Sophisticated Trojan horses target banks, Symantec says
The financial sector is under threat from increasingly sophisticated malware attacks, a Symantec report has claimed, with many security solutions ineffective against modern Trojans.
Following the proliferation of malware targeted at online banking over the past decade, financial institutions created custom security solutions to prevent fraud resulting from simple keylogging Trojans or phishing. However, more sophisticated attacks are being created and targeted at a wider range of financial sector companies, according to Symantec's The World of Financial Trojans report, with more than 600 financial organizations singled out for Trojan attacks.
The report claims that criminal groups responsible for the attacks have become more knowledgeable about the financial sector as attacks have become more sophisticated, and are supported by a service industry of widely available malware.
Attacks against the U.S. broadcasting outlet NBC in February were apparently conducted to spread malware aimed at hacking online banking.
"The financial fraud marketplace is also increasingly organized," the report claims. "It is a service industry where a wide variety of financial Trojans, webinjects, and distribution channels are bought and sold. Services being offered are dedicated to each aspect of a financial fraud campaign. These offerings will improve effectiveness of established techniques."
Zeus Trojan's successful heist
Symantec points to Trojans such as the Zeus-based "Gameover" peer-to-peer botnet as one of the major threats facing financial organizations, infecting over 678,000 Windows PCs last year. The Zeus Trojan, also known as Zbot, was used in a raid of 3000 bank accounts in the U.K., stealing £675,000 (US$1 million) from an unnamed British bank in 2010.
According to the report, the Trojan that attacked the largest number of financial organizations was SpyEye, which targeted 384, followed by Zeus with 284.
The report also highlights the growing ability of cybercriminals to use location-aware distribution services to deliver malware with greater precision. Symantec also points to third-party remote web-injects, which can circumvent security countermeasures and target a large number of financial companies "concurrently and intelligently," as a threat to financial companies.
The organizations being targeted are varied, from commercial banks to credit unions, though attackers have increasingly looked to other organizations that perform online transactions. This means targeting institutions that facilitate high volume and high value transactions, such as automated clearing house payments systems, and payroll systems. Single Euro Payments Area (SEPA) credit transfers in Europe are also an increasing target.
Not surprisingly, the report found that attackers prefer to target institutions in wealthier, developed countries, but also claimed that new markets in emerging economies such as in Asia and the Middle East were increasingly being targeted.
Countries with fewer financial institutions were also preferred, with the U.K. deemed to be a prime target due to its wealthy population and only 52 major financial institutions, meaning that a smaller number of variants would need to be developed by cybercriminals.
US is biggest target
The U.S. has the largest number of computers infected with banking Trojans, with almost 250,000 systems affected, the report claimed, while the U.K. is in fourth place with over 40,000. The Zbot Trojan was found to be most prevalent in both countries.
Sian John, security strategist at Symantec, said that financial companies are involved in a constant battle to stay ahead of malware creators.
"It is not so much a falling behind, as being involved in an arms race. If they bring in one way of protecting, then the Trojans get used to that protection and bring in a new attempt to attack," John told Computerworld UK. "So there are some banks that will have new thoughts about defence but they won't bring it in until they need, because the guys that write the Trojans pick up on it early."
"It is not that the banks do not have sophistication, they have lots. They just have to continually evolve because the malware is continually evolving."
However, there is a gap in the ability of certain organizations to detect threats on customers' systems.
"There is a difference in quality between the different banks in terms of how much of the protection and fraud detection methods they put in place," she said. "The challenge is that the Trojans are beginning to work out which the banks are with less security, and going after them."
Banks have tools, too
John said that for the banks, sophistication in their own methods is displayed in how they deal with customers that might be infected, and detect the issues. This means putting in place measures such as strong authentication, using PIN pads, or not requiring customers to input full passwords to stop details being picked up by a Trojan.
"Banks themselves need to put in software to detect anomalous behavior, if not to stop it then to at least understand that something is going on with that transaction," John said.
This means implementing transaction software from vendors such as Trusteer, for example, which a lot of banks currently provide to detect attempts by a Trojan to hijack a login session.
John said that because many high-profile banks have improved their defence methods, some organizations that would not previously have been at the top of cybercriminals' lists are now being targeted, due to their comparatively weaker protection.
"It is things like business to business banking, the trading houses and clearing houses, as well as emerging markets which haven't had internet banking previously," she said. "They historically went for the low hanging fruit of internet banking, but are now looking beyond that."