Banking malware slowed in 2015 – but don't get too comfortable, Symantec warns

Australia is amongst the world's top ten countries affected by banking malware, according to a Symantec analysis that found that one Australian bank was targeted by nearly 55 percent of all banking trojans analysed during 2015.

The company's Financial Threats 2015 report analysed some 656 financially-targeted Trojans, which collectively sought to harvest access codes and other details from 547 banking institutions in 49 countries.

Malware authors' increasing interest in Australian banks was correlated with a strong showing in the leaderboard for the countries with the most computers compromised by banking Trojans last year. More than 20,000 Australian systems suffered attacks from such malware, ranking slightly behind France and just ahead of Russia in terms of absolute numbers of banking-related compromises.

Details of targeted institutions change rapidly, with installed Trojans maintaining a regularly updated list of URLs to watch for as users go about their online business; when target URLs are detected, Trojans launch man-in-the-browser or redirect attacks to capture banking details that can be sold on the black market for four- and five-digit price tags.

Some banking malware is highly geographically targeted – for example, the Infostealer.Shifu Trojan that targeted just 16 institutions, primarily in Japan – while others relied on a scattershot approach. For example, Dridex – which grew by 107 percent last year and targeted 315 different institutions – was well ahead of the average of 93 institutions targeted by such malware (in a curious twist, Dridex was itself hacked in February to distribute antivirus software instead of its malware payload).

Bank Australia chief risk officer Patrick Ashkettle is among the many banking-security executives that have been watching Dridex and its ilk with concern.

“When I talk with the people in our network they are dealing with hundreds of alerts daily,” he told a recent FST Media conference on financial-services security. “The major threats we see are around people, customers, and employees. Despite the amount of literature and media attention [about malware], we continue to see customers being scammed, duped, and hacked.”

Yet intervention does seem to be having some effect: overall infections by banking malware showed a strongly downward trend throughout 2015, according to Symantec's latest figures. By the end of the year, fewer than 50,000 computers were compromised with banking Trojans – half the rate in April 2015 and one-quarter the rate a year earlier, in late 2014.

Yet this decline – which Symantec attributes to the Russian government's November takedown of the insidious Dyre Trojan – should not be taken as a sign that the Trojan banking threat had been contained, the analysis warns.

“While it is getting increasingly difficult for attackers to successfully steal money from financial institutions, it is still an extremely lucrative endeavour for cybercriminals,” the report's authors wrote, noting that successful efforts to block attacks further up the attack chain had masked visibility of Trojan payloads downstream.

Mobile attacks, in particular, had emerged as a favoured new attack vector by cybercriminals, with Kaspersky Labs recently noting that two mobile banking Trojans – Faketoken and Marcher – cracked the top-10 banking Trojans list. In 2015, Kaspersky Labs noted, its tools blocked more than 1.9m attempts to launch malware capable of stealing money via online banking – up 2.8 percent on the previous year.
