IBM Managed Security Services, working with IBM’s Emergency Response Services, has uncovered a cyber-fraud scheme with a whole new level of sophistication.
“The Dyre Wolf” uses the Dyre (also known as Dyreza) malware to target corporate banking accounts, stealing “upwards of a million dollars from unsuspecting companies,” IBM Security Services said in a report posted on its website.
“The organization behind the Dyre malware campaign has not only consistently updated and maintained the malware, they have added more tricks to further their deception,” the unit wrote. “Social engineering via phone calls and denial of service are now part of their toolkit.”
In a typical attack on a corporate account, according to the IBM unit, a victim logs into the account on the bank’s website and is presented with an error notice that invites them to call a phone number, ostensibly the bank’s, about accessing the account.
“The victim calls this number and is greeted by a very professional-sounding person with an American accent who states he works with the relevant bank, as if he knew the victim was about to call. After a brief conversation, this individual prompts the victim to give the username and password in question for the account and verifies it, several times. The attacker may also ask for a token code. Within this verifying stage, the attacker might ask to speak with a co-worker with similar access to the account, and who may be one of the authorized persons on that account, and ask them to verify information as well, and give a token code over the phone.”
In addition to using “one of the most effective banking trojans active in the wild because of its feature-rich capability,” the group behind the new fraud scheme has the type of expertise and backing to steal large sums of money, according to IBM Security.
IBM Security vice president Caleb Barlow told Reuters on Thursday that the use of a live phone operator is what makes the scheme unique.
“What’s very different in this case, is we saw a pivot of the attackers to use a set of social engineering techniques that I think are unprecedented,” Barlow said. “The focus on wire transfers of large sums of money really got our attention.”
The report recommends that companies configure their email servers to strip any executable attachment with an EXE, COM, or SCR extension, including such files inside archives that are not password protected. IBM Security also advises companies to keep their antivirus solutions updated with the latest virus definitions so that they remain as effective as possible.
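One way to implement that attachment-stripping recommendation, as an added example written for this page (it is illustrative code, not IBM's tooling or anything taken from the report): a Python filter that parses a raw message, drops parts named *.exe, *.com or *.scr, opens zip attachments that are not password protected and drops those that contain such files, and leaves password-protected archives alone, as the recommendation states. The sample message and the flag-patched "encrypted" zip are constructed fixtures; inspecting only zip containers, the stub text, and the example.com addresses are assumptions of the example.

```python
"""Mail-gateway filter for the IBM recommendation: drop EXE/COM/SCR attachments,
including ones hidden in archives that are not password protected.
Added example, not IBM's code. Assumption: zip is the only archive format inspected."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXT = (".exe", ".com", ".scr")
ARCHIVE_EXT = (".zip",)  # assumption: only zip containers are opened here


def has_blocked_ext(name):
    """Case-insensitive suffix check; also catches 'invoice.pdf.exe'."""
    return (name or "").lower().endswith(BLOCKED_EXT)


def inspect_zip(data):
    """Return (status, blocked_member_names). status is 'ok', 'encrypted'
    (password protected, so members cannot be inspected) or 'invalid'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return "invalid", []
    # General-purpose flag bit 0 of a zip entry marks it as encrypted.
    if any(info.flag_bits & 0x01 for info in infos):
        return "encrypted", []
    return "ok", [i.filename for i in infos if has_blocked_ext(i.filename)]


def attachment_verdict(part):
    """Decide 'strip' or 'keep' for one MIME leaf part, with a reason string."""
    name = part.get_filename() or ""
    if has_blocked_ext(name):
        return "strip", f"executable attachment {name}"
    if name.lower().endswith(ARCHIVE_EXT):
        status, members = inspect_zip(part.get_payload(decode=True) or b"")
        if status == "encrypted":
            # The recommendation only covers archives that are NOT password
            # protected; a stricter local policy would quarantine these instead.
            return "keep", f"password-protected archive {name} not inspected"
        if members:
            return "strip", f"archive {name} contains {', '.join(members)}"
    return "keep", f"no executable content in {name or 'body'}"


def strip_executables(raw):
    """Parse a raw RFC 5322 message and replace offending parts with a stub.
    Returns (message, reasons) where reasons lists each stripped part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        action, reason = attachment_verdict(part)
        if action == "strip":
            stripped.append(reason)
            # set_content clears the old Content-* headers (filename included)
            part.set_content("[attachment removed by mail gateway]")
    return msg, stripped


def remaining_attachment_names(msg):
    """Filenames still attached after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message():
    """Constructed sample, not a real lure: text body, a bare .exe,
    a zip wrapping an .scr, and a harmless .pdf."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "treasury@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 12  # PE-looking bytes, not a program
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", fake_pe)
        zf.writestr("readme.txt", b"harmless")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def build_encrypted_zip():
    """Constructed fixture: a one-member zip with the 'encrypted' flag bit set in
    both headers. Python's zipfile cannot write real encrypted archives, so the
    bit is patched in; the member data is never read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"MZ\x90\x00fake")
    data = bytearray(buf.getvalue())
    data[6] |= 0x01                   # local file header: general-purpose flags
    cd = data.rfind(b"PK\x01\x02")    # central directory entry of the member
    data[cd + 8] |= 0x01              # central directory: general-purpose flags
    return bytes(data)


if __name__ == "__main__":
    message, reasons = strip_executables(build_sample_message())
    for r in reasons:
        print("stripped:", r)
    print("kept:", remaining_attachment_names(message))
    print("encrypted zip:", inspect_zip(build_encrypted_zip()))
```

Run as a script, the filter strips the bare executable and the zip that wraps one, keeps the PDF, and reports the flag-patched archive as encrypted rather than clean. Note the policy choice that follows from the recommendation as worded: a password-protected archive passes through uninspected, so a gateway that applies the rule literally still forwards whatever such an archive contains; sites that prefer to quarantine those archives change the "encrypted" branch accordingly.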
“The Dyre malware is constantly evolving and changing in an effort to avoid detection,” the unit said. “New versions are appearing each day and often go undetected by popular corporate antivirus products for several days.”