Fraudsters are using a clever piece of malicious software called Dyre to steal from corporate bank accounts, security experts say.

The so-called Dyre Wolf gang is using the malware, a banking Trojan, in combination with social engineering (i.e. tricking people into divulging information), to defeat the two-factor authentication banks typically require for large wire transfers, researchers say. As a result, the attackers are siphoning large sums of money — $500,000 to more than $1 million at a time — into offshore accounts.

Dyre surfaced around mid-2014, but the gang behind it, believed to be based in Eastern Europe, has recently stepped up its attacks, experts say. IBM says it observed more than 4,000 infections worldwide in February, of which more than half were in North America. All told, the thieves have stolen more than $1 million.

"At some point in the first quarter, they got aggressive, they added this whole social engineering aspect to it," said John Kuhn, a senior cyber threat researcher at IBM. "They're going after North American corporate banking. They're going after the big money."

The thieves' tactics illustrate how cybercriminals are getting more adept at understanding banks' processes and security mechanisms and circumventing them.

"As banks put more controls and fraud detection capabilities into online banking, the criminals are moving their attacks to exploit the weakest link — the people involved in authorizing or executing money transfers and payments," said Avivah Litan, a vice president at Gartner.

"Now the banks have to worry more about training their customers to be vigilant and aware of such scams," she said. "This is not an easy thing to do because the banks have no easy way to ensure their customers get the appropriate security awareness and education."

How It Works

Dyre, like many other types of cybercrime, starts with a phishing attempt.

Someone in a company's finance department opens an email that looks legitimate and clicks on an attachment that appears to be a PDF but is really an executable file, a piece of malware called Upatre. (The malware is typically compressed in a zip file, which helps it escape email filters.) Upatre is designed to pass through anti-malware software unnoticed. It establishes communication with the attackers and downloads the Dyre malware, then deletes itself, letting Dyre take over from there.

Why do people still fall for phishing attacks, especially finance people in charge of wire transfers at corporations?

"Many organizations do not realize that phishing attacks are a serious threat that can compromise the security of the entire organization even if a small fraction of the employees are lured into the attack," said Angelos Stavrou, a professor in the Computer Science Department at George Mason University. "For example, in an organization with 10,000 employees, even if one out of a thousand employees opens the phishing document, there are still 10 employees that will be compromised, leading to loss of information."

To make matters worse, the criminals can send thousands of phishing emails, raising the odds that employees will make a mistake and open the documents attached to the emails.

And, Kuhn said, the emails sent in Dyre attacks are very deceptive.

"They include financial terms like 'invoice' that give a base level of trust," he said. "They're just constantly banking on that level of trust everybody is used to seeing."

Once downloaded onto a computer, Dyre sits and waits for the user to log into a banking website account. Once he's logged in, Dyre instantly sends a message back to the attacker to share the victim's online banking credentials.

Many banks require two sets of credentials before they let a customer wire large sums of money. To get around that, the Dyre perpetrators have a call center set up. When they receive the message with the user's credentials, they send a message back to the user's browser, perhaps through code injection, telling him there's an issue with his account and that he needs to call a certain number.

"That number obviously doesn't belong to the bank but it appears to be on the banking website and looks legit to the user," Kuhn said. The customer, eager to complete the transaction, calls the number and speaks with an agent who answers as if she works at the bank and persuades the user to cough up a lot of information including his user name and password.

"This should raise red flags right away," Kuhn said. "No legitimate bank is ever going to ask you your login and password over the phone. But some people just fall for it. They haven't been trained. They don't have enough knowledge to make that leap to say they shouldn't be doing this." And people tend to trust that a phone number that appears on a bank website is a number for that bank.

Then the cybercriminals log in to the online banking account within 60 seconds with the user name and password they've just obtained and instantly transfer money to offshore accounts. In some cases, more than $1 million has been sent in one shot.

Sometimes denial of service attacks are launched as part of Dyre attacks, to overwhelm the bank's website or network and to distract the security team while the transfer is going on.

Artful Dodgers

The sophistication and organization of the Dyre attack, involving social engineering by employing human operators in addition to software, suggest the work of a well-organized and experienced cybercrime gang, Stavrou said.

Anti-malware software intended to detect and destroy software like the Dyre Trojan has been partially effective. Many anti-malware products have been able to detect some Dyre malware variants (other names for Dyre include Dyreza, Battdil, or Dyranges), Stavrou said. However, Dyre changes constantly, faster than antivirus and anti-malware software can keep up with, he said.

"They must have a very good engineering team on their side, because they're constantly changing the code of Upatre, just manipulating the entire code base of it," Kuhn said. "Then I assume they're running this through all the antivirus vendors to make sure the change can successfully get through. If it does, they push the new version out instantly."

Fighting Back

Protecting corporate accounts from Dyre involves several steps.

Companies can open email attachments in a secure container or virtual machine, to avoid infection of the target computer, Stavrou pointed out.

They can keep their anti-malware software current and maintain an updated malware definitions file, Stavrou said. "Another solution is to employ multiple anti-malware techniques that inspect emails for phishing before the email reaches the end-user," he said.
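As an added illustration of the pre-delivery inspection described above (not code from the article, IBM or any product), the following Python sketch opens a zip attachment and flags members that are executables dressed up as documents, the disguise the article attributes to the Upatre attachment. The extension list, the name hints and the sample archives are constructed assumptions.

```python
import io
import zipfile

# Constructed, non-exhaustive lists: endings Windows will execute, and
# document words a lure name might carry to look like an invoice PDF.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")
DOC_HINTS = ("pdf", "doc", "invoice")


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "reasons": ["not a readable zip"]}]
    with archive:
        for info in archive.infolist():
            name = info.filename.lower()
            reasons = []
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected; surface them for review.
                reasons.append("encrypted member")
            else:
                with archive.open(info) as member:
                    magic = member.read(2)
                if magic == b"MZ":  # DOS/PE executable header, whatever the name says
                    reasons.append("PE/DOS header (MZ)")
            if name.endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
                if any(h in name.rsplit(".", 1)[0] for h in DOC_HINTS):
                    reasons.append("document-like name on executable")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless MZ stub with a lure-style name, and a plain PDF stub.
SAMPLE_LURE = build_sample_zip({"Invoice_2015.pdf.exe": b"MZ" + b"\x00" * 62})
SAMPLE_CLEAN = build_sample_zip({"statement.pdf": b"%PDF-1.4\n%%EOF\n"})
```

A mail gateway hook would call `inspect_zip_attachment` on each zip part and quarantine the message when the returned list is non-empty.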

Training users to avoid opening spam emails is also very important, Stavrou said, as is getting employees to report incidents to reduce risk for the organization.

Banks need to apply two-factor authentication for wire transfers more judiciously and broadly, he said. And they need to educate users about the limits of two-factor authentication, especially when criminals use social engineering.

"For example, if the users had the phone numbers of the bank ahead of time and did not rely on the information presented on the screen, the fraud would have been discovered and no information or financial loss would have occurred," he said. Another potential mitigation is to never disclose any credentials to a bank phone operator, including two-factor tokens.

Behavior analytics software that can detect, say, that an organization is sending $500,000 to an account the bank has never seen before and hold it for the customer's approval would help, Kuhn said.