A Dyre Situation: Malware Targets Corporate Banking Accounts

Within the past six months, the FBI has released several bulletins and updates to the banking industry regarding two different malware families: Dyre and Carbanak/Anunak. According to an article on AmericanBanker.com (not affiliated with the ABA), the Dyre malware is being used together with social engineering in order to get around the two-factor authentication typically required by banks for large wire transfers. As a result, $500,000 to over $1 million at a time has been stolen and moved into offshore accounts. We asked Heather Wyson-Constantine, senior director of payments and cybersecurity policy at the American Bankers Association, to discuss in more detail the issues around this disruptive and damaging malware called “Dyre.”

First discovered by researchers in June 2014, the Dyreza or “Dyre” malware has quickly become one of the most prominent banking Trojans targeting corporate customers’ bank accounts today. A system infected with the Dyre malware, which is delivered and downloaded via the Upatre malware through phishing and spam campaigns, will attempt to harvest customers’ information and online banking credentials to conduct unauthorized transfers.

This can lead to significant losses for the corporate customer, as well as reputational damage to and lawsuits against the bank for not identifying and preventing the takeover of the account. According to recent reports, Dyre has infected more than 12,000 targets, which include nearly 250 financial institutions, and has caused millions in known and reported losses. [Editor’s Note: Because the malware infects corporate customers outside of the bank, these losses are not typically covered by insurance.]

Cyber criminals often target their corporate victims through spam and phishing emails designed to pique the recipients’ interest or scare them into opening the email and the attachments or links it contains. For example, emails may purport to originate from business partners submitting an invoice for payment or from law enforcement agencies serving a subpoena. Once the malicious attachment is opened, the Trojan is installed on the user’s machine and then uses web injects to insert objects such as log-in error messages into banking pages and intercept the banking credentials and other sensitive information that is keyed in.

A simple flowchart of the crime is as follows:

Researchers note that the group behind the malware, dubbed Dyre Wolf by security firms, is sophisticated, well-funded and has a working knowledge of banking systems. They have the manpower and infrastructure to integrate social engineering into their scam and to convince victims to contact phony call support centers and provide their passwords and PIN codes to “unlock” accounts. Distributed Denial of Service (DDoS) attacks have also been launched against the targeted banks or organizations to draw attention and resources away from unauthorized account activity and transfers. In addition, the cybercriminals constantly maintain and update the malware to avoid detection by standard security mechanisms and signature-based detection products.

The United States Computer Emergency Readiness Team (US-CERT) recommends that users and administrators employ the following preventive measures to protect their computer networks from phishing campaigns:

Alert (TA14-300A): Phishing Campaign Linked with “Dyre” Banking Malware provides more information, including links to the referenced tips.

An FBI FLASH (FBI Liaison Alert System) bulletin, issued April 2015, outlines technical details, indicators, and IP addresses known to be utilized by the cyber actors to deliver and utilize the Dyre malware. The FBI encourages those who identify the use of the tools or techniques discussed to report the incident and information to the FBI’s 24/7 Cyber Watch, aka “CyWatch,” at 855-292-3937 or CyWatch@ic.fbi.gov. Activity can also be reported to local FBI field offices. Visit fbi.gov/contact-us/field to identify the office nearest you.

To enhance information sharing, banks are also encouraged to join the industry’s Financial Services Information Sharing and Analysis Center (FS-ISAC), which allows financial institutions and their critical technology service providers to anonymously report and monitor cyber threats and vulnerabilities, thereby allowing them to enhance their risk management and internal controls. For more information, visit fsisac.com.

Resources available from the American Bankers Association
The ABA Center for Payments and Cybersecurity is an online resource for ABA members that provides information about evolving cyberthreats, including corporate account takeover and DDoS attacks, any related regulatory guidance or alerts issued by federal agencies, and detailed white papers developed by the ABA or industry groups.

The Small Business Guide to Corporate Account Takeover provides banks with tips and messaging to help their corporate customers protect themselves.

The ABA Bank Risk Newsletter keeps ABA members abreast of current and emerging cyber and fraud threats. Available by subscription and distributed weekly, this e-newsletter summarizes key events, trends, issues and newly released reports relating to physical and cyber security.