Dyre Wolf malware hungry for cash in SMB accounts

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

By Byron Aco­hi­do, ThirdCertainty

A cyber gang spe­cial­iz­ing in rip­ping off online bank­ing accounts has been suc­cess­ful­ly exe­cut­ing a mul­ti­step cam­paign to pull off six- and sev­en-fig­ure heists from the accounts of small- and mid-size busi­ness­es, as well as large enterprises.

This intel comes from IBM Secu­ri­ty in a report dis­clos­ing details of a gang using the Dyre fam­i­ly of mal­ware, which has been wide­ly used for rou­tine man-in-the-mid­dle attacks, by which the attack­er manip­u­lates online transactions.

Secu­ri­ty & Pri­va­cy Week­ly News Roundup: Sub­scribe to stay informed 

This par­tic­u­lar cam­paign, dubbed Dyre Wolf by IBM, has been con­duct­ed at a mod­est scale com­pared to the Car­banak cyber gang that has pil­fered an esti­mat­ed $1 bil­lion from more than 100 banks glob­al­ly, accord­ing to Kasper­sky Lab. The Car­banak gang infil­trat­ed bank net­works, repro­grammed servers, and remote­ly trig­gered ATM machines to spit out cash.

The Dyre Wolf gang, by com­par­i­son, has been tak­ing aim at small and mid-size busi­ness­es, doing intel to fig­ure out who they bank with and what kind of trans­ac­tions they do online, and then using a com­bi­na­tion of tech­niques to trig­ger wire trans­fers of $500,000 to $1 million.

IMB did not esti­mate a total take for the Dyre Wolf gang, nor how many were hit. But the dam­age to the busi­ness­es, espe­cial­ly small and mid-size com­pa­nies, obvi­ous­ly has been mate­r­i­al, if not crippling.

Start­ing last year, these crim­i­nals began tar­get­ing peo­ple work­ing in cer­tain com­pa­nies and send­ing them phish­ing emails craft­ed to get them to click on an attach­ment car­ry­ing a vari­ant of the Dyre malware.

Dyre stays dor­mant until the vic­tim nav­i­gates to a bank web­site. It then loads a spoofed page with a faked alert that the bank’s site is hav­ing prob­lems. The vic­tim is then instruct­ed to call the dis­played phone number.

An Eng­lish-speak­ing operator—part of the crim­i­nal gang—is stand­ing by with a script to talk the vic­tim into divulging account details need­ed to quick­ly trig­ger a large wire transfer.

One of the many inter­est­ing things with this cam­paign is that the attack­ers are bold enough to use the same phone num­ber for each web­site and know when vic­tims will call and which bank to answer as,” says IBM researcher John Kuhn. “This all results in suc­cess­ful­ly dup­ing their vic­tims into pro­vid­ing their orga­ni­za­tions’ bank­ing credentials.”

Here’s IBM’s flow chart of the caper:


More on emerg­ing threats and best practices:
5 data pro­tec­tion tips for SMBs
Why deb­it cards are riski­er than cred­it cards
A call for a data breach warn­ing label




Posted in Data Breach, News & Analysis