The war against financial malware
Ransomware makes more headlines, but conventional attacks on bank accounts and credit data remain a greater concern
Financial threats are still profitable for cybercriminals and remain an enduring part of the threat landscape, according to Symantec, the US-based cybersecurity software and services provider. While ransomware tends to make more headlines, a more significant threat is posed by the likes of financial trojans that attack online banking, attacks against ATMs and fraudulent interbank transactions.
Symantec noted an increase in attacks against corporations and financial institutions in 2016, including a series of high-value heists targeting the Swift (Society for Worldwide Interbank Financial Telecommunication) system. Several institutions lost millions to cybercriminals and state-supported attackers such as the Lazarus group.
“On average, 38% of the financial threats we detected in 2016 were found in large business locations,” said Symantec. “Most were not targeted attacks but took the form of widespread email campaigns. Although we saw a 36% decrease in detection numbers for financial malware in 2016, this was mainly due to earlier detection … and more focused attacks.”
With more than 1.2 million annual detections, the number of financial threats is still 2.5 times greater than that of ransomware. The financial Trojan threat landscape is dominated by three malware families — Ramnit, Bebloh and Zeus (Trojan.Zbot) — that were responsible for 86% of all such activity in 2016. However, arrests, takedowns and regrouping have helped reduce the threat. For example, Bebloh all but vanished in 2017 after the Avalanche takedown. Many new variants of these families have appeared or re-appeared on the market, each focusing on a specific niche. The attackers mainly use scam email campaigns with little variation and simple attachments.
Japan was the main focus of 90% of the activity by the financial Trojans Bebloh and Snifula in 2016. Globally, financial institutions in the US were targeted the most by the samples analysed by Symantec, followed by Poland and Japan.
Infection vectors for financial Trojans have not changed much. Distribution relies mainly on spam email with malicious droppers attached and on web exploit toolkits. The already well-known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment forms have also been used in massive spam runs to distribute malware.
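A mail-gateway check for the attachment types described above, added here as an example and not taken from the article or from Symantec: it walks a raw message's attachments, flags VBS/JS script files (also when wrapped in a ZIP, one level deep) and flags Office documents that carry a VBA macro container. The OOXML detail it relies on is real (macro-enabled Office documents are ZIP archives containing a `vbaProject.bin` entry); the sample message and file names are constructed for the demonstration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
SCRIPT_EXTS = {".vbs", ".js"}   # script droppers the article names; extend as needed
OFFICE_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}

def zip_entries(data: bytes):  # {name: bytes} if data is a ZIP container (OOXML is), else None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {n: zf.read(n) for n in zf.namelist()}
    except zipfile.BadZipFile:
        return None

def inspect_blob(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    """Classify one attachment, descending one level into ZIP wrappers."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    entries = zip_entries(data)
    if ext in SCRIPT_EXTS:
        findings.append((name, "script attachment"))
    elif ext in OFFICE_EXTS and entries and any(n.lower().endswith("vbaproject.bin") for n in entries):
        findings.append((name, "office document with VBA macro"))  # macro-enabled OOXML ships vbaProject.bin
    elif ext == ".zip" and entries and depth < 1:
        for inner, blob in entries.items():
            inspect_blob(f"{name}/{inner}", blob, findings, depth + 1)

def flag_attachments(raw: bytes) -> list:
    """Return (attachment name, reason) pairs for every risky attachment in a raw RFC 822 message."""
    findings: list = []
    for part in email.message_from_bytes(raw, policy=policy.default).iter_attachments():
        inspect_blob(part.get_filename() or "unnamed", part.get_payload(decode=True) or b"", findings)
    return findings

def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed sample mail: a macro-enabled .docm, a zipped .js and a clean .docx."""
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(_zip_bytes({"word/document.xml": "<w/>", "word/vbaProject.bin": b"\x00"}),
                       maintype="application", subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(_zip_bytes({"invoice.js": "WScript.Echo(1)"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(_zip_bytes({"word/document.xml": "<w/>"}),
                       maintype="application", subtype="octet-stream", filename="clean.docx")
    return msg.as_bytes()
```

Legacy binary .doc/.xls files are not ZIP containers, so this check only covers the OOXML macro case for them; pair it with an OLE parser for full coverage.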
Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just one in 9,138 emails in March 2017, from one in 3,000 a year earlier. Simple phishing no longer works against most financial institutions, as they rarely rely on static passwords alone. However, phishing attacks can still be successful in stealing online retail account credentials and credit card details.
ATM malware, meanwhile, has been around for 10 years but is still effective. However, since chip cards have begun to spread outside of Europe, we have seen a decrease in classic memory-scraping threats, as they are no longer efficient for the attackers.
There are various degrees of sophistication when it comes to ATM attacks. For some attacks, the criminals need physical access to the ATM's computer, which they get by opening the cover with a stolen key or picking the lock.
Once they have access to a USB port or the CD-ROM they can install malware and attach a keyboard to issue commands. Similar attacks have been reported in hotels where attackers used the USB ports on the backs of check-in computers to install malware. In retail stores, attackers added their sniffer to an exposed network port inside the shop. This allows them to compromise any attached POS device and scrape the memory for payment card information.
In the mobile world, threats against the Android operating system focus mainly on form overlay attacks or fake online banking apps. Symantec reports seeing more than 170 mobile apps targeted by malware. Mobile threats are still relevant as many financial institutions have deployed two-factor authentication through mobile phone applications.
“As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorising fraudulent transactions,” said Symantec. “The end user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.”
When a cyber attacker successfully compromises an internal network, they can steal any credentials that will help maximise their profits. This could mean stealing online banking credentials, sensitive personal data or other passwords.
Once a system is compromised, cyber attackers can use any stolen information to spread their malware further, or even sell it on underground forums. Credit card details are still the most sold digital product on underground forums, while bank account access information is priced according to the account balance. For example, an account with US$1,000 in it can be sold for $10. An account with a greater balance will be offered for a larger sum.
Attacks target not only bank customers but in some cases the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent interbank transactions.
In the event of a cyber breach, companies’ losses extend far beyond just monetary value. Their reputation and customers’ trust — areas that take time and effort to develop — will also be damaged.
“We expect financial threats to remain a problem for end users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them,” said Symantec.
A multilayered approach to security minimises the chance of infection. This includes preventing incursions, containing any attacks that do occur, and responding to incidents by learning from them and improving defences.
Rattipong Putthacharoen is system engineer lead for Thailand, Cambodia, Laos and Myanmar with Symantec.