Financial Cyberthreats in 2020

[harlan4096]

2020 was challenging for everyone: companies, regulators, individuals. Due to the limitations imposed by the epidemiological situation, particular categories of users and businesses were increasingly targeted by cybercriminals. While we were adjusting to remote work and the rest of the new conditions, so were scammers. As a result, 2020 was extremely eventful in terms of digital threats, in particular those faced by financial institutions.

At the same time, some of the known APT (Advanced persistent threats) groups that are not generally targeting financial institutions have tried their hand at it. Existing at a special crossroads between APT and financial crime, the Lazarus group has already been among the most active ones in the financial sphere. In 2020, the group tried its hand at the big extortion game with the VHD ransomware family. Later on other groups, such as MuddyWater, followed suit.

Moreover, in 2020, we saw regional actors go global. A few Brazilian malware families expanded their operations to other continents, targeting victims in Europe and Asia. We have dubbed the first four families to have done this (Guildma, Javali, Melcoz, Grandoreiro) “the Tétrade”. Later on the authors of Guildma also created the new banking malware Ghimob targeting users located in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.
Of course, the known financial threats have remained, too. Thus, the year 2020 saw a surge in the use of Emotet, described by Interpol as “the world’s most dangerous malware”. In the beginning of 2021, law enforcement agencies all over the world joined their forces to disrupt the botnet’s infrastructure. According to Kaspersky experts, the operation will frustrate Emotet’s activities for at least several months. In the meantime, at least some of Emotet customers have switched to Trickbot.

Even though, in 2020, we have seen ever more sophisticated cyberattacks, the overall statistics look encouraging: the number of users hit by computer and mobile malware declines, so does financial phishing. Still, that does not mean that the cyber world has become a safer place – it means that the cybercriminals’ goals and tactics have undergone a number of changes. Despite the decreasing general statistics, we see that attacks have become more targeted and business-oriented. At the same time, we observe cybercriminals to skillfully adapt themselves to the global changes and benefit from the teleworking vulnerabilities and the rising popularity of online shopping. This report aims to shed a light on more details of financial cyberthreats in 2020.

This research is a continuation of our annual financial threat reports (2019, 2018 and 2017) providing an overview of the latest trends and key events across the financial threat landscape. Traditionally, the study covers the common phishing threats encountered by users, along with Windows and Android-based financial malware.

Methodology

In this research, by financial malware we mean several types of malevolent software. Firstly, we identify as financial the malware targeting users of financial services such as online banking, payment systems, e-money services, e-shops, and cryptocurrency services. Secondly, we use the term to define the malware attempting to gain access to financial organizations and their infrastructure. In most cases, financial malware attacks rely on spamming and phishing activities, such as creating and distributing fake finance themed web pages and emails to steal the victims’ payment info.

To examine the financial sector threat landscape, Kaspersky researchers have analyzed the malicious activities on devices owned by individuals using the Kaspersky security products, which they volunteered to make available to us through the Kaspersky Security Network. The corporate user statistics were collected from the enterprise security solutions, after our customers agreed to share their data with Kaspersky.

The data for 2020 was mostly compared against 2019 to monitor the malware development trends. However, in some parts, for better insight into the financial malware evolution, the study also refers to earlier times.

Key findings

Phishing:

• In 2020, the percentage of users hit by phishing declined slightly from 15.7% to 13.21%.
  
• This time around, e-shops became the target of choice for phishing attacks. Almost every fifth attempted visit to a phishing page blocked by Kaspersky products has been related to online store phishing.
  
• Phishing attacks against PayPal users soared from 26.8% in 2019 to 38.7% in 2020. The longtime leader of the category, Visa, dropped to the fourth place with 10.2% of phishing attacks against users of payment systems successfully prevented by Kaspersky in 2020.
  

PC:

• In 2020, 625,364 users were attacked by banking Trojans – 148,579 less from 773,943 in 2019.
  
• This year, users in Russia, Germany and Kazakhstan were the most frequent targets of financial malware.
  
• Zbot is still the most widespread banking malware (22.2 % of attacked users), the second place is now held by CliptoShuffler (15.3%), with Emotet (14.5%) in the third place as before.
  
• 36% of users hit by banking malware are corporate ones – an increase of one percentage point from the previous year.
  

Mobile:

• This year, the number of users attacked by Android banking malware rapidly dropped by more than 55%: from 675,772 in 2019 to 294,158 in 2020.
  
• Japan, Taiwan and Spain ended up with the highest percentage of users hit by Android banking malware.
  

...

Continue Reading