A new, coordinated attack based on a variant of the Dyre banking malware is responsible for stealing more than $1 million from corporations. The new campaign was discovered by IBM Security researchers, who are calling the attack “The Dyre Wolf.” The campaign has added elements of social engineering designed to defeat security measures such as two-factor authentication.
Dyre is a Trojan that first made its appearance last year in a series of phishing attacks against large banks such as Citigroup, JPMorgan Chase, and Bank of America. Since its debut, the Trojan has grown more sophisticated and easier to use, making it even more dangerous to the corporations it targets.
Long-Term Attacks, High Return on Investment
The Dyre Wolf attack begins when an e-mail containing the Upatre malware is sent to an employee of the targeted enterprise. Once the e-mail is opened, Upatre installs itself on the enterprise network and opens a connection to the attacker, who can then install the Dyre Trojan.
From there, Dyre can alter the response from a bank’s Web site to include instructions telling users to call the bank at a number controlled by the attacker. The attacker then cons the user into providing authentication information, which the attacker uses to initiate a wire transfer from the victim’s account to several offshore accounts.
The attacker finishes the attack by mounting a distributed denial-of-service attack that prevents anyone from investigating the wire transfer until it has already been completed.
The attack is being conducted by an experienced cybercrime organization with significant resources at its disposal, according to IBM security researchers. “As we continue to see, cybercriminals grow in resourcefulness and productivity at alarming rates,” John Kuhn, senior threat researcher at IBM, wrote in a blog post. “They are sharing expertise on a global scale via the deep Web and launching carefully planned, long-term attacks to attain the highest return on investment.”
Humans Are the Weak Links
Unlike other Trojan campaigns, which have primarily targeted individuals, Dyre Wolf is focusing its attacks on corporate accounts that frequently make wire transfers with large sums of money. By carefully targeting such organizations, Dyre Wolf makes it difficult to catch illegal transfers until it's too late. Furthermore, most of the antivirus tools used by enterprises as their first lines of defense against such attacks have so far been unable to stop Dyre Wolf.
“This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees,” Kuhn wrote. “IBM’s Cyber Security Intelligence Index indicated 95 percent of all attacks involved some type of human error. These attackers rely on that factor so someone will open a suspicious attachment or link and they can successfully steal millions.”
Companies can best protect themselves against Dyre Wolf and similar attacks by training their employees on security best practices and how to report suspicious activity. Enterprises should also consider conducting periodic mock-phishing exercises where employees receive e-mails or attachments that simulate malicious behavior, IBM said. And employees in charge of corporate banking should be trained to never provide banking credentials to anyone.
Posted: 2015-04-03 @ 3:12pm PT
Perhaps all corporate email accounts should be set to not auto run, similar to viewing email through a browser. It would seem the human element just cannot be trusted.