Financial Malware on the Rise – More Damaging than Ransomware

Ransomware has evolved rapidly over the past two years. New variants are now released on an almost daily basis, and this year has seen a massive explosion in the number of new strains. Could any network security threat be more damaging than ransomware?

Last month, a group of hackers pulled off a bank heist of over $60 million from a series of Taiwanese bank servers. The cybercriminals infiltrated the network of the Far Eastern International Bank in Taiwan and planted malware on its PCs and servers. They then gained access to the bank's connection to SWIFT, the interbank messaging system used to send money securely around the world. The hackers began moving money out of the bank to locations in the US, Cambodia, and Sri Lanka until staff members noticed the transactions. Fortunately, nearly all of the funds were recovered. This was not the first attack to abuse SWIFT: in February 2016, another group of hackers nearly got away with a series of transfers totaling nearly $1 billion. That single heist would have equaled the entire proceeds generated by ransomware last year.

While ransomware has stolen most of the headlines over the past two years, financial malware continues to stealthily conduct its sinister deeds, stealing millions of dollars each year. In fact, according to Symantec, financial malware is 2.5 times more prevalent than other threat types. Financial threats involve not only fraudulent interbank transactions but also targeted online transactions, ATMs, and point-of-sale machines. Some 38% of all financial cyber threats are targeted against corporations; the time and effort required can be extensive, but the potential payout can be enormous. Everyone in the world today with any type of online account or credit card is susceptible and needs to be aware of this colossal threat.

For small businesses and ordinary users, financial cybercrime is dominated by three well-known Trojans: Ramnit, Bebloh, and Zeus, which combined were responsible for 86% of all financial attack activity in 2016. The market breakdown between the three Trojans looked like this:

  • Ramnit (38% of attacks)
  • Bebloh (25% of attacks)
  • Zeus (23% of attacks)

Ramnit was introduced as a Trojan in 2011 and alone is responsible for as many attacks as ransomware since its inception. It is known as one of the top five banking Trojans in the world, and despite being nearly eradicated by authorities in 2015, it has made a dramatic comeback in 2017. Zeus is another Trojan designed to steal private data from infected systems, such as passwords, banking credentials, and other financial details. It has existed since 2007 and is responsible for the loss of hundreds of millions of dollars. Other financial Trojans have made their presence felt from time to time, such as Dridex, which was responsible for the loss of $40 million in 2015. To help spread these Trojans, hackers have even begun purchasing financial-related search keywords to direct users to trojanized malicious links.

All of these malware threats follow the same basic model:

  • A user’s PC is infected with financial malware, either from a drive-by website, an email attachment, or a Trojan disguised as an installation file that the user willingly installs on his or her device, thinking it is a game or some other legitimate application
  • The hacker takes control of the user’s device and begins to steal credentials and other sensitive information through keylogging or screenshot capture
  • The hacker then uses the stolen data to create fraudulent transactions and clean out the account before being discovered

How hackers operate in the financial sector. 

Another approach to financial malware is to redirect the user to a fraudulent site that emulates an actual banking site. This type of attack is usually distributed through email phishing, in which thousands of emails are sent claiming some type of urgency concerning an online banking account. The email may even include the financial institution's actual banner image to look more authentic. The objective is always the same: to entice the user to click an embedded link that directs them to the hacker’s fraudulent site. As the victim enters their credentials, the malware relays the logon to the legitimate bank site in real time. It will even forward SMS confirmations or other multifactor codes. The hacker then uses the stolen credentials, or the open session itself, to empty the account.

New malware strains

With the proliferation of both online banking and shopping, hackers continue to create new ways to infiltrate devices beyond the traditional methods. Because more banking and online retail customers are using phones and mobile apps, new malware strains such as “Invisible Man” are being released. Invisible Man targets Android devices and deceives smartphone users by disguising itself as a Flash Player update. Once installed, the malware captures keystrokes to obtain banking credentials and credit card numbers, which are then forwarded to the hackers.

Another malware application, Android.Fakebank.B, also targets Android devices, searching the phone for banking apps and even reading saved SMS messages. It then uses this information to obtain banking credentials. Hackers are even poisoning Google searches for banking keywords. Certainly, the innovation and creativity behind financial malware knows no bounds.