1、 February, 2018 FINANCIAL CYBERTHREATS IN 2017 Kaspersky Lab 2 Financial Cyberthreats in 2017 Introduction and Key Findings The world of financial cyberthreats has been evolving and changing for years. As one of the most profitable fields of cybercriminal activities, it attracts malicious individual

2、s targeting users of online financial services and payment systems, as well as large banks and any industry where POS terminals are used. At the same time, criminals have recently started shifting their attention from users to the systems and services themselves. In 2017, we saw a number of changes

3、to the world of financial threats and new actors emerging. As we have previously noted, fraud attacks in financial services have become increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and frequent data breaches - among other successful attack types - have prov

4、ided cybercriminals with valuable sources of personal information to use in account takeovers or false identity attacks. These account-centric attacks can result in many other losses, including those of further customer data and trust, so mitigation is as important as ever for both businesses and fi

5、nancial services customers. Attacks on ATMs continued to rise in 2017, attracting the attention of many cybercriminals, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as the more rudimentary methods of taping over CCTVs and drilling hol

6、es. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote operations, and an ATM-targeting malware called Cutlet Maker that was being sold openly on the DarkNet market for a few thousand dollars, along with a step-by-step user guid

7、e. Kaspersky Lab has published a report outlining possible future ATM attack scenarios targeting ATM authentication systems. It is also worth mentioning that major cyber incidents continue to take place. In September 2017, Kaspersky Lab researchers identified a new series of targeted attacks against

8、 at least 10 financial organizations in multiple regions, including Russia, Armenia, and Malaysia. The hits were performed by a new group called Silence. While stealing funds from its victims, Silence implemented specific techniques similar to the infamous threat actor, Carbanak. Thus, Silence joins

9、 the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak/Cobalt, which have succeeded in stealing millions of dollars from financial organizations. The interesting point to note with this actor is that the criminals exploit the infrastructure of already

10、infected financial institutions for new attacks: sending emails from real employee addresses to a new victim, along with a request to open a bank account. Using this trick, criminals make sure the recipient doesnt suspect the infection vector. Small and medium-sized businesses didnt escape financial

11、 threats either. Last year Kaspersky Labs researchers discovered a new botnet that cashes-in on aggressive advertising, mostly in Germany and the US. Criminals infect their victims computers with the Magala Trojan Clicker, generating fake ad views, and making up to $350 from each machine. Small ente

12、rprises lose out most because they end up doing business with unscrupulous advertisers, without even knowing it. Moving down one more step from SMEs to individual users we can say that 2017 didnt give the latter much respite from financial threats. Kaspersky Lab researchers detected NukeBot a new ma

13、lware designed to steal the credentials of online banking customers. Earlier versions of the Trojan were known to the security industry as TinyNuke, but they lacked the features necessary to launch attacks. The latest versions however, are fully operable, and contain code to target the users of spec

14、ific banks. Kaspersky Lab 3 Financial Cyberthreats in 2017 This report summarizes a series of Kaspersky Lab reports that between them provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-b

15、ased and Android- based financial malware. The key findings of the report are: Phishing: In 2017, the share of financial phishing increased from 47.5% to almost 54% of all phishing detections. This is an all-time high, according to Kaspersky Lab statistics for financial phishing. More than one in fo

16、ur attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing. The share of phishing related to payment systems and online shops accounted for almost 16% and 11% respectively in 2017. This is slightly more (single percentage points) than in 2016. The share of f

17、inancial phishing encountered by Mac users nearly doubled, accounting for almost 56%. Banking malware: In 2017, the number of users attacked with banking Trojans was 767,072, a decrease of 30% on 2016 (1,088,900). 19% of users attacked with banking malware were corporate users. Users in Germany, Rus

18、sia, China, India, Vietnam, Brazil and the US were the most often attacked by banking malware. Zbot is still the most widespread banking malware family (almost 33% of attacked users), but is now being challenged by the Gozi family (27.8%). Android banking malware: In 2017, the number of users that e

19、ncountered Android banking malware decreased by almost 15% to 259,828 worldwide. Just three banking malware families accounted for attacks on the vast majority of users (over 70%). Russia, Australia and Turkmenistan were the countries with the highest percentage of users attacked by Android banking

20、malware. Kaspersky Lab 4 Financial Cyberthreats in 2017 Financial Phishing Financial phishing is one of the most common and widespread types of cybercriminal activity. It is the most affordable in terms of the investment and level of technical expertise required. At the same time, it is potentially

21、profitable. In most cases, as a result of a successful phishing campaign a criminal will receive enough payment card credentials to cash out immediately, or to sell the details to other criminals for a good price. Perhaps this combination of technical simplicity and effectiveness makes this type of

22、malicious activity attractive to amateur criminals, a pattern that we can clearly see in Kaspersky Labs telemetry systems. Fig. 1: The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky Lab in 2015-2017 In 2017, Kaspersky Labs anti-phishing technologies de

23、tected 246,231,645 attempts to visit different kinds of phishing pages. Of those, 53.8% of heuristic detections were attempts to visit a financial phishing page 6.3 percentage points more than the share of phishing detections registered in 2016 when it was 47.5%. At the moment, this is the highest p

24、ercentage of financial phishing ever registered by Kaspersky Lab. 34.33% 47.48% 53.82% 201520162017 5 Moreover, in 2017, the detection of phishing pages which mimicked legitimate payment systems took second place in the overall chart, just behind banking services, leaving global web portals further

25、behind. Fig. 2: The percentage of payment systems phishing (from overall phishing attacks) detected by Kaspersky Lab in 2016-2017 At Kaspersky Lab, we categorize several types of phishing pages as financial. Besides banks there is also the category of payment systems, which includes pages that mimic

26、 well-known payment brands such as PayPal, Visa, MasterCard, American Express and others. There is also the online shop category which includes internet shops and auction sites like Amazon, Apple store, Steam, E-bay and others. In 2017 all of them experienced slight growth: the share of phishing att

27、acks against banks, payment systems and online shops increased by 1.2, 4.3, and 0.8 percentage points respectively. That said, 2017 became the first year when the top three categories of all phishing detections related to financial attacks: 11.55% 15.9% 20162017 6 Fig. 3: The distribution of differe

28、nt types of financial phishing detected by Kaspersky Lab in 2017 That means that for the first time in our observations, payment systems and online shops hit the top three in all categories of phishing detections. The major reason behind this is quite simple it is a result of the steady growth of th

29、ese kinds of attacks on lucrative targets. Moreover and also for the first time the presented chart means that more than every second phishing attack in 2017 was related to the financial sector. This is largely due to the fact that while the online shop share grew slightly, the global internet porta

30、l category fell from second place in 2016 with 24.1%, to fourth place in 2017 with 10.9%. This looks like a global trend, as Yahoo left the top spot for good. Fig. 4: The percentage of global internet portal phishing detected by Kaspersky Lab in 2016-2017 The list of targets has stayed more or less

31、the same as in previous years. Among financial phishers favorite targets are top transnational banks, popular payment systems 27% 16% 11% 46% Bank Payment system E-shops Other 24.1% 10.9% 0,00 5,00 10,00 15,00 20,00 25,00 30,00 20162017 7 and internet shops and auction sites from the US and Asia. Th

32、is is due to the popularity of these brands, which makes them attractive targets for cybercriminals. Financial phishing on Mac MacOS is generally considered to be a much safer platform than Windows due to the lower number of malware families that exist for this operating system versus those for Wind

33、ows. However, experts often forget that phishing threats dont care what OS the victims device is running. Kaspersky Labs statistics show that MacOS users often face phishing threats - if not with the same frequency as other users. Moreover, 2017 also demonstrated that the figures almost doubled. In

34、2016, 31.4% of phishing attacks against Mac-users were aimed at stealing financial data. This is almost half that seen in 2017, when 55.6% of financial attacks blocked by Kaspersky Lab were financially-themed. At the same time, the share of attacked unique users didnt show such significant growth. T

35、hat said, this near doubling of attacks can be explained by two factors: Strong growth in overall phishing detections from over 150m detections in 2016, to over 246m in 2017. This is alarming and clearly indicates that phishing is on the rise. Criminals tendency to repeatedly attack the same users.

36、This is even more alarming as it increases the chances that victims will sooner or later lose vigilance and experience a hit. Overall the split looks like this: Fig. 5: The distribution of different types of financial phishing detected by Kaspersky Lab on Mac in 2017 Our data shows that the financia

37、l share of phishing attacks on Macs is also quite solid as seen for other platforms. Lets have a closer look at both categories. 29% 19% 8% 44% Bank E-shop Payment system Other 8 Mac vs Windows In last years report, we detected one apparent platform-related feature of the financial phishing landscap

38、e for Mac. Based on the phishing page detection statistics from Windows-based computers, the list of the most frequently used brands in the online shop category is topped by Amazon a longtime category leader. However, when it comes to Mac-phishing, the leader is Apple. The latter is easy to explain:

39、 Apples ecosystem includes a number of recognizable and generally trusted web services, like iCloud, iTunes, AppStore and the Apple Store. Criminals are aware of that trust and therefore try to exploit it. Interestingly enough, this was not the case in 2017, as Apple became the leader in both catego

40、ries - Mac and Windows detections. Mac Windows Apple Apple A: Online Shopping A: Online Shopping eBay MercadoLibre Alibaba Group Alibaba Group Bell Canada Steam Steam eBay Wal-Mart Stores, Inc. Focus Technology Co., Ltd Netflix Inc NOVA PONTOCOM COMERCIO ELETRONICO S.A Apple Wal-Mart Stores, Inc. Fi

41、g. 6: The most frequently used brands in online shop financial phishing schemes When it comes to attacks on payment systems, the situation is as follows: Mac Windows MasterCard International Visa Inc. PayPal PayPal American Express American Express Visa Inc. MasterCard International Xoom qiwi.ru Net

42、eller Western Union alipay Cielo S.A. Skrill Ltd. Skrill Ltd. Western Union alipay Fig. 7: The most frequently used brands in payment systems financial phishing schemes In 2016, the leader was PayPal. It has now been replaced with Mastercard for Mac and Visa for Windows. 9 The tables above can serve

43、 as advisory lists for the users of the corresponding systems: they illustrate that criminals will use these well-known names in an attempt to illegally obtain user payment cards, online banking and payment system credentials. Phishing campaign themes Today, cryptocurrency is no longer only for comp

44、uter geeks and IT pros. Its starting to affect peoples daily lives more than they realize. At the same time, it is fast becoming an attractive target for cybercriminals. Some cyber threats have been inherited from e- payments, such as changing the destination wallet address during transactions and s

45、tealing an electronic wallet, among other things. However, cryptocurrencies have opened new and unprecedented ways to monetize malicious activities. In 2017, the main global threat to users was ransomware: in order to recover files and data encrypted by attackers, victims were required to pay a rans

46、om in cryptocurrency. Further, in the first eight months of 2017, Kaspersky Lab products protected 1.65 million users from malicious cryptocurrency miners, and by the end of the year we saw this number exceed two million. In addition, in 2017 we observed the return of Bitcoin stealers after a few ye

47、ars in the shadows. This also affected the topics that criminals use in their scams. The list of topics is no longer limited to fairly old copies of online banking, payment systems or internet shop web pages. Fig. 8: A phishing message sent in under the guise of block chain wallet One very interesti

48、ng example emerged in the early part of 2017. The domain previously belonged to a real and legitimate major European bank. 10 Fig. 8: The banks domain In 2014, it stopped and the domain was acquired by fraudulent users who then uploaded phishing content to it. The phishing content was not only aimed

49、 at financial organizations, but also at the very same bank that previously owned the domain. 11 Fig. 9: The phishing page This is a good example of how a domain with a good reputation allows criminals to reduce the risk of being caught or their attacks being blocked, and to increase victims trust. Another interesting case was the use of PayPal phishing pages placed on servers belonging to the state. 12 Fig. 10: A phi