
Financial Malware Fell in 2014 As Takedown Operations Have Impact

One takedown at a time, security researchers and law enforcement were able to make a dent in financial cyber-crime last year.


According to Symantec, the number of financial malware detections dropped significantly in 2014. The total number of common financial Trojans detected decreased by 53 percent, while financial phishing emails fell by 74 percent. The U.S. had the most detections, with the UK and Germany rounding out the top three.

Overall, customers of 1,467 financial institutions were targeted by the Trojans Symantec observed. The most targeted institution is located in the U.S. and was on the target list of 95 percent of the Trojans.

While some malware families such as Trojan.Shylock nearly disappeared, others such as the new spin-off threat Infostealer.Dyranges stepped into the void, blogged Symantec security researcher Candid Wueest.

“In the U.S., there is a larger number of potential organizations to target, many of whom conduct banking online and have more wealth across the board, making the U.S. a good target for the attacker in terms of revenue per infection,” he told SecurityWeek. “Additionally, English is well-understood as a language for international criminal activity.”

Stolen bank accounts are sold for 5 to 10 percent of the balance value on underground cybercrime forums, according to Symantec.

“Stolen bank accounts do have a short shelf life and criminals intend to sell them quickly before the accounts get suspended,” he said. “There is a constant supply of new compromised accounts and often the money mule accounts are the bottleneck.”

“Furthermore,” he added, “with many banks implementing [two-factor authentication] or additional transaction verification steps it is getting harder for the criminals to misuse bank account credentials without having direct access to the victim’s machine. These factors lower the usefulness of the compromised accounts and with this the price tag drops.”

What institutions are targeted depends on the Trojan’s configuration file and the attacker’s methods, said Wueest. The type and number of targeted institutions vary both within and across malware families.

“Different global factors can also influence attackers’ decisions, such as spoken languages and regions where international transactions are more difficult to conduct and require local steps to launder the money,” he explained.

According to Wueest, the drop-off in detections was partially linked to a few takedown and arrest operations that occurred during the year. For example, law enforcement teamed up with the security community to go after the infamous Gameover Zeus botnet. The operation led to the indictment of Evgeniy Mikhailovich Bogachev of Russia, who is now the subject of a $3 million reward offered by the FBI.

In July 2014, an operation led by the UK National Crime Agency (NCA) and European Cybercrime Centre (EC3) at Europol resulted in the seizure of command and control servers and domains used by Trojan.Shylock. Shylock has been observed being distributed by at least five different exploit kits, including Nuclear and Blackhole. After the takedown, the number of Shylock infections fell by more than half, according to Symantec.

“Malware author arrests often lead to an end-of-support situation for threat families, causing the malware’s usage to drop and shift,” Wueest said. “Cybercrime won’t disappear overnight, but the continued collaboration efforts between law enforcement and private industry will make it harder for cybercriminals to operate.”

In addition to continued collaboration between law enforcement and the private sector, Wueest believes financial institutions are helping to turn the tide by adopting stronger security measures like chipTAN, though the adoption rate remains slow.

“Institutions that persist with weaker security measures will continue to be targeted by attackers,” he told SecurityWeek. “Strong security measures will deter attackers from pursuing these institutions in favor of vulnerable institutions where existing attack techniques are successful. As long as institutions continue to use weak security measures, large-scale financial fraud will continue to be a lucrative enterprise for attackers.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
