Financial Attacks Grow by 16% in Q2 2016 as Malware Creators Join Forces

Financial malware is evolving through collaboration between malware creators, according to the results of Kaspersky Lab’s IT threat evolution Report for Q2. During the quarter Kaspersky Lab products blocked 1,132,031 financial malware attacks on users, a rise of 15.6% compared to the previous quarter. One of the reasons for the rise is the collaboration between the authors of two leading banking Trojans: Gozi Trojan and Nymaim Trojan, pushing both into the top 10 ranking of financial malware.

Banking Trojans remain the most dangerous online threats. This malware is often propagated via compromised or fraudulent websites and spam emails and, after infecting users, mimics an official online banking page in an attempt to steal users’ personal information, such as bank account details, passwords, or payment card details.

According to the Kaspersky Lab statistics for the quarter, Turkey became the country most attacked by this type of malware: 3.45% of Kaspersky Lab product users in the country encountered such an online threat during the quarter. Russia was in second place, the target of 2.9% of online threats, followed by Brazil with 2.6%.  The Olympic Games are likely to push Brazil up the attack list in Q3.

The main culprits were the Gozi and Nymaim banking Trojans, with the authors of both joining forces. The Nymaim Trojan was initially designed as ransomware, blocking access to users’ valuable data and then demanding a ransom to unblock it. However, the latest version includes banking Trojan functionality from Gozi source code that provides attackers with remote access to victims’ PCs. Additional, and apparently also joint, efforts have been put into the distribution of this malware, and this cooperation pushed both into the top 10 financial malware rating. Gozi took second place with 3.8% of users whose security software triggered a financial malware detection, while Nymaim took sixth place with 1.9%. The list of financial malware continues to be led by Zbot. 15.17% of those hit by financial malware were attacked with this Trojan.

“Financial malware is still active and developing rapidly. New banking Trojans have significantly extended their functionality by adding new modules, such as ransomware. If criminals do not succeed in stealing users’ personal data, they will encrypt it and demand a ransom. Yet another example is the Neurevt Trojan family. This malware was used not only to steal data in online banking systems, but also to send out spam. We at Kaspersky Lab are responding to this situation by expanding and sharpening the way we detect and classify financial malware – so that we can block it even faster,” notes Denis Makrushin, Security expert at Kaspersky Lab.

1 comment

  1. We are primarily interested in protecting our Web server which is connected to the Internet. We have found a way of isolating the internal network from the external network by air gapping it at the LAN / MAN / WAN levels.

    The exchange of publishable information / data and mail between the internal and external network is through an STS system operating at the central location of the organisation (Data Centre), and the transfer takes place through a relay server (IS), ensuring there is no direct connection between the internal and external network. This is done automatically without any manual intervention.

    In all other locations there is total isolation between the INTRANET and Internet LANs.

    What we would like to know is how long does it take for Kaspersky Lab products to detect and eliminate any mail carrying the malware Trojans enumerated in the article. This information would help us to ensure that such mail does not get from the Internet Mail Gateway (IMG) in the Web server connected to the Internet, to the Company Mail Server (CMS) connected to the air-gapped INTRANET LAN, via the relay server IS. We would also have backup anti-malware software installed in the IS so that any mail which slips past the anti-malware software in the Web server gets trapped by this backup anti-malware software in the IS.

    We look forward to an urgent response from Kaspersky Labs to our query.