The Security Ledger

Financial Malware, not Ransomware, drives most Cyber Crime


In-brief: data from the firm Symantec shows that financial malware targeting banks – not ransomware – is the most important and oft-used tool in the cyber criminal’s toolbox.

The headlines might be all about ransomware like the recent WannaCry, but data from the firm Symantec shows that financial malware targeting banks is the most important and oft-used tool in the cyber criminal’s toolbox.

Symantec said it detected more than 1.2 million instances of financial malware in 2016, more than 2.5 times the number of ransomware instances spotted during the same period. The data was published in Symantec’s latest Internet Security Threat Report (ISTR). The report highlights an ongoing and endemic problem for financial institutions in the U.S. and elsewhere, as cyber criminals increasingly focus on mobile users and nation-backed “APT” style adversaries use financial malware to blend in with more common, financially motivated attacks.

Financial malware such as banking trojans is designed to take over customer transactions like online banking sessions. The malware is installed on victims’ computers via malicious file attachments or links embedded in phishing attacks delivered by email or social media, or via malicious websites (“drive-by downloads”). The malware typically waits for the user to visit a targeted website before springing into action: using key-logging features to steal banking and brokerage credentials, or hijacking the banking session to submit fraudulent transactions, often using Windows Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) to control the compromised system directly and carry out the transaction. Because the fraudulent transaction is then submitted from the customer’s own machine, IP address and browser, it looks to the bank like a normal session, which is exactly why this approach defeats device- and location-based fraud controls.
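The point about remote control is the one a defender can act on: a workstation that has a live RDP or VNC channel to an Internet address at the same time it is logged into an online-banking site is a strong hijack signal. The script below is an added example (not code from the article or from Symantec) that correlates constructed proxy and firewall records to surface exactly that pattern. The log format, the banking hostnames, the internal address ranges, the port list and the 15-minute window are all assumptions made for the example.

```python
"""
Flag hosts that hold an RDP/VNC connection to an external address while
also talking to an online-banking site (banking-session hijack heuristic).

Added example; log layout, domains, ranges and thresholds are assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports used by Windows Remote Desktop (3389) and common VNC servers (5900/5901).
# Assumption: the trojan uses the standard ports; real families may tunnel
# their remote-control channel over their own C2 protocol instead.
REMOTE_CONTROL_PORTS = {3389, 5900, 5901}

# Hostnames of the online-banking and brokerage sites we care about (constructed).
BANKING_DOMAINS = {"onlinebanking.example-bank.com", "secure.example-broker.com"}

# Address ranges treated as "inside the organisation" (assumption: RFC 1918 only).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# How close in time a banking request and a remote-control connection must be
# to count as overlapping (assumed value; tune to your environment).
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample telemetry: (timestamp, source host, kind, detail).
#   kind "web"  -> detail is the HTTPS destination hostname from the proxy log
#   kind "conn" -> detail is "dst_ip:dst_port" from a firewall/flow log
SAMPLE_EVENTS = [
    ("2016-11-03T09:01:10", "10.0.0.21", "web",  "onlinebanking.example-bank.com"),
    ("2016-11-03T09:03:42", "10.0.0.21", "conn", "203.0.113.7:5900"),    # VNC to the Internet
    ("2016-11-03T09:05:00", "10.0.0.21", "web",  "onlinebanking.example-bank.com"),
    ("2016-11-03T09:10:00", "10.0.0.34", "web",  "secure.example-broker.com"),
    ("2016-11-03T09:12:00", "10.0.0.34", "conn", "10.0.0.5:3389"),       # internal RDP: benign
    ("2016-11-03T14:30:00", "10.0.0.50", "conn", "198.51.100.9:3389"),   # RDP to the Internet...
    ("2016-11-03T16:00:00", "10.0.0.50", "web",  "onlinebanking.example-bank.com"),  # ...90 min apart
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, host, kind, detail = raw
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def is_external(ip_str):
    """True if the address lies outside every INTERNAL_NETS range."""
    addr = ip_address(ip_str)
    return not any(addr in net for net in INTERNAL_NETS)


def find_hijack_candidates(events, window=CORRELATION_WINDOW):
    """Return one finding per external RDP/VNC connection that overlaps, within
    `window`, with a banking-site request from the same host."""
    parsed = [parse_event(e) for e in events]
    banking = {}   # host -> list of timestamps of banking-site requests
    remote = []    # (host, ts, endpoint) for remote-control connections leaving the network
    for e in parsed:
        if e["kind"] == "web" and e["detail"] in BANKING_DOMAINS:
            banking.setdefault(e["host"], []).append(e["ts"])
        elif e["kind"] == "conn":
            ip, port = e["detail"].rsplit(":", 1)
            if int(port) in REMOTE_CONTROL_PORTS and is_external(ip):
                remote.append((e["host"], e["ts"], e["detail"]))

    findings = []
    for host, r_ts, endpoint in remote:
        overlapping = [b for b in banking.get(host, []) if abs(b - r_ts) <= window]
        if overlapping:
            findings.append({
                "host": host,
                "remote_endpoint": endpoint,
                "remote_ts": r_ts,
                # the banking request closest in time to the remote-control connection
                "banking_ts": min(overlapping, key=lambda b: abs(b - r_ts)),
            })
    return findings


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{f['host']}: banking request at {f['banking_ts']:%H:%M} while "
              f"{f['remote_endpoint']} was open at {f['remote_ts']:%H:%M}")
```

On the sample data only 10.0.0.21 is flagged: 10.0.0.34 uses RDP to an internal host, and 10.0.0.50’s two events are too far apart. The heuristic deliberately checks both orderings (remote channel opened before or after the banking request), since the operator may connect first and then wait for the victim to log in. Its obvious blind spot is a trojan that runs its hidden VNC over its existing command-and-control connection rather than a standard port, so in practice the port list should be replaced by whatever your endpoint agent reports as a remote-control or screen-sharing session.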

Detection rates for the top four families of financial malware in 2016. (Image courtesy of Symantec.)

Though generally aimed at consumers, recent months have seen financial malware target banks and financial institutions directly. In the attacks by the Lazarus hacking group against users of the SWIFT interbank transfer system, the attackers attempted to move nearly $1 billion from the Central Bank of Bangladesh through SWIFT (about $81 million of that was actually stolen). FBI and NSA officials in March pinned the blame for that attack on hackers working for the government of North Korea. (Further analysis by the Russian firm Group-IB seems to confirm that conclusion.) Banco del Austro in Ecuador was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions, Symantec noted, and a round of similar attacks on Polish banks took place in early 2017.

Banks and other financial institutions face threats on many levels, as cyber criminals and others target their customers, their business partners, and their own infrastructure, such as bank servers and point of sale (POS) terminals, directly.

Overall, detections of financial malware were down. Symantec said it detected 36 percent fewer infected endpoints in 2016 than in 2015, following a 73 percent drop in the same statistic between 2014 and 2015. Detections of banking malware families like Ramnit and Zeus fell by between 50 and 75 percent from 2015 to 2016, though other families, like Bebloh, saw an increase in activity. Symantec attributes the declines to high-profile takedowns of top financial malware networks and to better detection of so-called “dropper” malware, which is used in the early stages of financial malware attacks. A caveat worth keeping in mind: fewer detections of the dropper stage means fewer full infections counted, so the numbers measure how often the front door was caught, not how much fraud got through.

Still, the report suggests that ransomware, while a highly disruptive and visible form of malicious software, is still mostly a bit player in the online financial crime landscape. In fact, just one family of financial malware, dubbed Ramnit, scored as many detections as all the ransomware variants combined during 2016, the company said.

The company said that cyber criminal groups are taking more steps to cover their tracks, including the use of free SSL/TLS certificates to encrypt traffic to and from so-called command and control servers. For defenders, that means a valid certificate from a reputable CA says nothing about whether a destination is malicious; blocking has to rely on domain reputation, traffic patterns or endpoint telemetry rather than on certificate validity. The company also expects a continued shift to platforms like Android as more users rely on mobile banking applications to manage their financial lives. Finally, corporations should be prepared for more attempts to compromise corporate finance departments using social engineering and other methods.

Read the full Symantec report here.
