Financial threats in H1 2019: Mobile financial attacks rise by 107%

According to a recent report by Kaspersky, the number of mobile financial attacks it detected in the first half of the year rose by 107%, to 3,730,378. Analysts at the company said they discovered 3.7 million mobile financial attacks from January to June this year and found 438,709 unique users attacked by mobile Trojan bankers.

In the first half of 2019, attackers actively used the names of the largest financial services and banking organisations to attack mobile platform users. Researchers found 438,709 unique users attacked by mobile Trojan bankers. For comparison, the number of attacked users in the first half of 2018 was 569,057, so the 2019 figure is a decrease of 23%.

Findings by Kaspersky showed that the activity of a banking Trojan called Asacub, which attacked an average of 40,000 people per day, peaked rapidly in the second half of 2018 and declined in the first half of 2019. The number of attacked users and detected attacks peaked rapidly in the second half of 2018: 1,333,410 users were attacked and there were 10,256,935 attacks.

The cybersecurity firm identified another piece of malware, the Anubis Trojan, which intercepts data for access to services of large financial organisations and two-factor authentication data in order to extort money from users. The firm described the banking Trojan as one that spreads via instant messaging apps such as WhatsApp and sends a link to the victim’s contact list.

Main findings:

  • In the first half of 2019, more than 430,000 unique users were attacked by financial threats – seven percent more than during the same period in 2018
  • The number of financial attacks in the first half of 2019 was 10,493,792 – 93% more than in the first and second quarter of 2018
  • The number of malware samples from financial threats received by Kaspersky in the first half of 2019 was 5,242,462 – 74% more than the previous year
  • The countries with the largest share of users attacked by financial malware were China and Belarus (2.3% each). In second and third place were Venezuela (2.2%) and South Korea (2.1%), respectively
  • During the first half of 2019, Kaspersky blocked more than 339,000 attempts to switch users to phishing pages pretending to be big banks
  • 438,709 unique users encountered mobile financial threats in the first half of 2019 – 23% less than in the same period in 2018
  • The number of mobile financial attacks in the first half of 2019 was 3,730,378 – 107% more than in the first half of 2018

Threats to PC: banking malware and phishing

In the first half of 2019, Kaspersky experts detected 431,088 unique users[1] attacked by banking Trojans aimed at stealing funds and financial data, which was a seven percent increase compared to the same period in 2018 (400,830).

The number of unique attacked users, Q1 2018 – Q2 2019

The number of unique attacked users by user type, Q1 2018-Q2 2019

At the same time, the share of users attacked through corporate devices in the first half of 2019 reached 30.9%, while in the first half of 2018, this figure was half as much (15.3%).

Researchers also noticed an increased number of malicious files in 2019. Thus, in the first quarter, the number of samples in the Kaspersky collection more than doubled, compared to the same period in 2018, reaching 335,000. But in the second quarter, growth slowed down.

Number of samples of new financial malware, Q1 2018 – Q2 2019

Attacks have also become more frequent: the number of attempts to infect a device detected by Kaspersky’s protective solutions in both the first and second quarter of 2019 exceeded the corresponding figures of 2018 by 51% and 27%, respectively.

The number of attempts to infect devices with financial malware, Q1 2018 – Q2 2019

Geography

The top 10 countries with the largest share of users attacked by financial malware do not have geopolitical similarities and are not situated in a specific region. In the first place were China and Belarus (2.3%), followed by Venezuela (2.2%) and South Korea (2.1%).

 

Country*        %**
China           2.30
Belarus         2.30
Venezuela       2.20
South Korea     2.10
Serbia          1.80
Greece          1.70
Cameroon        1.60
Indonesia       1.50
Pakistan        1.50
Russia          1.40

* Countries where the number of users of Kaspersky’s security solutions is relatively small (less than 10,000) are excluded from the ranking.
** The share of unique users attacked in relation to all users of Kaspersky’s security solutions in the country.

Top 10 countries by the proportion of unique users attacked by financial malware

Threats to mobile platforms

In the first half of 2019, attackers actively used the names of the largest financial services and banking organisations to attack mobile platform users. Researchers found 438,709 unique users attacked by mobile Trojan bankers. For comparison, the number of attacked users in the first half of 2018 was 569,057, so the 2019 figure is a decrease of 23%.

The number of users attacked by financial threats for mobile platforms, H1 2018 – H1 2019

Similar cases can be seen in the table representing the total number of attacks over this period.

The number of attacks of financial threats for mobile platforms, H1 2018 – H1 2019

The number of attacked users and detected attacks peaked rapidly in the second half of 2018: 1,333,410 users were attacked and there were 10,256,935 attacks. The reason behind this is the rapid growth in activity of the Asacub banker trojan and an increase in the distribution of the Svpeng banker trojan. As can be seen from Kaspersky’s records for this period, the number of Asacub attacks peaked in the second half of 2018, multiplying almost a thousand times compared to the figures for H1 2018. However, the epidemic then calmed in H1 2019.

The influence of Asacub on the overall statistics can be clearly seen in the graph below.

The number of users attacked by Asacub banking trojan, H1 2018 – H1 2019

The overall number of detected malicious files (installation packages) has decreased since the first half of 2018: in the first half of 2019, there were 43% fewer. At the same time, researchers recorded an increase in the number of attacks, rising by 107%.

Number of malicious files for mobile platforms, H1 2018 – H1 2019

The top-five malware families for mobile platforms in the first half of 2019 is almost identical to the overall rating for 2018.

More than half (51.39%) of users faced representatives of the Asacub malware, which recorded powerful growth last year. At the peak of its “popularity” this malicious software attacked up to 40,000 users per day. This was partly due to the Trojan's distribution method: when it reached the victim’s phone, it sent messages to all of the victim's contacts with links to download the installation file.

The Asacub family is followed by the Agent family (16.75%). This is the general verdict for banking trojans that cannot be classified into particular families or are represented by only one sample.

14.91% were attacked by the Svpeng Trojan. Like most banking Trojans, Svpeng slips a false login page to the user, and then intercepts the data entered in the login and password fields.

The Anubis Trojan is particularly interesting: it intercepts data for access to services of large financial organisations and two-factor authentication data (a code from SMS), and it encrypts data in order to extort money. It is one of the few banking Trojans that spreads via instant messaging apps, such as WhatsApp, and sends a link to the victim’s contact list. Anubis is known to be one of the first threats in which comments on the YouTube platform were used as a command centre – a platform from which attackers manage malware. This usually works in the following way: malware writers create a video on YouTube and write a description or comment containing a command. The malware then connects to this video page, reads the description or comment and executes the command.

The attackers chose this approach because YouTube is a public resource: when someone analyses an infected user’s traffic and sees a YouTube link in the list of accessed pages, even a cybersecurity expert may not consider it suspicious. They could even be unaware that those requests were sent not by the user but by malware. Moreover, such communication cannot be blocked, as doing so could block the user from accessing the entire YouTube website.
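Because the host alone is not a usable signal here, a defender has to look at which app made the request and how regularly it did so. The following added example (not from the Kaspersky report) assumes a per-app network log is available, for instance from a mobile threat defence agent; the package names, the allowlist and the thresholds are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse, parse_qs

# Assumption: apps expected to load YouTube pages on a managed device.
EXPECTED_CLIENTS = {"com.google.android.youtube", "com.android.chrome"}
YOUTUBE_HOSTS = {"www.youtube.com", "m.youtube.com", "youtube.com"}

# Constructed sample: (epoch seconds, originating package, URL).
SAMPLE_LOG = [
    (1000, "com.android.chrome", "https://www.youtube.com/watch?v=AAAAAAAAAAA"),
    (1040, "com.android.chrome", "https://www.youtube.com/watch?v=BBBBBBBBBBB"),
    (1200, "com.example.flashupdate", "https://m.youtube.com/watch?v=CCCCCCCCCCC"),
    (1500, "com.example.flashupdate", "https://m.youtube.com/watch?v=CCCCCCCCCCC"),
    (1801, "com.example.flashupdate", "https://m.youtube.com/watch?v=CCCCCCCCCCC"),
    (2100, "com.example.flashupdate", "https://m.youtube.com/watch?v=CCCCCCCCCCC"),
    (2300, "com.example.notes", "https://example.org/sync"),
]

def video_id(url):
    """Return the video id of a YouTube watch URL, else None."""
    parts = urlparse(url)
    if parts.hostname not in YOUTUBE_HOSTS or parts.path != "/watch":
        return None
    return parse_qs(parts.query).get("v", [None])[0]

def find_polling_apps(log, min_hits=3, max_jitter=0.2):
    """Flag unexpected apps that re-fetch one video page at regular intervals."""
    hits = defaultdict(list)
    for ts, package, url in log:
        vid = video_id(url)
        if vid and package not in EXPECTED_CLIENTS:
            hits[(package, vid)].append(ts)
    findings = []
    for (package, vid), times in sorted(hits.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue  # identical timestamps: no interval to measure
        # Coefficient of variation: a low value means machine-like timing.
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append({"package": package, "video": vid,
                             "hits": len(times), "interval": round(mean(gaps))})
    return findings
```

A finding is a lead for triage, not a verdict: the flagged package still has to be inspected, and the thresholds need tuning against the organisation's own traffic.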

Conclusion and recommendations

In the first half of 2019, researchers recorded an increase in the number of users attacked by financial malware for personal computers compared to the same period in 2018, and a decrease in the activity of cybercriminals targeting mobile platforms.

The main families of malware that attacked users in 2019 remained the same: for mobile platforms, the leader turned out to be the Asacub family, and for PC, the RTM (for corporate users) and Zbot (for private users) trojans were the most prolific.

It was not possible to single out specific geographic locations where financial threats are most active, since they turned out to be approximately equal for users in all regions.

 

The post Financial threats in H1 2019: Mobile financial attacks rise by 107% appeared first on Payments Cards & Mobile.