SMEs using UK online bank accounts have been warned to be on the lookout for a new wave of attacks by the aggressive Dyre (or Dyreza) bank Trojan which along with the CryptoWall ransom Trojan has turned into the malware story of 2015.
According to security firm Bitdefender, UK institutions being targeted by Dyre included Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander, as part of a campaign that launches a main-in-the-middle assault on the login pages of these brands if it detects a visit by an infected user.
The company had detected 19,000 examples of a single campaign posing as a follow-up communication from a tax consultant in only three days, asking the user to verify an attached document. Other tactics include threats to business owners over imaginary penalties.
It can be hard to put malware warnings into context - 19,000 emails is a drop in the ocean by malware campaign standards - although it is possible that it has been targeted to some extent.
Victims who fall for a threat that might not be picked up by anti-virus will be infected by a strain of malware that will immediately put at risk their online bank logins.
Dyre’s activity confirms recent reports from others including Trend Micro that Dyre has successfully stepped into the vacuum left by exiting threats such as Gameover Zeus and Ramnit, disrupted over the last year by official action.
“First seen in 2014, Dyre is very similar to the infamous Zeus,” noted Bitdefender’s chief security strategist, Catalin Cosoi.
Bank customers all over the world were being targeted by overlapping campaigns, he said, including in France, Germany, the US, Australia and Romania. It might be easier to say which countries and institutions that were not being targeted in fact, with researchers reporting that 1,000 institutions around the globe on its his-list.
“If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page.
“The server will then respond with the compressed version of the web page with malicious code added to it. This altered web page is then displayed on the victim’s web browser. Its appearance remains exactly the same, but the added code harvests the victim’s login credentials,” said Cosoi.
Separately, the firm has warned of a similar surge in Android ransomware affecting UK users without offering any hard numbers for background. However, there is no doubt that mobile ransomware (which typically locks the smartphone to make it difficult to use and doesn’t encrypt files) is on the rise - it accounted for a third of all malware in May alone, a huge increase in the phenomenon.