ProofPoint Warns Of Bank Trojans: A Massive Threat Executives May Overlook

Warnings from the Federal Bureau of Investigation have enterprises worried about cybersecurity — specifically, concerns about ransomware attacks.

Business Email Compromise scams continue to grow and steal more corporate money than ever before. Phishing emails — 93 percent of which include ransomware, according to ITProPortal — should by no means be ignored. However, there is a much larger threat facing corporations today that may be flying under executives’ radars.

In its latest quarterly report, cybersecurity firm ProofPoint emphasized the continued reign of the bank Trojan — a strategy that accounted for 42 percent of the attacks analyzed by ProofPoint for the year’s second quarter. Compare that to ransomware, which made up just 11 percent.

ProofPoint’s report does not underestimate the strength of ransomware attacks via phishing. As previously highlighted by the FBI, Business Email Compromise scams are on the rise, and businesses saw a 26 percent increase in fraudulent emails during Q2 compared to Q1 — and that’s a whopping 87 percent increase compared to Q2 2017.

Another phishing strategy, known as angler phishing, also showed its teeth in Q2. The strategy focuses on social media support fraud, and saw a 38 percent increase quarter-over-quarter. The year’s second quarter also saw an increase in social media link spam after a previous decline of this type of attack in Q1.

But the bank Trojan reigns supreme.

While bank Trojans saw a 17 percent decline in their share of malicious messages (a drop replaced by a rise in ransomware campaigns), more than 40 percent of observed malicious messages were bank Trojans, researchers noted. Such a high percentage cannot be ignored, and while this type of attack appears to be on the decline, ProofPoint noted that the bank Trojan is quickly evolving, resulting in a wide array of Trojan strains.

The bank Trojan strategy convinces targets to download malware by disguising it as a legitimate link or other seemingly innocent software. Attackers then use that malware to access bank accounts.

The malicious link may bring a user to a seemingly legitimate online banking login page that steals credentials and other sensitive data. Like ransomware attacks, these Trojans often spread via phishing emails, with messages disguised as legitimate notices from banks.

According to Heimdal Security, attackers are increasingly developing bank Trojans to specifically target corporations. One such strain, like QakBot, goes after banks and stock brokerages, and is able to lock out users, analysts warned.

ProofPoint’s report warns that bank Trojans sometimes embed cryptocurrency mining software and add-on modules that enable attackers to steal cryptocurrency.

“The evolution of Banking Trojans in particular provides insight into the importance of cryptocurrency in the threat landscape,” ProofPoint said in its report. Bank Trojans with mining capabilities were first noticed in 2013.

“Historically, [Bank Trojans] have generally used webinjects that either modify or replace web pages from online banking sites to steal login credentials, conduct fraudulent transactions, and otherwise monetize infections,” the report said. “However, many banking Trojan campaigns have added cryptocurrency mining modules or bots, known as coin inters, as later-stage payloads.”

This trend was first identified by ProofPoint in Q3 2017, and has since grown.

Regardless of what attack strategy is the flavor of the week for cybercriminals, professionals must develop robust email security strategies to protect both their customers and their brand reputations, ProofPoint warned. The company is urging businesses to “assume users will click.”

ProofPoint went on to say, “Preventing email fraud requires a multilayered solution that includes email authentication and domain discovery, as well as dynamic classification that can analyze the content and context of the emails, stopping display-name and lookalike-domain spoofing at the email gateway. … Fight attacks targeting your customers over social media, email and mobile — especially fraudulent accounts that piggyback on your brand.”