Crooks have stolen £20m from UK bank accounts with the Dridex banking trojan

Pierluigi Paganini October 15, 2015

The NCA has uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.

The UK’s National Crime Agency is investigating cyber attacks on British bank accounts that allowed the criminals to steal £20m from the victims. The attackers used the notorious Dridex banking trojan to harvest victims’ online banking details and steal money from their accounts.

“Global financial institutions and a variety of different payment systems have been particularly targeted,” states an alert issued by the NCA.

The news doesn’t surprise security industry experts: in early October, researchers at Palo Alto’s intelligence team discovered a still ongoing large phishing campaign based on the Dridex banking malware.

The phishing campaign is targeting victims mainly in the UK, the malicious messages include a Microsoft Word document that entices users to enable macros. The macros are used to enable the downloading of the Dridex banking malware from domains controlled by the attackers.

[Image: Dridex map]

The phishing messages refer to a business or retail order and ask for payment; the malicious attachment pretends to be an invoice, but the victim is presented with a dialog box asking them to enable macros in order to view the document correctly.
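A defensive triage check for the delivery vector described above, added here as an example and not code from the original article or from the NCA or Palo Alto: it flags Word attachments that carry a VBA project (the “enable macros” lure) so a mail gateway can quarantine them before the user ever sees the dialog. The sample attachments are constructed in memory, not real Dridex documents.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML Word package (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # In a real file this stream holds the VBA project.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"placeholder")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML Word package contains a VBA project stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML at all


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Gateway triage: 'quarantine', 'review' or 'pass' with the reason."""
    name = filename.lower()
    if has_vba_project(data):
        # Invoice lures ship as macro-enabled docs; don't let the user decide.
        return {"file": filename, "verdict": "quarantine",
                "reason": "OOXML document carries a VBA project"}
    if data.startswith(OLE_MAGIC) or name.endswith(".doc"):
        # Legacy binary .doc can hold macros too, but needs an OLE parser
        # (e.g. oletools) to confirm; route to analyst review.
        return {"file": filename, "verdict": "review",
                "reason": "legacy OLE document, macro check needs OLE parser"}
    return {"file": filename, "verdict": "pass", "reason": "no VBA project found"}


if __name__ == "__main__":
    for fname, blob in [("invoice.docm", build_sample(True)),
                        ("order.docx", build_sample(False)),
                        ("invoice.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(inspect_attachment(fname, blob))
```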

The NCA, with the support of the FBI and other law enforcement, is hunting the cyber criminals behind the hacking campaign.

One expert told the BBC the attackers had been particularly cunning to avoid being detected.

“This is very sneaky software that relied on people not being vigilant with their online banking,” said Prof Alan Woodward, a cybersecurity expert who advises Europol. “If you imagine thieves making lots of little transactions, rather than one big one, it is more likely to go unnoticed.”

Once the Dridex banking Trojan has infected a machine, it eavesdrops on the user entering bank account credentials and sends the data back to the command and control server. As Prof Woodward explained, the crooks are able to operate without raising suspicion because their transactions do not match the classic fraud patterns detected by banking systems.

“Banks have software running constantly in the background looking for suspicious transactions, but criminals are adopting patterns that are not flagged up,” explained Woodward. “With thousands of computers infected, they only need to take a small amount from each bank account and suddenly they’ve got millions.”

The British NCA is “sinkholing” the Trojan with the support of internet service providers. Sinkholing prevents stolen data from reaching the crooks: law enforcement interferes with the communication between the Dridex banking trojan and its control server, or seizes the C&C infrastructure in order to analyze the infection.

“The NCA is conducting activity to ‘sinkhole’ the malware, stopping infected computers – known as a botnet – from communicating with the cyber criminals controlling them. This activity is in conjunction with a US sinkhole, currently being undertaken by the FBI. The agency’s National Cyber Crime Unit (NCCU) have rendered a large portion of the botnet harmless and are now initiating remediation activity to safeguard victims,” claims the alert.

The authorities have already identified suspects: the US Department of Justice had a Moldovan man, Andrey Ghinkul, arrested in Cyprus this summer and is seeking his extradition.

“This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to be made,” said Mike Hulett, Head of Operations at the National Crime Agency’s National Cyber Crime Unit (NCCU).

As usual, let me suggest that you update your systems and software and install an antivirus solution, but most important is to assume a proper security posture. Be wary of unsolicited emails, especially those claiming to come from financial institutions, and never open unexpected email attachments. Another good practice is to check your bank account regularly and report any suspicious transactions immediately.

Pierluigi Paganini

(Security Affairs –  Dridex banking Trojan, malware)
