Financial cybercrime in 2019 Securelist




Financial cyberthreats are malicious programs that target users of services such as online banking, e-money, and cryptocurrency, or that attempt to gain access to financial organizations and their infrastructure. These threats are usually accompanied by spam and phishing activities, with malicious users creating fake financial-themed pages and emails to steal victims’ credentials.

In order to study the threat landscape of the financial sector, our researchers analyzed malicious activity on the devices of individual users of Kaspersky’s security solutions. Statistics for corporate users were collected from corporate security solutions, after the customers agreed to share their data with Kaspersky.

The information obtained was compared with data for the same period in 2018 to monitor the trends in malware development.

Introduction and key findings

In 2019, we witnessed a number of significant changes in the cyberthreat landscape. Cybercriminals started to lose interest in malicious cryptocurrency mining and turned their attention to the broader topic of digital trust and privacy issues.

How did all these changes affect financial security around the world? As our report for the first half of 2019 demonstrated, there is no room for complacency – cyberthreats that aim to steal money are still out there.

Although the financial industry didn’t witness any major cases in 2019, the statistics show that particular categories of users and businesses are still being targeted by criminals. We have prepared this report to provide a more detailed picture of the situation.

This publication continues our series of Kaspersky reports (see here, here, and here) providing an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.


  • In 2019, the share of financial phishing increased from 44.7% of all phishing detections to 51.4%.
  • Almost every third attempt to visit a phishing page blocked by Kaspersky products is related to banking phishing (27% share).
  • The share of phishing-related attacks on payment systems and online stores accounted for almost 17% and over 7.5% respectively in 2019. This is more or less the same as 2018 levels.
  • The share of financial phishing encountered by Mac users fell slightly from 57.6%, accounting for 54%.

Banking malware (Windows):

  • In 2019, the number of users attacked with banking Trojans was 773,943 – a decrease compared to the 889,452 attacked in 2018.
  • 1% of users attacked with banking malware were corporate users – an increase from 24.1% in 2018.
  • Users in Russia, Germany, and China were attacked most frequently by banking malware.
  • Just four banking malware families (ZBot, RTM, Emotet, CliptoShuffler) accounted for attacks on the vast majority of users (around 87%).

Android banking malware:

  • In 2019, the number of users that encountered Android banking malware dropped to just over 675,000 from around 1.8 million.
  • Russia, South Africa, and Australia were the countries with the highest percentage of users attacked by Android banking malware.

Financial phishing

Financial phishing is one of the most popular ways for criminals to make money. It doesn’t require a lot of investment, but if the criminals get the victim’s credentials, they can either be used to steal money or sold.

As our telemetry systems show, this type of activity has accounted for around half of all phishing attacks on Windows users in recent years.

The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky, 2014-2019

In 2019, the overall number of phishing detections stood at 467,188,119. 51.4% of those were finance-related attacks. That’s the second-highest share ever registered by Kaspersky; the highest proportion of financial phishing was 53.8% in 2017.

The distribution of different types of financial phishing detected by Kaspersky in 2019

Compared to the previous year, bank-related phishing grew from a share of 21.7% to almost 30% in 2019. The other two main finance categories remained more or less at the same level.

Financial phishing on Mac

As is now customary, we also compare the above statistics with those for MacOS: while the latter has traditionally been considered a relatively secure platform when it comes to cybersecurity, nobody knows where the latest threats may strike. Moreover, phishing is an OS-agnostic activity – it’s all about social engineering.

In 2018, 57.6% of phishing attacks against Mac users tried to steal financial data. A third of those were bank-related attacks. In 2019, the overall level was slightly less – just over 54%.

In 2019, the breakdown of categories was as follows:

The distribution of different types of financial phishing detected by Kaspersky on Macs in 2019

The share of bank phishing actually grew by around 6% compared to 2018. At the same time, the E-shop category’s share dropped from around 18% to around 8%. The Payment systems category remained more or less unchanged. Overall, our data shows that the financial share of phishing attacks on Macs is also quite substantial – like that for Windows. Let’s take a closer look at both categories.

Mac vs Windows

In 2017, we discovered an interesting twist when Apple became the most frequently used brand name in the online shopping category both in the MacOS and Windows statistics, pushing Amazon down to second place for the latter platform. Even more interesting is that in 2018 Apple maintained its position in the Windows statistics, but Amazon led the MacOS statistics for the first time since we started tracking this activity. In 2019, the situation was as follows:

Rank | Mac | Windows
1 | Apple | Apple
2 | Online Shopping | Online Shopping
3 | eBay | eBay
4 | groupon | Steam
5 | Steam | Americanas
6 | ASOS | groupon
7 | Americanas | MercadoLibre
8 | Shopify | Alibaba Group
9 | Alibaba Group | Allegro

The most frequently used brands in the E-shop category of financial phishing activity, 2019

What’s most interesting in the table above is that the top three places appear to be OS agnostic and are the same for both Mac and Windows.

When it comes to attacks on users of payment systems, the situation is as follows:

Rank | Mac | Windows
1 | PayPal | Visa Inc.
2 | MasterCard International | PayPal
3 | American Express | MasterCard International
4 | Visa Inc. | American Express
5 | Authorize.Net | Cielo S.A.
6 | Stripe | Stripe
7 | Cielo S.A. | Authorize.Net
8 | adyen payment system | adyen payment system
9 | Neteller | Alipay

The most frequently used brands in the Payment systems category of financial phishing activity, 2019

The data above can be viewed as a warning to users of the corresponding systems: they illustrate to what extent malicious users exploit these well-known names to fraudulently obtain payment card details as well as online banking and payment system credentials.

Phishing campaign themes

The list of 2019 phishing campaigns covered below consists of the usual suspects: fake versions of online banking and payment systems or web pages mimicking internet stores.


A phishing page masquerading as a payment service


Phishing pages masquerading as payment service pages


Phishing pages masquerading as e-store pages

Of course, by clicking a link or entering credentials on pages like these, a user will not be accessing their account – they will be passing on important personal information to the fraudsters.

Some of the most common scams used to trick users include messages that refer to the hacking or blocking of an account or offers of incredible bargains.

Banking malware on PCs

For clarity, when discussing financial malware in this paper we mean typical banking Trojans designed to steal the credentials used to access online banking or payment system accounts and to intercept one-time passwords. Kaspersky has been tracking this particular type of malware for a number of years:

The number of users attacked with banking malware, 2016-2018

As we can see, throughout 2016 there was a steady growth in the number of users attacked with bankers – following downward trends in 2014 and 2015. 2017 and the first half of 2018 saw a return to a downward trend. The number of attacked users worldwide fell from 1,088,933 in 2016 to 767,072 in 2017 – a decline of almost 30%.

Below are the figures for 2019.

The number of users attacked with banking malware, 2019

In 2019, the number of users attacked with banking Trojans stood at 773,943 – a slight decrease compared to 889,452 in 2018.

The geography of attacked users

As shown in the charts below, more than half of all users attacked with banking malware in 2018 and 2019 were located in just 10 countries.

The geographic distribution of users attacked with banking malware in 2018

The geographic distribution of users attacked with banking malware in 2019

In 2019, Russia’s share increased and accounted for over one-third of attacks. Germany remained in second place, while China ended the year in third place.

The type of users attacked

It is also interesting to look at the consumer/corporate split in victimology.

The distribution of attacked users by type in 2018-2019

The main actors and developments

For years, the banking malware landscape has been dominated by several major players.

The distribution of the most widespread banking malware families in 2018

In 2018, we saw the major players decreasing their attacks – Zbot fell to 26.4% and Gozi to a little over 20%. 2019 produced the following situation.

The distribution of the most widespread banking malware families in 2019

Zbot is still the most widespread malware, while second and third places are occupied by RTM and Emotet. Gozi dropped out of the top three, ending the year in sixth place.

Mobile banking malware

In 2018, we reviewed the methodology behind the mobile part of this report. We had previously analyzed Android banking malware statistics using KSN data sent by the Kaspersky Internet Security for Android solution. But as Kaspersky developed new mobile security solutions and technologies, the statistics gathered from one product alone became less relevant. That is why we decided to shift to expanded data, gathered from multiple mobile solutions. The data for 2016 and 2017 in this report was recalculated using the new methodology.

The change in the number of users attacked with Android banking malware, 2016-2019

In 2019 the number of users that encountered Android banking malware dropped to 675,000 from around 1.8 million in 2018.

To get a clearer picture of what’s behind these dramatic changes we took a closer look at the landscape and reviewed the most widespread families throughout the year. In 2018, the situation was as follows:

The most widespread Android banking malware in 2018

Asacub’s share more than doubled YoY to almost 60%, followed by Agent (14.28%) and Svpeng (13.31%). All three experienced explosive growth in 2018, especially Asacub as it peaked from 146,532 attacked users in 2017 to 1,125,258.

The most widespread Android banking malware in 2019

In 2019, there was almost no change among the most widespread families. The Asacub family was the only exception – it conceded some of its share to its nearest rivals. However, it still accounted for almost half of all attacks.

Geography of attacked users

In previous reports, we calculated the distribution of users attacked with Android banking Trojans by comparing the overall number of unique users attacked by this type of malware with the overall number of users in a region. There was always one problem – the majority of detections in Russia traditionally came from this malicious software due to the prevalence of SMS banking in the region, which allowed attackers to steal money with a simple text message if an infection was successful. Previously, the same was true for SMS Trojans, but after regulative measures, criminals found a new way to capitalize on victims in Russia.

In 2018, we decided to change the methodology and replaced the overall number of attacked unique users with the percentage of unique users that faced this threat from the overall number of users registered in the respective region.

The picture for 2018 was as follows:

Percentage of Android users who encountered banking malware by country, 2018

The top 10 countries with the highest percentage of users that encountered Android banking malware in 2018:

Russia 2.32%
South Africa 1.27%
US 0.82%
Australia 0.71%
Armenia 0.51%
Poland 0.46%
Moldova 0.44%
Kyrgyzstan 0.43%
Azerbaijan 0.43%
Georgia 0.42%

In 2019 it changed to:

Percentage of Android users who encountered banking malware by country, 2019

The top 10 countries with the highest percentage of users that encountered Android banking malware in 2019:

Russian Federation 0.72%
South Africa 0.66%
Australia 0.59%
Spain 0.29%
Tajikistan 0.21%
Turkey 0.20%
US 0.18%
Italy 0.17%
Ukraine 0.17%
Armenia 0.16%

Australia replaced the US in the top three. Also of interest is the fact that the average percentage fell for all countries – sometimes a 2-digit decrease can be seen.

Major changes to the Android banking malware landscape

While the figures tell their own story, there are many more ways to explore the changes and developments in the threat landscape. Our key method is the analysis of actual malware found in the wild.

As this analysis shows, 2019 was a relatively stable year when it comes to malicious mobile software. One point of interest, however, may be a new technique that we recently observed with Ginp and Cerberus Trojans.

At the very beginning of 2020, we found a new version of the Ginp banking Trojan that was first discovered by a Kaspersky analyst in 2019. Apart from the standard functions of an Android banker – the ability to intercept and send text messages, and perform window overlays – the new version involves a highly unconventional function to insert fake text messages in the inbox of a standard SMS app.

These messages are made to look like notifications from reputable app vendors informing users about an undesirable event (blocked account access, for example). In order to resolve the issue, the user is requested to open the application. Once the victim does that, the Trojan overlays the original window and asks the user to enter their credit card or bank account details, which then end up in the hands of cybercriminals.

We subsequently detected a rise in a technique used by the infamous Cerberus banker on Android devices. This malware increasingly produces fake push notifications to users on behalf of several banking applications. The detected messages urge Polish-speaking targets to open applications and check their cards and bank accounts by entering their login credentials. This technique is on the rise with more fake notifications being produced on behalf of more and more banking applications.

Conclusion and advice

2019 has demonstrated that cybercriminals continue to update their malware with new features, investing resources in new distribution methods and techniques to avoid detection. The rise in banking Trojan activity targeting corporate users is also of concern as such attacks could bring more problems than attacks on ordinary users.

This all means that malicious users are still gaining financially from their activities.

As the above threat data shows, there is still plenty of motivation for financial fraud operations involving phishing and specialized banking malware. At the same time, mobile malware regained its ability to jeopardize users across the world.

To avoid losing money as a result of a cyberattack, Kaspersky experts advise the following.

To protect against financial threats, Kaspersky recommends that users:

  • Only install applications from trusted sources such as official stores;
  • Check what access rights and permissions the application requests – if they do not correspond to what the program is designed to do, then it should be questioned;
  • Do not follow links in spam messages and do not open documents attached to them;
  • Install a reliable security solution – such as Kaspersky Security Cloud – that protects against a wide range of threats. The service also incorporates the Permission Checker feature for Android that allows users to see which applications have access to a device’s camera, microphone, location and other private information and restrict them if necessary.

To protect your business from financial malware, Kaspersky security specialists recommend:

  • Introducing cybersecurity awareness training for your employees, particularly those who are responsible for accounting, to teach them how to distinguish phishing attacks: do not open attachments or click on links from unknown or suspicious addresses;
  • Explaining to users the risk of installing programs from unknown sources. For critical user profiles, such as those in financial departments, switch on default-deny mode for web resources to ensure they can only access legitimate sites;
  • Installing the latest updates and patches for all the software you use;
  • Enabling protection at the level of internet gateways as it shields from many financial and other threats even before they reach employee endpoints. Kaspersky Security for Internet Gateways protects all devices in the corporate network from phishing, banking Trojans and other malicious payloads;
  • Using mobile protection solutions or corporate internet traffic protection to ensure employee devices are not exposed to financial and other threats. The latter helps protect even those devices for which antivirus is unavailable;
  • Implementing an EDR solution such as Kaspersky Endpoint Detection and Response for endpoint level detection, investigation and timely remediation of incidents. It can even catch unknown banking malware;
  • Integrating Threat Intelligence into your SIEM and security controls in order to access the most relevant and up-to-date threat data.
