Exposing the most dangerous financial malware threats
Cyphort analyzed the top eight types of financial malware cybercriminals are using today to target banks and electronic payment systems.
The most dangerous financial malware threats have resulted in the theft of hundreds of millions of dollars and infected tens of millions of users. They include:
Zeus – The most successful banking malware, having infected tens of millions of computers worldwide since it debuted in 2007. Given its capabilities, financial service professionals consider Zeus the most severe threat to online banking.
SpyEye – A Trojan horse that has infected about 1.4 million computers worldwide. Attackers use SpyEye to steal banking information in two ways: a keylogger component and the bot’s ability to take screenshots on the victim’s machine.
Torpig – Torpig is a botnet spread by a Trojan horse called Mebroot that infects Windows-based PCs. This botnet is used to steal targeted login credentials to access bank accounts and financial systems. Detection is difficult because Torpig hides its files and encrypts its logs. Once Torpig gains access, it scans the infected PC for account data and access credentials.
Vawtrak – A sophisticated and dangerous backdoor banking Trojan able to spread itself via social media, email and file transfer protocols. This relatively new Trojan has the unique feature of hiding evidence of the fraud by changing the account balance shown to the victim on the fly.
Bebloh – Is banking malware used to steal targeted login credentials, intercept online banking transactions, and breach financial systems. Typically the attacker steals the user’s login credentials and subsequently steals specific amounts of money from the user’s account. The attacker protects his identity by collecting the money through an online “money mule.”
Shylock – Is known for targeting login credentials for European banks via Man-in-the-Browser exploits. Shylock has infected at least 60,000 computers running Microsoft Windows worldwide. The attackers behind Shylock have an advanced targeted distribution network that allows them to infect victims in selected countries through multiple channels.
Dridex – Relies on phishing to carry out malicious activities. It has executed malicious code on victim PCs via executable attachments and via Microsoft Word documents containing macros that download a second-stage payload, which then downloads and executes the Trojan.
Dyre – Dyre relies on phishing to carry out malicious activities. It often uses malicious PDF attachments that can exploit unpatched versions of Adobe Reader. The emails may use the misspelled subject line “Unpaid invoic” as well as the attachment “Invoice621785.pdf.” Dyre uses infected victim PCs to harvest credentials for bank accounts and other online services.
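The Dridex and Dyre entries above describe concrete lure characteristics: a misspelled subject line, an invoice-named PDF attachment, macro-bearing Word documents and executable attachments. The following added example (not Cyphort's code or part of the report) turns those descriptions into a small mail-metadata triage check. The sample messages are constructed, and the sets of macro-enabled and executable file extensions are assumptions for illustration rather than indicators given in the article.

```python
"""Triage inbound e-mail metadata for the Dyre/Dridex lure patterns described
in the article. Added example, not Cyphort's code. The sample messages are
constructed; the indicators follow the article's description of the lures."""
import re

# Constructed sample of inbound mail metadata: message id, subject, attachment names.
SAMPLE_MAIL = [
    {"id": "m1", "subject": "Unpaid invoic", "attachments": ["Invoice621785.pdf"]},
    {"id": "m2", "subject": "Your statement", "attachments": ["statement.docm"]},
    {"id": "m3", "subject": "Meeting notes", "attachments": ["notes.docx"]},
    {"id": "m4", "subject": "Scan", "attachments": ["scan.pdf.exe"]},
    {"id": "m5", "subject": "Unpaid invoice", "attachments": []},
]

# Dyre lure: an invoice-named PDF such as "Invoice621785.pdf" (digits vary).
INVOICE_PDF = re.compile(r"^invoice\d+\.pdf$", re.IGNORECASE)
# Dridex lure: Word documents that can carry macros. Assumption: the
# macro-enabled OOXML formats plus the legacy binary .doc format.
MACRO_WORD = re.compile(r"\.(docm|dotm|doc)$", re.IGNORECASE)
# Executable attachments. Assumption: a short list of common executable extensions.
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|bat|js)$", re.IGNORECASE)


def score_message(msg):
    """Return the list of indicator names that fire for one message."""
    hits = []
    subject = msg["subject"].strip().lower()
    # Dyre lure: the misspelled subject line exactly as reported.
    if subject == "unpaid invoic":
        hits.append("dyre_subject_typo")
    for name in msg["attachments"]:
        if INVOICE_PDF.match(name):
            hits.append("dyre_invoice_pdf")
        if MACRO_WORD.search(name):
            hits.append("dridex_macro_document")
        if EXECUTABLE.search(name):
            hits.append("executable_attachment")
    return hits


def triage(messages):
    """Map message id -> indicator hits, keeping only messages with at least one hit."""
    result = {}
    for msg in messages:
        hits = score_message(msg)
        if hits:
            result[msg["id"]] = hits
    return result


if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_MAIL).items():
        print(msg_id, ", ".join(hits))
```

Note that the correctly spelled "Unpaid invoice" in the last sample message does not fire the subject indicator: the reported lure is matched exactly, so the check stays narrow and should be paired with attachment-based indicators rather than used alone.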
To make sure your organization is protected from financial malware, Cyphort recommends the following steps:
- Keeping your systems and applications patched in a timely fashion goes a long way toward protecting you from infection. You already know this; now make sure you actually do it. Most modern operating systems and applications offer automatic updates, which works in the defenders' favor.
- Users should be very vigilant when visiting sites full of offers and popups. When you do need to visit them, doing so from a non-Windows platform may reduce your chance of infection, at least until the bad actors start targeting non-Windows endpoints more.
- Financial institutions should adopt the new defense paradigm of continuous monitoring, diagnostics, and mitigation, and should implement employee education and threat intelligence sharing so that employees are warned away from infection websites.