F5 Labs attack series education articles help you understand common attacks, how they work, and how to defend against them.
A trojan is any type of malicious program disguised as a legitimate one. Often, they are designed to steal sensitive information (login credentials, account numbers, financial information, credit card information, and the like) from users.
Trojan malware takes its name from the classic Trojan horse ploy from the war between the Greeks and the independent city of Troy. The ancient Greeks were able to defeat the city of Troy by hiding soldiers inside a giant wooden horse they left behind as a gift while they feigned retreat following a 10-year war. Little did the Trojans realize that by taking the horse as a trophy of war, they were bringing an elite Greek fighting force right inside the walls of their city, ultimately leading to the fall of Troy. A malicious gift thus became known as a Trojan Horse.
Trojan malware operates in much the same way, disguising itself as something useful or harmless to the user while carrying a far more sinister, hidden purpose. Even a mobile app that appears to serve a genuine purpose (for example, a game, flashlight, or messaging service) can secretly be a trojan built to steal information. Trojans evade detection by keeping their malicious capabilities dormant until triggered, hiding components inside other files, operating as part of a rootkit, or using heavy obfuscation.
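The disguise described above usually starts with a file that looks like something other than a program. As an added example (not code from the F5 Labs article), the following Python check flags three common ways a trojan's dropper masquerades as a document or image: a Windows PE header (`MZ`) behind a non-executable extension, a double extension such as `invoice.pdf.exe`, and the Unicode right-to-left override (U+202E) that makes a name like `report<RLO>fdp.exe` display as `reportexe.pdf`. The extension lists, the `inspect`/`scan` function names and the sample files are my own constructions.

```python
"""
Added example (not from the F5 Labs article): flag files that masquerade as
something benign, the trojan pattern described in the text. Checks:
  1. PE header ("MZ") behind a non-executable extension
  2. double extension such as "invoice.pdf.exe"
  3. right-to-left override (U+202E) hiding the real extension
Extension lists and sample inputs are constructed for this example.
"""
from dataclasses import dataclass, field

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "apk"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


@dataclass
class Verdict:
    name: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def _extensions(name: str) -> list:
    # "invoice.pdf.exe" -> ["pdf", "exe"]; the last element is what the OS honours
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect(name: str, head: bytes) -> Verdict:
    """Return a Verdict for one file given its name and leading bytes."""
    v = Verdict(name, False)
    exts = _extensions(name)
    last = exts[-1] if exts else ""

    # 1. Executable content hiding behind a document/image extension
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        v.reasons.append(f"PE header but extension '.{last or '(none)'}'")
    # 2. Decoy type immediately followed by an executable type
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        v.reasons.append(f"double extension .{exts[-2]}.{last}")
    # 3. RLO in the name: the displayed extension is not the real one
    if RLO in name:
        v.reasons.append("right-to-left override (U+202E) in filename")

    v.suspicious = bool(v.reasons)
    return v


# Constructed samples: (filename, first bytes of the file)
SAMPLES = [
    ("statement_march.pdf", b"%PDF-1.7\n"),            # genuine PDF
    ("statement_march.pdf.exe", b"MZ\x90\x00"),        # double extension
    ("photo.jpg", b"MZ\x90\x00"),                      # PE behind .jpg
    ("report" + RLO + "fdp.exe", b"MZ\x90\x00"),       # displays as "reportexe.pdf"
    ("setup.exe", b"MZ\x90\x00"),                      # honest executable
]


def scan(samples=SAMPLES) -> list:
    """Inspect every (name, head) pair and return the list of Verdicts."""
    return [inspect(n, h) for n, h in samples]


if __name__ == "__main__":
    for v in scan():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.name!r}: {'; '.join(v.reasons) or '-'}")
```

The check deliberately reads only the first bytes of each file, which is what a mail gateway or download hook can afford to do inline; an honest `setup.exe` is not flagged, because the point is the mismatch between what the name promises and what the content is, not executables as such.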
Every individual family of malware has its own “signature moves,” and with each iteration, malicious actors grow more sophisticated. Banking trojans are a specific kind of trojan malware. Once installed on a victim's machine, banking trojans use a variety of techniques: recruiting the machine into a botnet, stealing credentials, injecting malicious code into the browser to alter or capture banking sessions, or stealing money directly.
It took almost 20 years for banking customers to get comfortable with the idea of online banking, which began in the 1980s. With the majority of banks offering online banking by the year 2000, it wasn’t long before attackers found ways to exploit this new attack surface using banking malware. Banks were quick to realize that they were attractive targets, and they responded by hardening their systems. In turn, cybercriminals soon realized that it was difficult to attack the institutions themselves, so they pivoted to targeting customers instead. Stealing customer credentials was a more feasible avenue of attack, and out of this the first banking trojans were created. Banking trojans reached users primarily through spam, phishing, malicious advertising, drive-by downloads, or social engineering, often passed off as innocuous e-mail attachments or games.
Since then, the scope, technical ability, and focus of the malware authors have changed. What started as malware that primarily targeted customers of financial institutions evolved to target a range of industries, including online advertisers, digital analytics firms, financial tech companies, social media sites, and communication platforms. Today, banking trojans are pervasive across the Internet, and all sorts of institutions, not just financial ones, need to know how to protect themselves and their customers.
Before we look at specific banking trojans, there’s a bit of malware jargon that helps make these descriptions easier to understand:
The number of banking malware families—and strains within those families—is constantly evolving. What follows is not a comprehensive list of all banking trojans, but includes some of the most destructive banking trojan families seen since 2007.
While it can be difficult for the average user to detect that their device has been compromised, there are a number of clues to watch for. These clues can also be useful for security professionals managing user systems:
Enterprises should consider implementing the following security controls based on their specific circumstances: