CISOs have been warned to steel themselves for a pre-Christmas mass malware attack on online banking users, courtesy of a new trojan called Neverquest.
The malware is being tracked by Kaspersky Lab principal security researcher Sergey Golovanov, who told SCMagazineUK.com that Neverquest is one of a number of new infections bidding to take the place of top banking malware like ZeuS and Carberp.
Kaspersky has recorded several thousand attempts to infect computers using Neverquest, a self-replicating online banking trojan, since it first surfaced on 18 July. But the weeks leading up to Christmas are traditionally a time of high malware activity, and the company has warned that a sharp rise in the number of attacks can now be expected, resulting in financial losses for users all over the world.
“This threat is relatively new, and cyber criminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time,” confirms a Kaspersky advisory dated 26 November.
Neverquest currently targets Internet Explorer and Firefox users accessing the websites of 28 banks and financial institutions, including global investment fund firm Fidelity Investments and numerous international banks.
The trojan takes users to an authentic bank website page with added malicious content designed to capture their data, including username and password details. The cyber criminals use this data to transfer money to their own accounts or – to cover their trail – to the accounts of other victims, say researchers.
Golovanov said that the malware has lots of “special tricks to help cyber criminals”. He said Neverquest criminals can also collect social media data from users' Facebook, Twitter, Flickr, Skype and MySpace accounts, but added that they are not yet using social media as an additional way to propagate the malware.
Referring to the fight back by banks and law enforcement against criminals using ZeuS and Carberp, Golovanov said: “A lot of members of those groups are in jail right now. When the biggest player has left the market, the small groups are trying to take the place of this biggest. Neverquest is one of the examples of the malicious software that is trying to conquer this market.”
He said it is not currently known how much money has been stolen or who or where the victims are.
Other active functions mean that Neverquest can replenish the “list of targeted banks and develop code to be seeded on new websites that were previously not on the target list”, says Kaspersky. It can also steal the user's email contacts to send out mass spam mailings with attachments that install Neverquest on the new victims' systems.
The research team say that Neverquest is capable of attacking “any bank in any country” and reveal that it uses the same self-replication mechanisms as Bredolab, which ranked among the top three most widespread malware on the internet back in 2010.
To protect users, Kaspersky says that CISOs can install a dedicated defence solution or internet security products, but Golovanov says that the users themselves can take preventative measures.
“There are some pretty good steps against the old techniques that the cyber criminals are using with Neverquest. If it is propagating via their spam messages then users do not open these spam messages. If the malware is installed on the computer and the user is seeing some additional messages from their bank, then please dear user, call the bank and ask them what is going on.”