Two threat reports issued by cybersecurity firms Proofpoint and Kaspersky Labs highlight several unexpected changes to the malware landscape this year, suggesting a shift away from the enormous ransomware campaigns that dominated the threat matrix in the past two years. Proofpoint reported in two recent threat reports that banking Trojans have stepped in to fill a downturn in ransomware emails, so much so that banking Trojans have reclaimed the top position in email malware for the first time since 2016. Similarly, antivirus developer Kaspersky Labs reports an all-time high in the prevalence of banking Trojans targeted specifically at mobile devices.

Ransomware is displaced by banking Trojans in 2018

Proofpoint reported a significant shift in the types of malware distributed via email in the first half of 2018, as banking Trojans constituted the majority of malicious email payloads. Banking Trojans are viruses that harvest bank account usernames and passwords to enable cyber thieves to illicitly withdraw funds; some recent versions simply transfer funds directly from domestic bank accounts to accounts overseas. These viruses have been ubiquitous for years, most commonly entering a network when an unsuspecting person opens an attachment or clicks on a URL in an email, or less frequently via a web download. In recent years, ransomware dominated the malware landscape with large-scale campaigns that delivered bulk emails carrying ransomware, easily overtaking banking schemes as the preferred methodology.

In a corresponding development, Kaspersky Labs reported historic highs in the prevalence of banking Trojans designed for mobile devices.  These Trojans harvest credentials similarly to those for laptops and other workstations; for example, the virus may display its own interface over the banking app’s legitimate interface and steal the login information that the user types in.  Kaspersky reported that in Q2 2018, the number of mobile banking Trojans exceeded any figures since the firm began recording these threats.   

The Proofpoint report explains that the recent decline in ransomware email traffic is traceable to decreased activity by a single spammer known as TA505, who launched massive ransomware email campaigns. With that actor's notable absence, the illicit email operations in 2018 have been smaller and more diverse in payloads, using more traditional cybercrime techniques, including remote access Trojans, keyloggers, and credential stealers. The increase in the use of remote access Trojans is troubling, as these viruses give hackers complete administrative rights to the victim's system and allow detailed reconnaissance, harvesting of credentials, and exfiltration of valuable files.

And while the popularity of ransomware has declined, Proofpoint emphasized that these viruses remain an active threat. GandCrab, GlobeImposter, and Sigma, three new ransomware strains, appeared frequently in email campaigns. Sadly, the notorious WannaCry ransomware that wreaked global havoc last year also continues to appear in network traffic, pointing to a recurring problem in combating malware: some Microsoft Windows users still have not installed the highly publicized patch that fixes the EternalBlue vulnerability this virus exploits.

The report also observed a notable shift in one technique used by email scammers, as emails containing URLs that link to malware outnumbered those containing malicious attachments by a ratio of 4 to 1 in Q1 2018. This represents a dramatic shift from Q4 2017, which was characterized by high-volume email campaigns delivering malware via attachments.

Email Fraud Schemes Grow in Prevalence and Sophistication

Email fraud schemes continue to dominate the corporate cybercrime landscape.  In these schemes, a phony email purportedly written by a top company executive instructs an employee with disbursement authority to wire money in response to a variety of seemingly legitimate needs.  Proofpoint reports that approximately 90 percent of businesses were targeted by these schemes in Q1 2018. On average, businesses received 35 such attacks in Q2, representing a 26 percent increase over last quarter and a startling 87 percent increase over Q2 in 2017. Significantly, the report found no correlation between the likelihood of an email fraud attack and company size—all sizes of victims are apparently equally desirable. Targeted companies in the United States experienced an average of 24 attacks. Notably, Proofpoint observes that as companies train employees to be wary of emails from the CEO or CFO directing the transfer of money, criminals are researching more deeply and exploiting publicly available information about lower-level supervisors and employees to broaden the population of people to impersonate. 

Our Take

Email-based threats in many varieties and forms remain a primary danger to network security. With the noise linked to ransomware turned down a bit, we see the persistence of some of the classic forms of malware such as banking Trojans and other credential harvesters. Meanwhile, email fraud campaigns are growing more prevalent and more sophisticated, with criminals exploiting the expanding repository of public information contained on company websites and social media accounts. Companies must continue to invest in their defenses against harmful activity that flows via email. As viruses continue to be delivered via email attachments or embedded URLs, employee training programs and unannounced testing exercises help to discourage unwanted clicks on these dangerous payloads. Companies also must require multiple approvals and secondary verification before transferring money in response to emailed instructions. Together with an effective security system that identifies and quarantines email threats, these practices will continue to pay dividends and reduce a company's risk of becoming a victim of ransomware and other schemes.