The promise of easy money remains the biggest motivation for cybercrime today. Cybercriminals thus make it their main objective to steal information that would lead them to the money, like online banking information. Once stolen, the information can be used to transfer funds illegally from victims’ accounts.
In 2013, the total amount of money stolen through this exact method in Japan has amounted to 1.4 billion yen. This is purportedly the biggest amount to date, and it seems 2014 is well on its way to catching up, with 600 million yen already stolen, according the publication of the National Police Agency (NPA). We have reason to believe that those numbers will continue to climb, which poses a challenge on how to stop cybercrime once and for all.
As part of our efforts to stop cybercrime, our dedicated team of researchers, the Forward-Looking Threat Research Team have been doing research about what it takes to prevent financial losses from online account theft by cybercriminals. Moreover, we have identified some methods to track down and identify these cybercriminals responsible, such as command-and-control (C&C) server analysis, analyzing stolen information, and malware analysis.
For instance, cybercriminals behind the recent popular banking Trojan called Citadel (TSPY_ZBOT) use WebInjects to display fake screen displays needed to carry out online banking logging theft. By analyzing the WebInject modules, it is possible to find out more about the server where the stolen information has been sent to.
Because any information from victims which victims input in the fake screen will be stored in the server, we can immediately pinpoint the existence of victims by monitoring the server’s stored information. As a result, we can quickly prevent actual financial loss through reactionary methods, such as freezing the compromised bank accounts before the money is transferred to the cybercriminals.
Figure 1. Webinject Banking Trojan’s Infection Chain
These kind of measures, of course, can’t be pulled by just a security vendor such as TrendMicro. It is absolutely necessary to collaborate with concerned organizations such as the police and the bank involved. Trend Micro’s TM-SIRT, which is a contact point of cooperation for security-raising activities in Japan, provides concerned organizations with information obtained from internal research groups such as the FTR (forward-looking threat research) team in order to help combat this kind of theft by cybercriminals.
Taking down the server involved in the financial theft is another method of combating such cybercriminal activity, but it is a temporary solution at best. This is because it may not affect the cybercriminal’s efforts as much as we would like it to be, and it may even motivate them to more sophisticated attacks.
Server monitoring is a more preferable. It allows security experts to grasp the picture of attack and control the situation better. Moreover, it may help to identify the cybercriminals by simply waiting for them to log into the server to obtain their stolen information. Server monitoring can then be expected to prevent new attacks by the same cybercriminals and also to prevent other attacks.
On April 28, Trend Micro received a certificate of appreciation from the Japan Metropolitan Police Department. This commendation was awarded for providing useful information in combating online financial theft in Japan. Trend Micro will continue to study and provide a holistic and fundamental approach to security, as well as cooperate with law enforcements around the globe for our company vision: a world safe for exchanging digital information.