
Financial Malware Fell in 2014 As Takedown Operations Have Impact

One takedown at a time, security researchers and law enforcement were able to make a dent in financial cyber-crime last year.

According to Symantec, the number of detections of financial malware dropped off significantly in 2014. The total number of common financial Trojans detected decreased by 53 percent, while financial phishing emails fell by 74 percent. The U.S. had the most detections, with the UK and Germany rounding out the top three. 

Overall, customers of 1,467 financial institutions were targeted by the Trojans Symantec observed. The most targeted institution is located in the U.S. and was the target of 95 percent of the Trojans. 

While some malware families such as Trojan.Shylock nearly disappeared, others such as the new spin-off threat Infostealer.Dyranges stepped into the void, Symantec security researcher Candid Wueest wrote in a blog post.

"In the U.S., there is a larger number of potential organizations to target, many of whom conduct banking online and have more wealth across the board, making the U.S. a good target for the attacker in terms of revenue per infection," he told SecurityWeek. "Additionally, English is well-understood as a language for international criminal activity."

Stolen bank accounts are sold for 5 to 10 percent of the balance value on underground cybercrime forums, according to Symantec.

"Stolen bank accounts do have a short shelf life and criminals intend to sell them quickly before the accounts get suspended," he said. "There is a constant supply of new compromised accounts and often the money mule accounts are the bottleneck."

"Furthermore," he added, "with many banks implementing [two-factor authentication] or additional transaction verification steps it is getting harder for the criminals to misuse bank account credentials without having direct access to the victim's machine. These factors lower the usefulness of the compromised accounts and with this the price tag drops."

What institutions are targeted depends on the Trojan's configuration file and the attacker's methods, said Wueest. The type and number of targeted institutions vary both within and across malware families.

"Different global factors can also influence attackers’ decisions, such as spoken languages and regions where international transactions are more difficult to conduct and require local steps to launder the money," he explained.

According to Wueest, the drop-off in detections was partially linked to a few takedown and arrest operations that occurred during the year. For example, law enforcement teamed up with the security community to go after the infamous Gameover Zeus botnet. The operation led to the indictment of Evgeniy Mikhailovich Bogachev of Russia, who is now the subject of a $3 million reward offered by the FBI.

In July 2014, an operation led by the UK National Crime Agency (NCA) and European Cybercrime Centre (EC3) at Europol resulted in the seizure of command and control servers and domains used by Trojan.Shylock. Shylock has been observed being distributed by at least five different exploit kits, including Nuclear and Blackhole. After the takedown, the number of Shylock infections fell by more than half, according to Symantec.

"Malware author arrests often lead to an end of support situation for threat families, causing the malware’s usage to drop and shift," Wueest said. "Cybercrime won’t disappear overnight, but the continued collaboration efforts between law enforcement and private industry will make it harder for cybercriminals to operate." 

In addition to continued collaboration between law enforcement and the private sector, Wueest believes financial institutions are helping to turn the tide by adopting stronger security measures like chipTAN, though the adoption rate remains slow.

"Institutions that persist with weaker security measures will continue to be targeted by attackers," he told SecurityWeek. "Strong security measures will deter attackers from pursuing these institutions in favor of vulnerable institutions where existing attack techniques are successful. As long as institutions continue to use weak security measures, large-scale financial fraud will continue to be a lucrative enterprise for attackers."
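The reason transaction-bound schemes such as chipTAN blunt stolen credentials and man-in-the-browser tampering is that the one-time code is computed over the recipient and amount the user sees, not just over a counter. The following is an added illustration written for this page, not Symantec's or any bank's code, and not the real chipTAN protocol (which computes the code on the EMV chip from data transferred optically to the reader); it models the same idea with an HMAC over an assumed `recipient|amount|counter` encoding, a constructed per-card secret, and constructed account numbers.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient_iban: str
    amount_cents: int


def transfer_bytes(t: Transfer, counter: int) -> bytes:
    """Canonical encoding of the data the TAN is bound to (assumed format)."""
    return f"{t.recipient_iban}|{t.amount_cents}|{counter}".encode()


def generate_tan(card_secret: bytes, t: Transfer, counter: int, digits: int = 6) -> str:
    """Transaction-bound TAN: HMAC over recipient, amount and a monotonic
    counter, truncated to a decimal code (HOTP-style truncation, RFC 4226).
    Simplified model of what a chipTAN reader does; not the real algorithm."""
    mac = hmac.new(card_secret, transfer_bytes(t, counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Bank:
    """Server side: recomputes the TAN over the submitted transaction data."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret
        self._last_counter = 0  # highest accepted counter, blocks replay

    def submit(self, t: Transfer, counter: int, tan: str) -> bool:
        if counter <= self._last_counter:
            return False  # replayed or stale TAN
        expected = generate_tan(self._secret, t, counter)
        if not hmac.compare_digest(expected, tan):
            return False  # TAN was not computed over this recipient/amount
        self._last_counter = counter
        return True


def run_scenarios() -> dict:
    secret = b"constructed-per-card-secret-not-a-real-key"  # constructed sample
    bank = Bank(secret)
    intended = Transfer("DE00000000000000000000", 12_500)  # constructed, 125.00
    mule = Transfer("DE99999999999999999999", 480_000)     # constructed mule account

    # 1. The reader shows the user the intended recipient/amount and computes
    #    the TAN over exactly that data; the bank recomputes and accepts.
    tan1 = generate_tan(secret, intended, 1)
    legitimate = bank.submit(intended, 1, tan1)

    # 2. A man-in-the-browser lets the user approve `intended` on the reader,
    #    then rewrites the form before submission. The TAN is bound to the
    #    original data, so the bank's recomputation does not match.
    tan2 = generate_tan(secret, intended, 2)
    tampered = bank.submit(mule, 2, tan2)

    # 3. Replaying an already-used TAN fails the counter check even though
    #    the transaction data is unchanged.
    replayed = bank.submit(intended, 1, tan1)

    return {"legitimate": legitimate, "tampered_by_mitb": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(run_scenarios())
```

The scenario this does not cover is a man-in-the-browser that rewrites the transaction before it reaches the reader; there the defence is the user comparing the recipient and amount displayed on the reader with what they intended, which is why the reader has its own display rather than trusting the browser.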
