TrickBot Redirection Attacks Launched in Canada

The TrickBot Trojan, which emerged in the wild only this summer, continues to widen its attack scope, spreading farther in its target geographies and developing new redirection attacks. The most recent additions to TrickBot’s redirection targets are three Canadian banks.

According to IBM X-Force researchers following the TrickBot Trojan’s ongoing technical advances, the malware operators frequently release new configurations. The gang continues to focus on the U.K. and Australia, but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.

[Figure 1: TrickBot’s current bank targets — per locale, per URL count (November 2016, IBM Security)]

Redirection Attacks, Mafia Style

TrickBot is the fourth known gang-operated banking Trojan to bring redirection attacks to Canada. Redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its nefarious web browser manipulation techniques. At the time, Dyre targeted business accounts of a handful of banks in Canada. After Dyre’s disappearance, the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking in Canada, and now TrickBot is entering that same turf.

This matters because the only malware operators with the extra resources to build and carry out redirection attacks are the best-known organized cybercrime gangs in the fraud arena today. The fact that all these heavy hitters invest in attacks specific to Canadian banks suggests that Canadian banks will see more attacks, more potential fraud and a level of operational sophistication comparable to organized crime.

These mob-style cybercrime gangs are higher up on the food chain of online fraud than other malware operators, and they are nothing short of devastating to individuals and businesses. To make stolen funds disappear, gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers who funnel stolen money from one account to another or act as money mules to cash the funds out.

Recent events in the news, such as the arrest of two Dridex gang members who were caught in October with access to more than 220 compromised U.K. bank accounts and £2.5 million, bring the concept to life. In a larger case made public in November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over $13 million in the past two years. In both cases, only the low-level crooks linked with these gangs’ activity were apprehended.

Canada’s Cybercrime Landscape

Given the rising threat from the most sophisticated malware gangs, it’s surprising that the Canadian government has yet to establish a federal reporting agency for financial cybercrime. This makes it rather difficult to tally specific complaints and losses. Overall, statistics from previous years are alarming: Canadian police observed a 40 percent increase in cybercrime incidents around the country between 2011 and 2013. That number has likely risen in the three years since.

Canadian businesses are also struggling with other types of cyberattacks. According to the Ponemon Institute’s “2016 Cost of a Data Breach Study: Canada,” Canada suffered the highest detection and escalation costs. The cost of a breach rose 12.5 percent for Canadian companies, and the average total cost of a breach was $6.03 million in 2016.

Canada weathers attacks from similar cybercrime groups as those observed on the global map. Commercial malware factions top the chart, followed by the organized crime groups that operate malware such as GootKit, Dridex, URLZone, GozNym and others.

[Figure 2: Most active malware in Canada by attack volume (November 2016, IBM Security)]

TrickBot Takes On Canada

At this time, TrickBot’s activity in Canada is only beginning, but the malware is advancing rapidly and aggressively, according to X-Force researchers. TrickBot’s operators appear to be connected to well-known spamming and infection services, use redirection attacks and seem to have some ties to the Dyre crew. For this reason, we expect to see this malware’s activity increase during the holiday season and into 2017.

TrickBot indicators of compromise (IOCs) are available on X-Force Exchange, where you can also share your own. Banks looking for technology solutions to mitigate threats like TrickBot and other sophisticated malware are invited to learn more about the IBM Trusteer anti-fraud suite. As always, users should reference these security tips to mitigate threats like the TrickBot Trojan and reduce risk.

Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.