Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Banking Trojans Expand Their Reach

Report: New Botnet Targets Include App Stores, Shipping Organizations, Many Others
Banking Trojans Expand Their Reach

Leading banking Trojans are expanding their targets, taking aim at industries outside banking to compromise financial accounts and other information, new research shows. And the botnets are proving difficult for law enforcement officials to take down.

See Also: Close the Gapz in Your Security Strategy

Some of these malware strains also have shifted their focus from targeting big bank brands in the U.S. to smaller banking institutions in developing markets in Eastern Europe and Asia, researchers say.

Among the key findings in Dell SecureWorks' Counter Threat Unit's third annual Top Banking Botnets report, Banking Botnets - the Battle Continues, are:

  • Beyond banking, botnets are now targeting cloud service providers, mobile app stores, online tech stores and organizations in the shipping, warehousing, e-commerce and marketing industries.
  • 2015's victims included some 1,500 financial institutions in more than 100 countries. And while more than 80 percent of the institutions were U.S.-based, institutions in the U.K., Europe and Australia are increasingly popular targets.

Global Reach

In an exclusive interview with Information Security Media Group, an author of the report, Pallav Khandhar, a Dell senior security researcher, discusses the banking botnets' global reach.

"All the banks have different security measures," Khandhar says, "and sometimes it is easier for the [botnet operators] to go after the small to medium-sized banks ... because those banks may not have the real high-profile security measures, like the big banks can afford."

As for the move into industries outside of banking, Khandhar cites two reasons: The botnet operators want to harvest new credentials, and they also want to launder the money they've already stolen from banks.

"The primary targets are still the banks," he says. "But [the attackers] are slowly adding new targets from these new industries as well."

Khandhar speculates that the attack shift toward other industries is part of an effort by cybercriminals to more efficiently monetizing stolen information.

He says if stolen payment cards are used to buy illicit goods, then it makes sense that criminals would want to have a way to transport those goods without detection. By targeting logistics industries, such as shipping and warehousing, attackers can compromise authentication credentials to access servers and systems used to route goods - thus, exporting and transporting their goods, illegally, without detection, Khandhar says.

"Their primary motive always seems to be money," Khandhar says. "So maybe that is why they are going after the shipping and warehousing industry - so they can easily move items from one location to another."

Or, they could be targeting those industries to compromise their online banking credentials, just as they would target any other commercial business to perpetrate ACH and wire fraud, he adds.

Trojan Evolution

Dell SecureWorks researchers noticed a consistent trend throughout 2015 involving 12 of the world's most pervasive banking Trojans, including Gozi, which emerged in 2012, Shifu, which hit the scene in 2015, and Tinba, another 2015 entrant.

All three Trojans started cropping up in attacks against industries outside the banking industry, such as payments and retail. And their attack methods were more similar to APTs than the usual banking malware, Khandhar says.

Shifu, for instance, which is built on source code from the banking Trojans Dridex, Gozi, Shiz and Zeus, started out as more of an APT than a banking Trojan.

Limor Kessem, a security researcher at IBM Trusteer, noted last August that Shifu, rather than targeting banking customers, had been attacking banks. IBM Trusteer researchers linked Shifu to attacks against 14 Japanese banks and a few electronic banking platforms used in Europe.

"While Web injections are a common Trojan capability, very few Trojans target banking platforms," Limor writes in a blog she posted about Shifu. "Such an attack type is known from older malware like Shiz that targeted banking platforms used by Russian banks. ... If the malware's developer finds a way to compromise an application/platform in one case, it will likely work the same on other banks using that platform."

Shifu, in a similar attack fashion, also doubles as point-of-sale malware, targeting payment and processing platforms linked to POS terminals. Once an endpoint deemed to be a POS is found, Shifu deploys a memory/RAM-scraping plugin to collect card data.

Tinba works in a similar way.

In November, Dell SecureWorks researcher Brett Stone-Gross noted in an interview with Information Security Media Group about Tinba that the Trojan's attack targets had shifted from Western institutions to targets in Eastern European. Tinba was linked to attacks waged against Russian banks and payments providers.

"Tinba is unusual, because we typically see banking Trojans targeting Western institutions," Stone-Gross says. "This one is targeting Russian targets. One reason why we may see this shift could be, in part, due to the hostility between the Ukraine and Russia."

But according to Dell SecureWork's newest research, most of today's banking Trojans are following that same evolution, regardless of political tensions.

Outside Law Enforcement's Reach

Botnets continue to rely on hidden network services, such as Tor and the Invisible Internet Project, better known as I2P, along with domain generation algorithms, to resist surveillance and takedowns, Dell SecureWorks notes in its report. Additionally, by using private spam mailers, botnet groups continue to deviate from the "spam as a service" model, the report adds.

Khandhar contends the use of Tor and private spam filters has made it almost impossible for law enforcement to take these botnets down. "They just try to hide their infrastructure behind these hidden solutions," he says. "They are fighting against the law enforcement and trying to limit their takedown operations."

Tom Kellermann, CEO of security firm Strategic Cyber Ventures, says attackers are doing a better job of cloaking their nefarious activities. "Many hackers are utilizing cloud infrastructures to colonize networks," he says. "The Dark Web has improved their own resiliency efforts, and now attackers use multiple command-and-control servers, usually deploying a secondary command-and-control server within an infrastructure on a sleep cycle."

That kind of stealthy movement in the underground is helping cybercriminals leverage their abilities to get the upper hand, says Andrew Komarov, chief intelligence officer at security firm InfoArmor.

"This market is becoming much more private, compared with 2015, because of law enforcement attention and security community attention," he says. "This market attracts very serious cybercriminals, who now act as the botnets' makers, and they want to evade detection."

Mitigating the Risks

To mitigate the growing threat these botnets pose, Khandhar says organizations should conduct regular scans of their networks for anomalous activity and consistently educate their employees and customers about phishing techniques.

"They need to make sure that their users don't click on links in an email," he says. "This is still the primary entry point for most criminals."

And financial fraud expert Avivah Litan, an analyst at consultancy Gartner, says organizations need to invest more in so-called deception technologies and fraud analytics, to ensure they are aware of these attacks when they occur.

"To deflect these attacks they need deception technologies so that the fraudsters can't decipher their Web or mobile app code and therefore can't write scripted attacks," she says. "They also need fraud analytics that detects patterns in these attacks by looking at massive amounts of attack data from multiple enterprises. These analytics can then be used to detect the attack and stop it from doing any damage."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.