The overall trends in infection vectors used by malware are mirrored by financial malware, with the vast majority of malicious programs targeting banks infecting the victim machine or systems via web surfing. While a certain number of such programs are still delivered to the victim via email, there are clear reasons why those attacking financial institutions prefer to use the Internet.
Firstly, malicious programs delivered via email are more likely to attract the attention of antivirus vendors and financial institutions, not to mention the media and end users. Stealth is a key factor in the success of attacks on financial institutions, so conducting a drive-by download using exploits is obviously an attractive method. If the user does not notice anything wrong with his/ her machine, s/he will continue to use it as normal – and in this case, continue to enter confidential data which can then be stolen and used by cyber criminals.
Secondly – and this is a significant factor in terms of evading quick detection by antivirus solutions – malicious programs which infect victim systems via the web are hosted on a web server. This means that the cyber criminals using these programs to conduct attacks can modify the malicious files very easily using automated tools – a method known as server-side polymorphism. In contrast to regular host polymorphism (where the algorithm used to modify the code is contained in the body of the malicious program) it's impossible for antivirus researchers to analyse the algorithm used to modify the malware, as it's located on the remote server. Although it is possible to create generic detection routines for programs which use server-side polymorphism, this takes longer.
In addition to the factors above, some of the more sophisticated Trojan-Downloaders used to deliver financial malware to its eventual destination are designed to self-destruct (or 'melt') once they have successfully or unsuccessfully downloaded the financial malware. This naturally hinders analysis conducted by antivirus and forensic specialists.
The increase in financial malware is the result of the increasing criminalization of cyberspace, with malware being used to make money. In addition to stealing funds, cyber criminals need a method for accessing these funds. Obviously, the criminals can't transfer stolen money to their own accounts as this would make them easily identifiable and significantly increase the risk of arrest and prosecution. Banks have responded to the increased number of attacks by investing more time, money and effort into developing mechanisms for detecting fraud and illegal activity. One safeguard is for an alert to be triggered if a large amount of money is transferred to a 'suspicious' region of the world.
In order to sidestep this, cyber criminals have taken to using 'money mules'. Mules are often recruited via seemingly legitimate job offers – for instance, the cyber criminals might advertise for a 'financial manager'. If the would-be mule accepts the offer s/he is likely to receive official looking documents to sign to make it all seem legitimate. The mule makes his/ her bank account available to receive transactions, and then transfers 85% - 90% of the money onwards via a service such as MoneyGram or E-Gold. Such services are used because they guarantee anonymity, reducing the likelihood that the cyber criminal will be caught. The remaining funds are the mule's 'commission' – naturally money which has been earned illegally via phishing or financial malware.