Financial malware more than twice as prevalent as ransomware

Technology News

Although crypto ransomware is becoming a common choice for cyber criminals, there is still a significant amount of malware targeting financial organisations and their customers, Symantec has warned.

In 2016, several such institutions lost millions to cyber criminals and to nation state-backed attackers such as the Lazarus group, Symantec's research found.

Attacks against financial institutions are on the rise, with a handful of sophisticated cyber crime groups emerging last year that go after the institutions themselves rather than their customers.

Researchers found that 38% of all financial threat detections were against corporations rather than consumers. Even though such attacks are harder to carry out and take longer to prepare, they yield a much higher profit, the report said.

Although there was a 36% fall in detection numbers for financial malware in 2016 due to earlier detection in the attack chain, with more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware, the Symantec report said.

For example, the number of Ramnit (W32.Ramnit) detections was roughly the same as all ransomware detections combined.

“With all the attention ransomware is getting lately, it is easy to overlook other threats, such as those that target the financial sector and its customers,” said Symantec threat researcher Candid Wueest. “However, these types of threats are a serious and costly problem for both businesses and consumers.

“Financial threats are still profitable and therefore continue to be popular among cyber criminals. From financial Trojans that attack online banking, to attacks against ATMs, point of sale [PoS] machines and fraudulent interbank transactions, there are many different attack vectors utilised by criminals,” he wrote in a blog post.

The financial Trojan threat landscape is dominated by three malware families – Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86% of all financial Trojan attack activity in 2016.

Arrests, takedowns and regrouping caused considerable fluctuation over the past year, the report said, but many new variants of these families appeared or reappeared, each filling a specific niche. The attackers mainly rely on scam email campaigns with little variation and simple attachments.

Ranked by the location of the institutions targeted, financial institutions in the US were targeted the most, followed by Poland and Japan, with the UK ranked 8th.

Ranked by where infections are detected, Japan is the country with the most financial malware infections. It saw a spike in 2016, accounting for 37% of global detections, up from 3% in 2015. By contrast, the US accounted for just 6% of global detections.

The UK and Germany were among the top 10 countries targeted globally by financial Trojans. Symantec also saw a big increase in financial Trojan detections across Asia, with Japan, China and India notably appearing in the top 10 list, which researchers said shows the attackers are expanding to new markets that are less saturated and less protected.

Symantec also reported a trend of financial malware attempting to hide its configuration files from researchers, as well as a shift to redirection attacks and, where interesting financial software is found on an infected machine, attackers logging in manually to issue large transactions.

High-profile victims

Cyber crime hit the big time in 2016, with high-profile victims and bigger-than-ever financial rewards. The Lazarus attacks that took place last year also marked the first strong indications of state involvement in financial cyber crime, the report said.

Ramnit was the most active financial Trojan in 2016, responsible for 38% of activity, followed by Bebloh (25%) and Zeus (23%).

Malware authors are obfuscating the lists of attacked bank URLs in their configurations, making it impossible to extract exact statistics for all threat families, the report said. Redirection attacks to fake sites also increased, as did the use of free, self-service, valid SSL certificates on malicious sites, which gives a fraudulent page the same browser padlock as the genuine one.

Other trends include mobile banking malware that targets at least 170 apps to steal credentials, and financial malware that blends in with more common attacks to avoid standing out.

“As long as it remains profitable, we expect financial threats to continue being a problem for banking customers in the future, but attackers are also likely to increase their focus on corporate finance departments,” said Wueest.

“As IT protection measures improve, we expect attackers to increase their reliance on social engineering. Cyber criminals behind financial threats will also start focusing on other geographical locations, which may not be as well protected from financial threats as current targeted regions.”

Wueest said businesses and consumers can minimise the chance of infection by adopting a multilayered security approach.

He also recommended that businesses and consumers:

  • Exercise caution when conducting online banking sessions if the behaviour or appearance of the bank’s website changes.
  • Notify the financial institution of any strange behaviour while using its service.
  • Exercise caution when receiving unsolicited, unexpected or suspicious emails.
  • Keep security software and operating systems up to date.
  • Enable advanced account security features, such as two-factor authentication (2FA) and login notification.
  • Use strong passwords for all accounts.
  • Always log out of your session when done.
  • Monitor bank statements regularly.
  • Be wary of Microsoft Office attachments that prompt users to enable macros.
  • Establish enhanced authorisation business processes for transactions to avoid falling for business email compromise (BEC) scams.
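The macro warning in the list above is the one item a mail gateway can enforce mechanically rather than leaving to the recipient. As an added example that is not from the article or from Symantec's report, the following Python checks an attachment's bytes, not its file name, for the Office containers that can carry VBA: an Open XML package (.docm, .xlsm, .pptm) that includes a vbaProject.bin part or declares the vbaProject content type, or a legacy OLE2 binary file (.doc, .xls, .ppt), which is flagged for deeper inspection because its VBA lives in an OLE stream this check does not parse. The sample attachments, their names and the `screen_attachments` helper are constructed for the example.

```python
"""Content-based check for macro-bearing Office attachments.

Added example, not from the Symantec report or this article. It inspects an
attachment's bytes rather than its file name, because the name and extension
are chosen by the sender. Sample attachments are constructed in memory below.
"""
import io
import zipfile

# Magic bytes of the legacy binary Office container (OLE2 / Compound File).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type an OOXML package declares for its embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Classify one attachment by content.

    Returns:
      'macro'          OOXML package (.docm/.xlsm/.pptm) carrying a VBA project
      'legacy-binary'  OLE2 file (.doc/.xls/.ppt); may carry VBA, needs review
      'clean'          OOXML package with no VBA project part
      'unknown'        not an Office container
    """
    if data.startswith(OLE2_MAGIC):
        # The old binary formats keep VBA in an OLE stream; parsing that is
        # out of scope here, so hand them to deeper inspection (e.g. oletools).
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "unknown"  # a zip, but not an Open XML package
            # Two independent signals; either one is enough to flag the file.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            declares_vba = VBA_CONTENT_TYPE in types_xml
            return "macro" if (has_vba_part or declares_vba) else "clean"
    except zipfile.BadZipFile:
        return "unknown"


def screen_attachments(attachments: dict) -> list:
    """Return the names of attachments a mail gateway should hold for review."""
    return [name for name, data in attachments.items()
            if classify_attachment(data) in ("macro", "legacy-binary")]


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word package, optionally with a VBA project part."""
    overrides = ('<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.'
                 'wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" ContentType="'
                      + VBA_CONTENT_TYPE + '"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://'
                     'schemas.openxmlformats.org/package/2006/content-types">'
                     + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder body
    return buf.getvalue()


# Constructed sample mailbox (hypothetical names); only the content decides.
SAMPLE_ATTACHMENTS = {
    "invoice_2016.docm": build_ooxml(with_macro=True),
    "statement.docx": build_ooxml(with_macro=False),
    "remittance.doc": OLE2_MAGIC + b"\x00" * 504,   # legacy binary container
    "readme.txt": b"Please see attached.",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name:20} {classify_attachment(data)}")
    print("hold for review:", screen_attachments(SAMPLE_ATTACHMENTS))
```

Holding rather than blocking is deliberate: legitimate macro-enabled workbooks do circulate in finance departments, so the gateway verdict should feed a review queue (or a sandbox detonation) instead of silently dropping mail, and a "legacy-binary" result is a prompt to run a real OLE parser, not a verdict on its own.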