Financial data theft soared at Easter

An increase in Trojans designed to steal financial data from businesses was detected over the Easter weekend, and it's 'virtually guaranteed' that some firms were compromised

A four-fold increase in financially motivated electronic information theft attempts occured in the two days prior to the Easter weekend, according to Web services company Scansafe.

An "unusual" combination of older malware and emerging threats was aimed at businesses, with attackers apparently hoping users would let their guard down leading up to the holiday weekend, Scansafe said.

"The rapid increase has been dramatic, but also highly unusual in longevity and the mix of malware included," John Edwards, ScanSafe's chief technology officer, told ZDNet UK.

"It's virtually guaranteed that many organisations have been breached and have had personal data stolen. Attackers are clearly looking for weak spots in a company's defences and targeting the quiet holiday period," Edwards added.

Hackers attempted to steal data using Trojan horse programs that installed key logging, screen capture or site monitoring payloads. Employees were mostly attracted to malicious sites hosting the Trojans through online advertising, according to Eldar Tuvey, Scansafe's chief executive officer.

"They generally come [to sites] through services like Google AdWords, which drive them through to infected Web sites," said Tuvey.

Once employees have navigated to the malicious sites, they are encouraged to download infected MP3 or other file types.

Scansafe said the mixture of older and newer malware suggested that several criminal groups with different levels of experience and organisation were involved.

"Forty-five percent of the Trojans we saw were older, and more likely to be used by amateurs. Fifty-five percent was brand new malware, used by elite groups," said Scansafe security analyst Saalim Chowdhury. Newer Trojans tend to be more directed, more numerous, and have a more limited shelf life, according to Chowdhury.

Trojans are becoming more sophisticated in their methods of attack. Last month, banks in the UK, Germany and Spain were targeted by the MetaFisher Trojan.

After infecting a computer, MetaFisher waits until the user visits a legitimate bank Web site, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.

Companies who fell victim to the pre-Easter malware blitz may soon start to realise they have been compromised, according to Tuvey.

"We believe a large amount of the corporate base is not protected adequately. These attacks are still so recent, we will see the effects over the next week or so, and start hearing about repercussions," he said.

One out of every four threats to businesses seen by Scansafe over the last week attempted to steal financial data, the company said.

"If anything, I think that's likely to be an underestimate," said Graham Cluley, senior technology consultant for Sophos. "Money is the big driver for malware, and everyone needs to have proper multi-layered defenses in place to ensure that they are not hit hard in the pocket."

At the end of last year Sophos found that over 66 percent of all new malware was designed to steal money, information and resources from computer users.