The top online banking fraud cybergang, Dridex, has recently stepped up its attacks and added ransomware to its repertoire.
Dridex malware already accounts for half the financial cybercrime against financial institutions, according to the security firm
"We've had peak periods when it's more than that," said Kevin Haley, director of security response at Symantec, including some high peaks earlier this year.
This is a threat to banks' online banking security on multiple levels. Not only are hackers breaking into employee and customer computers to steal online banking credentials and commit fraud, they're also learning how to lock files and drives throughout a company's network, rendering it helpless until it pays a ransom, as Presbyterian Hospital in Hollywood found out in February.
How Dridex Works
"Dridex is the 800-pound gorilla in the banking Trojan space," said Stu Sjouwerman, founder of the security firm KnowBe4. "They are a large Russian cybergang that's been in that space for years, and they have a sizable infrastructure already in place with their highly sophisticated banking Trojans."
Dridex programmers offer their banking Trojan to other cybercriminals in an underground twist on the
Not just anyone can buy it, though. You have to know the right people.
"They make malware available through a service offered to a limited clientele," said John Miller, director of the ThreatScape Cyber Crime service at iSIGHT Partners, a security research and analysis company owned by FireEye. "Then those clients, once they've distributed copies of the malware they receive through the subscription, are able to exploit compromised machines in their fraud operations."
Like most malware, Dridex (which also goes by the names Cridex and Bugat) usually worms its way onto computers through phishing attacks. Fake emails containing malicious files are sent to unsuspecting victims, who click on them and allow malware to seep into their computers. The malware lurks on the user's computer, watching everything she does and waiting for her to do some online banking, at which point it uses keystroke logging or web
The Dridex Trojan is programmed to look for 300 financial institutions, mostly in the U.S. and U.K., including the largest American banks. "They add more and more financial institutions to the list all the time," Haley said. "They want to get the biggest bang for the buck."
In October, the FBI estimated at least $10 million in losses in the U.S. could be attributed to Dridex.
At the same time, the Department of Justice announced that it, the FBI and the U.K.'s National Crime Agency had disrupted the Dridex botnet. A Moldovan administrator of the botnet, Andrey Ghinkul, was arrested on August 28, 2015 in Cyprus.
"Through a technical disruption and criminal indictment we have struck a blow to one of the most pernicious malware threats in the world," a U.S. attorney declared at the time.
However, early this year, a wave of phishing emails unleashed more Dridex malware into the wild than ever before, according to Symantec.
Brian Krebs, author of the popular blog
"If the authorities want to go after these groups, what they need to do is compromise or backdoor the
The Dridex gang's recovery from the FBI sting also shows how well it's run, Haley observed.
"Like a real company, there's a lot of effort to be resilient, to be able to stay in business and do disaster planning," he said. "Clearly, having members of your gang arrested should be a disaster. But to pick off one or two people is not enough. The botnet that they control has a peer-to-peer quality. It's very difficult to take down and you could cut off one head but multiple other heads remain."
New Product Line: Ransomware
While the Dridex group's phishing and online banking fraud work hasn't abated, it's recently added ransomware as a sideline. Ransomware is malware that encrypts and locks the files on a user's computer and sends a message demanding payment in order for the files to be unlocked.
"We've seen the distribution operations that are used to support Dridex also spreading Locky, a type of ransomware," Miller said.
In January, the FBI warned of the rise of ransomware. "Ransomware has been around for several years, but there's been a definite uptick lately in its use by cyber criminals," the agency said in a press release.
"Everybody's getting more into ransomware, why wouldn't you?" Krebs said. "It's a no-brainer. Two percent of the people pay. You just have to be prolific, that's all."
Right now, such attacks are opportunistic, Krebs said. "The ransomware attacks will get a lot more expensive, and soon," he said.
Sjouwerman is certain banks are being targeted by the ransomware.
"You will never find a bank that's willing to admit it has been targeted, has been infected and paid a ransom," he said. "That would be an immediate loss of half their deposits. It ain't going to happen. However, I'm sure they're being targeted."
And ransomware has dangers beyond the initial computer it hits.
"They're not just trying to infect your workstation and lock your files on your workstation; they're trying to go for any network drive they can find," Sjouwerman said. "That's where the risk is. This is what happened at
Why People Fall for It
The Dridex perpetrators have gotten good at disguising malware as an invoice in their phishing attacks.
"If you got a bill in an email that looks like it came from someone you did business with, you're liable to click on it just to see what's going on," Haley said. "That's one of the things that make these guys so effective."
Krebs said in some cases, hackers will post fake resumes on job boards and collect the emails of people who respond to them — people in charge of HR and hiring.
"They target those people with phishing, so they can get access to their accounts and before you know it they've spammed the world with this stuff," including the people applying for the jobs, he said. "It's easy to say, 'Why do people click on this stuff?' But if you've been out of work for six months and you're looking at being able to make your rent payment, and someone offers you a work-from-home job to make two grand a month, a lot of people would say, 'Hey, that's exactly what I need.' They're not asking too many questions."
It's also easy for malware to exactly spoof an email address, Sjouwerman pointed out, as he sent me an email that appeared to be from my own account. An email directly from your boss's or CEO's email address is hard to ignore.
The Best Defenses
Attacks like Dridex are hard for banks to block because they have no control over their customers' computers. They can, of course, try to stop the malware from creeping into employees' desktops. Education and two-factor authentication are the two best ways to prevent employees from clicking on malicious email attachments.
"Defense in depth starts with the outer layer — the mushy, human layer of policy, procedure and awareness," Sjouwerman said. "If you get a request from your CEO, it's OK to say no to your CEO and double-check and text or call him. You need to have a policy in place." He also advises conducting phishing tests to see if employees will click on things they shouldn't.
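Spoofing a From: address is as easy as Sjouwerman demonstrated, so the double-check policy can be backed by a mechanical check at the mail gateway. The following Python is an added example, not code from the article or from any firm quoted in it; the internal domain, the Authentication-Results lines and the three messages are constructed. It flags inbound mail that claims an internal sender but carries no SPF or DKIM pass aligned to that domain.

```python
# Added illustration (not the article's code): flag mail whose From: claims our
# domain but was not authenticated as ours. Domain and messages are constructed.
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "example-bank.test"   # assumed internal domain

# Constructed samples: a spoof of an internal address, genuine internal mail,
# and genuine external mail, as our MX would annotate them.
SPOOFED = b"""Authentication-Results: mx.example-bank.test; spf=fail smtp.mailfrom=ceo@example-bank.test; dkim=none
From: CEO <ceo@example-bank.test>
Subject: Urgent invoice payment

Please pay the attached invoice today.
"""
LEGIT = b"""Authentication-Results: mx.example-bank.test; spf=pass smtp.mailfrom=ceo@example-bank.test; dkim=pass header.d=example-bank.test
From: CEO <ceo@example-bank.test>
Subject: Board deck

Attached.
"""
EXTERNAL = b"""Authentication-Results: mx.example-bank.test; spf=pass smtp.mailfrom=vendor@supplier.test; dkim=pass header.d=supplier.test
From: Vendor <vendor@supplier.test>
Subject: Invoice 1234

See attached.
"""

def from_domain(msg) -> str:
    """Domain part of the RFC 5322 From: address, lower-cased."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()

def authenticated_as(auth_results: str, domain: str) -> bool:
    """spf=pass for a MAIL FROM at `domain`, or dkim=pass with d=`domain`
    (DMARC-style alignment: the pass must be for OUR domain, not just any)."""
    hdr, dom = auth_results.lower(), re.escape(domain)
    spf_ok = re.search(rf"spf=pass[^;]*smtp\.mailfrom=[^\s;]*@{dom}\b", hdr)
    dkim_ok = re.search(rf"dkim=pass[^;]*header\.d={dom}\b", hdr)
    return bool(spf_ok or dkim_ok)

def is_spoofed_internal(raw_message: bytes) -> bool:
    """Claims an internal sender but carries no aligned SPF/DKIM pass. Genuine
    internal mail relayed via an unauthenticated third party trips this too."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if from_domain(msg) != OUR_DOMAIN:
        return False   # external senders are out of scope for this check
    return not authenticated_as(str(msg.get("Authentication-Results", "")), OUR_DOMAIN)
```

A flagged message is the cue for the "call or text him" step rather than an automatic drop, since legitimate internal mail relayed through an unauthenticated third party will also trip it.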
To fight ransomware, Sjouwerman recommends blocking all emails with
Fraud detection software is the next line of defense, to spot the signs of unusual activity and block fraudulent money transfers.
But perhaps the best defense against ransomware is good backup. If a company knows its files and applications are well-replicated, it can say no to a ransom demand, shut down the infected machine and start fresh on a new computer.
There are and will continue to be other threats to online banking security. Mastering a defense against Dridex could go a long way toward deflecting others.
Editor at Large Penny Crosman welcomes feedback at