“An experienced and resource-backed cybercrime gang” is using the relatively new Dyre/Dyreza banking Trojan coupled with effective social engineering to steal millions from businesses, IBM Security Intelligence researchers John Kuhn and Lance Mueller warned.
The campaign, dubbed “Dyre Wolf” is still active, and starts with spear-phishing emails delivered to enterprise employees, some of which are tricked into downloading an attachment that contains the Upatre downloader.
This malware then downloads a variant of the Dyre Trojan which is not detected by most AV solutions used by organizations.
“Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site. The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in,” the researchers explained.
“One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as. This all results in successfully duping their victims into providing their organizations’ banking credentials,” they noted.
“As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement.”
What’s interesting is that on one occasion, the targeted organization was hit with a DDoS attack immediately after the transfer was made, likely to temporarily distract the company so that they would not find out about it until it was too late.
Training employees to spot phishing emails and to never provide banking credentials to anyone – either by phone or email – is crucial in preventing this type of attack, the researchers pointed out.