If you read this blog regularly, you’ve seen a few posts which mention ‘software vulnerabilities’, especially in browsers. We all take browsers for granted and use them every day for social networking, to research our next purchases and to do our online banking. Using an Internet browser is an integral part of our day. Being at the heart of our daily computing, the humble browser is a favorite target for the cybercriminal. They know we use it regularly, and they know that sensitive details, like login credentials, are entered through it. Because of this, the Internet browser is a cybercriminal’s dream.
Banks, Internet Browsers, Cybercrime, and You
The financial world, and especially the banking sector, has seen a lot of activity in the cyber threat area. Banks now recognize that cybersecurity, or rather insecurity, is their greatest challenge to growth. In their report on “The Cyber Threat to Banking,” PWC and the BBA found that 70% of banking CEOs were concerned about the impact of cybersecurity threats on growth.
And the numbers involved in cyber-theft are astonishing. Homeland Security Research reported that between 2013 and 2015, 600 million customer financial details were stolen through cybercriminal activity.
Just how these thefts are carried out varies, but the general theme is to spread a Trojan, which is a type of malware, by email. The emails are often crafted using social engineering tactics, making them difficult for the average person to recognize as malicious. Once the Trojan is installed, it makes use of vulnerabilities in the user’s browser to steal the login credentials that person enters when logging in to their online bank. With 600 million records stolen, you can see that this process is working and highly lucrative.
Banking Trojans are not new, but they are an example of modern cybersecurity threats. They use sophisticated techniques like social engineering and target banking customers rather than banks themselves – after all, large banks spend countless millions on security, whereas we, the customers, are a much easier target.
Banking Trojans first really took center stage around the mid-2000s with the ‘Zeus’ Trojan. Zeus was a double-edged sword. First, it stole customers’ banking credentials via malware, grabbing the credentials as they were entered through a browser. Second, it used infected machines as part of a botnet to perpetrate DDoS attacks against banks. Other infamous Trojans, such as GOZI and SPYEYE, used keylogging malware to steal a user’s banking credentials. More recent Trojans such as TINBA use exploit kits to infect users and steal login credentials.
What is most worrying is that these banking Trojans are easily available for purchase on the dark web. A hacker known as ‘Lordfenix’ is known to have developed over 100 banking malware programs, selling them for around $320 each. All a cybercriminal has to do is set up a cloud server to collect data and install the Trojan on an unsuspecting banking customer’s machine, for example using a phishing email; they can then sit back and pull in the $$$.
A Dyre Warning
In 2014, we saw the entry of the Dyre Trojan onto the cyber threat scene. Dyre is a Trojan which uses social engineering to infect banking customers’ machines. It is set up so that it can be used to defraud customers of over 1000 banks across the world, but it particularly targets UK and U.S. banks. One of the neat things about this type of Trojan, from a cybercriminal’s perspective, is that it can be ‘updated’ remotely. It achieves this because the malware is linked to a ‘command and control’ (C&C) remote server – this is where the malware is controlled and updated from. This is highly sophisticated software development; your average anti-virus software cannot hope to handle such a fluid and moving target.
Targeting You
The Dyre Trojan does not target banks directly - instead, it targets banking customers. Infection is usually via a phishing email. Phishing emails are a very successful infection vector. If they are spear phishing emails, i.e. tailored to an individual, then they are even more successful, with a reported 70% open rate. The Dyre Trojan doesn't arrive directly on your desktop; instead, an attachment in the email, when clicked, directs you to a malicious site which installs a special downloader, and that downloader manages the download and installation of the Dyre Trojan.
Once infected, Dyre will perform a ‘Man-in-the-Middle’ or MitM attack. It is specifically designed to compromise the most popular browsers, i.e. Internet Explorer, Chrome, and Firefox. The Trojan monitors all of your web visits. Once it recognizes a URL, it auto-redirects to a spoof site. This site is set up to look just like the real one, a legitimate banking site. Dyre will then steal the credentials used to log in to the spoofed bank site. Variants of the Trojan will also display fake pages that request additional identity information, saying ‘they can't recognize the user.' This can be identity attributes such as your social security number, date of birth and so on – all valuable information for cybercriminals that can be sold to commit further fraud such as identity theft.
If you become infected with a Dyre Trojan, you may not know about it until you find that funds have been removed from your bank account.
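One defender-side check for the redirection pattern described above, written here as an added example that is not from the original post or from WatchPoint: it scans a constructed web-proxy log (the line format, the protected bank domain examplebank.com and the 30-second window are all assumptions) and flags any client that requests a look-alike host shortly after visiting the genuine bank domain.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not from any real product or incident):
#   <ISO timestamp> <client_ip> <url>
SAMPLE_LOG = """\
2015-03-01T09:00:01 10.0.0.5 https://www.examplebank.com/login
2015-03-01T09:00:02 10.0.0.5 https://www.examplebank.com.secure-check.net/login
2015-03-01T09:00:20 10.0.0.5 https://examplebank-verify.example/identity
2015-03-01T09:01:00 10.0.0.7 https://www.examplebank.com/login
2015-03-01T09:01:01 10.0.0.7 https://www.examplebank.com/account
2015-03-01T09:20:00 10.0.0.7 https://news.example/examplebank-results
"""

BANK_DOMAINS = {"examplebank.com"}   # assumed: registrable domains we protect
WINDOW = timedelta(seconds=30)       # assumed: how soon after a bank visit a hop is suspicious
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def looks_like(host, bank_domain):
    """True if a host outside the bank's own domain borrows the bank's name."""
    name = bank_domain.split(".")[0]
    return name in host.lower() and registrable_domain(host) != bank_domain

def find_suspicious_hops(log_text):
    """Return (client, bank_url, spoof_url) for every request to a look-alike
    host made shortly after the same client visited the genuine bank domain."""
    last_bank = {}   # client -> (timestamp, url) of its latest genuine bank request
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip malformed lines rather than stop the monitor
        ts, client, url = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        host = urlsplit(url).hostname or ""   # only the hostname counts, never the path
        if registrable_domain(host) in BANK_DOMAINS:
            last_bank[client] = (ts, url)
            continue
        prev = last_bank.get(client)
        if prev and ts - prev[0] <= WINDOW:
            for bank in BANK_DOMAINS:
                if looks_like(host, bank):
                    hits.append((client, prev[1], url))
    return hits

if __name__ == "__main__":
    for client, real, spoof in find_suspicious_hops(SAMPLE_LOG):
        print(f"{client}: {real} -> {spoof}")
```

On the sample log only client 10.0.0.5 is reported, twice; the 10.0.0.7 request whose path merely mentions the bank is left alone because the check looks at the hostname, not the URL path.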
Taking Care of Business
The Dyre Trojan is a great example of how cybercrime uses our own human behavior against us. It also demonstrates, through its use of evolving software controlled by a C&C server, that we need a more modern and pro-active approach to dealing with this ever more sophisticated cyber-threat. We have to beat the cybercriminals at their own game, using even more clever techniques against them. Security analysis and monitoring in the form of threat analytics are the good guys’ weapon against the tricks that Advanced Persistent Threats like Dyre play on us.
With WatchPoint's Security Solution you will:
Know someone is securing your business.
Have true visibility into your digital assets.
Have a support staff dedicated to safeguarding your network.