The Game of Thrones-Inspired Malware That Will Massacre Your Bank Account

A cyber gang specializing in ripping off online banking accounts has been successfully executing a multistep campaign to pull off six- and seven-figure heists from the accounts of small- and mid-size businesses, as well as large enterprises.

This intel comes from IBM Security in a report disclosing details of a gang using the Dyre family of malware, which has been widely used for routine man-in-the-middle attacks, by which the attacker manipulates online transactions.

This particular campaign, dubbed Dyre Wolf by IBM, has been conducted at a modest scale compared to the Carbanak cyber gang that has pilfered an estimated $1 billion from more than 100 banks globally, according to Kaspersky Lab. The Carbanak gang infiltrated bank networks, reprogrammed servers, and remotely triggered ATM machines to spit out cash.

The Dyre Wolf gang, by comparison, has been taking aim at small and mid-size businesses, doing intel to figure out who they bank with and what kind of transactions they do online, and then using a combination of techniques to trigger wire transfers of $500,000 to $1 million.

IBM did not estimate a total take for the Dyre Wolf gang, nor how many were hit. But the damage to the businesses, especially small and mid-size companies, obviously has been material, if not crippling.

dyre wolf malware
Starting last year, these criminals began targeting people working in certain companies and sending them phishing emails crafted to get them to click on an attachment carrying a variant of the Dyre malware.

Dyre stays dormant until the victim navigates to a bank website. It then loads a spoofed page with a faked alert that the bank’s site is having problems. The victim is then instructed to call the displayed phone number.

An English-speaking operator—part of the criminal gang—is standing by with a script to talk the victim into divulging account details needed to quickly trigger a large wire transfer.

“One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as,” says IBM researcher John Kuhn. “This all results in successfully duping their victims into providing their organizations’ banking credentials.”