Qakbot Trojan Targets Business Accounts at Financial Institutions
On Monday, RSA released the findings of its monthly Online Fraud Report for October 2010. The latest fraud report puts a particular focus on the Qakbot Trojan, and while Qakbot isn’t new (it attacked the UK’s National Health Service earlier this year), RSA has identified several attributes that make this Trojan stand out from the crowd.
Qakbot is the first Trojan seen to exclusively target business and corporate financial accounts and is designed to spread like a worm—infecting multiple machines at a time—while also stealing data like an ordinary Trojan such as Zeus. Additionally, Qakbot appears to be the first Trojan to separate out targeted credentials, from other stolen information on the client side rather than in a drop zone.
Additionally, the latest online fraud report shows that September was the seventh consecutive month nationwide banks in the U.S. continued to be targeted most by cybercriminals, taking 64 percent of all attacks.
The detail of information captured by Qakbot is astonishing. RSA notes that “Every time an infected user accesses a website, the Trojan organizes data transmitted from the victim’s machine into three separate files: System Information (IP address, DNS server, country, state, city, software applications installed), Seclog (HTTP/S POST requests), and Protected Storage (information saved in the Internet Explorer Protected Storage and auto complete credentials including usernames, passwords, and browser history).” Capturing all this data actually helps cybercriminals build their own “intelligence centers” which can help them develop more effective attacks in the future. After all, cybercrime organizations have business models too.
According to the report, RSA identified 16,274 worldwide phishing attacks in September – a nine percent decrease from August. The bulk of the decrease can be directly attributed to fewer attacks on those organizations that are typically heavily targeted. Many reports have also suggested that phishing organizations have changed strategies and have switched to distributing malware instead. According to the most recent APWG Global Phishing Survey, activity from the Avalanche phishing gang, the world’s most prolific phishing group, dropped significantly as a result of changing strategies to malware distribution.
In September, RSA says 178 brands were attacked, an 18 percent decrease from August in which 216 brands were attacked, the first time in over a year that the number of targeted brands fell below 200.
The full RSA Online Fraud Report, October 2020 is available here.
Be Informed. Subscribe to the SecurityWeek Email Briefing Here >
Tags: Qakbot, malware, cybercrime, financial malware, latest cyber threats