Malware operators are joining forces, installing each others’ tools on compromised computers to target a wider range of victims, and possibly also sharing the work of harvesting funds using stolen account details.

Samples of the IceID banking trojan have been observed downloading and installing the more prolific Trickbot, according to a study issued by “Deep and Dark Web” intelligence firm Flashpoint. Amid the growing sophistication of the cybercriminal economy, such cooperation between previously rival cybercrime gangs could lead to more people having their bank accounts plundered by fraudsters.

Crime gangs tend to be targeted in their attacks, tailoring their malware for a specific handful of financial institutions. By teaming up and pooling resources, scammers can link their malware another group's malware, thus targeting a wider range of financial institutions.

In the past, rival gangs have regularly battled for control of infected systems, removing or disabling each others’ malware to ensure each victim computer is “owned” by a single group. Signs that this approach was changing have been emerging for a while; over the last few years, a complex web of interconnection between criminal groups has formed, operating in secret on the Dark Web.

Specialization has been a key part of this, with dedicated groups focusing on selling a particular service — coders offering to create custom malware on commission, groups operating established malware selling their software to anyone willing to spread it to new victims, brokers trading in vast swathes of stolen account information, botnet operators renting out time on their networks, and money-mule operations providing services to convert stolen logins into clean cash.

Growing collaboration between major gangs could represent the next stage in this development, and it’s a worrying portent for online banking users.

Previously, a given piece of malware could target only the users of banks it was set up to attack. For the most part, such attacks are performed by web injects, which force extra pieces of code into banking webpages, for example a fake button which looks like the bank’s own “Submit” or “Pay now” button, but actually performs an action of the attacker’s choosing; or proxies, which redirect visitors to fake sites designed to look like a real banking site but actually passing everything entered over to the attacker.

Both these methods require the malware to have a specific module to target each bank. If malware creators team up, it could mean many more people will be subjected to such fraud attempts.

The IceID malware, for example, was reported to target only 2 “major banks in the U.K.” when first analyzed by IBM’s X-Force in November 2017 (along with numerous U.S. banks, card providers, and webmail and e-commerce sites). If a U.K.-based user was infected, they would be at risk of bank fraud only if they used one of the two banks targeted.

With this development, if the user proved to be a bad fit for the IceID gang, they could bring in their new friend Trickbot, which has far wider bank support and a long history of adding new spreading techniques and new modules and features to target a wider range of victims. It recently added a screen-locking capability to extort money out of people whose banks it couldn’t target.

Trickbot has a particular focus on U.K. banks, with IBM researchers studying the malware reporting that 39% of the banks it goes after are in the U.K. A new one, added just over a year ago as part of a major update targeting private banks, was described as “among the oldest banks in the world, located in the U.K.” (Barclays, Coutts and the venerable C. Hoare & Co. all predate the founding of the Bank of England in 1694).

So, those people previously left unaffected by an IceID infection thanks to their choice of banks could find themselves threatened by Trickbot instead.

If this trend continues and the complex networks of affiliates operating in the cybercrime underground continue to pool their resources, this pattern could broaden to the extent that, once a victim's computer is compromised, the malware installed on it would be selected based on which threats are best placed to defraud that system’s users.

We could even see a bidding system similar to that currently operating in the free software bundling market. Whenever a new “customer” starts downloading a piece of free software, automated systems compete to get their wares bundled with the install package in the hopes of getting onto a new machine; micro-payments are made for this service, based on the location and supposed financial status of the user being targeted.

It seems likely that a similar approach will soon be in use in the criminal economy, if it’s not already deployed.

Such developments are bad news for all of us. The only silver lining is that with added complexity comes a higher likelihood of mistakes leading to crooks being tracked down; with the advent of cryptocurrencies for more anonymous fund transfers, even that is becoming less of a risk to the bad guys.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry