Cyber Crime: A Focus on Financial Gain (Zeus Trojan, Emotet Trojan, Carbanak)
- Nov 15, 2024
- 2 min read

Monetary Gain as the Core Driver of Cybercrime
Cybercriminals are motivated by financial profit, which makes their targets somewhat predictable: they go where the money is. These attackers prefer low-effort, high-reward methods and usually avoid well-defended targets.
A classic saying summarizes their approach: “You don’t have to be the fastest; just don’t be the slowest.”
Common Attack Techniques in Financial Cybercrime
1. Online Banking Trojans
Banking Trojans target online banking users, aiming for mass infections and small-value thefts. Notable examples include:
Zeus, Citadel, Emotet, and Dridex: These Trojans infect end-user devices, harvest online banking credentials and session data, and steal small amounts from a large number of accounts.
POS and ATM Malware: Tailored malware targeting point-of-sale systems and ATMs to steal data and cash.
2. Advanced Attacks Against Financial Institutions
Criminals also target banks directly, compromising the workstations of staff who handle large fund transfers:
Carbanak (disclosed 2015): Cybercriminals infiltrated bank networks, learned the internal fund transfer procedures, and stole millions.
Bangladesh Bank Heist (2016): Attackers compromised the bank’s SWIFT-connected systems and issued fraudulent payment instructions totalling $951 million; about $81 million was actually transferred before the remaining requests were stopped.
3. Targeted Ransomware
Since 2015, ransomware has surged, targeting any entity that values its data:
Victims: From individuals to corporations and government bodies, anyone with data worth protecting is a potential target if they’re willing to pay to retrieve it.
Key Online Banking Trojans
Zeus Trojan: The "King" of Banking Malware
Overview: Zeus is a modular Trojan that performs keylogging, form grabbing and "man-in-the-browser" (MitB) attacks. In a MitB attack, code injected into the browser process reads and modifies page content and form data after TLS has been terminated, so the user sees an unaltered page while the bank receives altered transaction details.
Tech Support Scams: Zeus botnets were also used to push scareware, fake virus warnings that pressure users into paying for fraudulent antivirus services.
Source-Code Leak: In 2011, Zeus’s source code was leaked, giving rise to many new variants such as Citadel.
ZitMo (Zeus-in-the-Mobile): A companion mobile component that intercepts SMS-delivered transaction codes (mTANs) on the victim’s phone and forwards them to the attacker, so that out-of-band SMS confirmation no longer protects the account.
Emotet Trojan: Evolving Financial Malware
First Identified (2014): Emotet began as a banking Trojan that stole online banking credentials; it later evolved into a modular loader with a spam module that spreads it by e-mail from infected mailboxes and a distribution service that delivers other crimeware.
Infection via Spam: Emotet spreads through e-mail carrying malicious Office documents (or links to them), typically disguised as invoices, payment notices or delivery notifications; the embedded macro downloads and runs the Emotet loader.
Notable Attack (2019): In Lake City, Florida, Emotet infected the city’s network and dropped TrickBot, which in turn led to the deployment of Ryuk ransomware; the city paid a ransom of about $460,000.
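The macro-laden invoice lure is the most concrete technical detail in this section, so here is a small triage script for it. This is an added example written for this post, not code from the article, from Emotet or from any vendor: it parses a raw e-mail, pulls out the attachments and flags Office documents that carry a VBA project, together with the usual lure signals (invoice/delivery subject, macro-enabled or double extensions). The sample messages are constructed in memory; the OLE2 check is a crude string-marker heuristic rather than a real compound-file parser (use oletools/olevba for that); all function names are my own.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature (legacy .doc/.xls)
LURE_WORDS = ("invoice", "payment", "delivery", "shipment", "remittance")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
EXECUTABLE_EXTENSIONS = ("exe", "js", "vbs", "scr", "hta")


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML (.docx/.docm/...) is a ZIP; VBA lives in a vbaProject.bin part.
    The file extension is deliberately ignored: a .docx can carry macros too."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole2_has_vba(data: bytes) -> bool:
    """Heuristic for legacy binary Office files (assumption: good enough for triage).
    Stream names are stored UTF-16LE, so look for the VBA storage names that way."""
    if not data.startswith(OLE2_MAGIC):
        return False
    return any(m.encode("utf-16-le") in data for m in ("_VBA_PROJECT", "Macros"))


def attachment_findings(msg) -> list:
    """One record per attachment listing the reasons it looks suspicious."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ooxml_has_vba(data):
            reasons.append("ooxml-vba")
        if ole2_has_vba(data):
            reasons.append("ole2-vba")
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append("macro-enabled-extension")
        pieces = name.split(".")
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append("double-extension")  # e.g. invoice.pdf.exe
        findings.append({"filename": name, "reasons": reasons})
    return findings


def score_message(raw: bytes) -> dict:
    """Verdict: block (VBA found), review (lure subject + attachment), allow."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").lower()
    lure = any(w in subject for w in LURE_WORDS)
    findings = attachment_findings(msg)
    has_vba = any(r.endswith("-vba") for f in findings for r in f["reasons"])
    if has_vba:
        verdict = "block"
    elif lure and findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"subject": subject, "lure_subject": lure, "attachments": findings, "verdict": verdict}


# --- constructed samples (not real Emotet artefacts) -------------------------

def fake_ooxml(with_vba: bool) -> bytes:
    """Minimal ZIP shaped like a Word document, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_eml(subject: str, filename: str, data: bytes) -> bytes:
    m = EmailMessage()
    m["From"] = "accounts@example.com"
    m["To"] = "victim@example.org"
    m["Subject"] = subject
    m.set_content("Please find the attached document.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


SAMPLE_MALDOC = build_eml("Invoice #4471 overdue", "invoice.docx", fake_ooxml(True))
SAMPLE_CLEAN = build_eml("Invoice #4471 overdue", "invoice.docx", fake_ooxml(False))
SAMPLE_LEGACY = build_eml("Your delivery is on its way", "delivery.doc",
                          OLE2_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le"))

if __name__ == "__main__":
    for label, raw in (("maldoc", SAMPLE_MALDOC), ("clean", SAMPLE_CLEAN), ("legacy", SAMPLE_LEGACY)):
        print(label, score_message(raw)["verdict"])
```

The point of ignoring the extension is that Emotet lures were routinely named .doc or .docx while still carrying a VBA project; the ZIP part listing is what tells you, not the file name.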

Carbanak: The First APT Against Banks
Discovery (2015): Carbanak, reported by Kaspersky Lab in 2015 as the first APT-style campaign against banks, targeted financial institutions worldwide; total losses were estimated at up to $1 billion.
Attack Method: Spear-phishing e-mails with malicious attachments installed a backdoor that gave the attackers remote control of bank workstations and the ability to watch internal operations.
Techniques: The gang recorded the screens and keystrokes of bank employees for months to learn internal procedures, then used that knowledge to issue transactions that looked legitimate.
Cash-Out Techniques: These included programming ATMs to dispense cash at set times to waiting money mules, transferring funds to mule accounts through SWIFT and online banking systems, and inflating account balances so that the excess could be moved out without the account holder noticing.
Summary of Financial Losses: Each affected institution lost up to about $10 million, and total losses across all victim banks were estimated at up to $1 billion.
In the next article we will look at the Bangladesh Bank heist via the SWIFT network in depth.
Until then, stay safe and keep learning!