Little Trojan provides big insights into future Financial Institution malware attacks

Mon, 07 Jan 2013 – Paul Murray, SVP Product Management

A report was recently released about the banking Trojan Stabuniq. Stabuniq is not well known, and its authors would like it to stay that way. It targets financial institutions (FIs) and functions as a data theft engine in financial institution malware attacks. Approximately 40 percent of all infections detected were inside FIs, which points to a highly successful targeting campaign involving whale phishing (the selective targeting of high-value victims within an organization) and watering hole attacks (compromising websites that staff of the target organization visit frequently, in the hope of infecting them). Research has validated that both techniques are being used.

The Stabuniq findings validate what we have seen elsewhere: FIs are once again a primary malware target, for the first time in five years. Back in 2005-07, we witnessed multiple hacking attacks on FIs. The sector responded robustly and successful attacks became uncommon. Then in 2007, with the rise of the Zeus malware, fraudsters decided to go after the weaker link: bank customers. As Zeus grew in complexity and became able to steal multi-factor credentials, and indeed all credentials present on end devices, fraudsters found their cash cow. Zeus and its competitor SpyEye have stolen several hundred million dollars to date.

FIs have been forced to address the problem by recent court decisions and are implementing solutions that shut Zeus down. Wontok SafeCentral is a key technology leveraged by FIs to successfully disable Zeus.

The fraudsters decided to fight back. Zeus and SpyEye, and lesser-known trojans such as Stabuniq, are now focusing on infecting FIs rather than their customers. In 2012, an increasing number of Zeus infections was found within FI perimeters. These infections focus on stealing credentials, mapping internal networks, compromising email, accessing development servers and obtaining information on network defenses. These attacks will continue and escalate. Some of them have resulted in criminal gangs accessing wire and ACH control software and sending customer money directly out of the bank to their waiting money mules. Although these sensitive systems are protected by multi-factor authentication (MFA), MFA is easily overcome by Zeus, which operates on the already-authenticated workstation. Compromised information will likely also be leveraged by nation states for attacks on FIs, such as Operation Ababil, currently devastating U.S. banks.

FIs need to protect themselves, their customers and their brand. Wontok has seen very low detection rates from certain antimalware vendors for advanced financial malware. This is why we created SafeCentral, with TSX hooks deep inside the operating system, to ensure true protection, both for enterprises such as FIs and their customers.