Chantilly, Va., June 25, 2014 — PhishMe® Inc., the leading provider of phishing mitigation and detection for organizations concerned about human susceptibility to sophisticated cyber attacks, announced today that it has been awarded the Skyhigh CloudTrust™ rating of enterprise-ready for its core PhishMe platform. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Beware of the Dyre banking Trojan! – A new malware threat that steals financial information such as login credentials. News of the Dyre banking Trojan has been circulating the web recently, following its discovery.
Dyre or Dyreza as it is also known exhibits classic banking Trojan behaviors such as using “man-in-the-middle” attacks to steal private information from victims. It is also being used on customers of certain banks in targeted attacks.
PhishMe identified this new malware on June 11, 2014. The Trojan is distributed via spam email messages that use email templates similar to those of other banking Trojan and malware distribution campaigns. Rather than infection occurring via a malicious attachment, the messages contained a link to a file hosted on Cubby.com, a free cloud storage provider. This campaign follows a recent trend in which cloud-hosting providers such as Cubby.com and Dropbox are used to host the malicious payloads.
As others within the blogosphere have noted, the Dyre banking Trojan is unique and represents a new type of malware being used by cybercriminals to steal banking credentials. Despite this novelty, its basic functionalities follow those that have long been employed by malware authors to exfiltrate private information from compromised systems. It’s a case of “the more things change, the more they stay the same.”
The Dyre banking Trojan works by ensuring that its hostile code is linked to the code of the victim’s web browser. As victims browse the Web, their web browser is effectively turned against them. This is part of the classic “man-in-the-middle” attack used by many malware types, including the prolific and notorious Zeus banking Trojan. As seen below, the binary data from this hostile code references browsers by name.
Part of the functionality is provided by “hooking” this malicious code into the browser’s runtime. Malicious actions then occur when the victim visits specific URLs or domains. This method has been seen before. Zeus Trojan variants and other banking Trojans such as Cridex use similar tactics. This can be seen in the malicious code itself as a list of URLs for popular banking websites, including the following:
- businessaccess .citibank .citigroup .com/assets/
- cashproonline .bankofamerica .com/assets/
- www .bankline .natwest .com/
- www .bankline .rbs .com/
- www .bankline .ulsterbank .ie/
The “hooking” and the focus on a set of banks are examples of ways in which this new banking Trojan reuses methods common to many other types of malware. These methods are expected of many modern banking Trojans and are not out of the ordinary.
How is this threat actor likely to attack your organization? The source code of the malware provides a clue—in fact, it is the source of the name “Dyre”.
The hostile code “hooked” to browser processes by the malware contains a reference to the location of a “.pdb” or program database file. Compilers store data for debugging using this file type. More important to those seeking threat intelligence, it provides some information about how the malware writer or writers created this malicious software.
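The three artifacts described above (browser names referenced by the hooked code, the list of bank URLs that trigger the hostile behavior, and the compiler’s .pdb path) are all plain strings in the binary, so a first-pass static triage can look for them directly. The following script is an added example written for this article; it is not PhishMe’s tooling and not code from the Dyre sample. It extracts ASCII and UTF-16LE strings from a byte blob, matches the defanged bank URL list quoted above (refanged only for matching, reported defanged), flags browser process names (the browser names are an assumption, since the post does not list them), and pulls out any `.pdb` path. The sample bytes and the `.pdb` path in it are constructed placeholders, not indicators from the real sample.

```python
"""Added example: static string triage for a suspected banking-Trojan sample."""
import re
from dataclasses import dataclass, field
from typing import List

# Defanged bank URL fragments exactly as listed in the article.
DEFANGED_BANK_URLS = [
    "businessaccess .citibank .citigroup .com/assets/",
    "cashproonline .bankofamerica .com/assets/",
    "www .bankline .natwest .com/",
    "www .bankline .rbs .com/",
    "www .bankline .ulsterbank .ie/",
]

# Browser process names a hooking component commonly references.
# Assumption: the article only says browsers are named, not which ones.
BROWSER_NAMES = ["iexplore.exe", "firefox.exe", "chrome.exe"]

# A Windows-style path ending in .pdb, as left behind by the compiler.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,200}?\.pdb", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn 'www .example .com/' back into 'www.example.com/' for matching."""
    return indicator.replace(" .", ".")


@dataclass
class TriageReport:
    browsers: List[str] = field(default_factory=list)
    bank_urls: List[str] = field(default_factory=list)  # reported defanged
    pdb_paths: List[str] = field(default_factory=list)

    def looks_like_banking_trojan(self) -> bool:
        # Heuristic used here: browser names plus at least one bank trigger URL.
        return bool(self.browsers) and bool(self.bank_urls)


def _printable_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Extract ASCII and UTF-16LE strings, like the classic `strings` tool."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]
    return found


def triage(blob: bytes) -> TriageReport:
    """Scan a raw byte blob (file or memory dump) for the three artifact kinds."""
    report = TriageReport()
    joined = "\n".join(_printable_strings(blob))
    lowered = joined.lower()
    for name in BROWSER_NAMES:
        if name.lower() in lowered:
            report.browsers.append(name)
    for defanged in DEFANGED_BANK_URLS:
        if refang(defanged) in joined:
            report.bank_urls.append(defanged)  # keep output defanged
    for m in PDB_PATH_RE.finditer(blob):
        report.pdb_paths.append(m.group().decode("ascii", "replace"))
    return report


# Constructed sample for this example: filler bytes, a UTF-16LE browser name,
# two refanged bank URLs and a placeholder .pdb path. Not a real binary.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" * 4
    + "iexplore.exe".encode("utf-16le")
    + b"\x00" * 8
    + b"www.bankline.natwest.com/\x00"
    + b"cashproonline.bankofamerica.com/assets/\x00"
    + b"C:\\constructed\\example\\build\\sample.pdb\x00"
)

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("browsers :", r.browsers)
    print("bank URLs:", r.bank_urls)
    print("pdb paths:", r.pdb_paths)
    print("verdict  :", r.looks_like_banking_trojan())
```

Running it against a real dump would be `triage(open(path, "rb").read())`; the verdict is only a triage hint for deciding which samples deserve a closer look, since packed or encrypted samples will not expose these strings until they are unpacked in memory.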
In the fight against malware distributors, knowledge is a powerful weapon. Leveraging actionable threat intelligence gives you the opportunity to identify the source of the infection. Armed with that information it is easier to mitigate the threat. PhishMe analyses these and other threats and uses the information to deliver active threat reports to help organizations take fast action to prevent malware attacks.
Machine-readable threat intelligence (MRTI) is provided in multiple formats to ensure that organizations are better prepared for malware and phishing attacks, thus preventing them from disrupting business processes and causing financial harm. Of course, not all organizations require threat intelligence to be fed through other systems. We also provide human-readable reports on the latest threats, allowing deeper analysis of the latest and most serious threats. After all, being forewarned is being forearmed.
When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.
What are the chances of becoming a cyber victim? In this post, we’ll explore the odds compared to the chances of other unrelated events.
Many of us take comfort in knowing that certain bad things are not likely to happen to us, so we don’t worry too much about those things. We think our chances are pretty good.
- Dying from a shark attack: 300,000,000 : 1
- Your opponent’s getting a Royal Flush in poker: 649,739 : 1
- Being struck by lightning in California: 7,538,382 : 1
- A meteor landing on your house: 182,138,880,000,000 : 1
- Dying from a mountain lion attack in California: 32,000,000 : 1
- Dying from parts falling off an airplane: 10,000,000 : 1
- Being attacked by an Orca: 0 (excluding Orcas in captivity)
On the other hand, we find lots of things, good or bad, for which the odds are not what we would like them to be. We don’t think our chances are as good for these things turning out our way.
Not Comforting Odds:
- Getting a Royal Flush in poker: 649,739 : 1
- A meteor landing on your worst boss’s house: 182,138,880,000,000 : 1
- Being struck by lightning in Montana: 249,550 : 1
- Having a stroke: 1 in 6
- Winning the Powerball Jackpot: 13,983,816 : 1
- An American man developing cancer in his lifetime: 1 in 2
There is another category of bad things for which we just don’t know the odds, and It’s Downright Scary!
Odds that your antivirus product will protect you from a cyberattack: Unknown
Actually, you cannot accurately calculate the odds of your antivirus (AV) product protecting you because probabilities deal with the odds of specific events happening. Here, the cyberattack could be spam, malware, phishing, social engineering, or some other form of attack. Within each of those categories, there is a wide range of types of attacks. On average, there are 27 trillion malicious attacks per year, so there are going to be a lot of attack vectors crashing into your AV product. Calculating the odds is almost impossible. It’s Downright Scary!
McAfee’s The Economic Impact Of Cybercrime And Cyber Espionage, July 2013, estimates the cost of global cybercrime to be $300 billion to $1 trillion. Using an average annual cost per breach of $11.56 million, extrapolated from the 488 attacks used to measure the total cost in a study for The Ponemon Institute’s 2013 Cost of Cyber Crime Study: United States, the total number of attacks would be in the range of 26,000 to 87,000. Of course, as the number of attacks is spread out over all victims, the cost per attack would drop, meaning that the number of successful attacks would be much higher. We just don’t know. It’s Downright Scary!
What we do know is that for those 26,000, 86,000, or whatever higher, scarier number it is, their AV product did not stop whatever malicious threats caused the breaches. Of course, none of the other defenses these companies had in place stopped the criminals. In fact, 100% of the time, the combination of all of these products failed for these victim companies.
How about for your company? Would you be protected? Unfortunately, you don’t know. It’s Downright Scary! Also unfortunate is the fact that most companies don’t know they were not protected until about 210 days on average (Trustwave) after they have been compromised. Wonder what the bad guys could do inside your systems in 210 days? It’s Downright . . ., well, you get the point.
What can you do? It is apparent from these numbers and from the daily news reports that there are at least two major things happening in the cyber world – the good guys are losing and the bad guys are winning. This is not just both sides of the same coin; there is much more to it than that. Sure, the bad guys are getting better at what they do. They have entire infrastructures to rely on, social networks for criminals, division of labor, secondary markets for their tools, and they learn quickly. They are not all smart, but many are and there are many of them.
So, why are the good guys losing? There are lots of reasons to be sure, but a significant number of attacks are successful because the incoming threat was not detected at all or not detected until it was too late. The collective description of the problem in these cases is that the AV vendor or other provider is trying to fight today’s cyber war, and it is a war, using yesterday’s tactics and yesterday’s weapons. Many victims are surprised to learn that there is a better way. That better way is to use actionable intelligence and proactive intervention to identify the sources of the malicious threats, identify the bad actors and their tools and networks, and to use this information to prevent their success and to take down their infrastructure.
Is this a 100% cure? No, a “cure” is not in sight. However, it is better medicine. Throughout our history, we have benefited from moving away from shamans and witch doctors and toward proven effective cures for many illnesses. To make ourselves safer in the cyber world, we must take similar action. We must move away from what might have worked (we really don’t know how well it did work) to what we know is better – an intelligence-based approach to cyber protection. Not only is the cyber world often very mysterious, It’s Downright Scary!
On Monday, I wrote about attackers using phishing attacks to deliver malware via links to Dropbox. Today, we received another wave of these emails with slightly different subject lines. Figures 1, 2, and 3 show the variants we received in the latest campaign, as reported by our internal users. In this campaign, 10 of our users were targeted.
Several weeks ago, I wrote a blog entry about phishing emails using zip files with executable files attached to them. Using PhishMe Reporter, several of our users (yes, we use our own tools internally) successfully identified a new round of phishing, this time using Dropbox links in the body.