Symantec: Financial Trojans Declined By 73% In 2015

Symantec detected far fewer financial Trojans in 2015 and saw cybercriminals focus more of their efforts directly on financial institutions.

Emily Johnson, Digital Content Editor, InformationWeek

March 31, 2016

3 Min Read

Symantec detected 73 percent fewer financial Trojans last year, and a surge in targeted malware incidents. 

The drop in financial Trojan infections in 2015 came amid a 232% increase since 2014 in malware families targeting some 93 organizations, according to Symantec's newly published Financial Threat 2015 report.   

Candid Wueest, principal threat researcher with Symantec’s security response team, warns that the drop in detections does not mean financial Trojans will soon be a thing of the past, however.

“Unfortunately, that’s one of the most misleading [findings] because you can think the problem is going away,” he says. Detections of financial Trojan infections still continue to decrease this year, but Wueest says it’s may be because attackers are getting better at infiltrating the right targets that yield the most success in defrauding accounts.   

Another significant finding from the research, says Wueest, is a shift in where attackers strike: More cybercriminals are directly targeting the financial institutions themselves rather than their bank customers. The recent attack on Bangladesh’s central bank that resulted in the loss of $80 million, is one example of that trend, according to Wueest.

The average number of targeted URL patterns per sample found by Symantec was 283 in 2015, an increase of 405% -- meaning that every financial institution could be a target, Wueest says. 

The decrease in detected financial Trojans could also be attributed to better overall detection capabilities of security software, Wueest says. “We would block it before we would even know there would be a financial Trojan download,” he says.

Recent takedowns by the FBI and the European Cybercrime Task Force also may have affected the decline in the number of financial Trojans detected -- including the shutdown of a few Dridex networks in October and a Dyre group takedown in November in Russia. 

But Kurt Baumgartner, principal security researcher at Kaspersky Lab, says his firm saw an increase in financial Trojan infections in 2015 and is also seeing that trend continue in 2016.

“According to our data, more folks around the globe are getting duped into attempting to run financial Trojans on their systems. This statistic seems to be the most significant, because it tells us that crooks are getting smarter about how they are getting financial Trojans in front of people," Baumgartner says.

Ransomware is on the rise, as is the number of ransomware families being developed. “In addition, the sheer volume of ransomware being deployed increased, whether it was through spam, compromised servers, or malvertising,” Baumgartner says. 

Symantec's Wueest also notes that an increase in ransomware could have influenced the drop in the number of financial Trojans detected. “The group behind Dridex ... they actually started to send out ransomware instead of the financial Trojan and we suspect that there might be one or two other groups that started to do this as well,” he says, adding that this is not a new phenomenon. 

The tactics of cybercriminals using financial Trojans haven't evolved much in the last couple of years, he says. “They’re still mostly using man-in-the-browser attacks" as well as business email compromise (BEC) attacks, he says.

While financial institutions are getting better at detecting fraudulent transactions and law enforcement is working together with the security industry to go after cybercriminals, at the end of the day, Wueest says, it’s important to remember that the tactics cybercriminals use to get Trojans onto financial systems are not rocket science.

“It’s still that a lot of people are naïve, maybe even gullible, and should probably be more vigilant when they do transactions online,” Wueest says. 

Related Content:

About the Author(s)

Emily Johnson

Digital Content Editor, InformationWeek

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content and marketing roles supporting the UBM America's IT events portfolio. Emily earned her BA in English and a minor in music from the University of California, Berkeley. Follow her on Twitter @gold_em.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights