Security Market Segment LS
Wednesday, 23 March 2016 17:04

Financial threats make money – lots of it


Financial gain is still the major motivation behind most cybercriminal activities, and there is little chance of this changing in the near future.

According to Symantec’s latest Financial Threats update the attacks still mostly rely on email, social engineering, and man-in-the-middle (MitM) manipulation through browser web injects.

MitM allows the Trojan to locally modify all traffic to and from the browser, allowing for social engineering or transactions to take place in the background. Readymade web injects are sold for less than US$100 on underground markets.

Redirect attacks are also used. The attacker waits until the victim logs into the desired online service. Depending on the authentication scheme the attacker can:

  • steal the credentials for later use and then redirect the user to the original site
  • act as a completely transparent proxy and modify any transactions that take place
  • or use a fake copy of the bank website, extract as much data from the user as needed to create a new session and conduct fraudulent transactions in the background

Most of the financial Trojans contain functionality to log keystrokes, take screenshots, and upload and download files. Besides these typical features, they may also have additional capabilities that go beyond defrauding online banking customers. The groups behind these threats have been branching out to gather other credentials that could yield a profit, such as account credentials for media streaming services that can be sold on underground forums, or credentials for career and HR related websites.

Other threats can also be downloaded by the attackers. Dyre, for example, has downloaded ransomware and a spam bot that helped propagate the threat further.

Cybercriminals behind these threats have well-established methods to circumvent two-factor authentication (2FA) and attack mobile banking. We have also seen an increase in redirection attacks, where the victim is rerouted to a fake website that handles the manipulation of traffic sent from and to the client.

One evident trend over the last year is that cyber criminals are increasingly moving beyond banking customers and are now also targeting financial institutions directly. Once inside the financial institution’s network, the attacker can learn how to transfer money, issue fraudulent transactions, or orchestrate ATMs to dispense cash.

Another prevalent scheme is the business email compromise (BEC) scam, whereby the financial department of a company is convinced to carry out a transaction in favour of the attacker. These BEC attacks do not involve malware and do not tamper with the online banking service, but instead rely solely on social engineering.

Symantec's key findings include:

  • Financial Trojan detections year-over-year dropped 73%
  • The primary distribution vector was via malicious spam email attachments – usually Office documents containing malicious macros as droppers
  • 547 institutions in 49 countries were targeted by the 656 analysed financial Trojans (previously 93 in 2015, an increase of 232%)
  • The average number of targeted URL patterns per sample was 283 in 2015, an increase of 405%
  • Dridex (W32.Cridex) targeted a total of 315 different institutions; Shifu (Infostealer.Shifu) targeted 16
  • 78.2% of all Trojans targeted US banks, followed by Germany, India, Japan and the UK. Australia rates ninth (behind Russia)
  • Dridex infections increased by 107% making it the fastest growing family of financial Trojans
  • Redirection attacks have increased again
  • Stolen accounts are sold for 5-10 percent of the balance value
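The findings above name malicious spam attachments (Office documents carrying macro droppers) as the primary distribution vector. As an added defensive illustration, not code from Symantec or iTWire, the following mail-gateway style check triages an attachment by its extension, container format and embedded VBA parts; the file names, sample documents and helper names are constructed for this example.

```python
import io
import os
import zipfile

# Extensions that Office treats as macro-enabled (OOXML formats).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Zip part names inside an OOXML package that hold VBA code or its metadata.
MACRO_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")
# Magic bytes of the legacy OLE2 compound file format (.doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def macro_indicators(filename: str, data: bytes) -> list[str]:
    """Return reasons an attachment should be held for sandboxing; empty list = no macro signs."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")
    if data.startswith(OLE2_MAGIC):
        # Legacy binary documents keep VBA inside OLE2 streams; this lightweight check does
        # not parse OLE2, so the safe decision is to route them to deeper inspection.
        reasons.append("legacy OLE2 container (macros cannot be ruled out here)")
        return reasons
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                for name in package.namelist():
                    # A vbaProject.bin part is flagged regardless of extension: a VBA part in a
                    # file named .docx is a mismatch that deserves a look in its own right.
                    if name.lower().endswith(MACRO_PART_SUFFIXES):
                        reasons.append(f"embedded VBA part {name}")
                        break
        except zipfile.BadZipFile:
            reasons.append("OOXML extension but unreadable zip structure")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML attachment (a minimal zip, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each attachment name to its indicators; only flagged attachments are returned."""
    return {name: r for name, data in attachments.items() if (r := macro_indicators(name, data))}
```

Running `triage` over a message's attachments gives the gateway a per-file list of reasons to hold the mail, so the decision to sandbox or release is recorded alongside the evidence.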

The underground financial fraud community is well organized. Everything from malware kits to distribution services to scam configurations is sold or rented out for cash on the dark web. It offers specialised and dedicated services for “cash out” (a term meaning to get money from victim accounts) and for any other aspect of the scam life cycle – fake web pages, suggested spam email copy, etc.

Ray Shaw


Ray Shaw [email protected]  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!