Crooks have stolen £20m from UK bank accounts with the Dridex banking trojan

The NCA has uncovered a series of cyber attacks based on a new strain of the Dridex banking trojan that allowed crooks to steal £20m in the UK alone.

The UK’s National Crime Agency is investigating on cyber attacks on British bank accounts that allowed the criminals to steal £20m from the victims. The attackers have used the notorious Dridex banking trojan to harvest victims’ online banking details and steal money from their accounts.

“Global financial institutions and a variety of different payment systems have been particularly targeted,” states an alert issued by the NCA.

The news doesn’t surprise experts in the security industry: in early October, researchers at Palo Alto Networks discovered a still ongoing, large-scale phishing campaign distributing the Dridex banking malware.

The phishing campaign is targeting victims mainly in the UK. The malicious messages carry a Microsoft Word document that entices users to enable macros; once enabled, the macros download the Dridex banking malware from domains controlled by the attackers.

The phishing messages refer to a business or retail order and ask for payment. The malicious attachment pretends to be an invoice, but the victim is presented with a dialog box asking them to enable macros in order to view the document correctly.

The NCA, with the support of the FBI and other law enforcement agencies, is hunting the cyber criminals behind the campaign.

One expert told the BBC the attackers had been particularly cunning in avoiding detection.

“This is very sneaky software that relied on people not being vigilant with their online banking,” said Prof Alan Woodward, a cybersecurity expert who advises Europol. “If you imagine thieves making lots of little transactions, rather than one big one, it is more likely to go unnoticed.”

Once the Dridex banking Trojan has infected a machine, it eavesdrops on the user entering their bank account credentials and sends the data back to the command and control server. As Prof Woodward explains, the crooks are able to operate without raising suspicion because their transactions do not match the classic fraud patterns detected by banking systems.

“Banks have software running constantly in the background looking for suspicious transactions, but criminals are adopting patterns that are not flagged up,” explained Woodward. “With thousands of computers infected, they only need to take a small amount from each bank account and suddenly they’ve got millions.”
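The evasion Woodward describes defeats rules that look at one customer's transactions in isolation. The following added example (not code from the article or from any bank) contrasts a per-transaction threshold with a cross-account rule that aggregates by beneficiary, so that many small transfers from distinct victims to one receiving account stand out. All account identifiers, thresholds and transfer amounts are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payer: str         # customer account debited
    beneficiary: str   # account credited
    amount: float      # GBP


# Constructed sample: six distinct customers each send a sum well under the
# per-transaction review threshold to the same beneficiary, alongside ordinary
# payments that should not be flagged.
SAMPLE_TRANSFERS = [
    Transfer(f"ACC-{i:03d}", "BEN-MULE", 150.0) for i in range(1, 7)
] + [
    Transfer("ACC-001", "BEN-UTILITY", 62.5),
    Transfer("ACC-002", "BEN-UTILITY", 71.0),
    Transfer("ACC-003", "BEN-RETAILER", 899.0),
    Transfer("ACC-009", "BEN-LANDLORD", 1200.0),
]


def per_transaction_alerts(transfers, ceiling=500.0):
    """Classic single-transaction rule: flag only transfers at or above
    `ceiling`. Returns the payers whose individual transfers trip the rule."""
    return sorted({t.payer for t in transfers if t.amount >= ceiling})


def flag_shared_beneficiaries(transfers, min_payers=5, max_amount=500.0):
    """Cross-account rule: a beneficiary credited with small amounts (below
    `max_amount`) by at least `min_payers` distinct payers is suspicious,
    even though no single transfer trips the per-transaction ceiling.
    Returns {beneficiary: (distinct_payer_count, total_amount)}."""
    payers = defaultdict(set)
    totals = defaultdict(float)
    for t in transfers:
        if t.amount < max_amount:
            payers[t.beneficiary].add(t.payer)
            totals[t.beneficiary] += t.amount
    return {b: (len(p), round(totals[b], 2))
            for b, p in payers.items() if len(p) >= min_payers}


if __name__ == "__main__":
    print("per-transaction rule:", per_transaction_alerts(SAMPLE_TRANSFERS))
    print("shared-beneficiary rule:", flag_shared_beneficiaries(SAMPLE_TRANSFERS))
```

The per-transaction rule flags only the two large legitimate payments, while the beneficiary aggregation surfaces the mule account that collected 900 GBP in 150 GBP pieces.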

The British NCA is “sinkholing” the Trojan with the support of internet service providers. In practice, law enforcement prevents stolen data from reaching the crooks, usually by interfering with the communication between the Dridex banking trojan and its control server, or by seizing the C&C infrastructure in order to analyze the infection.

“The NCA is conducting activity to ‘sinkhole’ the malware, stopping infected computers – known as a botnet – from communicating with the cyber criminals controlling them. This activity is in conjunction with a US sinkhole, currently being undertaken by the FBI. The agency’s National Cyber Crime Unit (NCCU) have rendered a large portion of the botnet harmless and are now initiating remediation activity to safeguard victims,” claims the alert.

The authorities have already identified suspects: this summer the US Department of Justice had a Moldovan man, Andrey Ghinkul, arrested in Cyprus and is seeking his extradition.

“This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to be made,” said Mike Hulett, Head of Operations at the National Crime Agency’s National Cyber Crime Unit (NCCU).

As usual, let me suggest keeping your systems and software updated and installing an antivirus solution, but most important is to adopt a proper security posture. Be wary of unsolicited emails, especially those claiming to come from financial institutions, and never open unexpected email attachments. Another good practice is to check your bank account regularly and report any suspicious transaction immediately.

Pierluigi Paganini

(Security Affairs –  Dridex banking Trojan, malware)
