January 11, 2019
There has been a significant rise in cyber security activity involving banking trojans recently, including Trickbot [1] and Emotet [2]. Banking trojans are becoming more dangerous and disruptive, and once a device is infected, users may have a hard time detecting and removing them. It's more important than ever to prevent them from gaining a foothold and to respond effectively if they do.
Banking trojans are a type of malware designed to steal credentials, with a specific focus on credentials for online banking services. Once cybercriminals have your online credentials, they may use them to access your financial accounts, steal your money, and steal your identity.
This type of malware typically spreads via:
- Email - Messages spreading banking trojans will often use stolen logos and are designed to look exactly like they came from a trusted financial institution. They may simulate alerts about account activity and direct you to a fake web page, or they may include a Microsoft Office or PDF attachment purporting to be an invoice or other document needing your review. These documents typically contain macros which will launch on opening to install or download additional malware. A recent email attack sent users fake Amazon order confirmations - https://www.bleepingcomputer.com/news/security/fake-amazon-order-confirmations-push-banking-trojans-on-holiday-shoppers/ [3]
- Malicious mobile apps - In many cases cybercriminals disguise banking trojans as legitimate apps and lure people into installing the malware on their mobile device. This includes apps downloaded from third-party sites, but there have also been several cases where banking trojan apps have been made available on Apple and Google's official app stores. Below are a few news articles describing similar attacks:
  - iOS Fitness Apps Robbing Money From Apple Victims - https://threatpost.com/ios-fitness-apps-robbing-money-from-apple-victims/139546/ [4]
  - Malware-Laced App Lurked on Google Play For a Year - https://threatpost.com/malware-laced-app-lurked-on-google-play-for-a-year/139015/ [5]
  - Android malware steals money from PayPal accounts while users watch helpless - https://www.zdnet.com/article/android-malware-steals-money-from-paypal-accounts-while-users-watch-helpless/ [6]
Awareness of this threat is one of the most important steps you can take to help avoid infection:
- Know how to recognize a phishing message [7]
- Exercise caution with your email. Verify embedded links and scrutinize email attachments, particularly Office documents that contain macros
- Practice safe web browsing habits. Keep your browser and extensions patched, do not click on pop-ups, use a pop-up blocker, avoid clicking on unknown links, and only visit known trustworthy sites
- Only download mobile apps from official app stores and carefully read reviews before installing new apps
- Take cyber security awareness training available in CourseLink (Students [8] - Employees [9])
- Keep all of your computers and mobile devices current with security updates [10]
- Run anti-malware on all of your computers and mobile devices. This applies to Macs and Linux systems as well - they are not immune
- Carefully monitor your bank account and credit cards for suspicious activity
If you have reason to believe your system has been infected with a banking trojan:
- Disconnect infected machines from the network (wired and wireless) as soon as possible
- Change passwords for any personal accounts you may have accessed through the machine
- Contact the CCS Help Centre for assistance
- Contact your bank if you have detected suspicious activity on your account
Written by: Stephen Willem (Manager, Information Security)