Dridex banking malware adds a new trick

Dridex is targeting at least 13 British banks

Dridex, the banking malware that won't go away, has been improved upon once again.

IBM's X-Force researchers have found that the latest version of Dridex uses a DNS (Domain Name System) trick to direct victims to fake banking websites.

The technique, known as DNS cache poisoning, involves changing DNS settings to direct someone asking for a legitimate banking website to a fake site.

DNS cache poisoning is a powerful attack. Even if a person types in the correct domain name for a bank, the fake website is still shown in the browser.

"By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised," wrote Limor Kessem, a cybersecurity expert with IBM's Trusteer division, in a blog post on Tuesday.

It appears Dridex's operators may have adopted the technique from a different banking trojan called Dyre, Kessem wrote. Dyre used a local proxy to accomplish the redirection, however.

Dridex's operators have created clones of the websites of 13 U.K. banks, which are used in the attacks.

After landing on one of the fake sites, Dridex collects the authentication credentials and two-factor authentication codes. The details are sent to a command-and-control servers and are verified.

If more information is needed from a victim, Dridex can inject new fields into the fake website to ask for more information, Kessem wrote.

"The fraudsters initiate the illicit transaction while the victim is being delayed by the social engineering injections on the fake site," she wrote. "In cases of successful information harvesting, the money is moved from the victim’s account to a mule account."

Dridex has proven to be a resilient foe despite law enforcement action last year by the U.S. and U.K. that took down part of its network.

The U.S. Department of Justice said on Oct. 13 it was seeking the extradition of a 30-year-old Moldovan man, Andrey Ghinkul. Prosecutors allege he used Dridex malware to steal US$10 million from U.S. companies and organizations, according to an indictment.

Security experts noticed that the number of emails with attachments containing Dridex dropped earlier that month, but the activity quickly resumed again. Victims are infected if they open a manipulated Microsoft Office document.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?