​Banking Trojans are growing smarter. But will banks keep up?

With infections from banking malware on the rise, researchers ask whether banks could do more to differentiate legitimate transactions from phishing attempts.
Written by Andrada Fiscutean, Contributor

"Banks make it easier for Trojan makers to thrive," says Righard Zwienenberg, senior research fellow at security firm ESET.

Image: iStock

Infection rates of banking Trojans continue to run high, despite the best efforts of financial institutions and security companies to keep this type of malware in check.

According to Morten Kjaersgaard, CEO of Danish security specialist Heimdal, the number of campaigns involving the Dyreza Trojan, also known as Dyre, has spiked while Tinba remains the most common piece of banking malware.

"We're seeing an infection rate averaging about 1,000 machines per day for Tinba alone," he says. "Tinba is the most widely spread, but Dyreza is the most used."

Dyreza, also referred to as Dyzap by others, notably Microsoft, hooks into browser processes and then monitors for connections to specific domains, collecting credentials as the victim types them, in a style of attack known as 'man in the browser'.

Heimdal parent company CSIS Security Group says it first uncovered and named the Tinba banking Trojan family, alias Zusy, in 2012.

The firm described Tinba as the smallest banking Trojan it had encountered, at about 20KB in size, including config and webinjects. Hence the malware's name: Tinba, which means 'tiny banker'.

Like Dyreza, Tinba is a data-stealing Trojan that uses man-in-the-browser techniques and webinjects to change the look and feel of certain webpages to circumvent two-factor authentication.

This kind of malware adapts quickly. Dyreza now includes support for Windows 10 and can also attempt to use Microsoft Edge to collect data. The Trojan is prevalent in Australia, Canada, the UK, and the US, while Tinba has the highest traction in Poland.

"Banking Trojans constantly evolve to fit the banking space, making sure that they can circumvent two-factor authentication," Kjaersgaard says.

"The biggest evolution for the banking Trojan, in my view, will be gaining access to the system, creating the infection. Once inside, the malware can easily morph to adapt to the banking environment. So that's a secondary concern for malware makers."

The Heimdal CEO also believes that banking Trojans will continue to grow more complex and harder to detect over time.

Meanwhile, there is a concern that financial organizations are failing to keep their procedures in line with the nature of the evolving threat from banking Trojans.

According to Righard Zwienenberg, senior research fellow at security firm ESET in Bratislava, "Banks make it easier for Trojan makers to thrive."

For example, sometimes it's difficult to differentiate a legitimate transaction from a phishing attempt, the researcher says.

"Banks don't follow best practices. They ask for IBAN and date of birth, and don't use the URLs they should," Zwienenberg says.

That's exactly what happened recently, when he tried to book a hotel in Vietnam. His bank's process of diverting him to a third-party site that asked for personal information was a response that he felt more closely resembled a phishing attempt than a procedure provided by a legitimate bank.

Zwienenberg also shuns online banking on his phone because of the potential vulnerabilities of the communications methods sometimes used by institutions.

"One reason is that the bank sends me a verification message on my phone, by text," he says.

As a result, the cybersecurity researcher instead uses a more secure computer dedicated to online payments at home.

Read more about banking malware

Editorial standards