Trojans Tied to New Ransomware Attacks

Researcher: Botnet Takedowns Don't Reduce Fraud

Ransomware attacks are on the rise, and a recent resurgence of the banking Trojan Citadel, a Zeus variant, is partly to blame, research from McAfee Labs, a security firm, shows.


Despite law enforcement and industry efforts to take down the botnets used to launch these malware attacks, the assaults won't stop until the developers and attackers behind them are brought to justice, says McAfee threat researcher Ryan Sherstobitoff.

So it's increasingly critical for banking institutions to not only know how and when their customers' PCs are infected with an emerging Trojan, but also exactly what malware strain was used in the attack, he says.

"It is important for banks to know which Trojan is hitting, because the way the fraud occurs is different, depending on the Trojan," Sherstobitoff says. For example, Citadel completes fraudulent transactions in a different way than Zeus Gameover, a peer-to-peer variant of the Zeus banking Trojan, he notes.

"So knowing the type of malware helps banks know what kind of fraud might occur," Sherstobitoff says. "It's about understanding the threat, the type of fraud and how to respond."

Uptick in Ransomware Attacks

Ransomware attacks, which target consumers via phishing or drive-by download, have heightened concerns about the need for improved Trojan awareness, Sherstobitoff says.

According to McAfee, global ransomware attacks more than doubled in the second quarter of this year, compared with the previous quarter. Ransomware attacks have been steadily increasing since 2011, but the spike this year led to an all-time high of more than 320,000 unique ransomware samples in the second quarter, McAfee reports.

And a resurgence in commonly used banking Trojans, including Citadel, has fueled rapid ransomware attack growth since June, Sherstobitoff says.

Botnet Takedowns Fuel Attacks

A collaborative effort in June between the Microsoft Digital Crimes Unit and the FBI to take down Citadel botnets throughout the world fueled a backlash, he says - a common occurrence in malware cycles (see Microsoft, FBI Take Down Citadel Botnets).

"The operation by Microsoft and the FBI to interrupt the Citadel botnet was only short-lived," Sherstobitoff says. "This is the ebb and flow we commonly see. Just like Microsoft's takedown of Zeus, after you have a takedown, you see a resurgence. These takedowns only cause a small disruption until the attacks pick up again."

And when the attacks do pick back up, they're typically more sophisticated, he says. It's why Sherstobitoff recommends investigations focus on the attackers behind the malware, rather than the botnets used to launch attacks.

"It's better to target the human actors behind these attacks rather than taking down the command and control centers, because sooner or later, they just come back," he says. "Any details the banks can track, such as Citadel being used against business banking, and provide to law enforcement helps. But if they don't know how the fraud actually occurred and the type of Trojan that was used, then you don't have the intelligence to share."

Previous Takedowns

Back in August 2012, the Federal Bureau of Investigation warned that Citadel was being used in conjunction with the drive-by virus known as Reveton to target consumers and convince them that the FBI had seized their computers. From there, the attackers demanded a ransom, purporting to be from the FBI (see Zeus Variant Targets U.S. Accounts).

In late July of this year, the FBI issued a new warning about Citadel and Reveton, noting that the ransom message this time claimed to be from the Department of Homeland Security, and that affected consumers' computers were being locked down for violations of U.S. laws.

Understanding Trojans

Depending on the malware strain used in an attack, the fraudulent transaction could be automated or conducted manually, in real time, by the attacker compromising an account, Sherstobitoff says.

But a majority of banking institutions remain uninformed about today's most threatening banking Trojans and how they work, according to Information Security Media Group's 2013 Faces of Fraud Survey. The survey found that 60 percent of the more than 200 banking institution leaders who responded don't know which banking Trojans contributed to fraud within their organization in the last 12 months.

That's disheartening, Sherstobitoff says, because that kind of forensic information about the specific strains of malware that are compromising accounts is what law enforcement needs to track down the perpetrators behind the attacks.

Besides, the more banks understand about how different Trojans work, the greater their chances of detecting an attack or compromise and ultimately reducing fraud and data losses, Sherstobitoff says.

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
