eLearnSecurity Blog

$1 Million Stolen Using Dyre Wolf Malware + Social Engineering Tactics

Hackers have stolen millions from various enterprises in an attack using a variation of the Dyre Wolf Malware plus some Social Engineering tactics. These attackers have  come up with a sophisticated method that consists of spear phishing, malware and DDOS attacks during this crime. The identities of these hackers are still unknown.

IBM Researcher John Kuhn wrote in a blog post that the hackers are targeting companies that transact large amounts of money. “In this campaign, the attackers are several steps ahead of everyone. Even while casting a wide net to reel in victims via spear-phishing campaigns, these attackers are targeting organizations that frequently conduct wire transfers with large sums of money. It’s also important to note that the majority of antivirus tools frequently used as an organization’s first line of defense did not detect this malware.”


Dyre Wolf Attack

IT Security Researcher, Davide “GiRa” Girardi, shares his thoughts about the incident. “This kind of attack is very well thought under both technical and sociological point of view. Attackers are using some Dyre variants. Dyre is a banking Trojan which not only releases a variant every few days but also uses an updating system to stay out of anti-virus radars. This approach is quite common among advanced malware developers. Moreover they bounce the stolen money among various banks and cover their activity by means of DDoS attacks.

The second key aspect is the use of social engineering. There are two social engineering stages: the first is quite traditional and involves a phishing campaign while the second is much more complex. Attackers trick a victim into calling a fake bank contact center and impersonate support personnel to perform a wire transfer from the victim account to one of the attacker’s accounts.”

Social Engineering

IBM has published an infograph simplifying the attack process. You can check it out here. GiRa mentions that the key steps during the attack are the social engineering stages.

“If the victim did not open the malicious email attachment that downloaded Dyre, the entire attack would fail. Security awareness is very important to protect an organization from losing millions of dollars! Detecting a phishing campaign is not very hard if an employee has been trained to do so.

The second social engineering phase is what enabled the attacker to actually steal money: black hat hackers trick a victim into calling a phone number. A phone number given by the attacker!!!

Every Step Counts

The attack is very well-crafted that there’s an opportunity to prevent the hack in every step. If a machine has been infected by Dyre, users are not able to tell what is happening, but they surely can understand that they should verify what phone number they have to call.

This is a common scheme among con-men: they trick you into thinking that you are in control of the situation while you are actually talking to an untrusted person. The cornerstone of the attack is tricking a user into handing out information. If users are able to detect a phishing campaign and understand when they are targeted by a social engineering attack, they can prevent even advanced malware attacks such as this one.

Penetration Testing Professional Training Course

PTP product boxBecome an IT Security expert and learn to conduct penetration tests. With over 3,000 students in 140 countries, Penetration Testing Professional is the most comprehensive and practical online course on Penetration Testing. Get started with a FREE trial here: PTP Free Trial


Davide Girardi gira

Davide “Gira” Girardi is a security researcher and instructor. He has 8+ years of experience in system hardening and security consultancy on Linux, Windows, OSX and mixed environments.

LinkedIn: https://www.linkedin.com/pub/davide-girardi/76/652/744


Tags: , , , , ,

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go to top of page