'Trickbot' Banking Trojan
Attacks designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII).
A 'trojan' is a type of malware or virus disguised as legitimate software that is used to hack into the victim's computer. Trickbot infections can be very damaging, as the malware can download new capabilities onto a victim's device without any interaction from the victim. Aside from the theft of PII as described above, these capabilities can allow attackers to gather detailed information about networks, and to spread. In some cases, Trickbot is used to infiltrate a network, and once inside, it's used to deploy other malware such as ransomware.
Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from trusted commercial or government brands. These emails often contain attachments (or link to attachments) which victims are instructed to open, leading to their machine being exploited.
Advice
Spotting the signs of a possible Trickbot infection
Victims of Trickbot have observed a number of malicious activities, including:
- Unauthorised access attempts to online accounts.
- Successful, fraudulent bank transfer activity.
- Unauthorised changes to their network infrastructure.
- Consider changing passwords and memorable information for corporate, business, or personal internet banking facilities accessed from the infected network.
- Review bank and credit card statements for suspicious activity, and report any findings to your bank.
- Advise any employees who have accessed online banking facilities from the affected network to do likewise.
- Running a full scan on all devices using up-to-date antivirus software, such as Windows Defender, should detect and remove Trickbot infections.
- Keep your antivirus up to date, and consider using a cloud-backed antivirus product that can benefit from the intelligence that larger-scale operations bring. Ensure that antivirus software is capable of scanning 'Microsoft Office macros' (these are often exploited in Trickbot attacks).
- Use the latest supported versions of operating systems and software, and apply security patches promptly.
- Make sure you regularly back up your important data. These backups should not be connected to your network, or they'll be at risk of infection, just like any other device.
- It's a good idea to test your backups to make sure they work too!
- Multi-factor authentication (MFA), also known as 2-factor authentication (2FA), involves supplying either an additional one-time code or biometrics to further secure the login process. Most online services and accounts provide a 2FA/MFA option, so enable this wherever you can.
- In general, authenticator apps are more secure than using SMS tokens, but if that's the only option available then it's better than nothing.
- It pays to have some sort of monitoring in place so you have the data needed to detect and analyse network intrusions.
- The more accurate information you have, the quicker you'll be able to recover from cyber incidents.
- This will also reassure your customers, suppliers, investors and regulators that you've taken all measures necessary to protect your data and systems.
Network segregation involves separating critical networks from less sensitive networks. You may not be responsible for implementing this, but it's a good concept to be aware of for your organisation.
Instead of listing all the potential bad stuff you don't want to use (which is a lot nowadays!), it's simpler to create a short list of trusted applications and processes that are authorised to run. This is essentially what whitelisting is.
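The difference between listing bad software and listing trusted software, as an added example that is not part of the original advice. The programs are constructed byte strings, not real samples, and every name in the code is hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executables (not real samples).
ACCOUNTS_APP = b"constructed: accounts package v1"
ACCOUNTS_APP_V2 = b"constructed: accounts package v2"   # vendor update
KNOWN_MALWARE = b"constructed: malicious loader"
REPACKED_MALWARE = KNOWN_MALWARE + b"\x00"               # one byte changed
NEW_MODULE = b"constructed: capability downloaded later"

SAMPLES = {
    "accounts app": ACCOUNTS_APP,
    "accounts app update": ACCOUNTS_APP_V2,
    "known malware": KNOWN_MALWARE,
    "repacked malware": REPACKED_MALWARE,
    "new module": NEW_MODULE,
}

def default_lists():
    """Return (blocklist, allowlist) as sets of SHA-256 hashes."""
    return {sha256(KNOWN_MALWARE)}, {sha256(ACCOUNTS_APP)}

def blocklist_allows(program: bytes, blocklist: set) -> bool:
    # Default allow: anything not already known to be bad may run.
    return sha256(program) not in blocklist

def allowlist_allows(program: bytes, allowlist: set) -> bool:
    # Default deny: only software on the trusted list may run.
    return sha256(program) in allowlist

def compare(samples: dict, blocklist: set, allowlist: set) -> dict:
    """Map each sample name to (runs under blocklist, runs under allowlist)."""
    return {name: (blocklist_allows(p, blocklist), allowlist_allows(p, allowlist))
            for name, p in samples.items()}

if __name__ == "__main__":
    blocklist, allowlist = default_lists()
    for name, (bl, al) in compare(SAMPLES, blocklist, allowlist).items():
        print(f"{name:20} blocklist: {'run' if bl else 'block':5} "
              f"allowlist: {'run' if al else 'block'}")
    # A patched trusted program has a new hash and must be approved again.
    allowlist.add(sha256(ACCOUNTS_APP_V2))
    print("after approving update:",
          compare(SAMPLES, blocklist, allowlist)["accounts app update"])
```

The update case shows the maintenance cost: the trusted list has to be refreshed whenever approved software is patched.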
You need to report cyber crime to Action Fraud, which is the UK's national cyber crime reporting portal. You can report by phone (0300 123 2040) or on their website at https://www.actionfraud.police.uk
Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.
Remember, Action Fraud operate a 24/7 live cyber reporting line for organisations! Further details at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses
This advice is taken from the NCSC's Trickbot advisory on their website at https://www.ncsc.gov.uk/news/trickbot-advisory