“Some Ideas Never Die”: The Trojan is Wheeled in Again
The ancient Greeks are credited with many inventions that survive today in some form: the water mill, the odometer, the alarm clock and cartography, to name a few. For a security professional, the one that comes to mind first is the Trojan horse, devised to sneak Greek soldiers behind the walls of Troy and win the war.
A few decades ago, the
term resurfaced to describe a type of attack that cyber criminals have used and
evolved over time to wreak havoc on financial institutions. Although ransomware
and DDoS attacks have captured the attention of the security industry of late,
a surge in trojan variants targeting banks across geographies is catching many
by surprise.
Banking trojans steal online banking credentials by sitting quietly on a customer’s computer until the customer visits a targeted bank’s site. At that point the malware uses its man-in-the-browser (MITB) position, hooks inside the browser itself, to perform a web injection: it alters the legitimate page as it is rendered, typically adding a fake login form or extra “verification” fields, and sends whatever the victim types to the attacker’s command and control (C2) server. Because the injection happens inside the browser after the TLS connection has been decrypted, the address bar and certificate look correct to the victim. The actors behind these attacks take time to learn the banking systems of specific geographies so as to avoid detection and maximize profits, and they wring out cash for as long as possible before moving on.
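One defensive check a bank can run against the web-inject behaviour described above is DOM integrity monitoring: compare the login page as the server sent it with the page as the customer’s browser actually rendered it, and flag any fields, form targets or scripts that the malware added. The following is an added example written for this post, not code from the original article or from any of the trojan operators it discusses. The two HTML snippets are constructed for illustration; the “rendered” copy contains the kind of extra fields and foreign script a MITB inject introduces, and the hostnames are placeholders, not real indicators.

```python
"""Detect web-inject tampering by diffing a served login form against the
copy the victim's browser rendered.

Added example for this post (not the article's or any vendor's code). The
HTML below is constructed; the c2 hostname is a placeholder, not a real IOC.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Login form exactly as the bank's web server emitted it (constructed sample).
SERVED_HTML = """
<form id="login" action="https://online.examplebank.test/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="a1b2c3">
  <button type="submit">Log in</button>
</form>
"""

# The same page as rendered in an infected browser (constructed sample):
# the inject added two "verification" fields and a script from its C2.
RENDERED_HTML = """
<form id="login" action="https://online.examplebank.test/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="a1b2c3">
  <input name="atm_pin" type="password">
  <input name="mothers_maiden" type="text">
  <button type="submit">Log in</button>
</form>
<script src="https://c2.attacker-placeholder.test/inject.js"></script>
"""

# Hosts the bank legitimately loads scripts from (assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"online.examplebank.test"}


class FormInventory(HTMLParser):
    """Collect every <input>, <form action> and external <script src>."""

    def __init__(self):
        super().__init__()
        self.fields = set()        # (name, type) for each <input>
        self.actions = set()       # form submission targets
        self.script_hosts = set()  # hostnames of external scripts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.fields.add((a.get("name", ""), a.get("type", "text")))
        elif tag == "form" and a.get("action"):
            self.actions.add(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(a["src"]).hostname or "")


def inventory(html):
    parser = FormInventory()
    parser.feed(html)
    parser.close()
    return parser


def detect_inject(served, rendered, trusted_hosts):
    """Return a list of human-readable findings; empty means no tampering seen."""
    base, live = inventory(served), inventory(rendered)
    findings = []
    for name, typ in sorted(live.fields - base.fields):
        findings.append(f"injected field: {name} ({typ})")
    for name, typ in sorted(base.fields - live.fields):
        findings.append(f"removed field: {name} ({typ})")
    for action in sorted(live.actions - base.actions):
        findings.append(f"form action changed: {action}")
    for host in sorted(live.script_hosts - set(trusted_hosts)):
        findings.append(f"script loaded from untrusted host: {host}")
    return findings


if __name__ == "__main__":
    for line in detect_inject(SERVED_HTML, RENDERED_HTML, TRUSTED_SCRIPT_HOSTS):
        print(line)
```

In practice the “rendered” copy would come from a small beacon script the bank embeds in its page that serialises the live forms and posts them back, with the comparison done server-side so the verdict is not made on the infected machine. A MITB implant that controls the browser can in principle tamper with the beacon too, so this is a detection layer, not a guarantee; its value is that most commodity injects simply add fields and scripts without bothering to hide them from such a check.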
To help you assess your
digital risk, here are three examples of trojans from 2016 that will likely
continue to be active into 2017.
1. Since the discovery of the TrickBot trojan in September 2016, its operators have continued to develop the malware to target customers of additional banks in additional countries. In October, TrickBot targeted bank customers in Australia and Canada, but throughout the remainder of 2016 both the number of banks affected and the locations of those banks increased dramatically, spreading to the UK, Germany, Singapore and New Zealand, among others.
At this time, TrickBot
primarily targets financial services customers in English-speaking countries.
Given the number of targets and how quickly TrickBot is spreading across
geographies it is likely that the cyber criminals behind these attacks have
significant resources at their disposal, including funding, time, and
capability. And that capability includes not only development resources but a
network of accomplices that make these attacks profitable by doing the leg work
to cash out compromised bank accounts. With what appear to be vast resources
supporting the operation, it’s likely that TrickBot will continue to penetrate
deeper into current target geographies and spread to other regions during the
year.
2. GozNym is another banking trojan identified early in 2016. The GozNym attacks started in the U.S. and then shifted to Europe, including 17 banks in Poland and one in Portugal. Since the initial reporting on GozNym in April 2016, it has been extended to target new financial institutions and new geographies. Furthermore, its methods, specifically the redirection attacks, point to a well-resourced group developing and operating the trojan, since a convincing fake banking site has to be built for each targeted bank. This heavy investment in advanced capabilities and the rapid evolution of the attacks show that the actors behind these schemes are sophisticated and will likely leverage their investments to target customers in other geographies.
3. Panda, a variant of the Zeus trojan, started by targeting banks in Europe and North America but in mid-2016 spread to Brazil in advance of the Olympic Games. Likely to take advantage of an influx of visitors engaging in online activity, Panda expanded its scope of targets beyond banks to include online payment providers, prepaid card services, bitcoin exchange platforms and even airline loyalty programs. Panda can inject malicious code into ongoing web sessions to trick users with social engineering, and grabs login credentials on the fly. Its operators also use automatic transfer system (ATS) scripts, which automate typical banking actions such as moving money out of the compromised account. Panda has since been discovered targeting banks in the UK and Australia. It remains active and is expected to continue to target these and additional geographies in the coming year.
So how can financial
institutions and their customers mitigate digital risk?
• Banks and operators of other online payment systems must remain alert and continue to monitor which geographies are being targeted. Even in regions that have been “safe” to date, it is likely only a matter of time, as these trojans move into new geographies in definable waves. In addition, organizations should ensure operating systems, email gateways and malware detection solutions are up to date and hardened against such attacks.
• Individuals should be reminded not to open attachments or click links in unsolicited emails. Security awareness training should also cover credential hygiene: using a unique password for each service and never reusing corporate credentials for personal activity.
Banking trojans continue to evolve. Adopting
increasingly complex techniques, they spread to new regions, incorporate new
languages, and target other online payment platforms and services besides
banks. If you haven’t had a trojan poised outside your walls, chances are you
will. But by understanding your digital risk you can make sure you’re not
welcoming it in.