Skip navigation
industry news

U.K. Bank Customers Targeted With Phishing Campaign and Malware

Dyre - oh, Dyre; the banking Trojan we love to hate - is sticking around, as a recent phishing campaign against U.K. banks revealed. Targets include U.K. customers of Barclays, Royal Bank of Scotland, HSBC (Hongkong and Shanghai Banking Corporation), Lloyds Bank and Santander.

Criminals have sent 19,000 malicious phishing emails equipped with the malware Dyre (also known as Dyreza), in attempts to steal banking credentials. The U.K. phishing emails pretend to be follow-ups from tax consultants that urge users to download attachments to complete financial transactions, while another email attempts to get personal and financial data from the users.

But this certainly isn’t the first time Dyre has been leveraged to target online banking customers and the passwords to their bank accounts.

Last year, a phishing campaign targeted JP Morgan Chase customers, sending out 150,000 phishing emails with exploit kits. The email was titled ‘JPMorgan Chase SecureMail Error’ and it prompted users to download and install a new Java update by clicking on a link.

The link downloaded the exploit kit, checked for certain known Microsoft, Flash and Java vulnerabilities, then installed the Dyre Trojan on their machine. Whenever a user would visit a certain banking site, the malware would effectively steal credentials that could be sold or used to empty customer bank accounts.

Other banks targeted with this malware include Bank of America, NatWest, Citibank, RBS and Ulster Bank, according to

In another incident late last year, Salesforce found that the Dyre Trojan may have been targeting some users, prompting them to recommend the use of their Salesforce Authenticator App that supported time-based one-time passwords (OTPs). Other authentication methods, like push notifications, can provide a more secure, out-of-band authentication experience.

It’s no surprise Dyre has become as popular as it has - as long as banks and customers fail to properly secure their bank accounts and logins with more than just a password, it’ll continue to be effective.

In a talk given by IBM Security’s Etay Maor earlier this year at the RSA Conference, he highlighted the fact that most types of malware decline in the number of attacks over time, but Dyre has continued to work persistently over the past year.

The malware has spawned variants that continue to leverage current vulnerabilities. FireEye recently published security research on new variants of Dyre that exploit a patched vulnerability in Microsoft Windows, CVE-2015-0057. This vulnerability exists in a component of the Windows Kernel which can be exploited to escalate local privileges.

Over 95 percent of web-based application security incidents involve harvesting credentials from customer devices, then logging into web applications with them, according to the 2015 Verizon Data Breach Investigations Report (DBIR). With those kind of figures, the focus of any security professional should be directed at securing remote access.

Protecting against phishing and other credential-harvesting attacks and malware is possible with preventative security measures, like two-factor authentication, which requires the use of a personal device to verify your identity before granting access to your bank account.

Banks and other financial organizations can protect their employees with an advanced, enterprise-level two-factor authentication solution that also gives them insight into the types of devices on their network, as well as who is logging in from where, and when. With advanced policy and controls, organizations can blacklist or whitelist logins from certain locations and types of networks (like anonymous ones). That means you get greater control over who can access your internal network, and a better chance of keeping remote attackers out.

Learn more about two-factor authentication for banking and financial services.