Financial Trojans in 2014: Takedowns contributed to 53 percent drop in infections, but threat is still prevalent 

Mar 03, 2015 03:57 AM

Financial Trojans that intercept and redirect transactions from online banking sessions have always been popular among cybercriminals. These campaigns will probably remain prevalent for the foreseeable future, as attacks against banking customers are still successful in many cases. Today’s financial malware has evolved to bypass newer security measures, such as two-factor authentication (2FA) and mobile banking, in order to steal money from unsuspecting users.

To study the changes in strategy for these types of threats, Symantec analyzed nine common financial Trojans and their activity in 2014. For our research, we extracted configuration files from 999 recent malware samples. Within those files, we found URLs that show that the Trojans are targeting customers of 1,467 financial institutions in 86 countries. The top nine most targeted financial institutions were in the crosshairs of more than 40 percent of all the analyzed Trojans. Around 95 percent of the threats focused on the most frequently targeted financial institution, which is based in the US.

A drop in infections
The total number of detections of common financial Trojans decreased by 53 percent in 2014, while financial phishing emails dropped by 74 percent last year. The US experienced the most detections of financial Trojans last year, followed by the UK and Germany. Some threat families like Trojan.Shylock nearly disappeared, whereas others, such as the new spin-off threat Infostealer.Dyranges, filled some of the gaps. Some groups shifted their focus to other continents, such as Asia, and to local payment systems, such as Boleto Bancário in Brazil.

Figure. Number of global infections of common financial Trojans in 2014

Why the drop?
Multiple factors can influence the prevalence of financial malware in the wild. The drop in detections in 2014 can be partially attributed to a few takedown and arrest operations conducted by different law enforcement agencies in cooperation with the security industry. Malware author arrests often lead to an end-of-support situation for threat families, causing the malware’s usage to drop and shift. Cybercrime won’t disappear overnight, but the continued collaboration efforts between law enforcement and private industry will make it harder for cybercriminals to operate.

The drop could also be attributed to how Symantec and Norton products detect and block threats as early as possible in the infection chain. Most financial Trojans nowadays are distributed through exploit kits such as Styx, Angler, and Nuclear, and we have technology to cut these attacks off before they can do damage. Our URL reputation technology can prevent users from visiting exploit kit landing pages in the first place. Additionally, our browser protection technology can block the exploits that are distributed through these kits before they can download dropper malware onto the computer. This leads to fewer detections of the actual financial Trojan on users’ computers. For example, detections of the Angler exploit kit increased threefold in the last six months.

But don’t relax too much: the bad guys are still out there and they are after your money. They focus on every possible target that they can get a profit from. Not all of the attacks are successful, as the banks have upgraded their internal antifraud processes to counter the attacks. But some attackers still make a lot of money from their campaigns. There was a case in Switzerland where the criminals successfully stole more than US$1 million from one victim and sent the money to accounts in Poland and China. According to recent research, a group of attackers managed to steal more than US$300 million by hacking into banks and issuing transactions as well as reconfiguring ATMs to spit out cash onto the streets. The latter technique is not dissimilar to the one we had observed early in 2014 where ATMs in Mexico were made to spit out cash simply by attackers sending a text message. Since our initial reporting, the same malware and technique have inevitably spread to other countries including the Ukraine.

Protection
Symantec and Norton products protect customers through our multilayered security approach. In addition, users should adhere to the following advice to ensure that they prevent these attacks from succeeding:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Keep antivirus software and operating systems up to date
  • Enable advanced account security features, like 2FA, if available
  • Use strong passwords for all your accounts
  • Always log out of your online banking session when finished
  • Enable account login notifications, if available
  • Monitor bank statements regularly for suspicious activity
  • Notify your financial institution of any strange behavior while using their service

If you want to learn more about the state of financial Trojans in 2014, we released an updated whitepaper on this topic.
