Deadlier trojans pave way for major bank fraud

New malware operated remotely neutralises usual anti-fraud controls

Attackers have made the trojans more complex, adding supporting infrastructure to make them even more surreptitious and effective

Highly adept trojan malware that is operated remotely, conceals itself from detection and allows fraudsters to transfer large sums of money from victim accounts is a growing, serious threat in the financial industry.

According to malware experts speaking at a session at the recent RSA security conference, remote access trojans (RATs) such as Dyre and Dridex are complex and combine many features of older malware to hide their presence in a user’s device or computer.

They are directly controlled remotely by criminals, and use authentic-looking “social engineering” messages to lure victims into providing access to their accounts.

According to Uri Rivner, head of cyberstrategy at BioCatch, RATs such as Dridex take an average of 31 minutes to detect and the average amount they transfer from a single account is $26,000. Such amounts are far greater than what has been seen in the past with banking malware, he said.

Dridex, Dyre, Dyreza and other variations on this form of trojan are relatively new – Dyre and Dridex first came to notice in 2014, principally targeting European institutions. In the following months attackers have made the trojans more complex, adding supporting infrastructure to make them even more surreptitious and effective.

Fraudsters

Rivner said that while standard fraud detection systems miss the trojan, they’ve been able to spot it in action and understand how fraudsters are utilising it by tracking the movement of the mouse cursor in the browser when the bank’s website is being accessed by attackers.

Rivner showed animations of the victim’s cursor activity. In them, the even, horizontal movements of the victim give way to the jerky, vertical movements of the attacker’s cursor, which occur while the victim has gone off to look at a different webpage.

“The whole hand and eye coordination is off,” he said, with an immediately noticeable difference between the user and attacker.

“So, we can look at the [user] session and think, hey, have we seen this user before, or is there some anomaly indicator?”
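The cursor-based anomaly signal Rivner describes, as an added illustration that is not BioCatch’s code or model: from (time, x, y) cursor samples it extracts two constructed features (how much of the movement is vertical, and how sharply the heading changes between steps) and flags a session, or the first window within a session, whose profile departs from the account’s baseline. The thresholds and the sample trails are assumptions made up for this example.

```python
"""Cursor-behaviour anomaly check inspired by the mouse-tracking described in the
article. Added illustration: features, thresholds and trails are constructed, not BioCatch's."""
import math
from dataclasses import dataclass

@dataclass
class Features:
    verticality: float  # share of total movement along the vertical axis, 0..1
    jerkiness: float    # mean absolute heading change between steps, radians

def extract(trail):
    """trail: list of (t_seconds, x, y) cursor samples from one session."""
    dx_total = dy_total = 0.0
    headings = []
    for (t0, x0, y0), (t1, x1, y1) in zip(trail, trail[1:]):
        dx, dy = x1 - x0, y1 - y0
        if t1 <= t0 or (dx == 0 and dy == 0):
            continue  # drop out-of-order or idle samples
        dx_total += abs(dx)
        dy_total += abs(dy)
        headings.append(math.atan2(dy, dx))
    if not headings:
        return Features(0.0, 0.0)
    # Heading change per step, wrapped into [0, pi] so reversals count as large turns.
    turns = [abs(math.atan2(math.sin(b - a), math.cos(b - a)))
             for a, b in zip(headings, headings[1:])]
    jerk = sum(turns) / len(turns) if turns else 0.0
    return Features(dy_total / (dx_total + dy_total), jerk)

def is_anomalous(session, baseline, vert_margin=0.3, jerk_margin=0.6):
    """True when a session's cursor profile departs from the account's baseline (assumed margins)."""
    s, b = extract(session), extract(baseline)
    return (s.verticality - b.verticality > vert_margin
            or s.jerkiness - b.jerkiness > jerk_margin)

def first_anomalous_window(session, baseline, window=10):
    """Index of the first window that looks foreign, or None if the whole session matches."""
    for start in range(0, len(session) - window + 1, window):
        if is_anomalous(session[start:start + window], baseline):
            return start
    return None

# Constructed trails: the genuine user sweeps smoothly across the page, while the
# remote operator's cursor jumps up and down in short, reversing strokes.
GENUINE = [(0.05 * i, 100 + 25 * i, 300 + (i % 2)) for i in range(20)]
OPERATOR = [(0.05 * i, 400 + (i % 3), 200 + 90 * (i % 2)) for i in range(20)]
# Constructed session that starts as the victim and is taken over by the operator half-way.
TAKEOVER = GENUINE + [(1.0 + t, x, y) for t, x, y in OPERATOR]
if __name__ == "__main__":
    print(is_anomalous(OPERATOR, GENUINE), first_anomalous_window(TAKEOVER, GENUINE))  # True 20
```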

In one Dyre-based fraud case at a top-25 US bank, the attack came from the user’s device. “You could compare the user’s activity [by tracing cursor movements], and it was very different between four days in January 2015.”

Rivner said it looked almost as if the user did not have control of the mouse.

In this attack, a link on the page was clicked, but not by the user. Then the user went away from the bank’s website for about three minutes. Rivner said this was because Dyre lures the user to a fake site to enter sensitive information while, at the same time, it changes the contact phone number the bank holds for the user, enabling the attackers to use that new number to pass themselves off as the user to the bank.

Yet that single click, and brief three-minute break from the website, “was the only thing about that session that was a little bit strange”. The fraud happened weeks later, in June, when a large amount of money was transferred from the account.

In this second phase, the jerky vertical movements of the cursor were the only trace of the attack – “the Dyre operator inside the victim’s computer, almost like a digital signature from the operator”. Yet to the bank, the session appeared to be a normal interaction from the victim with the bank.

“The social engineering of Dyre is perfect,” Rivner said. “It looks like a normal interaction. The bank was surprised, and said everything about these attacks was different, except for the ‘signature’ of the criminal. That same person kept coming back for more and more attacks.”

In another attack, at a top-five British corporate bank, the user received a spoof social engineering message asking which type of device the owner was using to contact the bank.

Fake website

The user was then sent to a fake Dridex website to enter information. As with Dyre, sending the victim to a separate website makes the attackers harder to track, he said.

“The gamechanging part of the new malware is that they use remote access to actually do the fraud, to move money. This is a cloaking device. Dridex and Dyre both redirect people to a fake website and do the social engineering there,” Rivner said.

In another case, at a top-five wealth management bank in the UK, the attackers rang the victim, told him he had a virus, then told him to go to Google and get and install TeamViewer – widely used remote access software – that lets the attackers gain control of the victim’s computer.

They then told the user to go get some coffee and relax while they “ran some tests” to get rid of the virus. Again, on the actual bank site, it appears as if the victim has logged in. “But two minutes in, something changes. Activity gets very erratic.”

Attackers then transferred a significant sum of money from the victim’s account.

Dyre and other RAT attacks can happen anywhere now, said Rivner, on either PCs or mobile devices.

In mobile attacks, fraudsters can remotely lock a device. Though the attackers are at a remote computer, they only need to open the banking application in a browser, without needing the victim’s login details, because the bank site thinks the contact is coming from a trusted device. “You don’t even have to log in. Then you just move money.”

Rivner, who says Dridex is becoming the most dangerous trojan, cautioned that these RATs signal “a gamechanging moment”, as they “neutralise the usual anti-fraud controls”.
