If you’re like me, you’re probably getting pretty sick of hackers, or as I like to call them criminals, using their technology skills to find new and dubious ways of making our lives exponentially more difficult. The banking malware Dridex is currently at the top of my list of malware that infuriates me. Why? Because they just won’t seem to go away!
Just when security experts started to believe they were getting a handle on how to safeguard people from Dridex, it has improved upon itself once again, by being able to direct you to fake banking websites that are ready, and able, to steal all of your vital banking data.
How are they doing it?
I almost have to give a hand to these criminals, (I’m not going to,) but I will give some credit to their craftiness on this one. It’s called DNS (Domain Name System) cache poisoning. They use this to trick you into visiting fake banking websites that have almost the same name, and look identical to your banking site!
This new technique appears to be inspired by a similar banking trojan called Dyre, which used a local proxy to accomplish the redirection. Dridex operators however, have stepped it up a bit by creating clones of the websites of 13 U.K. banks, which have already been used in several attacks.
DNS cache poisoning is a very powerful and difficult to recognize attack, as it doesn’t use common red flag tactics like add-ons. These websites will show up in your browser even if you type in the correct domain name of your bank- making it far more likely for you to click on the wrong site, and worse, enter your personal banking information once you get there. Here’s what happens once you land on one of these fake, and dangerous, sites:
- Dridex collects all of your authentication credentials and two-factor authentication codes.
- Your details are then sent to command-and-control servers, and verified.
- If more of your information is needed to hack into your personal banking, Dridex will inject new fields into the fake website to request this information.
- They then begin initiating the illicit transaction while you are being delayed by the social engineering injections on the fake site.
- Once the information harvesting is successful, they will move your money from your account, to a mule account.
Dridex has proven to be a resilient foe.
Despite law enforcement action by the U.S. and U.K., (who managed to take down part of its network last year), Dridex has been quick to recover. For a short time last month security experts even began to notice that the number of emails with attachments containing Dridex had dropped, but then quickly resumed again. For now, Dridex remains a very real and dangerous threat, so it is very important to be suspicious when your bank begins asking you for information that you do not normally need to provide.
Onserve specializes in comprehensive security solutions that will protect you from malware threats. Call us today at (877) 996-6622 or send us an email at firstname.lastname@example.org for a free security analysis of your systems and network.