According to Kaspersky Lab, Zbot remained the most popular desktop banking trojan family in 2016, while mobile banking trojans Asacub and Svpeng caused headaches for many Android users last year.
According to Kaspersky Lab, Zbot remained the most popular desktop banking trojan family in 2016, while mobile banking trojans Asacub and Svpeng caused headaches for many Android users last year.

The number of cyberattacks targeting financial institutions and their customers soared to new heights in 2016, according to Kaspersky Lab, which observed nearly 1.09 million banking trojan attacks on users in 2016 – a roughly 30.6 percent jump over the previous year.

Meanwhile, of the nearly 155 million phishing attacks detected on Windows machines by Kaspersky in 2016, about 47.5 percent impersonated banks, payment service providers (e.g. PayPal and Visa) or e-shops (e.g. Amazon and eBay), compared to roughly 34.3 percent in 2015. "At the moment this is the highest percentage of financial phishing ever registered by Kaspersky Lab," the company noted in its “Financial Cyberthreats in 2016” report, issued Wednesday.

In another first, Kaspersky found that phishing pages impersonated legitimate banking services more often than any other online service offering, including global web portals and social networks. Phishers imitated banking sites about 25.8 percent of the time, compared to approximately 17.4 percent of the time in 2015. Phishing attacks in 2016 that imitated e-shops and payment services also surpassed their respective 2015 shares.

Amazon was the most commonly impersonated brand in Windows-based financial phishing scams, while Apple was the most frequently mimicked brand in Mac-based scams.

The findings complemented a separate, fourth-quarter Phishing Activity Trends Report published Thursday by the Anti-Phishing Working Group (APWG), which identified more phishing attacks in 2016 than in any year since it began monitoring the practice in 2004. The APWG observed a 65 percent increase in phishing incidents in 2016, with phishing activity in the fourth quarter higher than during any period in 2015.

Banking Malware Makes a Comeback

After noting a significant decline in desktop malware attacks targeting financial data in 2014 and 2015, Kaspersky observed a major turnaround in 2016, as financial attackers executed a quarter-million more banking trojan attacks than they had launched the year before.

According to the report, this increase means that “although professional cybercriminal groups shifted a lot of their attention to targeted attacks against large companies, including banks and other financial organizations, smaller groups of criminals are continuing to target victims with the help of relatively widespread malware, which is available on the open web.”

In fact, while the number of attacked individual users and corporate users both increased, individuals actually comprised an even larger share of total attacks in 2016 (about 82.8 percent) than they did in 2015 (about 78.5 percent). Corporations were attacked about 17.2 percent of the time in 2016, compared to roughly 21.5 percent of the time in 2015.

The Zbot banking trojan family remained most popular among cybercriminals in 2016 – used in 44.1 percent of banking malware attacks observed by Kaspersky, compared to about 58.2 percent of attacks in 2015. The Gozi trojan, used in approximately 17.2 percent of these attacks, ate into Zbot's share, while use of Tinba fell markedly, from 20.7 percent of attacks in 2015 to only about 3.5 percent in 2016.

More than half of the users targeted in desktop banking malware attacks during 2016 were based in 10 countries, including Russia (19.8 percent) and Germany (14.9 percent). U.S. users saw the sixth most attacks of this nature, as the country's overall share of such attacks shrank from about 4.2 percent in 2015 to roughly 3.3 percent last year.

Kaspersky noted a dramatic 430 percent year-over-year increase in Android banking malware incidents, after more than 305,000 users were attacked in 2016. While only 3,967 users were attacked in January, incidents quickly skyrocketed, peaking in October with nearly 75,000 attacks before falling off sharply.

Kaspersky attributed the sudden spike to a pair of key developments in the mobile malware world: attackers began distributing the malware Asacub via SMS, while other bad actors started to distribute the Svpeng trojan through the Google AdSense advertising network.

Researchers from Kaspersky were unavailable for comment.