Dyre Wolf Banking Malware
April 7, 2015

As we can see, cybercriminals are relentless in their pursuit of quick money, and in doing so they create fear in all of us.

Dyre Wolf, named by IBM Security researchers, is a variant of the Dyre Trojan, which first made its appearance in June 2014. It has been used in a succession of phishing campaigns across the globe, targeting major banks such as Royal Bank of Scotland, Citigroup and Bank of America. At that time the malware's target list included 100 banks and was a cause of concern for the industry.

The malware used a technique called "browser hooking". This technique allows the attacker to route unsuspecting customers to fake banking websites and trick them into surrendering their login credentials. The stolen credentials are then used to conduct an account takeover (ATO).

Fast forward to today: Dyre has evolved to become more sophisticated. It utilizes social engineering tactics that are likely to get around two-factor authentication. It has been reported that organizations have lost between $500,000 and $1.5 million to the attackers.

A point to note is that banking Trojans normally target individuals, but Dyre has always targeted organizations. Why? There is a bigger payout for the cybercriminals in targeting organizations. The Dyre attacks are waged using spear-phishing (see Definition) campaigns.

The Dyre Wolf is a mixture of malware, social engineering (see Definition) and DDoS. According to the Senior Threat Researcher at IBM Managed Security Services, an experienced and resource-backed gang operates Dyre. Since Dyre first came onto the scene last year, it has moved on to the stage of "attacking corporate accounts via the incorporation of skilled social engineering schemes."

If this isn't enough, Dyre now employs Distributed Denial-of-Service (DDoS) attacks (see Extol Advisory, 6th April) against the targeted banks or businesses in order to distract attention from the wire transfer (see Definition) of money until it is too late. These criminals are several steps ahead of everyone.

Here are some points of importance to note:

  1. Cybercriminals are growing in resourcefulness and productivity, and are sharing expertise on a global scale.
  2. They are launching carefully planned, long-term attacks to gain the highest return on investment.
  3. They target organizations that frequently conduct wire transfers involving large sums of money.
  4. Dyre is programmed to monitor hundreds of banks' websites.
  5. When a victim logs on to one of these websites, a screen appears explaining that the site is experiencing difficulties and requesting that the victim call the number provided for help in logging in.
  6. The attackers use the same telephone number for every website, and they know when victims will call and which bank to answer as.
  7. Victims are then duped into providing the organization's banking credentials.
  8. By the time the victim hangs up, the wire transfer is complete.

To avoid detection by law enforcement, the money is moved from one foreign bank to another.

It has been said that organizations are only as strong as their weakest link, and the weakest link is people. All too often, it is human error that lets cybercriminals 'in' through the front door. A report by IBM indicated that 95 percent of all attacks involved some kind of human error.

We have seen from past advisories and many other reports that it is almost always human error that results in a successful cyber attack. Cybercriminals understand human weakness very well and resort to enticing unsuspecting users to open that malicious email attachment or link, so that they can rob them blind, to the tune of thousands or even millions of dollars.

With such huge sums of money at stake, organizations can't afford to be complacent. They have to be proactive to stem the tide of this onslaught.


Recommendation


  1. Train employees on security best practices and on how to report suspicious activity.
  2. Conduct mock phishing exercises in which employees receive emails or attachments purporting to come from attackers, and see how they respond. This will give you an idea of how many incidents would occur if the attacks were real.
  3. Carry out awareness training to help employees understand the threats and the measures to take in protecting the organization.
  4. Remind employees regularly about phishing and spam campaigns, and that they shouldn't open suspicious attachments or links in either work or personal email.
  5. Train bank employees to never provide banking credentials to anyone.

Definition


  1. Spear phishing – an email that targets a specific individual, department or organization, seeking unauthorized access to confidential information.
  2. Social engineering – the art of manipulating people so that they give up confidential information. The social engineer pretends to be somebody he or she is not in order to trick people into revealing more than they should.
  3. Wire transfer – an electronic funds transfer from one person or entity to another.

Source


  1. The Hacker News.
  2. Security Intelligence.
  3. IBM (pics).