
Is Dridex the Most Dangerous Banking Trojan? Symantec's Haley on What Makes This Malware so Effective
Kevin Haley, director, Symantec Security Response

Think spam is an ineffective way of spreading malware? Think again. Researchers at security firm Symantec say the moneymakers behind the banking Trojan Dridex are successfully infecting thousands of users worldwide on a monthly basis, purely through spam.

In a new report on Dridex, these researchers point out how stealthy spam campaigns have pushed Dridex to the top of the list among the world's most dangerous banking Trojans.

"We think Dridex is the most dangerous, mainly because of its prevalence," says Kevin Haley, director of Symantec Security Response, where he oversees security content gathered from Symantec's Global Intelligence Network.

In the new report, released Feb. 16, Symantec notes that while overall spam rates have declined globally, Dridex attacks continue to be waged exclusively through spam, and they're primarily targeting victims in English-speaking countries.

"Overall, the spam rates globally have been going down consistently every year," says Haley in this interview with Information Security Media Group. "In fact, we hit a point where less than half of all email in 2015 was actually spam."

That's good news, he says.

"But this group, clearly, is very successful at spam, and we think a lot of that has to do with the effectiveness of their social engineering," Haley adds. "They continue to tinker and tinker and tinker to find out what works. And they've come up with a formula, and they're really being successful with it."

What's more, the number of Dridex attacks being waged through spam has increased, in spite of the overall decrease in spam, he says.

"We can see one to three different campaigns being run every single day," Haley says. "And each one of those campaigns can send out 200,000-300,000 emails."

Even though all of those emails are typical spam emails - meaning they are indiscriminate and not targeted at a specific user - they're proving effective, he says.

And because these campaigns spoof well-known brands very convincingly, unsuspecting users are falling for the spammed requests, even though the messages are not targeted.

"We are seeing about 300 different financial organizations being targeted," he says. "You have to remember that in a global economy, there is a global underground economy. So we see emails that come in that don't have typos or bad grammar. The other thing is they are very good on the subject. Most of these emails have something to do with an invoice. And the domains these emails appear to come from look dead-on correct."

During this interview, Haley also discusses:

  • Steps businesses and consumers should be taking to ensure their spam filters catch more of these spoofed emails;
  • Why researchers and law enforcement are confident that the threat actors waging Dridex attacks are very skilled;
  • Where law enforcement believes the group or groups behind Dridex are most likely based.

At Symantec, Haley educates customers about security issues and incorporating security content into Symantec's enterprise and consumer product lines. Haley also serves as the technical advisor for the Internet Security Threat Report (ISTR).
