Nine of the most common and sophisticated financial Trojans in use are targeting 1,467 financial institutions in 86 countries, says a Symantec report compiled after the analysis of 999 configuration files from recent Trojan samples.
One particular (but unnamed) US bank is targeted by 95 percent of these malware samples, and the rest of the list is chock full of US banks, followed by several in Canada, the UK, and Europe. The list of top 25 institutions targeted in configuration files also contains a US-based online payment service and a US-based auction platform – I think we can safely assume that they are PayPal and eBay.
While 95 percent of the targeted institutions are from the financial sector, financial Trojans are also after login details for several social media sites, employment websites, auction houses, and email services.
But attackers have also started focusing on targets outside of online banking, such as the Brazilian payment system Boleto, cryptocurrencies like Bitcoin, and password managers.
“As many banks are adopting stronger security implementations, attackers have shifted focus onto the institutions with weaker account security. For example, as predicted in last year’s report, we have seen a spike in attacks targeting Asia in 2014,” noted Symantec researcher Candid Wueest.
The Zeus (Zbot) Trojan and its offshoots (Gameover, Citadel, etc.) are responsible for the most financial Trojan infections by far.
One piece of good news is that the total number of financial Trojan infections around the world dropped by 53 percent from January to December 2014. Wueest believes this is due to extremely visible takedown operations and malware author arrests carried out during that period.
It’s interesting to note that some malware families target a huge number of institutions (Mebroot targets nearly 1,200 organizations), while others operate with a much smaller list.
“The targets can change over time as attackers move to focus on different countries or banks if they see their campaigns’ efficiency rate dropping or fear a law enforcement operation’s scrutiny. Different global factors can also influence attackers’ decisions, such as spoken languages and regions where international transactions are more difficult to conduct and require local steps to launder the money,” Wueest explains.
“For example, Trojan.Snifula, which had a spike of activity in Japan in mid-2014, grew over the summer from targeting eight organizations to attacking 37 different financial institutions. This includes 12 smaller regional banks in Japan, indicating that the attackers tried to expand their operational scope to other niche organizations beyond the big players.”
All in all, banking malware is here to stay for the foreseeable future, and as banks increase their protection efforts, so will the malware keep evolving.
At the moment, users can protect themselves by being careful when perusing unsolicited emails, keeping their AV solutions and other software updated, using strong passwords, enabling 2-factor authentication and account login notification (if available), and regularly monitoring their bank statements.