Banking Botnets Bounce Back Despite Takedowns

Banking botnets became more widespread, resilient and evasive in 2014, resisting takedowns and arrests to target over 1,400 financial institutions in more than 80 countries, according to Dell SecureWorks.

The firm’s Counter Threat Unit revealed in its latest annual Top Banking Botnets report that as banks improve their defenses and law enforcement seeks to disrupt, the cyber gangs behind these botnets have been hard at work improving their resilience.

Although activity from Zeus and its variants decreased in the latter half of 2014, Dyre, Gozi/Vawtrak, and Bugat v5 were ramped up.

Botnet masters have also increasingly been looking to anonymity networks lke Tor and I2P and other tools like P2P networks and domain generation algorithms (DGAs) to hide themselves and make shutdowns more difficult for the white hats, the report claimed.

Proving their adaptability, cyber-criminals have also shifted focus slightly, towards Asian banks with weaker account security.

However, 90% of banking trojans discovered were found targeting US banks, with financial institutions in the UK, Germany, Italy, Spain, and Australia also affected.

It’s not just banks at risk now, either.

The report claimed attackers have broadened their remit to include websites for corporate finance and payroll services, stock trading, social networking, email services, employment portals, entertainment, hosting providers, phone companies, and dating portals.

Spam, downloaders and drive-by attacks are just some of the methods used to infect machines, with most trojans using port 80 or 443 for communicating with their C&C servers, Dell said.

On the plus side, the CTU said it didn’t see much innovation in fraud techniques in 2014 and early 2015. But it warned that 'traditional solutions' are ineffective against modern banking trojans.

It added:

“The CTU research team recommends that clients conduct online banking and financial transactions on isolated workstations that are not used for web browsing, reading email, and other activities that could increase the risk of infection. The best defense for financial institutions is a unified web security solution with real-time content inspection of every packet of incoming and outgoing web content.”

What’s Hot on Infosecurity Magazine?