Hackers targeting users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander

19,000 malicious emails have been sent in three days from spam servers worldwide, inviting users to download an archive containing a malicious .exe file.

Bitdefender warns that the file acts as a downloader that fetches and executes the Dyreza banker Trojan, also known as Dyre. This represents a sizeable risk for customers of reputable financial and banking institutions from the UK, France, Germany, the US, Australia and Romania, many of whom have been targeted.

Posing as a follow-up email from a tax consultant, the message asks users to urgently download the attached archive and provide information to complete a financial transaction. A very similar email from the second day of the blast pretends to attach financial documentation and asks the user to verify its authenticity.

A third email warns the recipient of penalties imposed on his or her company, with an invitation to the business owner to see the administrative determination.

First seen in 2014, Dyre is very similar to the infamous Zeus, states Catalin Cosoi, Chief Security Strategist at Bitdefender. It installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Through a man-in-the-browser attack, hackers inject malicious Javascript code, allowing them to steal credentials and further manipulate accounts, all completely covertly.

In the UK, customers of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander have been targeted by hackers.

In the US, clients of Bank of America, Citibank, Wells Fargo, JP Morgan Chase and PayPal may have been exposed to theft.

Germany has also been affected with Deutsche Bank, Valovis Bank and volkswagenbank.de customers potentially having had credentials and money stolen from their accounts.

Catalin Cosoi continues, If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page. The server will then respond with the compressed version of the web page with malicious code added to it. This altered web page is then displayed on the victims web browser. Its appearance remains exactly the same, but the added code harvests the victims login credentials.