Fraudsters become more organized, use more complex solutions

Mar 3, 2015 18:03 GMT

Following an analysis of 999 configurations from recent samples of banking malware, security researchers have determined that cybercriminals have their sights set on 1,467 organizations in the financial sector across the world.

Most of the targeted banks are located in the US, whose citizens have been targeted by 95% of the Trojans analyzed.

Telemetry data shows that coming in second and third places are individuals in the UK and Germany, but users in 83 other countries are also affected.

US bank targeted by almost all Trojans

The research, carried out by Symantec based on Trojan activity in 2014, revealed that the list of targets available in the configuration files of the malware included a total of 1,994 domains, about 95% of them belonging to entities in the financial sector, from banks to credit unions.

However, it appears that cybercriminals also have an interest in entities that process high-value transactions or platforms shared by banks and payroll systems.

In a list compiled from the gathered information, the researchers place a US bank as the top target, as its domains have been found in almost 95% of the configuration files.

Names are not provided in the report, but the security company says that they are available to financial organizations on request.

Number of targets varies depending on who controls the Trojan

Banking Trojans have different targets, which vary both from one family to another and across related samples.

It has been observed that custom-made threats are more focused and aim at a smaller number of banks; the explanation for this is that access to them is limited to a smaller number of attackers who enforce tight control.

For instance, Mebroot included close to 1,200 targets in its configuration file, while other threats that were not initially shared with the cybercriminal community (Cridex, Bebloh, Shylock, Dyranges, and Carberp) sprang into action for fewer than 100 banks.

“The targets can change over time as attackers move to focus on different countries or banks if they see their campaigns’ efficiency rate dropping or fear a law enforcement operation’s scrutiny,” Symantec’s report says.

In the case of Snifula, a Trojan that recorded increased activity in Japan in mid-2014, only eight organizations were targeted at the beginning; then the list grew to 37, most of the entries referring to regional banks, suggesting that the cybercriminals sought victims other than customers of big banks.

According to Symantec, in 2014 banking malware managed to compromise about 4.1 million users’ systems. The conclusion of the researchers is that crooks will continue to become more organized and set up professional operations in order to maximize the financial return.

Banking Trojan targets (3 images): Top targeted countries; Targeting percentage for financial institutions; Number of institutions targeted by Trojans