Using financial Trojans to defraud customers of online banking services is still a popular method among cybercriminals looking to make a profit. Although we have seen a drop in the number of financial Trojans being detected, the Trojans are becoming more capable at what they do, and the threat they pose will remain for some time to come. Furthermore, criminals are increasingly targeting financial institutions directly, either with malware or through business email compromise (BEC) scams.
In order to keep abreast of the current threats facing the financial sector and its customers, Symantec analyzed hundreds of samples of financial Trojans and examined data and research gathered and conducted throughout 2015.
Drop in financial Trojan detections
For our research, we extracted configuration files from 656 active malware samples. Within those files, we found 2,048 target URL patterns, which show that the Trojans are targeting customers of 547 organizations in 49 countries.
The total number of financial Trojan detections continued to decrease in 2015, with a 73 percent drop compared to the previous year.
The US was again the country most infected with financial Trojans in 2015, followed by Germany and India. Given its size, the US, not surprisingly, also had the highest number of targeted organizations (141 institutions).
Why the drop?
Fluctuations are partially due to takedowns, arrests, and the varying effectiveness of different Trojan families; some cybercriminal groups who used to favor financial Trojans appear to have shifted to ransomware lately. In addition to these factors, security software has improved its proactive detection capabilities, for example by blocking users from visiting infected websites or preventing droppers from downloading the payload. This increased success in early prevention inevitably leads to fewer detections of Trojans on computers. Because the infection chain is cut short, we cannot always tell which malware would have been dropped had the attempt succeeded. The real number of attempts by cybercriminals to infect computers with financial fraud Trojans is therefore most likely far higher than the number of detected infections.
Financial Trojans up their game
Although there was a significant drop in financial Trojan detections, the prevalent malware families have become far more capable.
The average number of targeted organizations per sample in 2015 was 93, an increase of 232 percent over the previous year, indicating that each individual sample now casts a wider net in order to get more value out of every infection. The most frequently targeted bank of 2015 is located in the US and was targeted by 78.2 percent of the analyzed Trojans.
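As an added example (not Symantec's tooling or data), the following Python shows how figures like those quoted above, distinct URL patterns, number of targeted organizations, average targets per sample, and the most-targeted organization with the share of samples that target it, can be derived once the target URL patterns have been pulled out of each sample's configuration. The configs, sample names and bank domains are constructed placeholders, and the reduction of a pattern to an organization is a simplification (last two host labels, no public-suffix list), not the method used for the report.

```python
import re
from collections import Counter

# Constructed sample data (not from the report): per-sample URL patterns in
# the glob style financial Trojans use in their webinject/target lists.
# Sample IDs and bank domains are invented placeholders.
SAMPLE_CONFIGS = {
    "sample-001": [
        "https://*.bank-a.example/online/login*",
        "https://bank-a.example/*",
        "*bank-b.example/ebanking*",
        "https://secure.bank-c.example/auth/*",
    ],
    "sample-002": [
        "*/bank-a.example/*",
        "http*://*.bank-b.example/*",
    ],
    "sample-003": [
        "https://bank-a.example/online/*",
        "https://login.bank-d.example/*",
        "https://login.bank-d.example/*",   # duplicate pattern: counted once
        "not a url pattern",               # junk line: skipped
    ],
    "sample-004": [
        "https://*.bank-d.example/*",
    ],
}

SCHEME_RE = re.compile(r"^[a-z*]+://", re.I)              # "https://", "http*://", "*://"
HOST_RE = re.compile(r"^[a-z0-9*-]+(\.[a-z0-9*-]+)+$", re.I)


def target_domain(pattern):
    """Reduce one URL pattern to the registrable domain it targets, or None.

    Wildcard schemes, leading "*" / "*." / "*/" host globs and wildcard
    labels are stripped. The registrable domain is approximated as the last
    two labels (simplification: a public-suffix list would be needed to
    handle TLDs such as co.uk correctly).
    """
    rest = SCHEME_RE.sub("", pattern.strip())
    rest = rest.lstrip("*/.")
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    if not HOST_RE.match(host):
        return None
    labels = [label for label in host.split(".") if "*" not in label]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def targets_per_sample(configs):
    """Map each sample to the set of organizations (domains) it targets."""
    return {
        sample: {d for d in map(target_domain, patterns) if d}
        for sample, patterns in configs.items()
    }


def summarize(configs):
    """Aggregate the headline figures: patterns, organizations, targets per
    sample, and the organization present in the largest share of samples."""
    per_sample = targets_per_sample(configs)
    n_samples = len(per_sample)
    valid_patterns = {
        p.strip() for patterns in configs.values() for p in patterns if target_domain(p)
    }
    # How many samples target each organization (each sample counted once).
    prevalence = Counter(d for domains in per_sample.values() for d in domains)
    if not prevalence:
        return {"samples": n_samples, "url_patterns": 0, "organizations": 0,
                "avg_targets_per_sample": 0.0, "most_targeted": None,
                "most_targeted_pct": 0.0}
    top_domain, top_count = prevalence.most_common(1)[0]
    return {
        "samples": n_samples,
        "url_patterns": len(valid_patterns),
        "organizations": len(prevalence),
        "avg_targets_per_sample": sum(len(d) for d in per_sample.values()) / n_samples,
        "most_targeted": top_domain,
        "most_targeted_pct": round(100.0 * top_count / n_samples, 1),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CONFIGS).items():
        print(f"{key}: {value}")
```

On the constructed data this reports 9 distinct patterns across 4 samples targeting 4 organizations, 2.0 targets per sample on average, and bank-a.example as the most-targeted organization, present in 75.0 percent of samples. Deduplicating per sample before counting matters: the repeated login.bank-d.example pattern in sample-003 is one target, not two, and the junk line is dropped rather than inflating the organization count.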
Email still preferred distribution method
As previously reported, Symantec has seen millions of Dridex spam emails being sent out each day. This aligns with the 214 percent increase in Dridex detections registered from January to February 2016. In the same period, detection counts for nearly all other major financial Trojan families continued to drop, by approximately 20 percent. This shows that while some Trojan families are in decline, others are quick to take their place.
Criminals set their sights on the bigger prize
Another trend that has become evident over the last year is that cybercriminals are increasingly moving beyond targeting online banking customers and are instead targeting financial institutions directly. Examples include the repeated Carbanak attacks and the recent infiltration of the Bangladesh Bank, which according to news reports led to losses of up to US$100 million. The tactics are simple: through classical attack methods like spear-phishing, the targeted financial institution is compromised and a foothold is established. Once inside the financial institution's network, the attacker can wait and learn how money is transferred, issue fraudulent transactions, or orchestrate ATMs to dispense cash.
Yet another scheme that has become more prevalent among criminals is the BEC scam, whereby the finance department of a company is convinced to carry out a transaction in favor of the attacker. These attacks do not involve malware and do not tamper with the online banking service, but instead rely solely on social engineering. These scams are growing in frequency and, according to the FBI, are responsible for losses of over $740 million since 2013 in the US alone.