Despite Arrests and Takedowns, Online Banking Threats Persist

By Cklaudioney Mesa (Threat Response Engineer) and Christopher Ordoñez (Threat Response Engineer)

While takedowns and/or arrests slow down or severely damage cybercriminal operations, they could also pave the way for other threat actors to up their ante when it comes to their nefarious activities and “battle” it out to fill the void left by those who said operations were hampered. Regardless who emerges the victor, in the end, it’s still the users and organizations that fall victim to these attacks who lose.

This must be the case with QAKBOT, a multi-component, information-stealing threat that has been active since 2007. Data from Trend Micro Smart Protection Network suggests a dramatic increase in detections since the tail end of 2015 until today. Most of these detections (75%), particularly of newer variants which we detect as WORM_QAKBOT.SMUV and WORM_QAKBOT.SMUX, are from users in the Americas— the United States, Canada, and Brazil. It is also currently the top malware family for this month.

Figure 1. Top countries affected by QAKBOT from December 2015-February 10, 2016

Interestingly, QAKBOT’s comeback comes on the heels of the arrest of the alleged cybercriminal group behind DYRE/DYREZA last November. We believe that the operators behind the former are taking advantage of the void left the latter. Figure 2 below shows that DYRE initially had higher detection as opposed to QAKBOT, and this eventually declined towards the end of 2015. QAKBOT, on the other hand, steadily increased starting from November until this month.

Figure 2. Detection comparison between DYRE and QAKBOT

Other online banking threats are still at large

DYRE and QAKBOT are just some of the prevalent online banking threats to date. Based on our 4Q 2015 data, the majority of user systems were infected with DRIDEX (55.59%). This threat is known for its use of malicious macros and stealing information via HTML injections. One may recall that last October, US and UK law enforcement joined forces in toppling down malicious servers that weakened the DRIDEX botnet. However, just a month later, we spotted DRIDEX-related spam targeting US. This further drives home the point that takedowns do not always translate to a malware’s ending.

Figure 3. Top online banking threats in 4Q

The arrest of any cybercriminal group is certainly a big win for law enforcement and security vendors, but the battle against these banking threats is far from over. As the risks these threats pose continues to loom, users and organizations can arm themselves with basic countermeasures. For instance, since most of these threats arrive via email messages, it is best to always verify first the legitimacy of any messages received even if these come from known sources. It is also advisable for banking sites to adopt two-factor authentication to provide another layer of protection thus preventing attackers from stealing user information and credentials. Trend Micro protects its users from online banking threats by detecting the malicious files and its infection vectors.

Additional analysis by Rhena Inocencio, Karla Agregado, and John Roan