Symantec, the cybersecurity company, has released new research indicating that the cyberthreats facing financial institutions are much more dangerous than they appear.

The firm’s Internet Security Threat Report: Financial Threats Review 2017 outlines how financial crime is more profitable for cybercriminals.

“As we had predicted in 2015, we saw an increase in attacks against corporations and financial institutions themselves during 2016,” writes analyst Candid Wueest. “With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware.”

The number of detections for financial malware suite Ramnit matched the combined total for all ransomware detections in 2016.

The world of financial crime is dominated by three trojans: Ramnit, Bebloh and Zeus. The three families were responsible for 86% of all financial attack activity in 2016. Despite this, some of the creators have been taken down by authorities. Bebloh has “all but vanished” so far in 2017.

Symantec’s research found that Japan was the most-infected country across the globe for trojans, followed by China and India. The US was the most targeted nation, with Poland and Japan on its heels.

Risk and reward

“Financial threats, aimed at taking over customer transactions and online banking sessions, are still a force to be reckoned with,” writes Symantec. “Cybercriminals have adapted their attacks and are mimicking customer behaviour as closely as possible and attacking the institutions themselves.”

Social engineering, the firm writes, continues to play a “major role” in many attacks. There has also been a marked increase in the amount of mobile-based malware attempting to steal user credentials.

“While the cybercrime threat landscape is typically dominated by indiscriminate, mass attacks,” reads the report. “2016 saw the emergence or re-emergence of a handful of sophisticated cybercrime groups going after financial institutions themselves instead of their customer base.”

Sophisticated attacks take longer and have more risk but can net the bad guys substantial profit. Although the groups are trying more intricate methods, the good old spam email still ranks as the main infection vector.

“The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016. The already well-known Office document attachment with malicious macros continued to be widely used.”

Arms race

Firms are catching on and upgrading their software to keep up with the criminals, yet malware is updating every day. Symantec points to the recent exploitation of Microsoft zero-day vulnerabilities by Dridex as an example of the opportunism of cybercriminals.

“Most financial threats deploy a general set of modules for various tasks – such as taking screenshots or videos, keylogging, form grabbing, or installing SOCKS proxies and remote access tools like hidden VNC servers,” writes Symantec.

“Process hollowing and injecting into system processes is still a very common tactic used by malware authors to try and remain hidden on infected computers.”

Once a financial virus has compromised a computer, it will get to work stealing any and all credentials that will help its operators maximise their profits. It is common, says Symantec, for the malware to steal account details for important software, tools and administrative rights.

Attacks against ATMs, POS and mobile phones have increased over the past year. Since the adoption of Chip & Pin in regions outside of Europe, however, the prevalence of older memory scraping malware has decreased.

Mobile malware rates increased by 29% to 7.2 million detections in 2016. More than half were related to downloader threats. Mobile-based malware is the third-most prevalent form of financial threat.

by Alex Hamilton
Alex is Senior Reporter at IBS Intelligence, follow him on Twitter or contact him at: alexanderh@ibsintelligence.com