Dyre Wolf Scheme Targets Corporate Accounts
IBM revealed a sophisticated bank funds transfer scheme that uses a mixture of phishing, malware and phone calls to appropriate large sums of money from U.S. companies. However, credit unions appear to be unaffected for now.
“The Dyre Wolf” scheme utilizes Dyre, or Dyreza, malware to target corporate banking accounts. In addition to using “one of the most effective banking Trojans active in the wild because of its feature-rich capability,” the Eastern European gang of cyber criminals apparently has the type of expertise and backing to steal “upwards of a million dollars from unsuspecting companies,” IBM Security Services said in a report posted on its website.
“The organization behind the Dyre malware campaign has not only consistently updated and maintained the malware, they have added more tricks to further their deception,” the IBM unit wrote. “Social engineering via phone calls and denial of service are now part of their toolkit.”
“Dyre Wolf is an evolution to the Dyre malware that came out last year,” Carl Mazzanti, founder/CEO of IT consulting firm eMazzanti Technologies, said. “This new strain is an example of the evolution of malware-in-the-wild morphing and slips by undetected by spyware and antivirus programs.”
According to IBM, the attackers have been targeting people working in companies since last year by sending spam email with unsafe attachments in order to inject a variation of the Dyre malware into as many computers as possible.
“This malware and technique is not new, but it is the first time it is being combined and utilized on such a large scale,” Paul Kubler, digital forensics and cyber security examiner at LIFARS LLC., said. “It targets organizations rather than end users, and has been particularly effective.”
In a typical assault on a corporate account, according to the IBM unit, a victim logs into a corporate account on their bank’s website. Then, they receive an error notification that invites them to call the bank about accessing the account. The victim calling this number reaches a very professional-sounding person posing as the financial institution representative. After a brief conversation, this individual prompts the victim to give the username and password in question for the account and verifies it several times. The attacker may also ask for a token code. During this verifying stage, the attacker might ask to speak with a coworker with similar access to the account, and who may be one of the authorized persons on that account, and ask the coworker to verify information and give a token code over the phone.
To be vulnerable, a number of user actions need to take place, Mazzanti explained. To start, a user must click on a phishing email to accept the package installation on his or her computer. Next, that user needs to use that computer to access one of the hundreds of websites that Dyre is programmed to monitor. The user will then be redirected during the log-on phase to a “false” web page that instructs him or her to call a phone number and interact with a live operator. Once engaged, the operator collects the details from the victim and uses the website malfunction to authenticate the user and later empty the bank account with a bank wire.
“Now our credit union community is largely sheltered from this strain, as the writers of the threat focused on the larger banking targets,” Mazzanti said.
But, he warned credit unions not to lower their shields yet. “As the perpetrators earn money, we can be sure that the investments to increase the scope of target to banks and credit unions will increase rapidly.”