‘Dyre Wolf’ Bank Transfer Scam Nets Criminals $1bn To Date

Sophisticated bank transfer cyber scam uses ‘advanced social engineering’ to fleece US companies

American companies are being targeted by a sophisticated cyber fraud scheme operated by Eastern European criminals.

So says IBM, which uncovered the bank transfer scam, which has apparently netted the criminals more than $1 billion (£674m) from their victims so far.

Transfer Scam

The security researchers at IBM have called it “The Dyre Wolf” banking scam, and whilst it is relatively small in nature compared to other recent bank scams, it represents a new level of sophistication as it makes use of “advanced social engineering techniques”, with a live telephone operator actually speaking to the victim.

BankThe social engineering technique is coupled with a “brazen twist” from the once-simple Dyre malware, according to IBM researchers.

The previously undocumented Remote Access Tool (RAT) malware family, codenamed “Dyre”, was actually uncovered last June and was found to be targeting online banking customers in the UK. The trojan was used to steal login details, circumvent SSL encryption and two-factor authentication through a technique known as ‘browser hooking’.

But the “Dyre Wolf” scam works by targeting people working in large to medium companies in the United States.

“An experienced and resource-backed cybercrime gang operates Dyre,” said IBM. “It was used in wide-stroke attacks for the past year and has now moved into a more brazen stage of attacking corporate accounts via the incorporation of skilled social engineering schemes.”

Worryingly, IBM said that the majority of antivirus tools frequently used as an organisation’s first line of defence did not detect this malware.

The way it works is since last year, the criminals send out spam emails with unsafe attachments. The attachments contain the Dyre malware, which seeks to get access to as many corporate computers as possible.

“Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site,” said IBM. “The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in.”

Telephone Operator

And now here is where the social engineering techniques kick in. The Eastern European criminals make use of an English-speaking telephone operator, who speaks to the victim if they call the number. The operator already knows the name of the bank the victim is trying to access, and will then try and obtain the corporate banking details. Once they gain that vital information, they begin making wire transfers out of the victim’s bank account.

“In recent incidents, organisations have lost between $500,000 and $1.5 million to attackers,” said IBM.

“One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as,” said IBM. “This all results in successfully duping their victims into providing their organisations’ banking credentials.”

And the criminals ‘bounce’ the money around different banks to throw off law enforcement chasing the money. Indeed, the criminals have actually used a DDoS attack against a victim, to distract them  from finding the wire transfer until it was too late.

To counter this threat, IBM recommends that staff are trained on how to spot and report suspicious activity. Staff should also be in spotting phishing attacks – where emails or attachments can infect a computer – and to never provide banking credentials to anyone.

Are you a security pro? Try our quiz!