Malware warning

by Mark Rowe

UK internet users are being asked to protect themselves against a significant strain of malicious software (malware) which has enabled criminals to steal millions of pounds from UK bank accounts.

Dridex malware, also known as Bugat and Cridex, was developed by technically skilled cyber criminals in Eastern Europe to harvest online banking details, which are then used to steal money from individuals and businesses around the world. Global financial institutions and a variety of payment systems have been particularly targeted, with UK losses estimated at £20m.

Some members of the public may also have unwittingly become victims of the Dridex malware, and the National Crime Agency is encouraging all internet users to ensure they have up-to-date operating systems and anti-virus software installed on their machines, to protect themselves from further cyber crime attacks.

Computers become infected with Dridex malware when users receive and open documents in seemingly legitimate emails. The NCA assesses there could be thousands of infected computers in the UK, the majority being Windows users.

Users are urged to visit the CyberStreetWise and GetSafeOnline websites where a number of anti-virus tools are available to download to help clean up infected machines and get advice and guidance on how to protect themselves in the future.

The National Crime Agency says that it’s conducting activity to ‘sinkhole’ the malware, stopping infected computers – collectively known as a botnet – from communicating with the cyber criminals controlling them. This activity is in conjunction with a US sinkhole currently being undertaken by the FBI. The agency’s National Cyber Crime Unit (NCCU) has rendered a large portion of the botnet harmless and is now initiating remediation activity to safeguard victims.

The FBI and the National Crime Agency, with support from EC3 and JCAT at Europol, the Metropolitan Police Service, GCHQ, CERT-UK, the BKA in Germany, the Moldovan authorities and key private sector security partners, are developing and deploying techniques to safeguard victims and frustrate criminal networks. This has resulted in a significant arrest, with more expected, and worldwide disruption of a sophisticated cyber criminal network.

Advice

Members of the public are reminded that they should be vigilant and not open documents in emails, or click on links, if they are unexpected or if they are unclear about their origin. Any internet users who think they have lost money through malware such as Dridex should report their concerns to Action Fraud and alert their respective banks.

Mike Hulett, Head of Operations at the National Crime Agency’s National Cyber Crime Unit (NCCU), said: “This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to be made.”

Comments

Gavin Millard, Technical Director of Tenable Network Security, said: “Unlike other malware or exploit kits that prey on vulnerabilities in browsers or plugins to automatically infect victims, Dridex requires user interaction to open files sent. The attack vector is usually a Word document or Excel spreadsheet with a macro to download and install malicious code. To reduce the risk of being infected by Dridex, users should never open unexpected files sent via email and disable macros in Microsoft Office from automatically running.”
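The delivery vector described above (an Office attachment carrying a VBA macro) is something a mail gateway or incident response team can screen for before a user ever sees the file. The following is an added example, not code from the article or from any vendor quoted in it: it inspects an attachment for the `vbaProject.bin` part that OOXML documents use to store macros, and flags legacy binary Office files, which cannot be cleared without deeper parsing. The sample attachments are constructed in memory and are not real lures.

```python
import io
import zipfile

# Legacy binary .doc/.xls files are OLE compound documents with this header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML (docx/xlsx/pptx family) stores VBA in one of these zip entries.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = ("docm", "dotm", "xlsm", "xltm", "pptm", "potm")


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'macro', 'legacy-ole', 'clean' or 'unknown' for an attachment."""
    if data.startswith(OLE_MAGIC):
        # Binary Office format: VBA lives in OLE streams, so treat as suspect
        # rather than claim it is clean.
        return "legacy-ole"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
        if any(part in names for part in VBA_PARTS):
            return "macro"
        # Extension claims macro-enabled even though no VBA part was found:
        # still flag it, since the file type alone is unusual for an invoice.
        if name.lower().rsplit(".", 1)[-1] in MACRO_EXTENSIONS:
            return "macro"
        return "clean"
    return "unknown"


def triage(attachments):
    """Return the names that should be held for review (macro or legacy OLE)."""
    return [n for n, d in attachments
            if classify_attachment(n, d) in ("macro", "legacy-ole")]
```

Flagged files go to the IR queue rather than the user's inbox; the rule is deliberately conservative, since the article notes that AV signatures alone missed new Dridex variants.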

David Emm, Principal Security Researcher at Kaspersky Lab, saw it as evidence that cybercrime is becoming increasingly sophisticated and prominent as a means of financial gain.

He said: “As is typical for many banking Trojans, Dridex enters the PC through an infected email and attachment, or in some cases an infected Word document, which are rife in this type of attack. Essentially, this gives hackers a backdoor to conduct espionage, data exfiltration and remote control. Like a bug, once in the system, hackers can move around the system until they find their point of interest. Ultimately, this means they can extract any data useful to them.

“Although the FBI and National Crime Agency are conducting ongoing investigations, it is vital that we all take responsibility and remain extra vigilant of any suspect activity, reporting it immediately for the fight against cybercrime. We recommend home and business users ensure their systems are scanned for the malware and patched where necessary, immediately use internet security protection software for any future attacks, don’t click on any suspicious emails or links and ensure passwords remain as secure as possible. Exploiting vulnerabilities in our passwords is a top priority for hackers and they are therefore often our first line of defence when it comes to protecting online transactions. In light of this recent attack, we need to make sure any passwords are changed and that we never use the same username and password on several different sites, as this is key to giving cybercriminals easy access to bank and ecommerce accounts.”

Ronnie Tozakowski, senior researcher at PhishMe, said: “The challenge for all of us is that attackers constantly tweak their malware to avoid detection. We’ve been monitoring Dridex, as well as numerous other banking malware and trojans, and each new iteration is designed to evade anti-virus, sandboxing, and other detection technologies. One example is from back in March: even though Dridex was known malware at the time, we identified a variant that was not being flagged as malicious by any of the anti-virus programs. Another sandbox evasion technique they included needed user input to ‘push the button’. Even once it had been downloaded, detection was grim, as just five out of 57 AV vendors were picking up on it, making it very difficult to detect.

“For Dridex and other banking trojans, bypassing security defences is child’s play. One of the best ways to stop these attacks is to catch them early in the delivery phase, as this will hinder the attackers’ operations. Trained users are instrumental in early detection, and a person who can correctly identify a majority of phishing attacks is an asset to security, particularly if your organization has a program in place to gather user reports of suspicious emails. These employee-sourced reports provide the incident response (IR) team and security operations analysts with the information needed to rapidly respond to potential phishing attacks and mitigate the risk from those that may fall prey to them. Organisations should capitalize on the users that can become active human sensors and act like informants for the IR teams.”

And Carl Leonard, Principal Security Analyst, Raytheon|Websense, said: “Dridex is not new; in fact, over the past year we have seen an increase in the malware targeting individuals in order to gain access to personal data. We monitored tens of thousands of lures during August that were used to target individuals in the Czech Republic, whereby the Dridex hackers used malicious email lure themes related to invoicing to make the messages seem more authentic. Dridex has also been delivered by other bots such as Andromeda, one of the highly configurable malware tools available for sale in the underground community. Malware authors will likely replace that payload with another malware of their choosing and will not just stop at the UK but will aim to target internationally.”

Links

The NCA website offers some links to access anti-virus software:

F-Secure: https://www.f-secure.com/en/web/home_global/online-scanner

McAfee: http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx

Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx

Sophos: https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

Trend Micro: http://housecall.trendmicro.com/

© 2024 Professional Security Magazine. All rights reserved.