New Dyre Banking Threat Detected In Dropbox Phishing Attacks


A new banking Trojan capable of bypassing encryption to steal account credentials has been uncovered in a wave of phishing attacks using Dropbox links. According to two firms analyzing the threat, it appears to be a completely new malware family.

The Dyre Trojan was uncovered by Chantilly, Va.-based PhishMe, which has been analyzing a phishing campaign that uses Dropbox links in its spam messages since April. The attacks have used a variety of malware that lures users into clicking on a Dropbox link to download a document, which ultimately infects the system with malware.

The Dyre remote access Trojan (RAT) has been targeting account holders of Bank of America, Citibank, NatWest, RBS and Ulsterbank, according to the CSIS Security Group, a security consultancy based in Copenhagen, Denmark. The attacks use similar techniques as the Zeus malware family, the firm said in its analysis of the threat it calls Dyreza.

[Related: Banking Malware: Sophistication Rises In Longtime Botnet Families]

The new threat is dangerous despite using standard tactics and techniques, security experts told CRN. In addition to its ability to view SSL encrypted browsing sessions, Dyre also has the ability to bypass two-factor authentication. It's also using code that attempts to evade antivirus and other traditional security detection technologies.

Dyre works by injecting code into the victim's browser that can steal information when the victim visits one of the targeted banking websites, said Peter Kreuse, the head of the CSIS e-crime unit and the company's chief technology officer. Attacks can work against users of Internet Explorer, Chrome and Firefox. Kreuse warns that the phishing campaign may include a new round using a long-standing trick of baiting users by masquerading as a Flash Player update.

"They use a MiTM [man-in-the-middle] approach and, thus, are able to read anything, even SSL traffic in clear text," Kreuse said. "We believe this is a new banker Trojan family and not yet another offspring from the Zeus source code."

File sharing service Dropbox is a victim of its own success, said solution providers, because cybercriminals consistently target popular services in order to benefit from a potentially wide number of victims. The company recently completed updating its infrastructure to address a security weakness that enabled criminals to manipulate shared links. The vulnerability is not connected to the campaign spreading Dyre. Dropbox also has been bolstering its encryption, adding account monitoring and other security measures. It added support for two-factor authentication in 2012 following a spam campaign that used email addresses stolen from a Dropbox user.

A phishing email with a malicious link can quickly turn into the biggest dangers on highly used platforms, said Eldon Sprickerhoff, founder and chief security strategist at Cambridge, Ontario-based managed security services provider eSentire. Criminals have gotten better at socially engineering an attack to take advantage of human errors in judgment, he said. 

"There's a realization that security needs to do a better job at addressing the human element," Sprickerhoff said in a recent interview. "Part of a good defense strategy is to try to defend against people who don't realize they are doing things that are bad and that their actions are putting the company at risk."

Law enforcement has been cracking down on criminals behind financially motivated attacks. The financial industry has been taking measures in an attempt to identify customer behavior that could signal banking malware on a victim's system.

Investments in antifraud and transaction verification technology increased following the emergence of the Zeus banking Trojan in 2009. The industry also has been taking action against spam botnets and most recently disrupted the Gameover Zeus botnet, which was one of the largest botnets behind Zeus Trojan infections and believed to be ultimately responsible for spreading CryptoLocker ransomware. A Russian national pled guilty in a Georgia court in January for writing SpyEye, a malware family that rivaled Zeus and infected more than a million PCs. 

PUBLISHED JUNE 16, 2014