India Ranks Third in Financial Trojan Infections
Security Experts Detail Ways to Detect, Defeat Banking Trojans
Indian banks and financial institutions are increasingly vulnerable to financial Trojans, with cybercriminals circumventing some of the well-established security controls, new research shows.
A survey conducted by Symantec reveals that India now ranks third among countries with the most financial Trojan infections. Over 60,000 computers in India were compromised with financial Trojans in 2015. Only the U.S. and Germany rank higher than India, which placed fifth in the rankings in 2014 and seventh in 2013.
"The primary reason behind the increase in infections is definitely the growing capability of the financial Trojans, followed by the motivation of the cybercriminals to gain monetary benefits," says Tarun Kaura, Director - Product Solutions Management - APJ, Symantec.
The report, 'Financial threats 2015' (version 1.0, released on March 22), was produced by Symantec's Security Response team and covers the U.S., Germany, India, Japan, the United Kingdom and other countries.
Most Common Attacks, Vectors
This new report also sheds light on some of the leading Trojans affecting the banking sector last year. Among the key findings:
- The number of detections for the Dridex/Cridex family more than doubled in 2015, making it one of the top financial Trojans for last year, followed by Dyre. (See: Is Dridex the Most Dangerous Banking Trojan?)
- Dridex has emerged as one of the most dangerous financial threats over the past year, targeting a total of 315 different institutions globally.
- Zeus, along with all its variants, was responsible for most of the financial Trojan detections in 2015. The Zeus family grew from 400,000 detections in 2012 to nearly 4 million in 2014, but then dropped to just under 1 million in 2015. This could be because cybercriminal groups are moving to other, more current, financial malware families with similar features. (See: Lessons from Gameover Zeus Takedown)
In general, the infection vectors used by financial fraud Trojans were:
- Malicious emails: Plenty of people still get their computers infected through this method. Attachment names like "invoice.pdf.exe" are often used as bait and have a remarkably high success rate.
- Drive-by download sites: The use of web attack exploit toolkits to infect visitors of websites has been widely used by cybercriminals. They are constantly updated to include new exploits for recent vulnerabilities in browsers and third-party plug-ins.
- Social engineering: It is a common component of the infection process, be it a convincing email or a distracting pop-up message. Attackers use sensational messages to trick the user into visiting a link in a post.
- Supply chain attacks: The method involves the attackers breaching a vendor's website and replacing a software update with a Trojanized package, which later gets downloaded by unknowing victims.
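The "invoice.pdf.exe" bait mentioned above relies on mail clients and Windows Explorer showing only part of a filename. The following Python attachment-name check is an added example written for this article; it is not code from Symantec or from any bank quoted here. It flags attachments whose final extension is directly executable, spots a document-looking extension placed in front of an executable one, and also catches two related disguises (a bidirectional-override character in the name, and a run of spaces that pushes the real extension out of view). The extension sets and the sample filenames are constructed assumptions for the example, not values from the report.

```python
import re
from dataclasses import dataclass, field

# Extensions Windows executes directly on double-click (assumed list, not from the report).
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "ps1",
}
# Extensions users read as harmless documents or images (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


@dataclass
class Verdict:
    filename: str
    block: bool
    reasons: list = field(default_factory=list)


def classify_attachment(filename: str) -> Verdict:
    """Return a Verdict saying whether the attachment name should be blocked and why."""
    reasons = []
    # Windows ignores trailing spaces and dots when resolving the extension,
    # so normalise the same way before splitting.
    name = filename.strip().rstrip(" .")
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) >= 2:
        exts = parts[1:]
        last = exts[-1]
        if last in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{last}")
            # The classic double-extension bait: invoice.pdf.exe
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                reasons.append(f"document extension .{exts[-2]} hiding .{last}")
    # A right-to-left or left-to-right override reverses how the tail of the
    # name is displayed, so the visible extension is not the real one.
    if "\u202e" in filename or "\u202d" in filename:
        reasons.append("bidirectional override character in filename")
    # Long runs of spaces before the last dot push the extension off-screen.
    if re.search(r" {10,}\.", filename):
        reasons.append("padding spaces before extension")
    return Verdict(filename, bool(reasons), reasons)


def filter_attachments(filenames):
    """Classify a batch of attachment names; returns one Verdict per name."""
    return [classify_attachment(f) for f in filenames]


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",
    "invoice.pdf",
    "archive.tar.gz",
    "setup.exe",
    "invoice.pdf          .exe",
    "photo\u202efdp.exe",
]

if __name__ == "__main__":
    for v in filter_attachments(SAMPLE_ATTACHMENTS):
        status = "BLOCK" if v.block else "allow"
        print(f"{status:5} {v.filename!r}: {'; '.join(v.reasons) or 'no findings'}")
```

A gateway would run this over the decoded filename from the Content-Disposition header (and, for archives, over each member name) before the message reaches a user; the reasons list is what to record in the mail log so analysts can see which disguise was attempted.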
Attack Trends: Why India?
Responding to the report, multiple information security practitioners say that the increasing number of internet and mobile bank users makes India a lucrative target for cyber criminals.
At the same time, the methods used by banks to secure transactions have not changed to keep pace with the quantity and sophistication of attacks.
The study says that many of India's security measures are being circumvented by determined and sophisticated attackers. Some banks in India are even discussing the possibility of removing two-factor authentication for smaller transactions to save costs, which will only increase vulnerabilities.
Hyderabad-based Milind Rajhans, CISO of A.P Mahesh Co-operative Urban Bank, agrees with the study's findings and believes the reason for India's change in rank is because information security is not being looked at in a holistic manner by the banks. It's still largely driven by compliance with inappropriate security controls.
"With the most diversified and complex set of applications running across various functions, banks will have to ensure that information security is tightly integrated to the system," he says. "Other than looking at data and application level security, Indian banks can start thinking about securing customer transactions."
The unique challenge that India faces is the large number of online and mobile banking users who unknowingly leave the doors open to their sensitive data.
"Although banks have a fairly matured protection mechanism, lack of user awareness in safeguarding their systems with appropriate controls is the biggest concern," says Prem Kumar Boddu, chief manager-IT & IS of Vijaya Bank.
"Most users do not have any anti-malware or rudimentary software to safeguard themselves against such attacks," he says. "Besides, a lot of them do not adhere to security guidelines or best practices given by the banks."
Quite naturally, they easily fall into the trap of emails with malicious attachments or links to malicious files, he says.
"This is one of the reasons why the peripheral security solutions and authentication processes installed by the banks often become inadequate in tackling Trojans," Boddu argues.
In addition, many banks do not pay enough attention to the kind of devices to which their applications are downloaded, which increases the vulnerabilities, says Rajhans.
Experts in India warn that attackers are shifting their focus away from small infections that are launched en masse. "Cybercriminals are now more strategic and are targeting the organizations directly," Rajhans adds.
According to Rajhans, many cybercriminals have changed to ransomware and other money-making schemes in India. "For instance, we have seen increased incidents of Locky in the BFSI sector in India. Attackers mainly use malicious email to distribute the malware," he adds.
How to Fight Back
While some security practitioners argue that financial organizations have put reliable prevention mechanisms in place, those controls are not being used effectively.
"With security experts facing a rapidly-changing threat environment, one thing is clear: Existing solutions are not the efficient answer," says Kaura of Symantec.
Kaura recommends the use of advanced threat protection methods to uncover, prioritize and remediate advanced threats and zero-day attacks much faster.
Prem Kumar says banks should focus on deploying risk-based solutions to tackle Trojans. "Such solutions help you understand the reputation of a particular IP using threat intelligence and take adequate measures to prevent malware."
Experts put forth certain compelling initiatives for practitioners. They include:
- Educate users about the potential risks associated with online/mobile banking, and create awareness around security best practices within and outside the organization.
- Create an information sharing forum that can provide guidance and best practices to banks across the country.
- Form a government watchdog agency which ensures that banks across the country follow the guidelines and security policies.
- Invest in intrusion prevention systems, email filtering services and behavior-based detection.
- Consider advanced threat protection technologies to uncover sophisticated attacks.
- Incorporate advanced threat monitoring, cyber readiness and incident response to achieve higher levels of security.
"Indian Banks need to look beyond the traditional methods and adopt next-generation techniques that can protect computers from many email borne attacks by removing the malicious content from the attached documents before they even reach the user," Kaura says.