Bank customers in the UK appear to be the main target of new malware similar to Zeus. Dubbed Dyreza or Dyre, it was uncovered earlier this month by researchers from PhishMe and CSIS, IT security publication SC Magazine reported.
According to CSIS, the malware is a “totally new” method for attacking bank customers, in this case clients of NatWest, RBS, Ulster Bank, Citibank and Bank of America.
The Dyreza malware uses browser hooking to obtain users’ banking data before the details are encrypted. It then redirects the victims to the scammers’ website while tricking people into thinking that they remain on the genuine banking website. Browser hooking is aimed at Chrome, Firefox and Internet Explorer users.
With Dyreza, scammers are not exploiting a security vulnerability in the banking systems but bypassing the SSL mechanism by hooking into the browser, SC Magazine was told via e-mail by Ronnie Tokazowski, senior researcher at PhishMe. This is the mechanism designed to protect the confidential information of bank customers. The bypass could allow cyber criminals to easily redeploy and pounce on another bank or even target data that is slated for encryption.
So far, the Dyreza malware has been used to steal credentials from banking websites but it can be easily modified to steal credentials from any other website passing them via HTTPS, he said.
This malware strain has not been seen in the industry so far, Tokazowski added.
Neither PhishMe nor CSIS have yet been able confirm the number of infections or where the scammers are located. However, CSIS researchers have detected “money mule” accounts in Latvia, but those can also be systems hijacked by the cyber criminals to stash away the stolen money.
Users are urged not to open any attached .zip files within spam e-mails as this is the way the malware is delivered to the computer.