£20million Malware Attacks on UK Banks – How ThreatMetrix Helped
Posted October 15, 2015
Banks across the globe are being urged to implement more sophisticated authentication against online banking malware attacks, in the aftermath of huge losses in the UK.
Reports emerged this week from the National Crime Agency that fraudsters have pocketed £20 million by stealing online banking customers’ credentials with a virulent piece of malware called Dridex. By infecting end-user machines, often via emails containing malicious links, the cybercriminals gain access to the users’ computers. Once a PC is infected, the malware typically lies in wait until the PC connects to an online banking site, then links the PC to a botnet so that the attackers can communicate with it.
How does Dridex work and how can ThreatMetrix help?
Dridex is an evolution of a Trojan called Cridex and is similar to malware families such as Feodo or Bugat. Dridex infects the computer and makes it part of the Dridex botnet, which can do many things; the following three capabilities are particularly relevant to banks protecting online customer logins and transactions.
1) Dridex has the ability to install a VNC server
The VNC server is injected into the explorer process, using a method very similar to that of the infamous banking malware Dyre, which is technically comparable to Dridex. This VNC server allows criminals to perform fraudulent transactions from victims’ computers.
The large losses reported in this case show that banks are falling foul of Dridex, but ThreatMetrix works with some of the largest UK banks to help protect against these types of scenario. There are multiple ways to detect VNC servers, including device anomalies, raw TCP fingerprints and timings. The VNC server doesn’t run as its own process; rather, it is injected into the explorer.exe process.
2) Man in the Browser Injections
Dridex is able to perform MITB injections, in which the malware controls what is shown in the user’s web browser, even on legitimate websites. MITB is used to bring up bogus forms that capture user credentials, which are then used to steal these vast amounts of money.
ThreatMetrix protects every customer from Trojans, whether it’s Dridex, Cridex, Zeus, Dyre or whatever turns up tomorrow, by page fingerprinting. Webpage fingerprinting identifies whether your webpage elements have been altered by cybercriminals, and highlights any devices connecting to your web applications that have malware actively targeting your site.
3) Credential theft
Dridex steals online banking credentials through keylogging and HTML sniffing. Banks that trust user logins without any context-based analysis could then accept at face value that this is the real user; to protect against attacks like these, banks need to employ context-based authentication as well.
Once fraudsters have stolen credentials using Dridex, they must use those credentials in a separate session, which is exactly what ThreatMetrix is built to detect.
It is imperative that banks rely on more than login credentials to verify their online banking customers, because as Dridex demonstrates, the stakes are high when things go wrong. ThreatMetrix helps banks recognise their customers’ true digital identities through context-based authentication of a range of factors such as device ID, location and behaviour analytics, as opposed to malicious logins where fraudsters mask their true identities, access multiple accounts from one machine, hide behind proxies and falsify their locations.
The consequences of £20 million stolen?
Whilst users are urged to invest in decent anti-virus software, unless banks can prove that a customer has acted fraudulently themselves, any losses incurred by attacks on end users via malware such as Dridex will ultimately be absorbed by the banks themselves.
In addition to the direct cost of dealing with stolen funds, it is imperative for banks to protect their customers, both to avoid breaches and to protect their reputation.
For more information on how banks can protect themselves from attacks which involve malware on their customers’ machines please read our brand new case study:
Leading European Bank Tackles Remote Access Fraud with ThreatMetrix.