Financial threats 2015: 73 percent drop in financial Trojan infections but threat is far from neutralized 

Mar 22, 2016 08:58 AM

Using financial Trojans to defraud customers of online banking services is still a popular method among cybercriminals looking to make a profit. Although we have seen a drop in the number of financial Trojans being detected, the Trojans are becoming more capable at what they do and the threat they pose will remain for some time to come. Furthermore, criminals are increasingly targeting financial institutions directly, using malware or through business email compromise (BEC) scams.

In order to keep abreast of the current threats facing the financial sector and its customers, Symantec analyzed hundreds of samples of financial Trojans and examined data and research gathered and conducted throughout 2015.

Drop in financial Trojan detections
For our research, we extracted configuration files from 656 active malware samples. Within those files, we found 2,048 URL patterns that show that the Trojans are targeting customers of 547 organizations in 49 countries.

The total number of financial Trojan detections continued to decrease in 2015, with a 73 percent drop compared to the previous year.

The US was again the country most infected with financial Trojans in 2015, followed by Germany and India. Given its size, the US, not surprisingly, also had the highest number of targeted organizations (141 institutions).

Why the drop?
Fluctuations are partially due to takedowns, arrests, and the efficacy of different Trojan families; some cybercriminal groups who used to favor financial Trojans appear to have shifted to ransomware lately. In addition to these factors, security software has increased its proactive detection capabilities—for example, blocking users from visiting infected websites or preventing droppers from downloading the payload. This increased success in early prevention leads inevitably to fewer detections of Trojans on computers. Because of this, we cannot always tell which malware would be dropped if the infection attempt had been successful. Therefore the real number of attempts by the cybercriminals to infect computers with financial fraud Trojans is most likely far higher than the number of actual infections.

Financial Trojans up their game
Although there was a significant drop in financial Trojan detections, the prevalent malware families have become far more capable.

The average number of targeted organizations per sample in 2015 was 93, an increase of 232 percent over the previous year, indicating that each individual sample now targets more organizations in order to be more effective. The most frequently targeted bank of 2015 is located in the US and was attacked by 78.2 percent of the analyzed Trojans.

Email still preferred distribution method
The most common distribution method for financial Trojans is through spam emails with malicious attachments. As seen with the active Dridex family, Office documents with a malicious macro (W97M.Downloader) or .zip archives with malicious JavaScript (JS.Downloader) are frequently used to compromise computers. The activities of such droppers increased by 92 percent in the last month, although they still need user interaction to complete the infection process.

As previously reported, Symantec has seen millions of Dridex spam emails being sent out each day. This aligns with the 214 percent increase in Dridex detections registered from January to February 2016. In the same period, detection counts for nearly all other major financial Trojan families continued to drop, by approximately 20 percent. This shows that while some Trojan families are in decline, others are quick to take their place.

Criminals set their sights on the bigger prize
Another trend that has become evident over the last year is that cybercriminals are increasingly moving beyond targeting online banking customers and are instead targeting financial institutions directly. Examples include the repeated Carbanak attacks and the recent infiltration of the Bangladesh Bank, which according to news reports led to losses of up to US$100 million. The tactics are simple: through classical attack methods like spear-phishing, the targeted financial institution is compromised and a foothold is established. Once inside the financial institution’s network, the attacker can wait and learn how to transfer money, issue fraudulent transactions, or orchestrate ATMs to dispense cash.

Yet another scheme that has become more prevalent among criminals is the BEC scam, whereby the financial department of a company is convinced to carry out a transaction in favor of the attacker. These attacks do not involve malware and do not tamper with the online banking service, but instead rely solely on social engineering. These scams are growing in frequency and, according to the FBI, are responsible for losses of over US$740 million since 2013 in the US alone.

Mitigation
Users should adhere to the following advice to ensure the best possible security:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails or phone calls
  • Keep security software and operating systems up to date
  • Enable advanced account security features, such as 2FA, if available
  • Use strong passwords for all your accounts
  • Always log out of your session when done
  • Enable account login notification if available
  • Monitor your bank statements regularly for suspicious activity
  • Notify your financial institution of any strange behavior while using their service
  • Exercise caution when conducting online banking sessions, in particular if the behavior or appearance of your bank’s website changes
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Establish enhanced authorization business processes for transactions to avoid falling for BEC scams
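The two dropper formats described in the distribution section (Office documents carrying a VBA macro, and archives carrying a JavaScript file) and the macro-attachment advice in the list above can be turned into a gateway-side triage check. The code below is an added example, not Symantec's own code or its Disarm technology; the sample attachments are constructed in memory and the verdict labels are assumptions for illustration.

```python
import io
import zipfile

SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf")

def _make_zip(entries):
    """Build an in-memory zip from {name: bytes} and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def classify_attachment(data):
    """Return (verdict, reason) for one attachment's raw bytes.

    OOXML documents are zip containers and store a VBA project as a
    vbaProject.bin part, so its presence means macros are present whatever
    extension the sender chose. Plain archives are checked for script files.
    Legacy OLE2 .doc/.xls files are not zips and need a separate OLE parser,
    so they are flagged for review rather than allowed.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "review", "not a zip container; inspect as legacy OLE2 document"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        lower = [n.lower() for n in zf.namelist()]
    if any(n.endswith("vbaproject.bin") for n in lower):
        return "quarantine", "Office document contains a VBA macro project"
    if "[content_types].xml" in lower:
        return "allow", "Office document without macros"
    scripts = [n for n in lower if n.endswith(SCRIPT_EXTENSIONS)]
    if scripts:
        return "quarantine", "archive contains script file(s): " + ", ".join(scripts)
    return "allow", "archive without script content"

# Constructed samples, not captured from real campaigns.
SAMPLES = {
    "invoice.docm": _make_zip({"[Content_Types].xml": b"<Types/>",
                               "word/vbaProject.bin": b"constructed macro project"}),
    "report.docx": _make_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>"}),
    "scan.zip": _make_zip({"scan_0001.js": b"// constructed script stand-in"}),
    "photos.zip": _make_zip({"IMG_0001.jpg": b"\xff\xd8\xff\xe0"}),
    "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed OLE2 header",
}

def triage(samples=SAMPLES):
    """Classify every sample and return {filename: verdict}."""
    return {name: classify_attachment(data)[0] for name, data in samples.items()}
```

The check inspects container contents rather than trusting the file extension, which is why a macro project inside a file renamed to .docx is still quarantined.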

Protection
Symantec and Norton customers are protected against financial Trojans through our multilayered security approach:

  • Antivirus and Intrusion Prevention System (IPS) detections are in place for each of the discussed threat families
  • Browser protection can protect against web-based attacks that use exploits
  • Norton Safeweb blocks users from visiting malicious websites
  • Insight can proactively block files associated with financial Trojans and detect them as WS.Reputation.1
  • Behavior-based detection blocks suspicious processes using the SONAR series of detections
  • Email-filtering services such as Symantec Email Security.cloud can block emails associated with these attacks before they can reach users
  • Symantec Messaging Gateway’s Disarm technology can also protect computers from many email-borne attacks by removing the malicious content from the attached documents before they even reach the user
  • Symantec’s Advanced Threat Protection solution allows customers to uncover attacks that would otherwise evade detection
  • Symantec's Cyber Security Services can help organizations achieve a higher level of security with our leading cyber threat experts for global threat and adversary intelligence, advanced threat monitoring, cyber readiness, and incident response

If you want to learn more about threats to financial institutions, read our whitepaper: Financial threats 2015