Security researchers have uncovered an active cyber attack campaign that has successfully stolen more than $1 Million from a variety of targeted enterprise organizations using spear phishing emails, malware and social engineering tricks.
The campaign, dubbed "The Dyre Wolf" by researchers from IBM's Security Intelligence division, targets businesses and organizations that use wire transfers to transfer large sums of money, even if the transaction is protected by 2-factor authentication.
A MIXTURE OF MALWARE, SOCIAL ENGINEERING & DDoS
Nowadays, cybercriminals not only rely on banking Trojans to harvest financial credentials, but also use sophisticated social engineering tactics to attack big corporations that frequently conduct wire transfers to move large sums.
"An experienced and resource-backed [cyber criminal] gang operates Dyre," John Kuhn, Senior Threat Researcher at IBM Managed Security Service, wrote in a blog post published Thursday.
"[Dyre] was used in wide-stroke [cyber] attacks for the past year and has now moved into a more [indecent] stage of attacking corporate accounts via the incorporation of skilled social engineering schemes."
In addition to the advanced social engineering tricks, the Dyre criminal gang also employs distributed denial-of-service (DDoS) attacks against the targeted bank or business in order to distract attention and resources from the theft and to prevent victims from logging into the bank account until it is too late.
HOW THE ATTACK WORKS
The attack starts with a spear phishing email that reaches into your organization carrying an attachment claiming to be a document of financial importance, like an invoice, but which is actually an 'Upatre downloader'.
Once opened, Upatre downloads and executes the Dyre Trojan on the victim's system; according to IBM researchers, it went undetected by the majority of antivirus programs.
The Dyre Trojan has the capability to hijack the victim's address book and send out mass emails to all of its contacts via Outlook. The malware then monitors the victim's activities and waits for further action.
The process gets interesting when the victim with an infected computer tries to log into one of the hundreds of bank sites which the Trojan is programmed to monitor: Dyre displays a new screen with a message stating that the site is experiencing some issues and that you must call the number provided to make the transaction.
Once you call the number given, you'll be assisted by a real person, not an automated one. This is the uniqueness and the extent of the social engineering trick used by the Dyre attackers, who use real persons as part of their attack.
The attackers then retrieve all the information from the victim, and as soon as the victim hangs up the phone, the wire transfer is made by the crooks on the other end of the phone.
While the money is being bounced from bank to bank to circumvent detection by the bank and law enforcement, the targeted organization's website is subjected to a DDoS attack. The idea behind the DDoS attack is to prevent the victim from accessing the bank account.
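As an added example, not code from IBM's report or from this article, the following Python routine shows the kind of mail-gateway check that catches the first stage of the chain above: an attachment whose name promises an invoice or other financial document but whose bytes or extension reveal a Windows executable. The file names and header bytes are constructed samples, not real malware.

```python
# Magic bytes for file types an "invoice" attachment could legitimately be,
# plus the PE header ("MZ") that a disguised downloader executable carries.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # also .docx/.xlsx (OOXML containers)
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls
    b"MZ": "exe",                # PE executable (.exe/.scr/.com)
}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LURE_WORDS = ("invoice", "payment", "wire", "remittance", "statement")

def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def assess_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: the reasons it looks suspicious."""
    reasons = []
    lower = filename.lower()
    parts = lower.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_exts = {"." + p for p in parts[1:-1]}   # e.g. the ".pdf" in "x.pdf.exe"
    real_type = sniff_type(data)

    if final_ext in EXECUTABLE_EXTS or real_type == "exe":
        reasons.append("executable content")
    if inner_exts & DOCUMENT_EXTS and final_ext in EXECUTABLE_EXTS:
        reasons.append("double extension disguises executable as document")
    if final_ext in DOCUMENT_EXTS and real_type == "exe":
        reasons.append("document extension but PE header")
    if reasons and any(w in lower for w in LURE_WORDS):
        reasons.append("financial lure name")
    return {"filename": filename, "sniffed": real_type,
            "reasons": reasons, "suspicious": bool(reasons)}

# Constructed sample attachments: one genuine PDF and two disguised executables.
SAMPLES = [
    ("Invoice_2015-03.pdf", b"%PDF-1.4 ..."),
    ("Invoice_2015-03.pdf.exe", b"MZ\x90\x00..."),
    ("Invoice.pdf", b"MZ\x90\x00..."),
]

def scan_samples():
    return [assess_attachment(name, data) for name, data in SAMPLES]

if __name__ == "__main__":
    for verdict in scan_samples():
        print(verdict)
```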
STEPS TO PROTECT AGAINST THE DYRE WOLF
IBM security researchers recommend the following steps to users in order to protect against the attack:
- Organizations should train their employees on security best practices.
- Conduct periodic mock phishing exercises in which employees receive emails or attachments that simulate malicious behavior. Then, using those findings, discuss the growing security threats with them.
- Provide security training to employees in order to help them understand threats and the measures they can take to protect their organization.
- Regular reminders about phishing and spam campaigns should be provided to employees in order to prevent them from opening any suspicious attachments or links.
- As banks never ask for banking credentials, employees should be trained to never provide this information to anyone.
The Dyre Wolf campaign has already ripped off organizations for $500,000 (€450,000) and more than $1 Million (€910,000) per attack. Such large sums of money are not normally transferred without alarming the organizations, but the cybercriminals have focused only on those banks that transfer large sums of money without triggering alarms.