“Because that’s where the money is!” This is a quote frequently attributed to Willie Sutton as the answer he allegedly gave when asked why he robbed banks. Even though Mr. Sutton never gave this answer, it still holds true.
This paradigm also holds true when it comes to today’s financial malware. Online banking applications are where money is moved; hence they are also the focus of attackers. It should not come as a surprise that we still see further development of Trojans targeting online banking services. One example that we recently blogged about is the Neverquest Trojan, a successor of Trojan.Snifula, which was first seen in 2006 but is still in use.
The number of infections of the most common financial Trojans grew to 337 percent in the first nine month of 2013. This represents nearly half a million infected computers per month that are susceptible to fraud. To get a better understanding of the mechanics behind financial Trojans and the scale of their operations, we analyzed over one thousand recent configuration files belonging to eight online banking Trojans. These configuration files define which URLs the Trojan should attack and what attack strategy to use. Attacks vary from simple user redirection to complex Web-injects, which can automatically conduct transactions in the background. The analyzed configuration files targeted 1,486 organizations in total. This highlights the wide distribution of the Trojans, which target everything that could yield a monetary profit for the attacker.
The most frequently attacked bank is located in the US and was present in 71.5 percent of all the examined Trojans’ configuration files. All of the top 15 targeted banks were found in more than 50 percent of the configuration files. This means that every second Trojan targets at least one of these banks. These high numbers might be because the targeted URLs are present as examples in some of the basic toolkits, which are sold with the Trojans. Another reason could be that the Trojans simply still work against these firms, as not all financial institutions have moved to strong authentication yet. Of course, most financial institutions are aware of these cybercrime developments and are deploying new protection mechanisms to block such attacks. Unfortunately, new security measures take time and money to roll out and the attackers will always come up with new attack avenues. After all, social engineering attacks still work, since some people will always fall for a cleverly crafted story. We expect that we will continue to see attacks targeting online banking services in the coming year.
If you want to learn more about the state of financial Trojans, we released an updated whitepaper on this topic.
We also have the following infographic on 2013’s financial threat landscape.