Anti-Fraud , DDoS , Fraud

New Malware Attacks Prey on Banks

Security Vendors Warn of Sophisticated Threat Using Dyre Variant
New Malware Attacks Prey on Banks

Experts advise banking institutions to take several steps, including enhancing online banking authentication and ramping up commercial customer education, as a result of a recent increase in sophisticated attacks involving a new variant of Dyre malware.

See Also: Avoid 75% of all Data Breaches by Keeping Privileged Credentials Secure

IBM Security recently warned banks and their commercial customers that hackers are using a variant of Dyre, christened "The Dyre Wolf," to attack online banking systems. The malware attacks, which begin with sophisticated phishing schemes, have successfully circumvented dual-factor authentication and evaded most anti-virus detection systems, IBM reports.

To help deflect these attacks, Al Pascual, director of fraud and security at Javelin Strategy & Research, recommends stronger authentication methods.

"More secure forms of secondary authentication, such as biometrics, are another option that needs to be pursued," he says. "This type of threat proves that the general perception of what is commercially reasonable is actually anything but."

$1 Million Stolen in Past Month

In a blog posted April 2, IBM senior threat researcher John Kuhn, notes that The Dyre Wolf malware has been used to steal more than $1 million from businesses within the past month.

What's so concerning about attacks waged with The Dyre Wolf malware is that they involve sophisticated social engineering and, in some cases, even distributed-denial-of-service attacks, security experts say.

It's also clear, they say, that the fraudsters behind The Dyre Wolf malware attacks are extremely knowledgeable about banking institutions' back-end systems and online-banking platforms.

The new Dyre variant is programmed to monitor hundreds of online banking sites, so it's able to launch a convincing spoofed page or screen when a user tries to log into online banking systems. "The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in," Kuhn says.

Once users call the number provided on the fake page, they are tricked into revealing details and credentials that allow the fraudsters to schedule wire transfers, Kuhn says. The criminals then use that same numbers to verify the transactions, circumventing the out-of-band phone call authentication, he adds.

"Over 200 banks and over 500 URLs from those banks were listed in the Dyre malware [code]," he says. "These are the banks and the URLs that it is tracking. So we know the attackers are aware of these banking websites and how they run. They are very aware of changes that banks put in place to prevent Dyre infections, and they are spending a lot of time researching these sites to know how they work and how wire transfers are conducted."

Wire Fraud

The Dyre Wolf malware was used to make fraudulent wire transfers totaling between $500,000 and $1.5 million from various businesses that are IBM customers in recent weeks, Kuhn tells Information Security Media Group.

"I won't say those losses have just been isolated to North America. But I will tell you that these attacks are impacting North America heavily; but it is an international problem."

One threat researcher who asked not to be named says the gang behind Dyre is "the No. 1 current threat to online banking across the globe."

And Andy Chandler, senior vice present at threat-intelligence firm Fox-IT, says his firm is working with numerous customers across the world to gain more knowledge about Dyre's masterminds. "We see Dyre being used from Australia to the U.K., from the U.S. to South Korea," he says. "The actors are mature and sophisticated, and bear a lot of the traits of gangs which used P2PZeus in 2013 and earlier."

A Social Engineering Edge

Dyre is a class of malware that is delivered via phishing attacks. It's usually distributed via an attached document or zipped executable, says Patrick Belcher, director of security analytics at endpoint security provider Invincea. And while Dyre has been around since mid- to late 2014, it has evolved quickly, he says.

"This malware has been coupled with the advanced social engineering attack to score a much larger payout," Belcher says. "This also shows the adaptable capabilities of common malware to be customized for targeted criminal campaigns."

These new Dyre attacks are waged via spear-phishing campaigns that target businesses and organizations that frequently conduct high-dollar wire transfers, IBM's Kuhn says.

"It's a bit of luck," he says, because there no easy way for criminals to know which companies conduct large wire transfers on a regular basis. "But when you get infected, the malware sends out emails to all of your contacts, so it's able to accumulate business addresses. ... How they calculate which business to go after from there, though, I'm not sure."

Stall Tactics

Knowing banking institutions' detection patterns, the attackers don't wire funds directly to their final destinations. Instead, the funds bounce from one foreign bank to another, Kuhn says. One bank through which a fraudulent wire was scheduled by a Dyre Wolf attack also was hit by a DDoS attack as the money was being transmitted, he says.

"IBM assumes this was to distract the bank from finding the wire transfer until it was too late," Kuhn says.

These tactics - account bouncing and DDoS - slow down the bank's or credit union's ability to detect fraudulent activity, Kuhn adds.

To date, IBM is not aware of any institution or business that has recovered stolen funds or stopped fraudulently wires that were linked to a Dyre Wolf attack.

Detection and Prevention

Invincea's Belcher says most modern malware, including Dyre, is designed to evade anti-virus detection. "Today, malware changes itself frequently, so that each attack looks like a brand new piece of malware from a hash perspective," he says. "Advanced endpoint detection and prevention technology can protect users from malware that attempts to make changes to the local system via phishing, weaponized documents, drive-by downloads and zero-day exploits."

But Javelin's Pascual says education is key in thwarting these attacks. "The ultimate takeaway for me is that this kind of attack represents a concerted effort on the part of cybercriminals to defraud an organization," he says. "While banks can exert some control over whether or not their clients are infected through the use of tools like client- or server-side anti-malware, education is another potent tool that needs to be leveraged to mitigate the threat of Dyre Wolf."

Pascual says banks and credit unions must educate their commercial clients about how to identify and respond to socially engineered fraud attempts waged through all channels. "Just as criminals bring more tools to bear when attempting to compromise the accounts of these high-value targets, banks need to pull out all of the stops," he says.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network