As cybersecurity researchers are reporting, identity theft scams are improving over time. There’s a resurgence of different types of hacking schemes from several years ago that fell off the radar while newer scams took their places. The reality is, many tricks of the trade were being improved in the background, only to come back with even more sophisticated tactics.
TrickBot is one type of malware that has gone through many versions since its arrival in 2016. Each tweak over two years brought improvements, and in 2017 its focus shifted from other countries to the U.S. For TrickBot and its newest version, it’s not just about hijacking banking credentials anymore. And it’s more difficult to detect and defend against than ever.
TrickBot is a financial trojan that targets customers of major banking institutions; past attacks in the U.S. have also included Amazon, AMEX, and PayPal. TrickBot uses phishing campaigns designed to trick users into entering their financial data, including passwords, into bogus banking websites designed to look legitimate. The latest spin on the malware uses a fake Excel document that alerts users that the file uses an earlier version of Excel and needs an update to be viewed. Once the user takes the bait, Trojan malware is installed on the device. It steals not only usernames and passwords from system applications, but also all sorts of browser information like history, cookies, and autofill information. It works on popular browsers like Google Chrome, Internet Explorer, Mozilla Firefox, and Microsoft Edge. Hijacking all that data puts victims at risk of fraud and theft of much more than just banking information. Having that sensitive data also puts TrickBot in a prime position for ransomware, with the threat of locking a device until a ransom is paid.
TrickBot phishing emails spoof legitimate banking websites, offering a juicy bit of information in the subject line such as “Your Payment is Attached.” Many curious and hopeful recipients can’t resist opening the email and clicking on an attachment or a link. Once that happens, the TrickBot Trojan infects the device, then installs and embeds malware on it. A seemingly innocent email is responsible for stealing banking credentials to start, but then takes so much more.
The lesson is not to assume that everything in your inbox is legitimate, no matter how high spam filters are set. Hackers use an email phishing trojan like TrickBot because it works. Over time, it is refined not only in the level of damage it causes, but also in the message itself, so that more users respond to it. Staying alert to email phishing means avoiding messages whose subject lines aggressively prey on any type of emotion, threaten, or make you believe something is urgent. Those should be deleted immediately. Extreme caution is necessary, and always avoid following embedded links and opening any attachments. If you cannot be 100% sure that a link is good to go, verify it with the sender independently of any email. Remember not to enable macros unless you either created them or are certain they are safe. Macro malware is becoming more common these days. If you haven’t checked, make sure your macros are disabled by default.
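For mail administrators, the two warning signs described above (a payment-themed subject line and an Office attachment that carries macros) can be checked before a message reaches the user. The following is an added example, not part of the original article; the keyword list, function names, and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed heuristics for this example, not a vetted rule set.
LURE_WORDS = ("payment", "invoice", "urgent", "overdue")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc container


def has_vba(data: bytes) -> bool:
    """True if an OOXML (zip) document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Return the reasons a message deserves a closer look (empty = none found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in LURE_WORDS):
        reasons.append("subject uses payment/urgency wording")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if has_vba(data):
            reasons.append(f"{name}: contains a VBA macro project")
        elif data.startswith(OLE_MAGIC):
            reasons.append(f"{name}: legacy Office format, may hold macros")
    return reasons


def sample_message(with_macro: bool = True) -> bytes:
    """Constructed sample: a zip shaped like a workbook, with a dummy macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg["Subject"] = "Your Payment is Attached"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="Payment.xlsm")
    return msg.as_bytes()
```

Calling `triage(sample_message())` returns both reasons. The check inspects the attachment's contents rather than trusting its file extension, so a renamed macro-enabled workbook is still flagged.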
To succeed, TrickBot is counting on users not having secure email cyber-sense. Don’t be one of them!