It has been reported that for the first time since Q2 2016, banking Trojans have displaced ransomware as the top malware in email, accounting for almost 59% of all malicious email payloads in Q1. Emotet was the most widely distributed banking Trojan, accounting for 57% of all bankers and 33% of all malicious payloads. Gerhard Oosthuizen, CTO at Entersekt, commented below.
Gerhard Oosthuizen, CTO at Entersekt:
“Trojans are effective because they exploit weaknesses on different levels. Fraudsters often bait unsuspecting users to click on links in emails that seem to be legitimate, which lead them to a fake website or to download a malicious app. These fakes can look frighteningly real, and the emails baiting users often mimic the bank’s official communications in design and tone. It makes it very hard for users to know when an email, the site they’re clicking through to, or the app they’re downloading, is legitimate.
Trojans also exploit weak security in banking apps and internet banking platforms. It’s all about the low-hanging fruit – it’s very unlikely that fraudsters would target systems with robust security measures in place when so many others are easy targets. Relying on one-time passwords and solely knowledge-based authentication factors does not offer sufficient protection against fraud and malware, and banks need to realize this.
Beating banking trojans does require users to be vigilant and make sure they’re only using their bank’s official digital platforms. But more than that, the growing threat of banking trojans shows how important it is for banks to implement the strongest possible security measures to protect their customers. There’s an opportunity here for digital-savvy banks: by leveraging the power of the mobile device, they can implement virtually frictionless out-of-band two-factor authentication that provides robust security while inspiring confidence and trust in their customers.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.