According to Symantec’s latest Financial Threats update, financial Trojan attacks still rely mostly on email, social engineering, and man-in-the-middle (MitM) manipulation through browser web injects.
In this setting the MitM is the Trojan itself, hooked into the browser on the infected machine, so it can modify all traffic to and from the bank after TLS has been decrypted; the padlock still shows a valid certificate. This lets the attacker add social-engineering content to genuine bank pages (for example a request for extra credentials) or initiate transactions in the background without the user seeing them. Readymade web injects are sold for less than US$100 on underground markets.
Redirect attacks, in which the infected machine sends the victim to attacker-controlled infrastructure instead of the genuine banking site, are also used. The attacker waits until the victim logs into the targeted online service. Depending on the authentication scheme, the attacker can:
- steal the credentials for later use and then redirect the user to the original site
- act as a completely transparent proxy and modify any transactions that take place
- or serve a fake copy of the bank website, extract as much data from the user as needed to create a new session, and conduct fraudulent transactions in the background
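To make the web inject mechanics described above concrete, here is an added example; it is not from the Symantec report or from any real Trojan. It parses a small inject configuration, applies it to a sample login page for a URL that matches the configured pattern, and then runs the kind of allow-list check a bank might use to spot fields it never served. The configuration layout follows the widely documented Zeus-style webinject format (set_url / data_before / data_after / data_inject / data_end blocks), but the parsing semantics implemented here are a simplification, and the hostname, the inject, the login form and the allow list are all constructed for this example.

```javascript
// Added example (not from the Symantec report or any real Trojan): a minimal
// model of a browser web inject and a bank-side integrity check. The config
// layout follows the Zeus-style webinject format; semantics are simplified.

// Constructed inject: on the login page, replace what sits between the
// password field and the submit button with a fake "Card PIN" field.
const SAMPLE_INJECT_CONFIG = `
set_url https://onlinebanking.example.test/login* GP
data_before
<input type="password" name="pass"*>
data_end
data_after
<button
data_end
data_inject
<label>Card PIN</label><input type="text" name="pin" maxlength="4">
data_end
`;

// Constructed sample of the genuine login form as served by the bank.
const SAMPLE_LOGIN_PAGE = `<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass" autocomplete="off">
<button type="submit">Log in</button>
</form>`;

// Parse set_url entries and their data_* blocks. Flags after the URL (request
// method letters in the original format) are kept but not interpreted here.
function parseWebInjectConfig(text) {
  const entries = [];
  let current = null;
  let section = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (section) {
      if (line === 'data_end') { section = null; continue; }
      current[section] += (current[section] ? '\n' : '') + rawLine;
    } else if (line.startsWith('set_url ')) {
      const [, pattern, flags = ''] = line.split(/\s+/);
      current = { pattern, flags, before: '', after: '', inject: '' };
      entries.push(current);
    } else if (/^data_(before|after|inject)$/.test(line)) {
      if (!current) throw new Error('data block before any set_url');
      section = line.slice('data_'.length);
    }
  }
  return entries;
}

// '*' is the only wildcard in the config; everything else is literal.
function globToRegex(glob) {
  const escaped = glob.split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(escaped.join('[\\s\\S]*?'));
}

function urlMatches(pattern, url) {
  return new RegExp('^' + globToRegex(pattern).source + '$').test(url);
}

// Apply every matching inject: the injected markup replaces whatever lies
// between the data_before match and the next data_after match (an empty
// data_after turns this into a pure insertion after data_before).
function applyInjects(html, url, entries) {
  let out = html;
  const applied = [];
  for (const entry of entries) {
    if (!urlMatches(entry.pattern, url)) continue;
    const before = globToRegex(entry.before).exec(out);
    if (!before) continue;
    const start = before.index + before[0].length;
    const after = globToRegex(entry.after).exec(out.slice(start));
    if (!after) continue;
    out = out.slice(0, start) + entry.inject + out.slice(start + after.index);
    applied.push(entry.pattern);
  }
  return { html: out, applied };
}

// Defensive counterpart: list input names the genuine page should not carry.
// The allow list is the bank's knowledge of its own form (an assumption here).
function unexpectedInputNames(html, allowedNames) {
  const found = [];
  const inputRe = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    if (!allowedNames.includes(m[1])) found.push(m[1]);
  }
  return found;
}

function runExample() {
  const entries = parseWebInjectConfig(SAMPLE_INJECT_CONFIG);
  const url = 'https://onlinebanking.example.test/login?lang=en';
  const tampered = applyInjects(SAMPLE_LOGIN_PAGE, url, entries);
  return { ...tampered, suspicious: unexpectedInputNames(tampered.html, ['user', 'pass']) };
}

console.log(JSON.stringify(runExample(), null, 2));
```

Because the Trojan performs the rewrite inside the browser process, the server never sees the altered page, only the extra `pin` field that comes back in the POST, and a client-side DOM check like `unexpectedInputNames` can itself be removed by a second inject. Treat such checks as a signal, not a control: unexpected posted fields should be logged and alerted on server-side, and transaction integrity should rest on out-of-band confirmation that the infected browser cannot alter.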
Most financial Trojans contain functionality to log keystrokes, take screenshots, and upload and download files. Beyond these typical features, they may also have capabilities that go past defrauding online banking customers. The groups behind these threats have been branching out to gather other credentials that can be turned into profit, such as accounts for media streaming services, which are sold on underground forums, or credentials for career and HR related websites.
The download capability also lets the attackers install other threats. Dyre, for example, has downloaded ransomware and a spam bot that helped propagate the threat further.
One evident trend over the last year is that cyber criminals are increasingly moving beyond banking customers and are now also targeting financial institutions directly. Once inside a financial institution’s network, the attacker can learn how money is transferred, issue fraudulent transactions, or instruct ATMs to dispense cash.
Another prevalent scheme is the business email compromise (BEC) scam, whereby the financial department of a company is convinced to carry out a transaction in favour of the attacker. These BEC attacks do not involve malware and do not tamper with the online banking service, but instead rely solely on social engineering.
Symantec's key findings include:
- Financial Trojan detections dropped 73% year-over-year
- The primary distribution vector was via malicious spam email attachments – usually Office documents containing malicious macros as droppers
- 547 institutions in 49 countries were targeted by the 656 analysed financial Trojans (previously 93 in 2015, an increase of 232%)
- The average number of targeted URL patterns per sample was 283 in 2015, an increase of 405%
- Dridex (W32.Cridex) targeted a total of 315 different institutions; Shifu (Infostealer.Shifu) targeted 16
- 78.2% of all Trojans targeted US banks, followed by Germany, India, Japan and the UK; Australia ranks ninth (behind Russia)
- Dridex infections increased by 107% making it the fastest growing family of financial Trojans
- Redirection attacks have increased again
- Stolen accounts are sold for 5-10 percent of the balance value
The underground financial fraud community is well organized. Everything from malware kits to distribution services to scam configurations is sold or rented out for cash on the dark web. It offers specialised and dedicated services for “cash out” (a term meaning to get money out of victim accounts) and for every other aspect of the scam life cycle: fake web pages, suggested spam email copy, etc.