
Kaspersky: Financial Cyberthreats in 2017 (English edition), February 2018, 40 pages

Kaspersky Lab: Financial Cyberthreats in 2017
Introduction and Key Findings
The world of financial cyberthreats has been evolving and changing for years. As one of the
most profitable fields of cybercriminal activities, it attracts malicious individuals targeting
users of online financial services and payment systems, as well as large banks and any
industry where POS terminals are used. At the same time, criminals have recently started
shifting their attention from users to the systems and services themselves.

In 2017, we saw a number of changes to the world of financial threats and new actors
emerging. As we have previously noted, fraud attacks in financial services have become
increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and
frequent data breaches - among other successful attack types - have provided
cybercriminals with valuable sources of personal information to use in account takeovers or
false identity attacks. These account-centric attacks can result in many other losses,
including those of further customer data and trust, so mitigation is as important as ever for
both businesses and financial services customers.

Attacks on ATMs continued to rise in 2017, attracting the attention of many cybercriminals,
with attackers targeting bank infrastructure and payment systems using sophisticated
fileless malware, as well as the more rudimentary methods of taping over CCTVs and
drilling holes. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks
on ATM systems that involved new malware, remote operations, and an ATM-targeting
malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few
thousand dollars, along with a step-by-step user guide. Kaspersky Lab has published
a report outlining possible future ATM attack scenarios targeting ATM authentication
systems.

It is also worth mentioning that major cyber incidents continue to take place. In September
2017, Kaspersky Lab researchers identified a new series of targeted attacks against at
least 10 financial organizations in multiple regions, including Russia, Armenia, and
Malaysia. The hits were performed by a new group called Silence. While stealing funds
from its victims, Silence implemented specific techniques similar to those of the infamous
threat actor Carbanak.

Thus, Silence joins the ranks of the most devastating and complex cyber-robbery
operations like Metel, GCMAN and Carbanak/Cobalt, which have succeeded in stealing
millions of dollars from financial organizations. The interesting point to note with this actor is
that the criminals exploit the infrastructure of already infected financial institutions for new
attacks: sending emails from real employee addresses to a new victim, along with a request
to open a bank account. Using this trick, criminals make sure the recipient doesn’t suspect
the infection vector.

Small and medium-sized businesses didn’t escape financial threats either. Last year
Kaspersky Lab’s researchers discovered a new botnet that cashes in on aggressive
advertising, mostly in Germany and the US. Criminals infect their victims’ computers with
the Magala Trojan Clicker, generating fake ad views, and making up to $350 from each
machine. Small enterprises lose out most because they end up doing business with
unscrupulous advertisers, without even knowing it.

Moving down one more step – from SMEs to individual users – we can say that 2017 didn’t
give the latter much respite from financial threats. Kaspersky Lab researchers detected
NukeBot – a new malware designed to steal the credentials of online banking customers.
Earlier versions of the Trojan were known to the security industry as TinyNuke, but they
lacked the features necessary to launch attacks. The latest versions, however, are fully
operable, and contain code to target the users of specific banks.

This report summarizes a series of Kaspersky Lab reports that between them provide an
overview of how the financial threat landscape has evolved over the years. It covers the
common phishing threats that users encounter, along with Windows-based and Android-based
financial malware.

The key findings of the report are:

Phishing:
- In 2017, the share of financial phishing increased from 47.5% to almost 54% of all
  phishing detections. This is an all-time high, according to Kaspersky Lab statistics
  for financial phishing.
- More than one in four attempts to load a phishing page blocked by Kaspersky Lab
  products is related to banking phishing.
- The share of phishing related to payment systems and online shops accounted for
  almost 16% and 11% respectively in 2017. This is slightly more (single percentage
  points) than in 2016.
- The share of financial phishing encountered by Mac users nearly doubled,
  accounting for almost 56%.

Banking malware:
- In 2017, the number of users attacked with banking Trojans was 767,072, a
  decrease of 30% on 2016 (1,088,900).
- 19% of users attacked with banking malware were corporate users.
- Users in Germany, Russia, China, India, Vietnam, Brazil and the US were the
  most often attacked by banking malware.
- Zbot is still the most widespread banking malware family (almost 33% of attacked
  users), but is now being challenged by the Gozi family (27.8%).

Android banking malware:
- In 2017, the number of users that encountered Android banking malware
  decreased by almost 15% to 259,828 worldwide.
- Just three banking malware families accounted for attacks on the vast majority of
  users (over 70%).
- Russia, Australia and Turkmenistan were the countries with the highest
  percentage of users attacked by Android banking malware.

Financial Phishing

Financial phishing is one of the most common and widespread types of cybercriminal
activity. It is the most affordable in terms of the investment and level of technical expertise
required. At the same time, it is potentially profitable. In most cases, as a result of a
successful phishing campaign a criminal will receive enough payment card credentials to
cash out immediately, or to sell the details to other criminals for a good price. Perhaps this
combination of technical simplicity and effectiveness makes this type of malicious activity
attractive to amateur criminals, a pattern that we can clearly see in Kaspersky Lab’s
telemetry systems.

Fig. 1: The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky Lab in 2015-2017

In 2017, Kaspersky Lab’s anti-phishing technologies detected 246,231,645 attempts to visit
different kinds of phishing pages. Of those, 53.8% of heuristic detections were attempts to
visit a financial phishing page – 6.3 percentage points more than the share of phishing
detections registered in 2016 when it was 47.5%. At the moment, this is the highest
percentage of financial phishing ever registered by Kaspersky Lab.

Fig. 1 data (share of financial phishing by year): 2015: 34.33%; 2016: 47.48%; 2017: 53.82%