FBI issues bulletins on Dyre and Carbanak malware

Reposted by permission from the American Bankers Association 

Please note: Your bank/company must be a member of the American Bankers Association (ABA) and have login access to aba.com in order to view the asterisked (*) links for the FBI Private Industry alerts. 

According to an article on AmericanBanker.com (not affiliated with the ABA), the Dyre malware is being used together with social engineering to get around the two-factor authentication that banks typically require for large wire transfers. As a result, $500,000 to over $1 million at a time has been stolen and moved into offshore accounts. Click to read the full article on americanbanker.com.

Bulletin from the ABA: 
The FBI released several updates and bulletins to the banking industry regarding two different malware families: Dyre and Carbanak/Anunak. 

The FBI Cyber Division’s Private Industry Notification provides an overview of a new banking Trojan, Dyre, which combines web injects and bank impersonation to initiate fraudulent international ACH and wire transfers, primarily to businesses located in China, Hong Kong, Latvia, and Turkey. According to the PIN, Dyre (also known as Dyreza, Dyranges, Dyzap, and Battdil) has become one of the most prominent banking Trojans in the cyber underground, and as of mid-December 2014, security researchers estimated Dyre has targeted more than 242 financial institutions worldwide. Read more

In a related FBI Liaison Alert System (FLASH) Message bulletin, the FBI outlines technical details and indicators associated with the Dyre malware that were involved in past intrusion activity and may be used in future attacks. Read more

Another FLASH Message outlines information the FBI and the U.S. Secret Service received through private sector partners pertaining to the Carbanak/Anunak malware, which may be used to target American financial institutions, payment systems, ATMs and/or the retail sector. Carbanak/Anunak is a banking Trojan that steals user information and access credentials. Open source reporting indicates Carbanak/Anunak has mainly targeted foreign financial institutions in Eastern Europe and Russia. Read more

ABA Insurance Services wants to remind you that, as a general best practice, it is critical that all bank employees follow security and verification procedures in every instance. Implementing standard procedures is a best practice, and they should be followed for all transfer activity or requests in an effort to prevent or mitigate fraud. Required verification procedures should correspond to the risk associated with the request: an email or phone request should be reviewed in more detail than an in-person request, because a criminal may have gained access to a compromised email account and be using it to impersonate your customer.

Many well-documented stories of large losses involved out-of-pattern requests. Encourage front line employees, especially those in call centers, to put transaction requests through a common sense test before executing:  

  • Is the caller hesitating in answering identity confirmation questions? 
  • Does the request include a demand that funds be sent immediately due to an "emergency event"?
  • Is pressure being put on the employee to react quickly?
  • Does the request seem out-of-pattern with the customer’s account behavior? For example, has the customer ever requested a wire transfer or is this the first time? 
  • Has there been a time lapse between the current request and the most recent activity? 
  • Is the dollar amount in question unusually high compared to prior activities? Is it an international transfer or check request? 

If the answer is “yes” to any of the above, the request should be elevated for higher-level review, especially one involving an international transfer. Once an international transfer has been made, it is nearly impossible to recall the funds after the fraud is discovered.
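The common sense test above can be encoded as a triage rule for a call-center or back-office workflow. The following is an added example, not code from the ABA or the FBI bulletins; the customer history, the 90-day lapse threshold and the "3x the largest prior transfer" amount threshold are assumed values, and the sample requests are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Customer:
    account_id: str
    prior_wire_count: int      # outbound wires previously sent by this customer
    prior_amounts: list        # amounts of recent outbound transfers (constructed history)
    last_activity: date        # date of the most recent account activity

@dataclass
class TransferRequest:
    customer: Customer
    amount: float
    international: bool
    channel: str               # "in_person", "phone" or "email"
    requested_on: date
    urgency_claimed: bool      # requester cites an "emergency" / demands immediate send
    id_hesitation: bool        # employee observed hesitation on identity questions

def red_flags(req, lapse_days=90, amount_multiplier=3.0):
    """Return the red flags triggered by a request (thresholds are assumed values)."""
    c, flags = req.customer, []
    if req.id_hesitation:
        flags.append("hesitation on identity confirmation questions")
    if req.urgency_claimed:
        flags.append("demand for immediate funds / emergency event")
    if c.prior_wire_count == 0:
        flags.append("first wire request for this customer")
    if (req.requested_on - c.last_activity).days > lapse_days:
        flags.append("time lapse since most recent activity")
    if c.prior_amounts and req.amount > amount_multiplier * max(c.prior_amounts):
        flags.append("amount unusually high versus prior activity")
    if req.international:
        flags.append("international transfer")
    return flags

def triage(req):
    """Any red flag elevates the request; international ones get priority review.
    Remote channels without flags still get more scrutiny than an in-person request."""
    flags = red_flags(req)
    if flags:
        return ("elevate-priority" if req.international else "elevate"), flags
    if req.channel in ("phone", "email"):
        return "enhanced-verification", flags
    return "standard", flags

def sample_requests():
    """Constructed sample data: a dormant account asking for a large urgent
    international wire by email, and an established customer's routine domestic wire."""
    dormant = Customer("A1", 0, [], date(2015, 1, 5))
    regular = Customer("B2", 12, [20000.0, 25000.0, 18000.0], date(2015, 5, 20))
    return {
        "suspicious": TransferRequest(dormant, 750000.0, True, "email", date(2015, 6, 1), True, False),
        "routine": TransferRequest(regular, 22000.0, False, "in_person", date(2015, 6, 1), False, False),
        "routine_by_phone": TransferRequest(regular, 22000.0, False, "phone", date(2015, 6, 1), False, False),
    }
```

Running `triage` over `sample_requests()` elevates the first request with four flags and passes the in-person request as standard, while the same request by phone gets enhanced verification.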

Any discussion relating to policy language and/or coverage requirements is non-exhaustive and provided for informational purposes only. For details on coverage provided by your specific policy, please refer to your policy.