Skip navigation
Industry News

Banking Malware Targets Wire Transfers; Evades Antivirus

The Trojan Dyre (also known as Dyreza) has been around for quite awhile now, terrorizing the banking industry, stealing passwords and enabling malicious hackers to make off with money stolen directly from individual accounts.

Now IBM security researchers are reporting on a recent campaign they’ve dubbed, “The Dyre Wolf” that leverages social engineering to steal account information and money from corporate accounts - resulting in higher payoffs. IBM reports that attackers have stolen upwards of a million dollars using this campaign.

IBM researchers have found that attackers are targeting companies that often conduct high-dollar wire transfers. They also noted that most antivirus tools were unable to detect this Dyre malware variant, suggesting that traditional security solutions aren’t enough to stop password-stealing malware.

Social Engineering to Steal Wire Transfers

The attackers have crafted an elaborate scheme involving a call center to intercept wire transfers. Once infected, users are presented with a fake prompt when they attempt to visit a banking website. The prompt tells the user that the site is experiencing issues, and urges him/her to call a phone number for customer service assistance - effectively stealing both their login and the wire transfer money.

Attackers may target some companies with a DDoS (Distributed Denial-of-Service) attack in order to distract them from finding the wire transfer until it was successfully delivered to their own bank account, a commonly used and effective diversion tactic.

In addition, if the Dyre malware detects that Microsoft Outlook is installed on the user’s computer, it attempts to spread itself via emails and attachments to contacts listed in their email account, according to the IBM report, The Dyre Wolf: Attacks on Corporate Banking Accounts (PDF).

The spread of this malware isn’t slowing down. According to research in October 2014, IBM found that instances of Dyre infection had risen from 500 to nearly 3,500 - an increase of 600 percent.

Moar Banking Malware & Drive-By Downloads

And obviously, Dyre isn’t the only banking trojan out there. Another recent malware campaign targeting more than 15 Canadian financial institutions involves the Neverquest banking trojan, according to SCMagazine.com. Vawtrak, the latest variant of Neverquest, leverages man-in-the-middle attacks, videos and screenshots to steal online banking credentials and log into accounts via remote connections to their PCs to evade detection.

The malware is spread to victims via drive-by download. Drive-by downloads also targeted jQuery.com visitors last September, when a malicious script was added to the website by attackers in an invisible iframe. Visitors were redirected to an exploit kit that installed credential-stealing malware on their machines. Learn more in jQuery Credential-Stealing Attack Targets Sys Admins and Web Developers.

Last October, Spin.com and Popular Science magazine were also hit by drive-by download malware that similarly redirected to an exploit kit that installed data-stealing malware on vistors’ computers. The exploit kit searched for known vulnerabilities in different applications, including those affecting Microsoft IE, Silverlight, Oracle Java SE and Adobe Flash Player.

Find out more about how website owners can check for malicious code and deter infection in University, Online Magazines & JavaScript Sites Hit By Drive-By Malware.

How can you protect your organization from banking malware? IBM’s recommendations include:

  • Reboot after any type of detection
  • Restrict execution of programs from temp folders
  • Maximize network visibility
  • End-user education

They also recommend using the maximum security features available your financial institution’s websites in order to protect corporate bank accounts, including using two-factor authentication with banking sites. IBM recommends enabling two-factor authentication for all users that can login and make transactions. They also suggest using a designated host for corporate banking with separate login credentials that is only allowed to communicate with known or trusted destinations.

To avoid the success of social engineering attempts, it’s good to note that a legitimate bank employee will never ask for login credentials or your two-factor passcode. Learn more about two factor in our Two-Factor Authentication Evaluation Guide.