Symantec: Financial Trojans Declined By 73% In 2015

Symantec detected far fewer financial Trojans in 2015 and saw cybercriminals focus more of their efforts directly on financial institutions.

Symantec detected 73 percent fewer financial Trojans last year, and a surge in targeted malware incidents. 

The drop in financial Trojan infections in 2015 came amid a 232% increase since 2014 in the number of malware families, which between them targeted some 93 organizations, according to Symantec's newly published Financial Threat 2015 report.

Candid Wueest, principal threat researcher with Symantec’s security response team, warns that the drop in detections does not mean financial Trojans will soon be a thing of the past, however.

“Unfortunately, that’s one of the most misleading [findings] because you can think the problem is going away,” he says. Detections of financial Trojan infections have continued to decrease this year, but Wueest says that may be because attackers are getting better at infiltrating the right targets, the ones that yield the most success in defrauding accounts.

Another significant finding from the research, says Wueest, is a shift in where attackers strike: more cybercriminals are directly targeting the financial institutions themselves rather than the banks' customers. The recent attack on Bangladesh’s central bank that resulted in the loss of $80 million is one example of that trend, according to Wueest.

The average number of targeted URL patterns per sample found by Symantec was 283 in 2015, an increase of 405% -- meaning that every financial institution could be a target, Wueest says. 

The decrease in detected financial Trojans could also be attributed to better overall detection capabilities of security software, Wueest says. “We would block it before we would even know there would be a financial Trojan download,” he says.

Recent takedowns by the FBI and the European Cybercrime Task Force may also have contributed to the decline in the number of financial Trojans detected, including the shutdown of a few Dridex networks in October and a Dyre group takedown in Russia in November.

But Kurt Baumgartner, principal security researcher at Kaspersky Lab, says his firm saw an increase in financial Trojan infections in 2015 and is also seeing that trend continue in 2016.

“According to our data, more folks around the globe are getting duped into attempting to run financial Trojans on their systems. This statistic seems to be the most significant, because it tells us that crooks are getting smarter about how they are getting financial Trojans in front of people," Baumgartner says.

Ransomware is on the rise, as is the number of ransomware families being developed. “In addition, the sheer volume of ransomware being deployed increased, whether it was through spam, compromised servers, or malvertising,” Baumgartner says. 

Symantec's Wueest also notes that an increase in ransomware could have influenced the drop in the number of financial Trojans detected. “The group behind Dridex ... they actually started to send out ransomware instead of the financial Trojan and we suspect that there might be one or two other groups that started to do this as well,” he says, adding that this is not a new phenomenon. 

The tactics of cybercriminals using financial Trojans haven't evolved much in the last couple of years, he says. “They’re still mostly using man-in-the-browser attacks" as well as business email compromise (BEC) attacks, he says.

While financial institutions are getting better at detecting fraudulent transactions and law enforcement is working together with the security industry to go after cybercriminals, at the end of the day, Wueest says, it’s important to remember that the tactics cybercriminals use to get Trojans onto financial systems are not rocket science.

“It’s still that a lot of people are naïve, maybe even gullible, and should probably be more vigilant when they do transactions online,” Wueest says. 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...