By Nick Viney, Senior Vice President & General Manager, Partner BU, Avast
Recently, Avast Threat Labs researchers were able to obtain information on possible victims of Ursnif malware. Ursnif has been around since 2007 and specializes in stealing banking and payment processor information, typically through malicious email campaigns.
Our threat researchers were able to find banking and payment information that had been stolen from victims and worked to pass that information back to their banks and payment processors so those organizations could take action to protect their customers and stop both their own and their customers’ losses. In total, in the information we obtained and passed on, our researchers found over 100 Italian banks targeted, information on over 2,200 individual victims and information from over 1,700 customers of a single payment processor.
Most if not all of those records represented some real financial loss to those customers and their banks and payment processors, and taken together that information potentially represents a great deal of financial loss. For banks and payment processors, it also represents losses in terms of resources spent investigating the information our teams passed on to them and acting on it.
Perhaps the most important thing to call out here is that likely almost none of the customers whose information we passed to their banks and payment processors knew they were victims and that their information had been stolen. If our researchers hadn’t obtained this information and passed it to the banks and payment processors, the losses likely would have continued for everyone.
Unfortunately, while this particular story has a relatively happy ending, it represents a small victory against a broader background of daily cybercrime activity that dwarfs victories like these. In March 2021 alone, Avast blocked 4,579 Ursnif malware attacks in the UK, and Avast protected 2,563 UK users from Ursnif malware.
Ursnif has been seen in malicious email campaigns for years, with volumes in the tens of thousands of messages per day. In recent years, some malware operators, like those behind Ursnif, have seen the “value” of using native-language email messages to make their malicious messages more believable and thus more likely to succeed. Ursnif, for example, has targeted Italian banking users with native-language Italian messages for years. This is likely why we found so many Italian banks’ information in what we obtained.
Ultimately, a banking Trojan problem like this for customers is a problem for their banks and payment processors. They are the ones who incur and absorb the financial losses and the operational costs associated with fighting fraud and protecting their customers. One indicator of the impact of financial fraud on customers, and thus on banks and payment processors, comes from the United States Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3). In their 2019 Internet Crime Report, they note that their Recovery Asset Team (RAT), which assists with the recovery of funds for victims who made transfers to domestic accounts under fraudulent pretenses, saw 1,307 incidents with US $384,237,651 in losses. This is one country in one year, but it gives us a glimpse into the losses we’re looking at.
This also serves as a reminder that proactive steps banks and payment processors take to help their customers avoid falling victim to malware like this can save a lot of money and time. As the saying goes, “an ounce of prevention is worth a pound of cure”.
So what can banks and payment processors do as part of these “ounces of prevention”?
First and foremost, ongoing user education. The messages of “don’t click links” and “don’t open attachments” are well known but need to be continually reinforced. Encouraging customers to move to two-factor or multi-factor authentication can also help prevent malware like Ursnif from being successful.
You can and should look at educating your users by not just telling them what they shouldn’t do but showing them the right way to do things for your institution with the tools and options you make available to them. In my experience, few if any people WANT to have malware on their system or be the victim of cybercrime: it happens because they’re confused, distracted or uncertain about the right way to do things. The more you help them understand the positive steps they can and should take, the more you empower them to be safer.
User education is important because people are the first and last line of defense against cybercrime. But you can and should help people help themselves better with technology tools and solutions, too. As part of educating your customers on the positive, right way to do online banking and shopping, you can also make them aware of the tools they have at their disposal to help them. You can explain the security features present in their computers and devices and how to use them. You can normalize the idea that they should be using antivirus software on all of their computers and devices all the time. You can even look to provide additional tools like antivirus directly to them. Once again, an ounce of prevention can be worth a pound of cure, since antivirus and other tools help people make better decisions and provide an additional layer of protection if and when people do make a poor choice.
Most importantly, our recent work on Ursnif reminds us that the cybercriminals aren’t taking breaks. Every day your customers are facing inboxes full of malicious emails that are just clicks away from giving cybercriminals their (and your) money. That means that every day, many times a day, they need to make good, smart decisions to elude those traps. And it also means that every day your customers can use your help to make each and every one of those decisions a better, smarter and safer one.