IBM Security researchers recently uncovered a new campaign called Dyre Wolf, which uses a variant of the Dyre malware along with sophisticated social engineering techniques to bypass two-factor authentication.
In recent incidents, the campaign has resulted in in losses to organizations of between $500,000 and $1.5 million.
“While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations,” IBM senior threat researcher John Kuhn notes in a blog post detailing the threat.
“An experienced and resource-backed cybercrime gang operates Dyre,” Kuhn writes. “It was used in wide-stroke attacks for the past year and has now moved into a more brazen stage of attacking corporate accounts via the incorporation of skilled social engineering schemes.”
Key to Dyre’s spread, Kuhn notes, is a mechanism that distributes malicious spam through a mass mailing of victims’ contact lists. “This methodology has always proven effective for malware authors, and Dyre takes advantage of it with dramatic results,” he writes.
Once an infected victim tries to log into one of the bank websites monitored by Dyre, a Web page appears claiming the site is experiencing issues, and offering a phone number for the victim to call for help logging in.
Because the attackers can determine when the victim will call and which bank to answer as, they’re often able to trick victims into providing their organizations’ banking credentials.
The attackers then initiate a wire transfer that bounces from foreign bank to foreign bank to avoid detection.
“One organization targeted with the campaign also experienced a DDoS,” Kuhn writes. “IBM assumes this was to distract it from finding the wire transfer until it was too late.”
The Dyre Wolf campaign, Kuhn notes, highlights the fact that any organization is only as strong as its weakest link — in this case, its employees.
“IBM’s Cyber Security Intelligence Index indicated 95 percent of all attacks involved some type of human error,” Kuhn writes. “These attackers rely on that factor so someone will open a suspicious attachment or link and they can successfully steal millions.”
IBM offers the following advice for organizations seeking to minimize the risk of compromise:
- Train employees on security best practices and how to report suspicious activity
- Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior
- Offer security training to employees to help understand threats and measures they can take to protect the organization
- Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links
- Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information
Rapid7 global security strategist Trey Ford told eSecurity Planet by email that organizations need to put more effort into protecting sensitive login credentials. “Technology companies have spent an amazing amount of energy working to minimize friction in this user process, making authentication and online workflows an ideal target,” he said.
“Phishing is a serious threat, and there are two actions companies can take to minimize risk immediately: (1) Treat login activities with the same level of suspicion that banks observe credit card transactions; and (2) Conduct phishing tests against your users,” Ford added.
“Increased verification and occasional testing will do more to inspire a healthy level of doubt and distrust for out-of-place requests, fostering more meaningful and appreciative relationships with security programs,” he said.