In 2007, there was also an upsurge in the number of password stealing Trojans designed to steal all data entered into web forms. These target the most popular browsers i.e. Internet Explorer, Opera and Firefox. Such Trojans can obviously be used to steal credit cards, and using such malware may be enough to breach a bank's defences – it all depends on the sophistication of the security measures employed. Many banks which use single-factor authentication are vulnerable to relatively simple attacks.
The overall trends in infection vectors used by malware are mirrored by financial malware, with the vast majority of malicious programs targeting banks infecting the victim machine or systems via web surfing. While a certain number of such programs are still delivered to the victim via email, there are clear reasons why those attacking financial institutions prefer to use the Internet.
Firstly, malicious programs delivered via email are more likely to attract the attention of antivirus vendors and financial institutions, not to mention the media and end users. Stealth is a key factor in the success of attacks on financial institutions, so conducting a drive-by download using exploits is obviously an attractive method. If the user does not notice anything wrong with his/ her machine, s/he will continue to use it as normal – and in this case, continue to enter confidential data which can then be stolen and used by cyber criminals.
Secondly – and this is a significant factor in terms of evading quick detection by antivirus solutions – malicious programs which infect victim systems via the web are hosted on a web server. This means that the cyber criminals using these programs to conduct attacks can modify the malicious files very easily using automated tools – a method known as server-side polymorphism. In contrast to regular host polymorphism (where the algorithm used to modify the code is contained in the body of the malicious program) it's impossible for antivirus researchers to analyse the algorithm used to modify the malware, as it's located on the remote server. Although it is possible to create generic detection routines for programs which use server-side polymorphism, this takes longer.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.