Publications

Financial cyberthreats in 2023

Money is what always attracts cybercriminals. A significant share of scam, phishing and malware attacks is about money. With trillions of dollars of digital payments made every year, it is no wonder that attackers target electronic wallets, online shopping accounts and other financial assets, inventing new techniques and reusing good old ones. Amid the current threat landscape, Kaspersky has conducted a comprehensive analysis of the financial risks, pinpointing key trends and providing recommendations to effectively mitigate risks and enhance security posture.

Methodology

In this report, we present an analysis of financial cyberthreats in 2023, focusing on banking Trojans and phishing pages that target online banking, shopping accounts, cryptocurrency wallets and other financial assets. To gain an understanding of the financial threat landscape, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN).

Key findings

Phishing

  • Financial phishing accounted for 27.32% of all phishing attacks on corporate users and 30.68% of phishing attacks on home users.
  • Online shopping brands were the most popular lure, accounting for 41.65% of financial phishing attempts.
  • PayPal phishing accounted for 54.78% of pages targeting electronic payment system users.
  • Cryptocurrency phishing saw a 16% year-on-year increase in 2023, with 5.84 million detections compared to 5.04 million in 2022.

PC malware

  • The number of users affected by financial malware for PCs dropped by 11% from 2022.
  • Ramnit and Zbot were the prevalent malware families, together targeting over 50% of affected users.
  • Consumers remained the primary target of financial cyberthreats, accounting for 61.2% of attacks.

Mobile malware

  • The number of Android users attacked by banking malware increased by 32% compared to the previous year.
  • Agent was the most active mobile malware family, making up 38% of all Android attacks.
  • Users in Turkey were the most targeted, with 2.98% encountering mobile banking malware.

Financial phishing

In 2023, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. The attackers employed social engineering techniques to trick victims into sharing their financial data or making a payment on a fake page.

This year, we analyzed phishing detections separately for users of our home and business products. Among phishing and scam pages blocked on the devices of business users, 27.32% were financial phishing pages (pages mimicking online banks, payment systems and online stores). For fake pages blocked on home devices, this number was even higher at 30.68%.

TOP 10 organizations mimicked by phishing and scam pages that were blocked on business users’ devices, 2023 (download)

TOP 10 organizations mimicked by phishing and scam pages that were blocked on home users’ devices, 2023 (download)

Overall, among the three major financial phishing categories, online store users (41.65%) were targeted the most, followed by banks (38.47%) and payment systems (19.88%).

Distribution of financial phishing pages by category, 2023 (download)

Online shopping scams

Online stores were the most targeted category, comprising more than 40% (41.65%) of all financial phishing pages. Fraudsters impersonated popular online store websites, such as Amazon, eBay and Shopify, as well as brand websites and popular streaming services, such as Spotify and Netflix.

TOP 10 online shopping brands mimicked by phishing and scam pages, 2023 (download)

The most frequently impersonated e-commerce site was Amazon, which was mimicked in more than one third (34%) of all online store phishing attempts. Apple came in second with 18.66% of fraudulent pages, followed by Netflix, with 14.71%.

Sample of a phishing site that impersonates Amazon

Sample of a phishing site that impersonates Amazon

The tenth most-copied site was the Latin American online market MercadoLibre, which was mimicked by 1.77% of phishing pages. Fake sites also frequently targeted Louis Vuitton (5.52%), Shopify (4.73%), Alibaba Group (3.17%), Spotify (3.14%), eBay (3.12%) and Luxottica (2.94%) users.

Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites

Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites

One of the most common scam types targeting online shoppers consists in cybercriminals offering heavy discounts (which, of course, expire soon), special offers, early access to goods or entertainment, and other “bargains”. Both home users and businesses were targeted. For instance, in the screenshot below, a fake page presumably is offering a bus at an attractive price. If the user attempts to buy the vehicle, they are prompted to log in with their eBay account, which is then stolen.

Fake page offering a bus at a relatively low price

Fake page offering a bus at a relatively low price

Fraudsters use similar scams on social networks. For example, in the screenshot below, a fake Instagram store is offering Louis Vuitton products.

Fake Louis Vuitton store on Instagram

Fake Louis Vuitton store on Instagram

As new and more secure, authentication technologies appear, scammers find ways to evade these, too. The phishing page in the screenshot below, mimicking the Shopify sign-in form, implements a scenario for when the victim uses a passkey as the authentication method. Passkeys can only be used on websites and apps they are created for. To authorize passkey authentication, the user has to unlock the device the passkey was issued for. That means passkeys are of no use to phishers. To trick users into choosing to authenticate with a manually entered one-time code, the fake page displays an error message.

Fake Shopify page trying to bypass passkey authentication

Fake Shopify page trying to bypass passkey authentication

Payment system phishing

Payment systems were mimicked in 19.88% of financial phishing attacks detected and blocked by Kaspersky products in 2023.

TOP 5 payment systems mimicked by phishing and scam pages (download)

Among these, PayPal (54.73%) was the one that received the most attention, with more than half of attacks using its image.

Fake page targeting PayPal users

Fake page targeting PayPal users

Other most frequently victimized payment systems included MasterCard (16.58%), Visa (8.43%), Interac (4.05%) and PayPay (2.96%). Notably, of these, Visa and MasterCard are typically mimicked on fake payment pages linked to a variety of phishing and scam sites.

Cryptocurrency scams

In 2023, the number of phishing and scam attacks relating to cryptocurrencies continued to grow. Kaspersky antiphishing technologies prevented 5 838 499 attempts to follow a cryptocurrency-themed phishing link, which is 16% more than in 2022. This may be due to the fact that the Bitcoin rate, after hitting rock bottom in 2022, started to climb again in 2023. With the price of the number-one cryptocurrency setting new records at the beginning of 2024, this trend can be expected to develop further.

We have seen a number of different cryptocurrency-related schemes throughout the year. Scammers impersonated well-known cryptocurrency exchanges and offered coins in the name of major companies. Among the most notable schemes was a phishing campaign that targeted hardware crypto cold wallets. This type of wallet, normally disconnected from the internet, is considered quite safe. However, under the guise of a crypto giveaway, the attackers tricked users into connecting their hardware wallets to a fake website.

We have also seen crypto wallet phishing using well-known non-cryptocurrency brands as a lure. For example, a phishing website bearing the Apple logo and photos of Apple products invited users to get cryptocurrency called “AppleCoin”. Interestingly, a coin under that name does exist, but it has nothing to do with Apple Inc.

Phishing website touting AppleCoin in the name of Apple Inc

Phishing website touting AppleCoin in the name of Apple Inc

If the user believes that Apple has at last issued its own cryptocurrency and enters their wallet credentials, the scammers grab their funds.

PC malware

In 2023, the decline in the number of users affected by financial PC malware continued. Our data showed a decrease from 350,808 in 2022 to 312,453 in 2023, reflecting an 11% drop. This trend has persisted for the past years, and there are several reasons for that. First, users increasingly prefer mobile banking, and sign in to their online bank accounts on PCs less frequently than on smartphones. Although they may still store their banking credentials in browsers on their desktop computers, most notorious banking malware for PCs was repurposed to deliver other malware, such as ransomware, to infected systems. Often, these banking Trojans are used in more sophisticated targeted attacks, which usually means they infect fewer users.

Changes in the number of unique users attacked by banking malware in 2023 (download)

As can be seen in the graph above, banking malware attacks spiked in March. This coincided with a fourfold increase in Emotet‘s activity, which was its last large-scale campaign observed in 2023.

Key banking malware actors

The notable strains of banking Trojans in 2023 included Ramnit (35.1%), Zbot (22.5%) and Emotet (16.2%), which remained the top three financial malware families for the PC. The percentages of all three grew compared to 2022, together comprising nearly three-quarters of all financial malware attacks on desktop computers.

Name Verdict %*
Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 35.1
Zbot/Zeus Trojan-Banker.Win32.Zbot 22.5
Emotet Trojan-Banker.Win32.Emotet 16.2
CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 6.9
Danabot Trojan-Banker.Win32.Danabot 2.2
Tinba Trojan-Banker.Win32.Tinba 2.1
SpyEyes Trojan-Spy.Win32.SpyEye 1.9
Qbot/Qakbot Trojan-Banker.Win32.Qbot 1.8
BitStealer Trojan-Banker.Win32.BitStealer 1.3
IcedID Trojan-Banker.Win32.IcedID 1.2

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware

These three Trojans have a range of capabilities apart from stealing banking credentials. They can download additional modules and third-party malware, collect various types of data, such as passwords stored in browsers, and perform other malicious activities.

Fourth and fifth were CliptoShuffler (6.9%) and Danabot (2.2%), both frequently appearing in the rankings, and in sixth place was Tinba (2.2%), also known as “Tiny Banker Trojan”. Although we have not seen this family among the most active banking Trojans in previous years, it dates back to 2012, and its source code has been leaked. It is written in Assembler and gets its name for a remarkably small size.

Among other most active banking malware types were SpyEyes (1.9%), QakBot (1.8%), BitStealer (1.3%) and IcedID (1.2%).

Brazilian malware

While the overall number of desktop financial malware attacks has steadily declined, we have observed a trend for Brazilian families attempting to fill the void. In the beginning of 2023, we shared insights into new functionality added to Prilex, a type of malware known to target ATMs and PoS (point of sale) terminals. Kaspersky experts found the new modification was specifically designed to exploit contactless payments. When someone tries to pay with a contactless card, the infected PoS terminal displays an error message, prompting the buyer to insert the card and thus helping attackers to capture sensitive payment details. Cybercriminals can then run unauthorized transactions and potentially steal large sums of money from unsuspecting victims.

Another interesting malware strain is GoPIX, which targets the Brazilian instant payment system PIX. It spreads by impersonating the WhatsApp web app. Once successfully installed, it starts monitoring clipboard contents. If the malware detects PIX transaction data, it substitutes it with malicious data, tricking the user into transferring money to cybercriminals. It targets Bitcoin and Ethereum transactions in the same manner.

Recently, our Global Research and Analysis Team (GReAT) discovered Coyote, a new banking Trojan of Brazilian origin. Targeting more than 60 banking institutions, primarily in Brazil, this malware uses a sophisticated infection chain that utilizes various relatively new technologies. Spreading via the Squirrel installer, it leverages a NodeJS environment and the Nim programming language to complete infection. Coyote is capable of keylogging, taking screenshots, and setting up fake pages to steal user credentials.

Geography of PC banking malware attacks

To highlight the countries where financial malware was most prevalent in 2023, we calculated the share of users who encountered banking Trojans in the total number attacked by any type of malware in the country. The following statistics indicate where users are most likely to encounter financial malware.

The highest share of banking Trojans was registered in Afghanistan (6%), Turkmenistan (5.2%) and Tajikistan (3.7%). Switzerland (3.2%) and Mauritania (3%) were also among the worst affected by this type of threats.

TOP 20 countries by share of attacked users

Country* %**
Afghanistan 6
Turkmenistan 5.2
Tajikistan 3.7
China 3.2
Switzerland 3
Mauritania 2.4
Sudan 2.3
Egypt 2.2
Syria 2.1
Yemen 2
Paraguay 2
Algeria 1.9
Venezuela 1.9
Uzbekistan 1.7
Libya 1.7
Zimbabwe 1.7
Spain 1.6
Pakistan 1.6
Iraq 1.6
Thailand 1.5

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users whose computers were targeted by financial malware as a percentage of all Kaspersky users who encountered malware in the country.

Types of attacked users

Consumers (61.2%) were the main target of financial malware attacks in 2023, with their share unchanged from 2022.

Financial malware attack distribution by type (corporate vs consumer), 2021–2022 (download)

Mobile Malware

In 2023, 32% more Android users encountered mobile banking malware than in the previous year: 75,521 attacks compared to 57,219 in 2022. Moreover, we observed notable growth in the number of affected users in the last quarter of the year, which may be due to a new financial malware family called Mamont that targets mainly users in the CIS.

Number of Android users attacked by banking malware by month, 2022–2023 (download)

The most active Trojan banker was Bian.h (22.22%), followed by Agent.eq (20.95%), whose share grew by 17.50 pp compared to 2022. Third was Faketoken.pac, which affected 5.33% of all users who encountered mobile financial threats in 2023.

Verdict %*, 2022 %*, 2023 Difference in pp Change in ranking
Trojan-Banker.AndroidOS.Bian.h 23.78 22.22 -1.56 0
Trojan-Banker.AndroidOS.Agent.eq 3.46 20.95 +17.50 +6
Trojan-Banker.AndroidOS.Faketoken.pac 6.42 5.33 -1.09 +1
Trojan-Banker.AndroidOS.Agent.cf 1.16 4.84 +3.68 +13
Trojan-Banker.AndroidOS.Agent.ma 0.00 3.74 +3.74
Trojan-Banker.AndroidOS.Agent.la 0.04 3.20 +3.16
Trojan-Banker.AndroidOS.Anubis.ab 0.00 3.00 +3.00
Trojan-Banker.AndroidOS.Agent.lv 0.00 1.81 +1.81
Trojan-Banker.AndroidOS.Agent.ep 4.17 1.74 -2.44 -4
Trojan-Banker.AndroidOS.Mamont.c 0.00 1.67 +1.67

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security users who encountered banking threats.

Geography of the attacked mobile users

To find out which countries were worst affected by mobile financial malware in 2023, we calculated the percentage of users who encountered mobile banking Trojans among all active Kaspersky users in the country. Users in Turkey were attacked the most at 2.98%, with Saudi Arabia coming in second at 1.43% and Spain (1.38%) in third place.

TOP 10 countries by number of users who encountered mobile banking malware, 2023:

Country* %**
Turkey 2.98%
Saudi Arabia 1.43%
Spain 1.38%
Switzerland 1.28%
India 0.60%
Japan 0.52%
Italy 0.42%
South Korea 0.39%
Azerbaijan 0.24%
Colombia 0.24%

* Countries and territories with relatively few (under 25,000) Kaspersky mobile security users have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.

Conclusion

Although the number of users affected by PC banking malware continues to decline, there are other financial threats that underscore the need to stay vigilant and protect your digital assets. Unlike 2022, the year 2023 saw the number of users encountering mobile banking Trojans increase significantly. Cryptocurrency-related phishing and scams continued to grow, too, and they are not expected to stop in the nearest future.

To protect your devices and finance-related accounts:

  • Use secure authentication methods, such as multifactor authentication, strong unique passwords, and so on.
  • Do not follow links from suspicious messages, and do not enter your credentials or payment details, unless you are 200% sure that the website is legitimate.
  • Download apps only form trusted sources, such as official app marketplaces.
  • Use reliable security solutions capable of preventing both malware and phishing attacks.

To protect your business:

  • Regularly update your software and install security patches in a timely manner.
  • Improve your employees’ security awareness, conduct regular security training and encourage safe practices, such as proper account protection.
  • Implement robust monitoring and endpoint security to detect and mitigate threats at an early stage.
  • Implement network segmentation and default deny policies for users with access to financial assets.
  • Stay aware of the latest cybercrime trends by obtaining threat intelligence from trusted sources and sharing it with industry partners.

Financial cyberthreats in 2023

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox