Banking trojans are on the rise: here’s how to avoid being robbed

Banking trojans are helping cybercriminals to commit the perfect crime:  stealing money from the accounts of unsuspecting victims, almost untraceably and at minimal risk.  As such it’s no surprise that from June to December 2016, banking trojans were only fractionally behind ransomware in being the most prevalent type of malware, and in Asia-Pacific countries they far outstripped ransomware in the number of attacks.  So how do banking trojans work, and how can users protect themselves against an online bank robbery?

First, banking trojans are among the stealthiest of all malware types.  After a banking trojan infects a user’s PC or web browser, it will lie dormant and wait for the user to visit their online banking website.  When the user does this, the trojan activates, using keylogging to steal the account username and password and sending it stealthily to the criminals behind the attack.  They can then log into the user’s bank account and transfer funds, usually through a complex network of transactions using ‘mule’ accounts to cover their tracks.


The thief in your browser

Many trojans can perform sophisticated Man-in-the-Browser (MiB) techniques such as web injections or redirection mechanisms:  these disguise the trojan’s actions in real time, subtly changing what the user’s browser displays so that it appears as if transactions are proceeding normally while the theft is happening.  Other tactics include displaying fake warning pages that ask a user to re-enter their login information, or showing users a fake logout page while keeping them signed into their accounts.  The aim is to conceal the trojans’ actions from users for as long as possible, to enable the criminals to continue stealing from their accounts.

According to the Check Point 2016 H2 Global Threat Intelligence Trends report, the most common banking trojans seen globally in the second half of 2016 were:

  1. Zeus – which targets Windows platforms and often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
  2. Tinba – a trojan that steals the victim’s credentials using web-injects, activated as the users try to login to their bank website.
  3. Ramnit – designed to steal banking credentials, FTP passwords, session cookies and personal data.


In fact, during all of 2016, Zeus, Tinba and Ramnit never left Check Point’s overall top 20 malware list, and frequently occupied the top 10 malware seen globally.


Mobile banking:  the moving target

We’re also seeing the evolution of mobile banking trojans.  These typically involve malware which displays fake overlays on the mobile device’s screen when a user tries to use an application.   The overlays look the same as the login pages of banking apps, and can steal login credentials, or intercept SMS messages from the user’s bank, enabling the criminal to harvest mobile transaction authentication credentials.

So with the growing threat from banking trojans, how can you protect yourself against the risk of an online bank robbery?  Check Point has teamed up with Europol’s European Cybercrime Centre (EC3) to produce a detailed report, Banking Trojans: from Stone Age to Space Era, which shows how the threat has evolved from its earliest days to the current trends.  It also covers how criminals use the malware, and launder the money they steal.

In the meantime, these are the steps we strongly recommend all users take to protect themselves against banking Trojans:

  • Be cautious – when opening emails, even when they appear to come from trusted sources, and don’t run macros on Microsoft Office files.
  • Have a comprehensive, up-to-date, security solution – High quality security solutions and products protect you from a variety of malware types and attack vectors. Check Point Sandblast Zero-Day Protection efficiently detects and blocks banking Trojans samples, and extracts malicious content from files delivered by spam and phishing campaigns.
  • Be alert for “weird” behavior of banking and financial services websites – Pay attention to extra login fields you weren’t used to seeing in the past (especially of personal data or things that the bank is not supposed to ask for), changes in the login page design, and any tiny flaws noticeable in the web site display.
  • Install mobile applications, and especially bank applications, only from known and trusted sources such as Google Play and Apple’s app store. This will not guarantee that you do not download malicious apps, but will protect you from most threats.
  • Back up your most important files – Make an offline copy of your files on an external device and an online cloud stage service. Common banking Trojans today follow the infostealing phase with deploying other malware, including ransomware which can hold your files hostage until you pay.


By using these measures, you can help to ensure that crime doesn’t pay for those behind banking trojan attacks.