While banks and financial firms work to modernize their infrastructures to remain competitive, the high demand nature of their business calls for increased cybersecurity. As a proof point of the severity of cybercrime we can point to recent news from the National Crime Agency (NCA) in the the UK who reported that the Trojan horse known as Dridex may be responsible for one of the most costly cyber attacks it has ever seen in the financial market. An NCA spokesperson described public estimates of these losses as conservative, adding that the global cost of Dridex attacks could exceed $100 million worldwide losses.
Andrey Ghinkul, aka Andrei Ghincul, was the administrator of the Dridex botnet and was arrested in Cyprus on Aug. 28, 2015. He has been indicted in the Western District of Pennsylvania on nine counts that include bank fraud, wire fraud, criminal conspiracy, unauthorized computer access with intent to defraud and damaging a computer. The US is seeking his extradition from Cyprus.
The U.S. Department of Justice issued a release stating, "The indictment alleges that Ghinkul and his co-conspirators used the malware to steal banking credentials and then, using the stolen credentials, to initiate fraudulent electronic funds transfers of millions of dollars from the victims' bank accounts into the accounts of money mules, who further transferred the stolen funds to other members of the conspiracy."
Dridex uses a botnet known by several names such as Dridex, Cridex and Bugat and is able to harvest bank details in order to steal money from its customers. This botnet is partitioned into 13 affiliates, each of which has access to its own subset of bots. The recent takedown of the malware involved infecting the computers on the sub-botnets’ P2P network with a virus that redirected those computers to a sinkhole, thus preventing the attackers from accessing those computers. However, Dridex must still be removed from the infected computers and more importantly it hasn’t gone away.
4 Ways to Mitigate the Risk of Dridex and Similar Malware:
Attackers often attempt to infect a computer with Dridex by placing it in an email attachment. This attachment is an executable file disguised to look like some other file. For example, the file could be named “letter.doc.exe,” which is an executable. However, the file name will often display as just “letter.doc,” leading the user to believe the attachment is a Microsoft Word document. When the user clicks on the file name, it executes the program to install Dridex rather than opening the file in Word.
Malware experts strongly recommend that users not open email attachments from an unknown source. Educate employees not to open emails unless they can validate the sender and the filename. Users should take particular caution when opening MS Office attachments such as Word and Excel, since these files could execute macros.
An infected Word or Excel file starts a macro when you open it, which downloads the actual Dridex Trojan and installs it on the host computer. The user must therefore be able to run macros in Office applications. MS Office 2007 and newer versions disable macros by default, and should only enable macros if the file is legitimate. As a best practice, Office applications should be configured to request permission before executing macros.
Malware authors use social engineering to trick a user into compromising their computer’s security. Again, educate your employees not to follow instructions on disabling your macros or other actions that change your computer’s settings.
Antivirus software relies on signature lists to identify and remove viruses. Update this software regularly to apply patches and keep your signature list current.
Learn from Experts
Even if the authorities are able to rid us of Dridex, another Trojan will always be ready to take its place. Information stealing Trojans are the most detrimental for financial firms because the risk of losing customer data and funds is very high. Preventing malware and threats through the enforcement of security policies, analyzing suspicious activity through sandboxing technology and implementing unified threat management (UTM), including a next-generation firewall (NGFW), are steps you can take to ensure your network is fully protected. It is important to work with experts to choose the right technology that best fits your organization’s needs. Patriot Technologies is a security-focused systems integrator that partners with best-in-class technologies, like Fortinet, who can develop a solution that fits the unique needs of your organization and provides the highest level of protection against advanced threats.