's a highly effective attack due to two key elements:

Stealth: Attackers make small changes in the code or transaction logic, which can make detection extremely difficult. For example, changing rounding algorithms in payroll or billing systems so that a few decimal points can be diverted into another account. Tracing such small discrepancies among thousands of daily transactions is not easy.

Persistence: The malicious code, once entered, continues to operate until detected and removed. It will continue to collect small amounts of data until the goal is achieved. Attackers use fake system maintenance or transaction fee messages to hide these malicious codes.

When these methods are combined, attackers can carry out salami attacks for a longer time without being noticed.

Types of Salami Attacks

There are several types of salami attacks in cybersecurity. Let’s discuss each in detail:

1. Financial Salami Attacks

This type of salami attack is called salami slicing. It works by manipulating financial systems to extract a small amount of money from multiple accounts. Salami attackers usually leverage rounding algorithms to deposit small fractions of money into hidden accounts. The differences, again, are so small that they usually go undetected, even during audits.

Other forms of salami attacks include internal payroll and internal operation payment manipulation, in which the attacker diverts a small portion of each payment to their own financial accounts. After an extended period, those small portions can add up to a significant amount.

2. Information-Based Salami Attacks

These attacks are carried out by extracting small amounts of data from multiple systems. For example, an attacker might copy some of the customer data from a large database. Then, this stolen data is combined to create a high-value dataset that can be used for identity theft or corporate espionage.

3. Resource-Based Salami Attacks

In these attacks, malware or scripts are injected into different devices to consume small portions of memory or bandwidth. Then, attackers use these resources to carry out cryptocurrency mining or botnet operations without being noticed.

4. Internet or Cloud-Based Salami Attacks

In cloud or SaaS environments, attackers sometimes modify scripts or usage meters so that a few extra requests or bytes are billed elsewhere. These minor shifts can go unnoticed among thousands of normal operations.

Salami attacks were already hard to detect, and with automation, detection has become even harder while they scale more easily.

Real-World Examples and Common Targets of Salami Attacks

There have been several instances where people with malicious intent have successfully stolen thousands of dollars using one or another form of the salami attack.

Payroll Manipulation (2023)

A case related to a payroll administrator at two Canadian construction companies was reported in May 2023. The report stated that the payroll administrator altered banking details for two years to issue unauthorized payments to herself. The fraud was only detected when employees started seeing missing payments. This shows how difficult it is to detect small manipulations, even with multi-tiered approvals and regular audits.

Micro-deposit Fraud

This is a perfect example of what’s known as a penny shaving attack. Several online banks and financial institutions send micro-deposits to new accounts to verify the user. Fraudsters exploited this verification method and created thousands of accounts to collect small deposits, ranging from $0.01 to $2. Cybersecurity companies have reported a rise in micro-deposit fraud since 2024. In 2008, a famous case happened when a California-based fraudster created over 58,000 accounts to accumulate between $40,000 and $50,000 from verification deposits.

Who are the Common Targets of Salami Attacks?

Salami attacks most often target systems with a large volume of low-value transactions, which can include banking systems, payroll systems, e-commerce, and subscription billing systems. The reason attackers prefer Salami attacks is that their small changes go unnoticed in thousands of daily transactions.

Detection and Prevention of Salami Cyber Attacks

Because salami attacks are carried out quietly, detecting them requires the user to remain vigilant and perform system-level monitoring.

For Individuals

Use strong, unique passwords: Do not reuse passwords between financial and online accounts. A password manager can help create and safely store difficult credentials.
Enable multi-factor authentication (MFA): If your password has been exposed to attackers, MFA can help keep your account safe.
Keep software and devices updated: Software and device updates close vulnerabilities that attackers could exploit to insert malicious scripts or Trojans for salami attacks.
Identify unusual activity: If you see any charge that you don't recognize, you should report it immediately. Also, review your account statements and recent transactions from time to time.
Stay alert to phishing: Attackers may use phishing emails to infect your system with malware or steal credentials to carry out small-scale data manipulation.

For Organizations

Utilize centralized monitoring tools: SIEM tools can correlate logs and identify transgressions such as minor transaction mismatches or round-offs that frequently occur.
Conduct regular audits and reconciliations: Compare transaction logs with billing and accounting data to identify minor mismatches that could indicate salami activity.
Restrict privileged access: Give admin rights only to trusted users and record all system changes.
Use automation and alerts: Set thresholds for unusual activity, such as repeated sub-cent changes or automated transfers. Any such activity would trigger real-time alerts.

Conclusion

Salami attacks have existed for decades, but the techniques used for attacks keep changing as systems become further automated and data-driven. Being able to detect these subtle attacks requires vigilance, regular monitoring, and robust security controls.

If you suspect that your organization may be affected, consult security experts who can identify and remove the hidden scripts or anomalies responsible for data or financial loss. SafeAeon’s cybersecurity experts can help enhance your security posture and protect your systems from salami attacks and other cyber threats.