Mika Ståhlberg F-Secure
It is obvious that as more and more money moves online, criminals who want to steal that money are moving online as well. Since banks no longer have large sums of money in their vaults and bank robbery has several inherent risks to it, criminals have found a lucrative and a much lower-risk business in online crime. Email-based phishing has been the first echelon of this change, but the situation is already changing again.
Online banks have begun to improve their security and authentication methods. This will very much reduce the effectiveness of phishing that is based on emails and fraudulent sites. There is a clear demand in the world of crime for better solutions. The second echelon of online bank fraud is banking trojans. These trojans infect the computer of an online bank customer. Therefore the trojan has visibility to everything the customer does and can use his authenticated banking session to steal his money. Also, a key difference to email-based phishing is that the victim is doing nothing wrong; he is just going to his bank and doing his business, as he should.
These attackers are making a lot of money. Relatively few of them are caught, so the problem is only going to get worse. To better understand this problem and its size, we have implemented a new tool for analysing banking trojans. We have run this tool on thousands of recent malware samples to get an idea how common these banking trojans are, what are the current trends, what is the geographical distribution of this problem, and what are the targets. This paper presents our findings.