The financial sector is one of the industries most targeted by malware and related malicious actors. The reason is easy to understand: Malware is used to infect computer systems in this field for the express purpose of stealing money from unsuspecting bankers and individuals. It's therefore crucial for companies in the financial sector to invest in the best cyber security tools available in order to protect the money and important confidential information their servers store.
One of the latest malware attacks comes in the form of a malicious program called Dridex. The Guardian's Alex Hern stated in October 2015 that the malware can upload, download and run programs, not to mention take screenshots of the websites being visited. CNBC contributor Arjun Kharpal reported around the same time that hackers had used the program to steal $30.7 million from banks across Europe, specifically in the U.K.
Despite the fact that this event occurred in late 2015, the malware's work isn't done, it seems. According to The Register contributor Darren Pauli, a hacker group called Evil Corp has revamped the malicious program and started pitting it against financial institutions in the U.K. once again. The malware is clearly becoming a serious problem within the industry, and actions taken by the FBI and the U.K.'s National Crime Agency have only been able to slow the spread of the infection instead of getting rid of it entirely.
How does Dridex work?
Hern noted that the malware arrives in fake emails with an infected Microsoft Office file attached. These files are usually Microsoft Word or Microsoft Excel documents, and they contain a macro that triggers the installation of Dridex when the downloaded document is opened. Dridex relies on such legitimate mechanisms to install and run on infected computers. So far the program has only affected Windows machines, not ones running Mac OS X or Chrome OS, and it can't load on mobile devices, either.
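As an added illustration of the delivery mechanism described above (this is not code from the article or from any of the researchers it cites), here is a small mail-gateway style check that flags Office attachments carrying a VBA macro part. The sample attachments are constructed inline and the function names are assumptions of this example.

```python
"""Flag e-mail attachments that are macro-enabled Office documents.

Added example: Dridex arrived as Word/Excel files carrying a VBA macro,
so a cheap first filter at the mail gateway is to look for the macro
container inside OOXML attachments and hold those for review.
"""
import io
import zipfile


def has_vba_macro(data: bytes) -> bool:
    """Return True if `data` is an OOXML (.docm/.xlsm/...) zip with a VBA part.

    OOXML documents are zip archives; a VBA project is stored as a
    vbaProject.bin part (e.g. word/vbaProject.bin or xl/vbaProject.bin).
    Legacy binary .doc/.xls files are OLE2 containers, not zips, and need a
    separate parser; this check deliberately returns False for them.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a zip container
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False  # truncated or corrupt archive
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def build_sample(with_macro: bool) -> bytes:
    """Constructed test fixture: a minimal OOXML-shaped zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE2 blob; only its presence matters here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
    return buf.getvalue()


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined for review."""
    return [name for name, data in attachments.items() if has_vba_macro(data)]


if __name__ == "__main__":
    # Constructed mailbox: an invoice-themed macro document next to benign files.
    mailbox = {
        "invoice_4412.docm": build_sample(True),
        "agenda.docx": build_sample(False),
        "notes.txt": b"plain text",
    }
    print(triage_attachments(mailbox))  # ['invoice_4412.docm']
```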
The most recent version of Dridex, reported on by Pauli, is distributed through a botnet called Andromeda, which sends emails that look like business invoices and carry links. When a link is clicked, the malware is downloaded to the system and used to redirect customers to fake sites that look just like their banks', where Dridex steals their money.
"By keeping the victim away from the bank's site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer's session has been compromised," said IBM threat analyst Limor Kessem.
Other malware to take note of
Dridex isn't the only malicious program stealing banking credentials from customers around the world. According to Security Intelligence contributor Douglas Bonderud, the malware Tinybanker (Tinba) that first surfaced in 2012 made a comeback in November 2015. This is the fifth version of the Tinba trojan, called Tinbapore, and it targets banks in Singapore and other Asia-Pacific countries. This malicious program only takes up 20 kilobytes of space on the hard drives of unsuspecting banking customers, but it's able to hook into the root files of programs like Windows Explorer and Web browsers.
Bonderud points out that financial institutions are falling victim to these kinds of attacks for a lot of reasons, but one of the biggest concerns is that they aren't following best practices when it comes to making sure the requests they're receiving are coming from legitimate customers.
"[T]hey're only asking for the account number and date of birth to confirm identity and aren't using secure URLs," Bonderud wrote. "While some leverage two-factor authentication, many send one-time codes via text message, which can be intercepted and used by malicious actors. And in some cases, banks redirect to third-party confirmation sites that seem more like phishing grounds than legitimate fact-checking tools."
What can be done to combat this issue?
Dridex is turning out to be a resilient form of malware that keeps coming back. In November, Trend Micro researchers documented a resurgence in the program despite the mid-October takedown organized by the FBI. The takeaway from this particular version of Dridex was that no matter what actions are taken, if the malware exists in some form, the threat won't be completely eliminated.
"Taking down servers is a significant step in crippling botnets, but unless all infrastructure are destroyed and all threat actors are caught, threats like Dridex are bound to resurface," threat research manager Ryan Flores wrote in November. "As such, it is the responsibility of security researchers to continually monitor threats after takedowns and collaborate to eventually destroy them."