Online banking offers a convenient way to carry out bank transactions without having to physically go to a branch. Online banking platforms have made it so easy that even customers who long preferred paper-based banking have embraced this way of managing money.
However, online banking is not without risks. As much as it offers ease and convenience, online banking platforms have given fraudsters and cybercriminals many new avenues to steal from unsuspecting users. Cybercriminals have also taken things a step further with banking malware, specifically banking Trojans, which are reaching new and alarming levels of sophistication. Attackers continuously develop new variations and release them in the wild to thwart detection by the security solutions on users' devices.
Over the last few years, cybercriminals have improved their tools and expanded their targets in terms of scale and reach. To carry out a banking theft operation, cybercriminals need specific malware or kits that can help them get to their target. Here's a list of some of the most notable banking Trojans attackers have used and are still using:
ZBOT (a.k.a. Zeus)
In 2011, ZBOT's source code was leaked on a file-sharing site and quickly spread across underground forums. The boom that followed made ZBOT the modular template for many of the online banking Trojans that came after it. In the years after ZBOT's advent, many cybercriminals reused its code to build variants or other malware families with similar capabilities. ZBOT variants have been known to display behavior that might seem "out of character", such as teaming up with file infectors, while some variants were designed to generate income through a pay-per-click model.
Some ZBOT variants have adjusted their behavior to evade detection, including the use of random headers and different file extensions as well as changes to their encryption. ZBOT also improved the way it connects to its C&C servers and was seen using Tor and peer-to-peer networks.
GOZI
The GOZI banking Trojan is spyware that monitors traffic. With its screen capture and keylogging functions, it can obtain login credentials stored in browsers and mail applications. GOZI uses a rootkit component to hide related processes, files, and registry information.
In September 2015, Latvian national Deniss Calovskis pleaded guilty in a US federal court to creating and distributing the online banking Trojan GOZI. Extradited from his home country to the US back in February 2015, Calovskis faces more than 60 years in prison for his crimes, but pleading guilty may drastically shorten that to 10 years and a hefty fine.
CARBERP
CARBERP is an online banking Trojan that was first seen in 2009. It is designed to steal user credentials by hooking network APIs in WININET.DLL and monitoring the user's browsing behavior. CARBERP logs keystrokes, spoofs websites, and deliberately drops a copy of itself in locations that do not require administrator privileges. It is characterized as plugin-dependent malware, since it relies on downloaded or embedded modules to complete its routines.
In 2012, 8 individuals involved in CARBERP's operations were arrested by Russia's Ministry of Affairs. However, the following year it made a comeback with improved, costlier versions and mobile app variants available in the wild. It downloads new plugins to complement its information-stealing routines, which let an attacker remotely access an infected system and monitor its use of Internet banking systems.
SPYEYE
SPYEYE is notorious for stealing user information related to banking and finance websites. Its variants may be downloaded unknowingly by users when visiting malicious sites, and may also arrive through spam.
SPYEYE has rootkit capabilities that allow it to hide processes and files from users. Like other Trojans, it uses its keylogging functions to steal information. It connects to various sites to send and receive details. In 2011, a cybercriminal in Russia used SPYEYE to steal more than US$3.2 million from various organizations in the United States.
In 2014, the U.S. Department of Justice announced that the creator of SPYEYE, Aleksandr Andreevich Panin (aka Gribodemon or Harderman), had pleaded guilty to charges related to the creation and distribution of SPYEYE.
SHYLOCK
SHYLOCK is spyware that attempts to replace the contact numbers of certain banks with rogue numbers controlled by attackers, leading infected users to divulge banking and personal information to the attackers. Users can get infected by visiting malicious sites. SHYLOCK steals sensitive online banking information, such as user names and passwords. In 2014, the National Crime Agency announced the takedown of SHYLOCK command and control (C&C) servers.
CITADEL
CITADEL is a banking Trojan that was first seen in 2010. The CITADEL toolkit allows attackers to customize the Trojan according to their needs and C&C infrastructure. In 2013, CITADEL made a comeback and targeted users in Japan, as well as webmail services such as Gmail, Yahoo!, Japan mail, and Hotmail. These variants are well known for stealing users' online banking credentials, directly leading to theft.
TINBA
The name TINBA was derived from the combination of the words "Tiny" and "Banker". Users get infected via the Blackhole exploit kit, and the campaigns are aimed primarily at users in Turkey. Using web injects, it steals user login information from websites. TINBA has also been linked to other activities such as money mules, pornographic sites, shady Web hosting, and other information-stealing malware.
KINS
KINS, peddled in the underground as a "professional-grade banking Trojan", is essentially identical to ZBOT in terms of functionality. It downloads a configuration file that holds a list of targeted banks, drop zone sites, and webinject files. KINS steals online banking information such as user credentials by injecting specific code into the user's browser in real time when certain URLs are visited. KINS then shows legitimate-looking popups that ask for banking credentials and other information such as social security numbers.
VAWTRAK
First spotted in August 2013, VAWTRAK arrived as a ZIP file attachment in social engineering scams, particularly spam emails disguised as package delivery notifications. It stole information stored in FTP clients, including login credentials. In May 2014, VAWTRAK was seen targeting users in Japan. This resurgence was followed by attacks on banking and financial institutions in the U.S. and Canada in 2015. The new variants seen at that time arrived on the user's system through spammed mails that used shipping information and airline ticket transaction emails as bait.
EMOTET
EMOTET is spyware that sniffs network packets to steal information. It arrives on users' systems via spammed emails and is aimed at online users in Germany. The malware arrives as an email attachment sent by grayware or by malicious users. It also arrives as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites. Once in the system, the malware downloads component files, including a configuration file that contains information on the targeted banks. In December 2014, EMOTET ceased activity, but it reappeared quickly in January 2015.
DYRE
DYRE caught the security industry's attention due to its capability to bypass SSL, a popular security measure for online banking websites. Like other online banking Trojans, it arrives on the user's system via spammed mails with malicious attachments, with the spammed email tailored to look like a legitimate bank notification, usually with a PDF file attached. Once the malware is installed on the system, it can monitor and take screenshots of browser activity, perform man-in-the-middle attacks via browser injections, steal personal security certificates, steal online banking credentials, and track the victim's location through STUN (Session Traversal Utilities for NAT).
DRIDEX
First spotted in November 2014, DRIDEX is online banking malware that steals personal information and banking credentials through HTML injections. Designed to target customers of financial and banking institutions, DRIDEX variants arrive on users' systems via spammed emails that carry a malicious attachment: a Microsoft Word document containing malicious macro code. Once executed, the malware monitors online banking-related activity using configuration files that contain a list of banks based in Europe, Australia, the UK, and the US. It then performs information theft through form-grabbing, screenshots, and site injections. DRIDEX is an evolution of the CRIDEX malware, which is based on ZBOT.
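As an added example (not code from the original article), here is a Python mail-gateway triage check for the two delivery vehicles described above: the ZIP-wrapped attachments VAWTRAK used and the macro-carrying Word documents DRIDEX used. The function names and sample files are constructed for illustration; the macro check covers OOXML (.docx/.docm) files only, since legacy binary .doc files are OLE2 containers rather than ZIPs and need a different parser.

```python
import io
import zipfile

# File extensions that should never arrive as plain e-mail attachments.
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".cmd", ".bat")

def office_has_macro(data: bytes) -> bool:
    """True if an OOXML document (docx/docm/xlsm/...) carries a VBA project part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # legacy OLE2 .doc files are not ZIPs; out of scope here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons an attachment merits a closer look (empty list = none)."""
    reasons = []
    lower = filename.lower()
    if lower.endswith(EXECUTABLE_EXTS):
        reasons.append(f"executable attachment: {filename}")
    if office_has_macro(data):
        reasons.append(f"Office document with VBA macro: {filename}")
    # Look inside ZIP wrappers (the delivery form VAWTRAK used), bounded in depth.
    if lower.endswith(".zip") and depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                for r in triage_attachment(info.filename, zf.read(info), depth + 1):
                    reasons.append(f"inside {filename}: {r}")
    return reasons

# Constructed samples (no real malware): minimal OOXML containers and a ZIP wrapper.
def make_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("invoice.docx", make_ooxml(False)),
                       ("invoice.docm", make_ooxml(True)),
                       ("delivery.zip", make_zip({"label.exe": b"MZ", "note.txt": b"hi"}))]:
        print(name, triage_attachment(name, blob) or ["nothing flagged"])
```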
Cybercriminals use various methods and techniques to steal information. From traditional social engineering tricks like phishing to sophisticated automation techniques, here are the most common techniques cybercriminals use:
The Underground: What’s for sale?
Recent years have seen many changes in how toolkits and exploits are used. The Blackhole Exploit Kit, for example, is not handed over to the buyer; instead, its authors install it on a server and use ionCube to encode the PHP files so that their creation cannot be copied. Nowadays, it is quite rare to be able to buy a kit with a good infection rate, unless you settle for an older version. In Latin America, cybercriminals no longer use hijacked servers to host C&C servers, spam tools, and other malicious activities; instead, they use their "own" datacenters around the world. Furthermore, to stay off Google's indexing radar, they do not register any hostname or domain for these servers and use only IP addresses.
In 2013, a computer science college student whose underground name was Filho de Hakcer (Portuguese for hacker's son, but misspelled), now known as Lordfenix, started creating online banking Trojans. He has since continued to develop and sell banking Trojans, racking up more than 100 different banking Trojans that cost roughly US$320. Lordfenix is the latest in a string of young, solo cybercriminals creating online banking malware today.
In June 2014, the FBI announced that an international effort had disrupted the peer-to-peer (P2P) variant of ZBOT known as "Gameover", a variant well known for its resilience to takedowns. Based on Trend Micro's investigation, Gameover was not sold to individuals but was instead privately operated. This means only one Gameover botnet was running, compared with the multiple botnets that power other ZBOT variants.
What can users do?