Banking Trojans Take Backseat to Ransomware

The banking trojan — a type of malware used to steal credentials for bank accounts — has been a staple of cyberthieves for years. However, ransomware, which has proven both easy to use and highly successful, has started eroding its popularity.

In a typical banking trojan attack, a robber mounts a phishing campaign to entice a target to open an attachment containing the malware, or to click on a link that triggers its surreptitious delivery to the victim’s computer. Once the trojan is installed, the thief can leverage it to obtain banking credentials and make withdrawals from the mark’s account.

There recently has been a significant move to ransomware as the malware of choice for online thieves, noted Andy Feit, head of threat prevention product marketing at Check Point.

“What we’ve seen in the last three of four months is this major move by the hacker community to install ransomware on machines,” he told TechNewsWorld. “Ransomware is a big money maker right now. When something catches on, the hackers’ social networks get fired up, and everybody starts to move to it.”

More Benefits, Better Rewards

Banking malware requires massive adaptation from bank to bank, according to Check Point security researcher Gad Naveh. There is no generic attack weapon. That contrasts with ransomware, which cybercriminals can adapt easily without any special developer input. All that needs modification is the ransom note, which can be done — albeit crudely — with Google translate.

More importantly, with ransomware it’s easier for thieves to get their hands on a mark’s money than with a banking trojan.

Typically, cybercrooks transfer money siphoned from a bank account to a mule account for conversion into a cash equivalent, such as a Western Union transfer.

“Banking fraud systems can silently raise a red alert to catch the attacker trying to get the cash or just block the transfer,” Naveh explained. “The ability to trace movements of funds, or physical pick up, creates a real risk for the attacker.”

By comparison, victims make ransomware payoffs in bitcoin. External third parties can not interrupt transfers of the digital money.

“Bitcoin wallet shuffling allows the transaction to remain untraceable by the authorities, and changing bitcoin into money is as easy as going to an ATM,” noted Naveh.

“With all these advantages, it is easy to understand why ransomware is generating such a significant profit for its perpetrators,” he observed. “This trend is rising rapidly and we can expect it to grow even further.”

When Protection Becomes Infection

Security software is supposed to protect devices from malicious actors but sometimes, in its exuberance to protect a machine, a security application actually can make it more vulnerable to attack.

That situation occurs when a browser encounters an encrypted data path. With an unencrypted connection, security products can scan the data stream, and if they determine there’s nothing malicious in it, pass along the data. The security software can’t do that when the stream is encrypted, because it can’t make heads or tails of what’s in the stream.

To address that problem, security software typically breaks the connection and impersonates the website the browser is trying to contact.

“The way it does that often ends up making it so the browser no longer knows if the remote site is safe and trustworthy,” explained Lance Cottrell, chief scientist at Ntrepid.

That ordinarily would trigger a browser alert. To circumvent that, however, the security software installs a certificate the software can sign. The problem with that approach is that it leads the browser to accept all connections as valid, even when they may not be so.

Security software makers can avoid the problem, Cottrell noted.

“There are ways to design these systems so you don’t have to break SSL. You’re much better off building your scanning into the browser itself,” he told TechNewsWorld.

“Inside the browser, you can inspect the data and look at the data before it’s encrypted in the first place,” Cottrell explained, “so you don’t have to break the SSL security model.”

Cracking Down on Ad Fraud

Online advertising is cooking. Ad revenue jumped to US$27.5 billion during the first six months of 2015, a 19 percent increase compared with the first half of 2014,according to the Interactive Advertising Bureau.

Unfortunately, as ad revenues increase, so does ad fraud. This year, fraud is expected to cost Internet pitch people $7.2 billion, according to the Association of National Advertisers. That’s almost a billion dollars more than in 2015, when ad fraud was pegged at $6.3 billion.

In an attempt to make a dent in those losses, the Trustworthy Accountability Group last week launched an initiative to fight criminal activity in the digital advertising supply chain. Through the program, companies can be certified against fraud after they complete some rigorous antifraud requirements.

“There’s a lot of technologies that have come out to battle ad fraud, but there really hasn’t been a centralized standard of best practices,” said Sydney Goldman, marketing manager for Engage:BDR, one of the first companies in the industry to commit to the new certification program.

“With this program, people can say, ‘We’re following these rules that everyone else is following, and so what we’re doing is legitimate,'” she told TechNewsWorld. “This isn’t an immediate fix, but we’re hoping that in the next year or two it will drastically cut down fraud.”

Breach Diary

  • May 23. The Guardian reports 100 thieves stole $13 million in three hours from ATMs in Japan using credit cards forged from account information illegally obtained from Standard Bank Group in South Africa.
  • May 23. Card issuers begin notifying customers of Noodles & Company that their payment card is a risk due to data breach at restaurant chain.
  • May 23. Motherboard reports LinkedIn has reset the passwords of more than 100 million users who created accounts prior to 2012 and had not changed their passwords since then. A database containing LinkedIn credentials from a 2012 data breach has recently been posted for sale on the Internet by a hacker.
  • May 23. Symantec reports more than 2,500 Twitter accounts — including those of Azeem Banatwala, Chromeo, Cecil Shorts and David Carr — have been compromised to tweet links to websites specializing in adult dating and sex personals.
  • May 24. Home Depot reports $2 million in pre-tax expenses in first quarter tied to 2014 data breach.
  • May 24. Anti-Phishing Work Group reports phishing attacks during the first quarter highest since group began tracking and reporting on phishing in 2004. During the period, 289,371 unique phishing websites were identified by the group.
  • May 24. Betzalel Yochanan files class action lawsuit in federal district court in Atlanta against Equifax over data breach that compromised tax information of employees of Kroger supermrket chain.
  • May 24. Microsoft announces it will automatically block by its account holders the use of simple or common passwords and passwords exposed on data breach lists.
  • May 26. Reddit announces it has reset the passwords of 100,000 user accounts in response to an uptick in account hijackings and takeovers.
  • May 26. Bloomberg reports as many as 12 banks linked to Swift’s global payments network may have irregularities similar to those found in the theft of $81 million from the Bangladesh central bank in March.
  • May 27. Motherboard reports a hacker is selling more than 427 million passwords of MySpace users on the Internet for six Bitcoin, about $2,800.

Upcoming Security Events

  • June 6. Securing Federal Identity. Ronald Reagan Building, 1300 Pennsylvania Ave. NW, Washington, D.C. Registration: government employees, free; Smart Card Alliance members, $349; non-members, $399.
  • June 6-9. Cloud Identity Summit. New Orleans Marriott, 555 Canal St., New Orleans. Registration: $1,695.
  • June 8. Eight Months of EMV: Early Fraud Shifts and Trajectory. 9 a.m and 1 p.m. ET. Webinar by Iovation. Free with registration.
  • June 8. Ready Before the Smoke Clears: Understanding the Correlation between DDoS Attack and Data Breaches. 11 a.m. ET. Webinar by Arbor Networks and Frost and Sullivan. Free with registration.
  • June 8. B-Sides London. ILEC Conference Center, 47 Lillie Rd., London SW6 1UD, UK. Free.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 10. National Security & Social Media: The Power of Information and Knowledge. 8:30 a.m. to 1 p.m. ET. Renaissance Hall, Berkeley College, 44 Rifle Camp Rd., Woodland Park, N.J. Free with registration.
  • June 10. B-Sides Pittsburgh. Spirit Pittsburgh, 242 51st St., Pittsburgh. Free.
  • June 11-12. B-Sides Latin America. PUC-SP (Consolao), So Paulo. Free.
  • June 15. Federal Trade Commission’s Start With Security — Chicago. Northwestern Pritzker School of Law, 375 E. Chicago Ave. (corner of Lake Shore Drive), Chicago. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 16. Defending Oil & Gas Industrial Control System (ICS) Networks. 5 a.m. ET. Webinar by Arbor Networks and American Gas Association. Free with registration.
  • June 20. Center for New American Security Annual Conference. 9:30 a.m. to 5:30 p.m. J.W. Marriott, 1331 Pennsylvania Ave., Washington, D.C. Free with registration.
  • June 22. B-Sides Tel Aviv. Tel Aviv University, tel Aviv, Israel. Tickets: 20/40 NIS.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 25. B-Sides Athens. The Stanley Hotel, 1 Odisseos Str., Karaiskaki Square, Metaxourghio, 10436, Athens, Greece. Tickets: free, but attendance limited.
  • June 25. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Tickets: free, sold out; with T-shirt, $5.
  • June 27-29. Fourth annual Cyber Security for Oil & Gas. DoubleTree by Hilton, 6 Greenway Plaza East, Houston. Registration: main conference, $2,295; conference and workshops, $3,895; single workshop, $549.
  • June 27-July 1. Appsec Europe. Rome Marriott Park Hotel, Colonnello Tommaso Masala, 54 Rome, Italy. Registration: members, 599 euros; nonmember, 610 euros; student, 91.50 euros.
  • June 27-July 1. Hack in Paris. Maison de la Chimie, 28 Rue Saint-Dominique, 75007 Paris. Tickets: before April 5, 288 euros; student or unemployed, 72 euros. Before June 9, 384 euros; student or unemployed, 108 euros. After June 8, 460.80 euros.
  • June 28. AuthentiThings: The Pitfalls and Promises of Authentication in the IoT. 10 a.m. and 1 p.m. ET. Webinar by Iovation. Free with registration.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • July 30-Aug. 4. Black Hat USA. Mandalay Bay, Las Vegas, Nev. Registration: before July 23, $2295; before Aug. 5, $2,595.
  • Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

1 Comment

  • After reading this i realized that got mail for "asking to receive your prizes money send us your data with the full details so i can deposit the prize money in your bank account" they are doing some cheat.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels