The popular malware Dridex, which is currently targeting at least 13 British banks, has been improved upon once again. According to the X-Force researchers of IBM, the latest version of Dridex uses a new DNS trick to direct users to corrupted banking websites.
The Domain Name System technique, known as DNS cache poisoning, involves changing DNS settings to direct someone asking for a legitimate banking website to a fake site.
What is certain is that DNS cache poisoning is a powerful attack. Even if a PC user types in the correct domain name for a bank, the fake website is still shown in the web browser.
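A defender-side check for the redirection described above, added here as an example and not code from the IBM report or from the malware itself: it flags bank domains pinned in the hosts file and compares the configured resolver's answers against an independent resolver, treating only fully disjoint answer sets as suspicious so CDN-fronted sites do not trigger false alarms. Domain names and addresses are constructed placeholders.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Set

# Constructed placeholder domains, not the 13 banks named in the report.
WATCHED = {"bank.example", "online.bank.example"}

# Constructed hosts-file content in the shape a tampered machine might carry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# comment line
203.0.113.7 bank.example www.bank.example
::1         ip6-localhost
"""

def hosts_overrides(hosts_text: str, watched: Iterable[str]) -> Dict[str, str]:
    """Return {domain: address} for watched domains pinned in a hosts file.
    A bank domain should never need a static entry on a client machine."""
    watched = {d.lower() for d in watched}
    found: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)       # skip malformed lines
        except ValueError:
            continue
        for name in names:
            if name.lower() in watched:
                found[name.lower()] = addr
    return found

def resolution_mismatch(domain: str,
                        local: Callable[[str], Set[str]],
                        reference: Callable[[str], Set[str]]) -> bool:
    """True when the configured resolver's answers share no address with an
    independent resolver's. CDN-backed sites rotate addresses, so only a
    fully disjoint answer set counts; an empty answer is a lookup failure."""
    local_ips, ref_ips = local(domain), reference(domain)
    if not local_ips or not ref_ips:
        return False
    return local_ips.isdisjoint(ref_ips)

# Constructed answers standing in for real lookups (e.g. socket.getaddrinfo).
LOCAL_ANSWERS = {"bank.example": {"203.0.113.7"}, "cdn.example": {"198.51.100.4"}}
REF_ANSWERS = {"bank.example": {"198.51.100.10", "198.51.100.11"},
               "cdn.example": {"198.51.100.5", "198.51.100.4"}}

def demo_local(domain: str) -> Set[str]:
    return LOCAL_ANSWERS.get(domain, set())

def demo_reference(domain: str) -> Set[str]:
    return REF_ANSWERS.get(domain, set())
```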
On Tuesday, IBM’s cyber security expert Limor Kessem wrote:
“By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised.”
Dridex’s operators apparently adopted the technique from a different banking trojan called Dyre, although Dyre used a local proxy to accomplish the redirection, Kessem stated.
By now, Dridex’s operators have created clones of the websites of 13 U.K. banks, which are used in the attacks.
According to Kessem, once a user opens one of the fake websites, Dridex collects the authentication credentials and two-factor authentication codes. The details are sent to command-and-control servers and verified. If more information is needed from a victim, Dridex can inject new fields into the fake website to ask for it.
“The fraudsters initiate the illicit transaction while the victim is being delayed by the social engineering injections on the fake site,” she said. “In cases of successful information harvesting, the money is moved from the victim’s account to a mule account.”
Dridex has proven to be a resilient foe despite law enforcement action last year by the U.S. and U.K. that took down part of its network.
In October, the U.S. Department of Justice said that it was seeking the extradition of a 30-year-old Moldovan man, Andrey Ghinkul. According to prosecutors, he used Dridex malware to steal US$10 million from U.S. companies and organizations.
Earlier that month, security experts noticed that the number of emails with attachments containing Dridex dropped, but the activity quickly resumed. Users get infected when they open a corrupted Microsoft Office document on their computers.