Cybercriminal gangs attacking banks and financial institutions will up their game in 2016 with researchers at Dell SecureWorks Counter Threat Unit (CTU) expecting more countries to be hit and the thugs to expand their efforts to compromising mobile devices and spreading ransomware.
Pallav Khandhar, senior CTU security researcher, said in CTU's new report Banking Botnets: The Battle Continues that in 2016 attacks will expand beyond the 1,500 financial institutions located in 100 countries that were hit in 2015 and despite the progress that was made against a few criminal organizations last year the fight will continue. In 2014 about 1,350 banks in 35 countries were victimized, Khandhar said.
Going forward not only will major corporations continue to be in the crosshairs, but small and medium size banks that do not have the resources to properly defend themselves will become favored targets.
“The gangs are definitely not giving up. This is their business and they are expanding their horizons,” Khandhar said.
Some additional changes that can be expected this year is an increased focus on attacking through mobile devices, which became a new attack vector for the gangs starting in mid 2015. Here the criminals try to convince a consumer that they are merely updating their banking app when in fact they are being hit with an attack. Khandhar also sees gangs doubling down on their efforts by injecting ransomware into systems along with the trojan. This way they can not only steal money, but then blackmail the company, as well.
The report indicated that banks in the United States and the U.K. were the top targets in 2015 with the U.S. being targeted 80 percent, or 471 times, by banking trojans with the U.K. suffering 309 attacks. Dridex (Bugat), IceIX, Zeus and KINS were the top trojans used. However, the report noted cloud service providers, app stores, online tech stores, and organizations in the shipping, warehousing, e-commerce, and marketing industries are also in line to be hit with trojans.
Prevalence of banking botnets in 2015 based on samples analyzed by CTU researchers. (Source: Dell SecureWorks)
Khandhar and the Dell team also noticed a few changes in the tools being used by the gangs. Instead of using purchased third party phishing, spamming and exploit kit software the bad guys are often opting to use malware developed in house. This is partly due to the gang's increased financial resources enabling to develop their own cyber weapons. The other factor in play is so many botnet attacks are using off-the-shelf software that they have become easier to spot by the targets.
On the flip side much remained the same in 2015. Phishing scams using malicious attachments or URLs that then delivered an exploit kit, usually Nuclear or Angler, remained the primary method used to enter a bank's network.