Crooks have stolen £20m from UK bank accounts with the Dridex banking trojan

The NCA has uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.

The UK’s National Crime Agency (NCA) is investigating cyber attacks on British bank accounts that allowed criminals to steal £20m from their victims. The attackers used the notorious Dridex banking trojan to harvest victims’ online banking credentials and drain their accounts.

“Global financial institutions and a variety of different payment systems have been particularly targeted,” states an alert issued by the NCA.

The news does not surprise the security industry: in early October, researchers at Palo Alto Networks uncovered a large, still ongoing phishing campaign distributing the Dridex banking malware.

The campaign mainly targets victims in the UK. The malicious messages carry a Microsoft Word document that entices the recipient to enable macros; once enabled, the macros download the Dridex banking malware from domains controlled by the attackers.

The phishing messages refer to a business or retail order and request payment, and the attachment poses as the invoice. When the victim opens it, a dialog box asks them to enable macros in order to view the document correctly.
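The lure described above works because a document that arrives as an "invoice" is rarely checked for macro capability before it reaches the user. The following is an added example written for this article (not code from Security Affairs, the NCA or any vendor) showing the container-level check a mail gateway can apply: it recognises macro-enabled OOXML packages (`word/vbaProject.bin` or the macro-enabled content type) and the `Macros` storage of legacy OLE2 `.doc` files, and quarantines macro-capable documents whose file name plays the invoice/order lure. The sample attachments are constructed in memory; the file names, lure words and the OLE2 heuristic are assumptions for illustration, not indicators taken from the campaign.

```python
"""Triage a Word attachment for the macro-dropper pattern described above.

Added example for this article, not code from Security Affairs or from any
named vendor. It inspects only the file container; a production gateway would
extract and analyse the VBA itself (e.g. with oletools).
"""
import io
import zipfile

# OOXML content type that marks a macro-enabled Word document (.docm)
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Legacy binary Office files (.doc) start with the OLE2 compound-file signature
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Words the lure in the article used to disguise the dropper (assumed list)
LURE_WORDS = ("invoice", "order", "payment", "receipt")


def inspect_attachment(filename, data):
    """Return a dict describing the container and whether it can carry VBA."""
    result = {"filename": filename, "container": "unknown",
              "has_vba": False, "lure_name": False, "reasons": []}

    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        # Directory entry names in OLE2 are stored as UTF-16LE; Word keeps a
        # VBA project in a storage called "Macros". Heuristic, not a parser.
        if "Macros".encode("utf-16-le") in data:
            result["has_vba"] = True
            result["reasons"].append("OLE2 file contains a 'Macros' storage")
    elif data.startswith(b"PK\x03\x04"):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                if "word/vbaProject.bin" in names:
                    result["has_vba"] = True
                    result["reasons"].append("package contains word/vbaProject.bin")
                if "[Content_Types].xml" in names:
                    types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    if MACRO_CONTENT_TYPE in types_xml:
                        result["has_vba"] = True
                        result["reasons"].append("content type is macro-enabled Word")
        except zipfile.BadZipFile:
            result["reasons"].append("corrupt OOXML package")

    result["lure_name"] = any(word in filename.lower() for word in LURE_WORDS)
    return result


def verdict(result):
    """Quarantine macro-capable documents that pose as invoices or orders."""
    if result["has_vba"] and result["lure_name"]:
        return "quarantine"
    if result["has_vba"]:
        return "hold-for-review"
    return "deliver"


def build_sample_docm(with_macros):
    """Construct a minimal OOXML package in memory (sample data, not real Dridex)."""
    plain_ct = ("application/vnd.openxmlformats-officedocument."
                "wordprocessingml.document.main+xml")
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Override PartName="/word/document.xml" ContentType="%s"/>'
             % (MACRO_CONTENT_TYPE if with_macros else plain_ct)]
    if with_macros:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()


if __name__ == "__main__":
    # The lure names the macro document ".doc" so it looks like a plain file.
    for name, blob in (("Invoice_4471.doc", build_sample_docm(True)),
                       ("minutes.docx", build_sample_docm(False))):
        r = inspect_attachment(name, blob)
        print(name, r["container"], r["has_vba"], verdict(r), r["reasons"])
```

The check deliberately keys on what the file can do (carry VBA) rather than on the extension, since the campaign's attachments carried macro-enabled content under ordinary document names.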

The NCA, with the support of the FBI and other law enforcement, is hunting the cyber criminals behind the hacking campaign.

One expert told the BBC that the attackers had been particularly cunning in avoiding detection.

“This is very sneaky software that relied on people not being vigilant with their online banking,” said Prof Alan Woodward, a cybersecurity expert who advises Europol. “If you imagine thieves making lots of little transactions, rather than one big one, it is more likely to go unnoticed.”

Once Dridex has infected a machine, it intercepts the online banking credentials its user enters and sends them back to the command and control (C&C) server. As Prof Woodward explained, the crooks then operate without raising suspicion by avoiding the classic fraud patterns that banking systems detect.

“Banks have software running constantly in the background looking for suspicious transactions, but criminals are adopting patterns that are not flagged up,” explained Woodward. “With thousands of computers infected, they only need to take a small amount from each bank account and suddenly they’ve got millions.”
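Woodward's point is that a per-transaction rule never sees the pattern, because each theft stays under the review limit. What does catch it is aggregation across accounts: many distinct payers funding one beneficiary in a short window. The following is an added example written for this article (not code from any bank or from Security Affairs) that puts the two detectors side by side on a constructed batch of payments; the account names, amounts, the 250 GBP limit and the window parameters are assumptions chosen for illustration.

```python
"""Catch the 'many small transfers' pattern Woodward describes.

Added example for this article, not code from any bank or from Security
Affairs. Transactions, accounts and thresholds are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PER_PAYMENT_THRESHOLD = 250.0   # assumed per-transaction review limit the crooks stay under


def T(hhmm, src, dst, amount):
    """Build a constructed payment record on one sample day."""
    return {"ts": datetime(2015, 10, 13, int(hhmm[:2]), int(hhmm[2:])),
            "src": src, "dst": dst, "amount": float(amount)}


# Constructed: eight compromised customers each send a sub-threshold amount to
# the same never-before-seen beneficiary within a few hours; three ordinary
# payments, one above the per-payment limit, are mixed in.
SAMPLE = [
    T("0902", "ACC-1001", "MULE-77", 180),
    T("0915", "ACC-1002", "MULE-77", 210),
    T("0931", "ACC-1003", "MULE-77", 140),
    T("0958", "ACC-1004", "MULE-77", 199),
    T("1010", "ACC-1005", "MULE-77", 230),
    T("1047", "ACC-1006", "MULE-77", 160),
    T("1120", "ACC-1007", "MULE-77", 205),
    T("1203", "ACC-1008", "MULE-77", 175),
    T("0830", "ACC-2001", "UTIL-GAS", 62),
    T("0900", "ACC-2002", "RENT-LANDLORD", 800),
    T("1300", "ACC-2003", "UTIL-GAS", 48),
]


def flag_by_amount(txns, threshold=PER_PAYMENT_THRESHOLD):
    """The classic per-transaction rule: only the one large payment trips it."""
    return [t for t in txns if t["amount"] > threshold]


def flag_fan_in(txns, window=timedelta(hours=6), min_sources=5, min_total=500.0):
    """Aggregate across accounts: alert when many distinct payers fund one
    beneficiary inside a sliding time window, regardless of each amount.
    Reports, per beneficiary, the window with the most distinct payers."""
    by_dst = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        by_dst[t["dst"]].append(t)

    alerts = []
    for dst, payments in by_dst.items():
        best = None
        lo = 0
        for hi in range(len(payments)):
            # advance the left edge until the window spans at most `window`
            while payments[hi]["ts"] - payments[lo]["ts"] > window:
                lo += 1
            span = payments[lo:hi + 1]          # recomputed per step; fine for a demo
            sources = {p["src"] for p in span}
            total = sum(p["amount"] for p in span)
            if (len(sources) >= min_sources and total >= min_total
                    and (best is None or len(sources) > best["sources"])):
                best = {"beneficiary": dst, "sources": len(sources),
                        "total": round(total, 2),
                        "first": span[0]["ts"], "last": span[-1]["ts"]}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    print("per-payment rule flags:", [t["dst"] for t in flag_by_amount(SAMPLE)])
    for a in flag_fan_in(SAMPLE):
        print("fan-in alert:", a["beneficiary"], a["sources"], "payers,",
              a["total"], "GBP between", a["first"].time(), "and", a["last"].time())
```

The amount rule flags only the legitimate 800 GBP rent payment, while the fan-in rule surfaces the mule account that received eight small payments totalling almost 1,500 GBP. In practice the beneficiary key would be the sort code and account number, and "never-before-seen beneficiary" would be an additional feature rather than something the sample encodes.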

The NCA is “sinkholing” the trojan with the support of internet service providers. Sinkholing prevents stolen data from reaching the crooks: the communication between the infected machines and the control server is cut off, either by interfering with the bots’ traffic to the C&C (typically by redirecting the C&C domain names to a server operated by law enforcement) or by seizing the C&C infrastructure itself, which also lets investigators analyze the infection and identify the victims.

“The NCA is conducting activity to ‘sinkhole’ the malware, stopping infected computers – known as a botnet – from communicating with the cyber criminals controlling them. This activity is in conjunction with a US sinkhole, currently being undertaken by the FBI. The agency’s National Cyber Crime Unit (NCCU) have rendered a large portion of the botnet harmless and are now initiating remediation activity to safeguard victims,” claims the alert.
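The mechanism the alert describes works at the name-resolution layer: lookups for the seized C&C domains are answered with an address law enforcement controls, so the bots connect to a harmless server and, in doing so, reveal themselves. The following is an added example written for this article (it is not the NCA's or FBI's tooling) of such a DNS sinkhole policy: it matches seized domains and all their subdomains by label, answers them with the sinkhole address, logs each querying host, and groups the resulting victim list by network for ISP notification. The domain names, client addresses and the `/24` grouping are invented placeholders.

```python
"""A DNS-layer sinkhole of the kind the NCA alert describes.

Added example for this article; not the NCA's or FBI's tooling. The C&C domain
names and client addresses below are invented placeholders.
"""
from datetime import datetime, timezone


def normalize(name):
    """Lower-case and strip the trailing dot so 'Evil.EXAMPLE.' == 'evil.example'."""
    return name.strip().rstrip(".").lower()


class DnsSinkhole:
    def __init__(self, c2_domains, sinkhole_ip):
        self.c2_domains = {normalize(d) for d in c2_domains}
        self.sinkhole_ip = sinkhole_ip
        self.hits = []          # one record per sinkholed lookup

    def is_sinkholed(self, qname):
        """Exact match or any subdomain of a seized C&C domain, by label."""
        labels = normalize(qname).split(".")
        # tries 'a.b.c2.example', 'b.c2.example', 'c2.example', 'example'
        return any(".".join(labels[i:]) in self.c2_domains for i in range(len(labels)))

    def resolve(self, client_ip, qname, upstream, now=None):
        """Answer a query: seized names go to the sinkhole, everything else upstream."""
        if self.is_sinkholed(qname):
            self.hits.append({"client": client_ip, "qname": normalize(qname),
                              "ts": now or datetime.now(timezone.utc)})
            return self.sinkhole_ip
        return upstream(normalize(qname))

    def infected_hosts(self):
        """Distinct client addresses that tried to reach the C&C: the victim list."""
        return sorted({h["client"] for h in self.hits})

    def victims_by_network(self, prefix_of):
        """Group victims by the network that owns them, for ISP notification."""
        out = {}
        for ip in self.infected_hosts():
            out.setdefault(prefix_of(ip), []).append(ip)
        return out


def slash24(ip):
    """Placeholder for a real IP-to-ISP lookup: group by /24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def run_demo():
    """Feed a constructed query log through the sinkhole and return it."""
    sink = DnsSinkhole(["c2-update.example"], sinkhole_ip="203.0.113.10")
    upstream = lambda name: "203.0.113.5"      # stand-in for a normal resolver
    queries = [
        ("198.51.100.23", "c2-update.example"),          # bot beacon
        ("198.51.100.23", "shop.example.net"),           # ordinary traffic
        ("192.0.2.77", "Panel.C2-UPDATE.example."),      # subdomain, odd case, trailing dot
        ("198.51.100.23", "c2-update.example"),          # same bot again
        ("192.0.2.78", "notc2-update.example"),          # must NOT match: not a subdomain
    ]
    answers = [sink.resolve(ip, q, upstream) for ip, q in queries]
    return sink, answers


if __name__ == "__main__":
    sink, answers = run_demo()
    print("answers:", answers)
    print("infected hosts:", sink.infected_hosts())
    print("to notify:", sink.victims_by_network(slash24))
```

Matching by label rather than substring matters: `notc2-update.example` must resolve normally, while every subdomain of the seized zone must land in the sinkhole, because banking trojans commonly rotate hostnames under a domain they control.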

The authorities have already identified suspects: this summer a Moldovan man, Andrey Ghinkul, was arrested in Cyprus in a US Department of Justice case, and the US is seeking his extradition.

“This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to be made,” said Mike Hulett, Head of Operations at the National Crime Agency’s National Cyber Crime Unit (NCCU).

As usual, keep your systems and software up to date and install an antivirus solution, but most important is to adopt a proper security posture. Be wary of unsolicited emails, especially those that appear to come from financial institutions, and never open unexpected attachments or enable macros in a document you did not expect to receive. Another good practice is to check your bank account regularly and report any suspicious transaction immediately.

Pierluigi Paganini

(Security Affairs –  Dridex banking Trojan, malware)

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
