The TrickBot Trojan, which emerged in the wild only this summer, continues to widen its attack scope, spreading farther in its target geographies and developing new redirection attacks. The most recent additions to TrickBot’s redirection targets are three Canadian banks.

According to IBM X-Force researchers following the TrickBot Trojan’s ongoing technical advances, the malware operators frequently release new configurations. The gang continues to focus on the U.K. and Australia, but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.

Figure 1: TrickBot’s current bank targets — per locale, per URL count (November 2016, IBM Security)

Redirection Attacks, Mafia Style

TrickBot is the fourth known gang-operated banking Trojan to bring redirection attacks to Canada. Redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its nefarious web browser manipulation techniques. At the time, Dyre targeted business accounts of a handful of banks in Canada. After Dyre’s disappearance, the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking in Canada, and now TrickBot is entering that same turf.

This matters because the only malware operators with the extra resources to build and carry out redirection attacks are the top-known organized cybercrime gangs in the fraud arena today. The fact that all these heavy hitters invest in attacks specific to Canadian banks suggests that they’ll see more attacks, more potential fraud and a level of operational sophistication comparable to organized crime.

These mob-style cybercrime gangs are higher up on the food chain of online fraud than other malware operators, and they are nothing short of devastating to individuals and businesses. To make stolen funds disappear, gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers to funnel stolen money from one account to another and either act as money mules to cash the funds out.

Recent events in the news, such as the arrest of two Dridex gang members who were caught in October with access to more than 220 compromised U.K. bank accounts and £2.5 million, bring the concept to life. In a larger case made public in November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over $13 million in the past two years. In both cases, only the low-level crooks linked with these gangs’ activity were apprehended.

Canada’s Cybercrime Landscape

Given the rising threat from the most sophisticated malware gangs, it’s surprising that the Canadian government has yet to establish a federal reporting agency for financial cybercrime. This makes it rather difficult to tally specific complaints and losses. Overall, statistics from previous years are alarming: Canadian police observed a 40 percent increase in cybercrime incidents around the country between 2011 and 2013. That number has likely risen in the three years since.

Canadian businesses are also struggling with other types of cyberattacks. According to the Ponemon Institute’s “2016 Cost of a Data Breach Study: Canada,” Canada suffered the highest detection and escalation costs. The cost of a breach rose 12.5 percent for Canadian companies, and the average total cost of a breach was $6.03 million in 2016.

Canada weathers attacks from similar cybercrime groups as those observed on the global map. Commercial malware factions top the chart, followed by the organized crime groups that operate malware such as GootKit, Dridex, URLZone, GozNym and others.

Figure 2: Most active malware in Canada by attack volume (November 2016, IBM Security)

TrickBot Takes On Canada

At this time, TrickBot’s activity in Canada is only beginning, but the malware is advancing rapidly and aggressively, according to X-Force researchers. TrickBot’s operators appear to be connected to well-known spamming and infection services, use redirection attacks and seem to have some ties to the Dyre crew. For this reason, we expect to see this malware’s activity increase during the holiday season and into 2017.

For TrickBot indicators of compromise (IOCs), check out — and share — via X-Force Exchange. Banks looking for technology solutions to mitigate threats like TrickBot and other sophisticated malware are invited to learn more about the IBM Trusteer anti-fraud suite. As always, users should reference these security tips to mitigate threats like the TrickBot Trojan and reduce risk.

Read the white paper: How to outsmart Fraudsters with Cognitive Fraud Detection

more from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…