Recently, IBM Security researchers took the lid off an active campaign using a variant of the Dyre banking malware. So far, the malware has swiped over $1 million from its enterprise victims.
IBM senior threat researcher John Kuhn said the variant, dubbed The Dyre Wolf, shows a “brazen twist” from past Dyre malware strains because it adds sophisticated social engineering tactics that could circumvent two-factor authentication.
“From an initial infection via the Upatre malware through a spear-phishing email to a distributed denial-of-service (DDoS) attack, the criminals carrying out this latest string of attacks are using numerous sophisticated techniques,” Kuhn explained in an IBM security intelligence article. “However, social engineering and the resulting banking credentials theft is the focus of this new campaign and is ultimately what is used to illicitly transfer money from victims’ accounts.”
A Non-Tech Savvy Audience
So who’s to blame? The user or the enterprise? Philip Lieberman, president of identity management software developer Lieberman Software, told us the attack was very well targeted and hit a generally non-tech savvy audience outside the United States.
“Unfortunately the same advice goes about not clicking on links or opening attachments when you are not expecting them. The statistics are generally in favor of the attackers in this and most other cases that will reward them handsomely for their efforts,” Lieberman said. “I expect that attacks will pick up outside the USA as criminals exploit the generally poor security of EMEA-based individuals and companies that are hamstrung by their governments' regressive privacy policies that protect criminals.”
IT Needs To Innovate
So, then, is it the end user’s fault for clicking? We turned to Richard Blech, CEO of digital security solutions firm Secure Channels, to get his thoughts. He told us if the definition of technology is the application of scientific knowledge for practical purposes, especially in industry, why are we blaming the user for not knowing enough?
“Technology leaders need to stop blaming the user for inadequacies and ‘needing training.’ Our duty in the technology industry is to provide options for the user, based on innovation not blame,” Blech said. “By forcing the user to call in with the Dyre malware, it is basically the human being breached by forcing them to engage with the nefarious entity.”
As Blech sees it, instead of allowing the hacker the access, enterprises should set technology to multi-factor authentication and simplify the process at the same time. He’s calling for innovation around multi-factor authentication, including tokenized identity using binary and biometrics resources that avoid outdated, easily hacked, and easily forgotten alphanumeric passwords.
“The hackers may be able to hack the human, but they cannot hack the heart. Designing authentication based on emotional memory rather than rote will simplify the burden for the user,” Blech said. “This explains the differences between IT and TI -- technical innovators use technology to design and make changes that enhance the life of its users, not train them to accept complacency.”