Financial malware gets smarter

Malware aimed at finance houses is becoming increasingly spohisticated

An analysis into the use of financial malware has shown that despite a fall in the number of new attacks detected, criminals are still managing to beat security measures designed to stop fraud.

The study found that while discoveries of malware aimed at banks and other financial groups appears to be decreasing, this does not indicate a reduced threat. Rather the threats are increasing as malware writers are getting smarter.

“Financial institutions around the world are seeing increasing losses from cybercrime,” wrote Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab.

“Investing in better security costs a lot of money. However, this is a choice that banks clearly have to make.”

Attack vectors have changed significantly in the last year, according to Kaspersky, with far less reliance on easily blocked spam containing malware to attack code being embedded in web pages.

This is in line with other software attacks, but what differentiated the malware for finance houses is its sophistication. Traditional keylogging software is now being replaced by Trojans, that can download ever more complex spying tools.

For example, two-factor authentication for online banking, which uses a hardware token in addition to a secret password, is increasingly ineffective. This is because malware writers have perfected the tools to get around it by redirecting the user to a separate server to harvest the necessary access information in real time – the so called ‘man in the middle’ attack.

This defeats the two-factor process, but malware writers have taken the process a step further with a new ‘man in the endpoint’ attack. This eliminates the need for a separate server by conducting the entire attack on the user’s machine.

“There are several significant advantages to this approach,” Schouwenberg said.

“First, there is a direct connection with the financial organisation so there is no chance of a transaction being tagged simply because a user has logged on from an unknown IP address. Second, a man in the endpoint attack will have a better success rate than a man in the middle one if used against a system which employs complex defences.”

The situation is being aided by the increasing use of ‘money mules’, people who are recruited to act as recipients of stolen funds and pass them on in the form of e-gold or moneygram certificates to the fraudster in exchange for a 10 to 15 per cent cut.