- First time Asian banks being targeted ahead of US or European institutions
- Tinbapore able to activate itself and continues running without a C&C server
CYBERCRIMINALS are constantly finding new ways to attack businesses, and financial institutions can be the most vulnerable, since their threat surface includes their large customer bases.
The latest strain of the Tinba malware, Tinbapore, aims to take advantage of that. This is the fifth version of the malware seen since the release of the Tinba source code in the wild in July 2011.
Like others in its family, Tinbapore has a small file size and sneaks into your system to collect data and make changes.
Tinba is especially persistent, and can run even after its command and control (C&C) server, the centralised system that issues a malware’s instructions and collects its data, is taken down.
But the main difference with Tinbapore is that this variant seems to be targeting Asian banks, including those in Indonesia, Malaysia and Singapore, according to a report released by F5 Networks in January.
This is the first time Asian banks are the main targets, said Lim Chin Keng, Asia Pacific director of security solutions at F5 Networks.
“This is the first time they are targeting Asian banks before the United States or Europe and the Middle East,” he told Digital News (DNA) in Singapore.
In its Tinbapore: Millions of Dollars at Risk report, F5 Networks said that Singapore has been the country most targeted by the Tinbapore malware, accounting for 30% of the attacked institutions identified by the company’s Security Operations Centre.
“Indonesian financial institutions also are at risk of losing millions of dollars, as another 20% of the targeted entities are based in this country,” F5 Networks said.
Financial services in Asia might appear to be lower-hanging fruit for cybercriminals, and this could herald more such onslaughts in the region.
“Perhaps fraudsters feel that the Asian banks are less ready to protect themselves … compared with those in Europe and the United States,” said Lim.
“I think this trend will continue – Tinbapore is just the start of it, and Asian banks need to be proactive,” he added.
Persistent and pernicious
Tinbapore is a trojan, a type of malware that disguises itself as useful code. Trojans are usually used to launch distributed denial-of-service (DDoS) attacks, such as those suffered by Yahoo and eBay in the latter part of 1999.
Today, trojans are most often used to gain backdoor access – remote and surreptitious access – to a victim’s computer.
F5 Networks discovered Tinbapore last November and uncovered its links to the Tinba malware family, according to Lim.
“What we did when we discovered it in November was to take down its C&C servers, but one of its unique features is that Tinbapore does not need to be connected to a C&C server,” he said.
“Even though the servers were taken down, the malware could activate itself, which is one of the key features in the Tinba family,” he added.
Trust in us
Banks are good at, well, being banks, but they should get experts to help them with their cybersecurity needs, Lim argued.
“Today, if they were to do everything themselves, it would be a lot of work and it is not their core business.
“Banks now have the opportunity to work with the security intelligence companies to offload [these tasks] and take advantage of the presence such corporations have in detecting malware.
“That way they can be more proactive in discovering and mitigating attacks,” he added.
While banks might point to two-factor authentication (2FA) or multi-factor authentication (MFA) as a good measure against malware-initiated fraud, Lim argued that such techniques do not completely address the issue.
“2FA and MFA do help reduce the fraud, but they don’t completely [eradicate] it, and that’s why Tinbapore and other malware – together with the social engineering that fraudsters typically employ – can bypass such measures,” he said.
“And that’s also why you need to take a more holistic approach – to detect and step up security with various mechanisms to address the attack,” he added.
Ultimately, the reality is that banks still only find out about attacks after victims call them, according to Lim, and this needs to change.
With the recent arrests of the cybercriminals behind the Dyre financial malware, Lim cautioned against thinking that such threats are over once the criminals have been put behind bars.
“The Dyre arrests are a good thing, they cut down the cybercriminals’ activities, but unfortunately the reality is that another set of criminals can take over and bring Dyre to the next level,” he said.
“There will be the next Dyre and the next Tinba, and banks can’t catch up on their own; they are not geared towards that,” he added.
This is more critical now that online banking is moving to include native apps and not just web-based transactions, which opens up a new vector of attack.
“You need to cover both the browser-based and native app – for cybercriminals to conduct a fraudulent transaction, they can do it by attacking either the bank or its customers,” said Lim.
“It is easier to go through the customers – they are not as protected and are easy to fool, hence malware attacks on both mobile devices and browsers are becoming more pervasive,” he added.