An active campaign using a variant of the Dyre malware has successfully stolen over $1 million from a variety of enterprise organizations.
It's part of a pattern: In recent Dyre campaigns, organizations have lost between $500,000 and $1.5 million each to attackers—and the malware infection rate continues to increase.
The campaign, named “The Dyre Wolf” by IBM Security researchers, sees the formerly simple Dyre malware add sophisticated social engineering tactics—likely to circumvent two-factor authentication.
While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations. Since its start in 2014, Dyre has evolved to become ever more sophisticated and easy to use, enabling hackers to go for the bigger payout. In this case, the social engineering and the resulting banking credentials theft is the focus of this new campaign and is ultimately what is used to illicitly transfer money from victims’ accounts.
“What do the dire wolf, the wolf in sheep’s clothing and 'The Wolf of Wall Street' have in common? Deception and a ferocious appetite to get what they want,” said IBM researchers John Kuhn and Lance Mueller, in a blog post. “The Dyre Wolf campaign is no different. From an initial infection via the Upatre malware through a spear-phishing email to a distributed denial-of-service (DDoS) attack, the criminals carrying out this latest string of attacks are using numerous sophisticated techniques.”
Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site. The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in.
As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement. One organization targeted with the campaign also experienced a DDoS. IBM assumes this was to distract it from finding the wire transfer until it was too late.
IBM said that an experienced and resource-backed cybercrime gang operates Dyre.
“Cybercriminals grow in resourcefulness and productivity at alarming rates,” the researchers said. “They are sharing expertise on a global scale via the Deep Web and launching carefully planned, long-term attacks to attain the highest return on investment.”
This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it’s their employees. IBM’s Cyber Security Intelligence Index indicated 95 percent of all attacks involved some type of human error. These attackers rely on that factor so someone will open a suspicious attachment or link and they can successfully steal millions.