Last week, IBM Security reported on an active cyberheist campaign using a variant of the Dyre Trojan that has successfully stolen more than $1 million at a time from targeted enterprise organizations.
The campaign, named “The Dyre Wolf” by IBM, shows furious innovation from the once-simple Dyre malware by adding advanced social engineering tactics geared to circumvent two-factor authentication. In recent incidents, organizations have lost staggering amounts of $500,000 and $1.5 million to this sophisticated criminal cyber gang.
Most banking Trojans target individuals, but Dyre has always been used to target organizations. Dyre started in 2014 and during the last year has improved significantly in both features and ease of use. This allows Eastern European cybercriminals to go for much larger cyberheists. One powerful feature that allows them to quickly penetrate targeted organizations is that Dyre's criminal coders included the ability to spread Trojans using their victims’ email contacts lists.
A Combo of Spear Phishing, Social Engineering and DDoS Attacks
IBM reported that over the last 12 months, spear phishing campaigns were used to initially infect employee workstations with the Upatre downloader. Once installed, Upatre pulls down the Dyre Trojan, which starts monitoring the machine and records which bank sites are accessed. As part of the installation, the Dyre malware establishes persistence by creating a service innocuously named “Google Update Service”. This service is set to run automatically each time the system restarts.
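A defender can turn that persistence detail into a host check. The script below is an added example, not code from IBM's advisory and not part of the Dyre campaign description: it scans a list of Windows service records (the sample records are constructed here, shaped like what `Get-Service` or `sc query` would return) and flags any service whose display name mimics Google Update but whose service name, binary location, or start type does not match the real Google Update services (`gupdate`/`gupdatem` running from `Program Files\Google\Update`). The three heuristics are assumptions for illustration, not indicators IBM published.

```python
"""Flag persistence services masquerading as "Google Update Service".

Added example (not IBM's code, not from the advisory). The service records
below are CONSTRUCTED sample data; the heuristics (service-name mismatch,
binary outside Program Files\\Google\\Update, auto-start from a user-writable
directory) are assumptions chosen for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ServiceRecord:
    name: str          # short service name, e.g. "gupdate"
    display_name: str  # human-readable name shown in services.msc
    binary_path: str   # ImagePath, may be quoted and carry arguments
    start_type: str    # "auto", "manual" or "disabled"


# The genuine Google Update services (known names and install directory).
LEGIT_GOOGLE_UPDATE_NAMES = {"gupdate", "gupdatem"}
LEGIT_GOOGLE_UPDATE_DIR = re.compile(
    r"^[a-z]:\\program files( \(x86\))?\\google\\update\\", re.IGNORECASE
)
# Directories a non-admin user can write to; a service binary there is odd.
USER_WRITABLE_DIRS = re.compile(
    r"\\(appdata|temp|tmp|users\\public|programdata)\\", re.IGNORECASE
)


def find_suspicious_services(services: List[ServiceRecord]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every service that trips a heuristic."""
    findings = []
    for svc in services:
        reasons = []
        mimics_google_update = "google update" in svc.display_name.lower()
        # Drop a leading quote so the path regex sees the drive letter first.
        path = svc.binary_path.lstrip('"')

        if mimics_google_update and svc.name.lower() not in LEGIT_GOOGLE_UPDATE_NAMES:
            reasons.append("display name mimics Google Update but service name is not gupdate/gupdatem")
        if mimics_google_update and not LEGIT_GOOGLE_UPDATE_DIR.search(path):
            reasons.append("binary is not under Program Files\\Google\\Update")
        if svc.start_type == "auto" and USER_WRITABLE_DIRS.search(path):
            reasons.append("auto-start service runs from a user-writable directory")

        if reasons:
            findings.append((svc.name, reasons))
    return findings


# Constructed sample inventory: one legitimate Google Update service, one
# ordinary Windows service, and one fake that matches the page's description
# (the fake's binary path is invented for this example).
SAMPLE_SERVICES = [
    ServiceRecord("gupdate", "Google Update Service (gupdate)",
                  '"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc', "auto"),
    ServiceRecord("Spooler", "Print Spooler",
                  "C:\\Windows\\System32\\spoolsv.exe", "auto"),
    ServiceRecord("Google Update Service", "Google Update Service",
                  "C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe", "auto"),
]


if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_SERVICES):
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

On a real host you would populate `ServiceRecord` from the service control manager (for example by parsing `sc qc <name>` output or the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`) rather than from the constructed list; the matching logic stays the same.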
Once one of the hundreds of bank sites that Dyre was built to exploit comes up, Dyre creates a fake screen that tells the user that the bank's site is having problems and to call a certain number. The employee who calls the number is connected to an English-speaking criminal operator who already knows what bank the users think they are contacting.
The operator then social engineers the user and gets their banking details. Immediately after, large wire transfers are made out of the compromised account. The wires are then rapidly moved over a series of international banks until they are cashed out by money mules. In one instance, IBM said, the gang hit the victim company with a denial of service attack — essentially bringing down their Web capabilities — so it would not discover the theft until much later.
"What's very different in this case, is we saw a pivot of the attackers to use a set of social engineering techniques that I think are unprecedented," said Caleb Barlow, vice president of IBM Security. "The focus on wire transfers of large sums of money really got our attention."
What To Do About It
IBM recommends several technical measures to block this infection in their technical report on Dyre: https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/dyre_wolf_4-2-2015.html?
And they also clearly stated the following:
"Organizations will remain only as strong as their weakest link. Proactive end-user education and security awareness training continue to be critical in helping prevent incidents like the one described in this advisory.
- Train employees on security best practices and how to report suspicious activity.
- Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
- Offer security training to employees to help understand threats and measures they can take to protect the organization.
- Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links from both work and personal emails.
- Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information."
We could not agree more. Effective security awareness training is a must these days to protect against these kinds of attacks. Find out how affordable this is for your organization today.