British Banks Lose £20 Million to Dridex Malware

By   ISBuzz Team
Writer , Information Security Buzz | Oct 18, 2015 10:00 pm PST

Following the warning from The National Crime Agency that internet users are being targeted by a new version of the Dridex malware, and that some £20m has already been stolen by the gang in the UK alone. Security experts from Tripwire and Raytheon|Websense, commented on the news and discussed how it’s not just a UK threat but a worldwide one.

[su_note note_color=”#ffffcc” text_color=”#00000″]Ken Westin, Senior Security Analyst at Tripwire :

“The sophistication and scale of the infection of Dridex, not to mention the amount of money made by the cyber criminals involved, shows that cybercrime is a big business. This should also serve as a warning to banks and consumers, as this is only the tip of the iceberg.

Law enforcement and private industry are ramping up their defensive capabilities but at the same time new tools and techniques are being developed that will build on Dridex and include more sophisticated methods of evasion and infiltration of our systems.

When criminal syndicates see how much money can be made from these intricate and complex cyber heists, many more will implement similar techniques and tools. We should also expect these attackers to pay close attention to how the others were caught to ensure their next attack does not suffer the same fate.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Carl Leonard, Principal Security Analyst, Raytheon|Websense :

Dridex is not new, in fact over the past year we have seen an increase in the malware to target individuals in order to gain access to personal data. We monitored that tens of thousands of lures during August were used to target individuals in the Czech Republic, whereby the Dridex hackers used malicious email lure themes related to invoicing to make the messages seem more authentic.

Dridex has also been delivered by other bots such as Andromeda, one of the highly configurable malware tools available for sale in the underground community. Malware authors will likely replace that payload with another malware of their choosing and will not just stop at the UK but will aim to target internationally.

Recipients should be extra cautious of email messages that include any source information they are not already familiar with, including:

  • Email sender
  • Company sender domains
  • Email bodies with little to no contextual information

Since Dridex is known to not only leverage but also harvest additional SMTP accounts as part of its malicious activities, email recipients should also be careful with suspicious messages sent from familiar names or aliases. Recipients should use caution by following up in a separate email thread or via a phone call (or some other out-of-band process) for validation of a submitted invoice.

We advise organisations to invest in a technology that disrupts the threat lifecycle early on, and furthermore all security best practices and defense-in-depth strategies should be followed as part of a risk mitigation strategy.[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Kevin Epstein, VP of Threat Operations at Proofpoint :

“Dridex has been the dominant document attachment-based malware over the last year–it accounted for more than 90% of such malware, and impacted organizations of all sizes. It was not unusual to see multiple campaigns per day, many consisting of millions of emails at a time. Mainly designed to steal banking credentials, Dridex was distributed by multiple botnets. Proofpoint observed a complete cessation of Dridex distribution for 30 days following the recent arrest of a reported botnet administrator. Campaigns have resumed in the past weeks and it’s clear that Dridex isn’t over. We are back to seeing daily campaigns that distribute millions of emails.”[/su_note]