Churn Under the Surface of Global Cybercrime

Global cybercrime actors generally adhere to the same principal as a handyman: If it’s not broken, don’t fix it. But that’s not so easy when malware works in one area and attackers want to use it to target a new audience or geography.

Moving malware across borders to a new target geographic means more resources for everything, from a relatively easy change to the malware configuration file to the acquisition of new target email lists, new spam delivery mechanisms, an understanding of local banks’ authentication requirements, new local money mules and the development of webinjections to correspond with the transaction flow for each target.

Testing the Waters

After the initial investment and establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs deploy small rates of infections in a new geography and check the malware’s operation to ensure success before ramping up to a large deployment. They do that to estimate the potential for success in the new geography, reduce the risk that they will be caught early on and, for astute observers, foreshadow a bigger boom in the malware.

The crew operating TrickBot, which emerged in August 2016, launched the malware during a testing and development period to turn it into a banking Trojan and work out the bugs before its actual deployment in the U.K. and other English-speaking countries. It then promptly moved to Germany.

Growing Attack Sophistication, or Just Growing Attacks?

In some geographies, such as Brazil, for example, local cybercriminals are collaborating with their more advanced counterparts in other parts of the world to learn how to improve their own malware. In some cases, fraudsters are taking old tactics such as phishing and elevating them to new heights. A recent study reported that more than half of companies saw an increased rate of phishing attacks in 2016 compare to the previous year.

Even classic malware such as ransomware is morphing into cyber extortion, as seen in the case of TeamXRat in Brazil. This group of attackers moved from banking malware to ransomware as it infected Brazilian hospitals with a remote desktop protocol (RDP) brute-force attack.

Read the complete report: The shifting panorama of global financial cybercrime

Major Global Cybercrime Players Remain Active

The big names of malware families that topped the charts in 2016 are familiar. Based on data from IBM X-Force and IBM Trusteer, Zeus, Neverquest, Gozi and Dridex were the most active by attack activity across the world in 2016.

Zeus continues to be the malware that keeps on giving. After the source code leaked, it was used as the foundation for new malware variants such as Ramnit in 2011 and Zeus Panda, Zeus Sphinx and Flocki Bot in 2016.

By looking at nearly 300 million protected endpoints across the globe, IBM Trusteer and IBM X-Force monitor the latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing and malicious web content. To learn more about trends in global cybercrime in your geography, read the full report.

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.