Banking Trojan Infections Plummeted 73% in 2015

Financial Trojan detections have registered a 73 percent drop in 2015 when compared to the previous year, a new report from Symantec reveals.

According to the security firm, while detections have dropped significantly, the threat is still active and Trojans are becoming more advanced in terms of their capabilities. Furthermore, the company says that cybercriminals are increasingly targeting financial institutions via malware or through business email compromise (BEC) scams.

Symantec’s Financial Threats 2015 whitepaper reveals that the primary distribution vector for financial fraud malware is malicious attachments in spam email, and that adversaries continued to use Office documents containing malicious macros as droppers in 2015.

Fortunately, Microsoft this week announced a new macro blocking feature in Office 2016 designed to counter the use of malicious macros to deliver malware.

Zeus (also known as Trojan.Zbot) was the malware responsible for the largest number of financial Trojan detections last year, with just under one million. However, this was a significant drop from the 4 million infections registered in 2014, continuing an earlier trend that suggests criminals are moving to newer financial malware families.

The drop in Zeus infections is attributed to a takedown operation conducted in 2014, similar to the action taken against the Dyre group in November 2015. Following law enforcement actions, the Dyre botnet has remained inactive, yet a similar operation conducted against Dridex in October was unsuccessful, with the Trojan again achieving high infection rates only one month later.

In fact, the report also reveals that Dridex/Cridex, the second most used financial Trojan, more than doubled its number of infections year-on-year in 2015, while Dyre, the third in line, dropped to nearly half of its previous count. Last year, Dridex targeted a total of 315 different institutions and was most active in May and June.

A total of 547 institutions in 49 countries were targeted by no less than 656 financial Trojans in 2015, Symantec’s report reveals. According to the security company, the average number of targeted organizations per sample was 93 in 2015, which marked an increase of 232 percent over the previous year.

The two most targeted banks were located in the United States, being attacked by 78.2 percent and 77.90 percent of all analyzed Trojans, respectively. Next in line were two banks in the United Kingdom, with 69.36 percent each, followed by a US financial services group with 69.05 percent, and another UK bank, with 68.45 percent of malware targeting it.

However, the geographical distribution of financial Trojans shows that banks in other countries are targeted as well, including Spain, Russia, Canada, Switzerland, Australia, Ireland, Germany, and India. In fact, while the US was the most targeted country, Germany and India ranked second and third, respectively, followed by Japan and the United Kingdom.

Some of the analyzed threats had a narrow geographical focus and were not distributed internationally, Symantec said. Such is the case with Shifu, which was found mainly in Japan last year, although it infected a very small number of computers in the UK, USA, and other countries as well. Shifu targeted a total of 16 financial institutions last year, Symantec says.

To increase their effectiveness, threat groups also started targeting mobile phone users, refining their malware to circumvent two-factor authentication systems and ensure successful credential theft. The Bankosy Trojan for Android is one such example, as it was designed to defeat even 2FA systems that deliver one-time codes through voice calls.

Cybercriminals behind financial Trojans used multiple attack methods, ranging from man-in-the-browser attacks to redirections, the whitepaper reveals. In terms of infection vectors, malicious emails (including Office documents containing malicious macros as attachments) were the most common, followed by drive-by download sites, social engineering, and supply chain hacks.