Malware is a topic that everyone is talking about. Giant movie studio’s network is hacked? The attackers used malware. Big retailer’s point-of-sale system is breached? Malware did it. Hackers breached ATMs at multiple banks? They used malware.
The litany of blame seems endless – in technical trade publications and in general news publications alike. Statistically, “malware” was the top keyword in 2013 and 2014, ousting “security,” according to the HP Cyber Risk Report 2015.
Interest in this topic is high because malware is an exceptionally effective attack vector. If you work for a bank, an e-commerce company, or any other financial service provider, it is vital to understand the key financial malware threats that are often targeted specifically at your enterprise, in order to prevent breaches.
Although financial malware is not a new concept, it is vital to understand the current threats as they quickly evolve in sophistication. At Cyphort, we recently analyzed the top eight financial malware threats cybercriminals are using today, in hopes of raising awareness of the dangers they present. Our report identified and analyzed the following financial malware as the most dangerous threats of 2015:
Zeus. The most successful banking malware, Zeus has infected tens of millions of computers worldwide since it debuted in 2007. Given its capabilities, financial service professionals consider Zeus to be the most severe threat to online banking.
SpyEye. SpyEye is a Trojan horse that has infected about 1.4 million computers worldwide. Attackers use SpyEye to steal banking information in two ways: through its keylogger and through the bot’s ability to take screenshots on the victim’s machine.
Torpig. A botnet spread by a Trojan horse called Mebroot that infects Windows-based PCs. This botnet is used to steal targeted login credentials to access bank accounts and financial systems. Detection is difficult because Torpig hides its files and encrypts its logs. Once Torpig gains access, it scans the infected PC for account data and access credentials.
Vawtrak. A sophisticated and dangerous backdoor banking Trojan able to spread itself via social media, email and file transfer protocols. This relatively new Trojan has the unique feature of hiding evidence of the fraud by changing the account balance shown to the victim on the fly.
Bebloh. Banking malware used to steal targeted login credentials, intercept online banking transactions, and breach financial systems. Typically the attacker steals the user’s login credentials and subsequently steals specific amounts of money from the user’s account. The attacker protects his identity by collecting the money through an online “money mule.”
Shylock. Known for targeting login credentials for European banks via Man-in-the-Browser exploits. Shylock has infected at least 60,000 computers running Microsoft Windows worldwide. The attackers behind Shylock have an advanced targeted distribution network that allows them to infect victims in selected countries through multiple channels.
Dridex. Relies on phishing to carry out malicious activities. It has executed malicious code on victim PCs via executable attachments and via Microsoft Word documents containing macros that download a second-stage payload, which then downloads and executes the Trojan.
Dyre. Dyre relies on phishing to carry out malicious activities. It often uses malicious PDF attachments that can exploit unpatched versions of Adobe Reader. The emails may use the misspelled subject line "Unpaid invoic" as well as the attachment "Invoice621785.pdf." Dyre uses infected victim PCs to harvest credentials for bank accounts and other online services.
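The Dridex and Dyre entries above describe the same delivery pattern: an invoice-themed phishing message carrying an executable, a macro-bearing Office document, or a PDF aimed at an unpatched reader. The following Python routine is an added example, not code from the original article or from Cyphort, showing how a mail gateway might triage incoming messages against those characteristics. The three messages are constructed samples, the sender and recipient domains are placeholders, the extension lists are assumptions, and the verdict thresholds are illustrative; only the misspelled subject "Unpaid invoic" and the attachment name "Invoice621785.pdf" come from the article.

```python
import email
import os
import re
from typing import List, Tuple

# Constructed sample messages (not real captures) mimicking the delivery
# patterns described above; ".invalid" domains are placeholders and the
# base64 bodies are stubs, not real documents.
DYRE_STYLE = """\
From: billing@example-supplier.invalid
To: accounts@example-bank.invalid
Subject: Unpaid invoic
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/pdf; name="Invoice621785.pdf"
Content-Disposition: attachment; filename="Invoice621785.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

DRIDEX_STYLE = """\
From: ar@example-vendor.invalid
To: payables@example-bank.invalid
Subject: Invoice 4471 - payment overdue
Content-Type: application/msword; name="Invoice_4471.doc"
Content-Disposition: attachment; filename="Invoice_4471.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
"""

BENIGN = """\
From: alice@example-bank.invalid
To: team@example-bank.invalid
Subject: Team lunch on Friday

Pizza at noon in the break room.
"""

# Subject heuristics: the standalone misspelling "invoic" from the Dyre lure,
# invoice-themed subjects in general, and the "Invoice<digits>.<ext>"
# attachment naming seen in "Invoice621785.pdf".
MISSPELLED_INVOICE = re.compile(r"\binvoic\b", re.IGNORECASE)
INVOICE_THEME = re.compile(r"\binvoic", re.IGNORECASE)
INVOICE_ATTACH = re.compile(r"^invoice[\s_-]*\d+\.[a-z]+$", re.IGNORECASE)

# Attachment classes by extension (assumed lists; extend to taste).
RISKY_EXT = {
    ".exe": "executable", ".scr": "executable", ".js": "executable", ".vbs": "executable",
    ".doc": "Office document, may carry macros", ".docm": "Office document, may carry macros",
    ".xls": "Office document, may carry macros", ".xlsm": "Office document, may carry macros",
    ".pdf": "PDF, can target unpatched readers",
}


def triage_email(raw: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one raw RFC 822 message.

    Verdicts are illustrative assumptions: 'quarantine' when a lure-style
    subject and a risky attachment coincide, 'sandbox' for a risky
    attachment alone, otherwise 'deliver'.
    """
    msg = email.message_from_string(raw)
    findings: List[str] = []
    risky = False

    subject = msg.get("Subject", "")
    if MISSPELLED_INVOICE.search(subject):
        findings.append("subject: misspelled 'invoic' lure")
    elif INVOICE_THEME.search(subject):
        findings.append("subject: invoice-themed")

    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts without a filename are not attachments
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXT:
            findings.append(f"attachment {name}: {RISKY_EXT[ext]}")
            risky = True
        if INVOICE_ATTACH.match(name):
            findings.append(f"attachment {name}: invoice-number naming pattern")

    lure = any(f.startswith("subject:") for f in findings)
    verdict = "quarantine" if lure and risky else "sandbox" if risky else "deliver"
    return verdict, findings


if __name__ == "__main__":
    for label, sample in (("dyre", DYRE_STYLE), ("dridex", DRIDEX_STYLE), ("benign", BENIGN)):
        print(label, *triage_email(sample))
```

The subject check deliberately separates the whole-word misspelling "invoic" from the broader invoice theme, so a tuned deployment can weight the known lure string higher than a generic billing subject; the attachment classes and verdict logic are the parts a real gateway would replace with its own policy and sandbox integration.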
So what can your organization do to protect your customers’ money and safeguard corporate financial assets?
Keeping your systems and applications patched in a timely fashion goes a long way toward protecting you from infection. You know this already; now you need to make sure you actually do it! Most modern operating systems and applications offer automatic updates: power to the defenders.
Web users should be very vigilant when visiting sites full of busy offers and popups. When you do need to visit them, doing so from a non-Windows platform may reduce your chance of infection, at least until the bad actors start targeting non-Windows endpoints more.
Financial institutions should adopt the new defense paradigm of continuous monitoring, diagnostics, and mitigation; make sure that your defense covers the complete attack surface; and implement education and threat intelligence sharing so that employees are warned away from infection websites.
I believe we have just seen the tip of the iceberg of APT-style financial crimes, including Carbanak, which transfers money out of customer accounts from inside the bank’s systems, and the malware-powered “pump and dump” attack on Wall Street. The worst is still to come in 2016 before most of the financial institutions have enhanced protection in place. In the meantime, vigilance on the part of consumers and financial institutions should come together for better defense against cyber financial crimes.
Fengmin Gong is co-founder and chief strategy officer at Cyphort.