A “hitlist” of 385 million email addresses used by the cyber-crooks behind the Dridex banking Trojan, released by CERT UK, has indicated that the Russia-based gang are targeting banks, companies and government agencies in the UK.
The email addresses were scraped by Fujitsu from a server hosted in Russia while it was tracking Dridex activity. The Trojan, which is used by the gang to collect banking login and other details, is spread via targeted phishing campaigns, with emails bearing the Trojan in an attachment and a message designed to persuade the recipient to open it.
According to Fujitsu, at one point, the gang was conducting as many as 12 different phishing campaigns every day in a bid to propagate the Trojan.
Fujitsu claims that it stumbled upon the cache of emails as a result of a security investigation conducted on behalf of an affected client. One of the campaigns conducted by the cyber-criminals targeted the UK in particular.
According to Fujitsu, the campaign focused on individuals working in accounts-based roles in UK government agencies, corporates and banks, and the Trojan was embedded within an infected spreadsheet.
“The key message from this is that we hear about all these security breaches at companies and it’s just the email address that has been taken. People say ‘Well what value does that have to criminals?’,” Brian Honan, head of Dublin-based BH Consulting, told SCMagazine.
He continued: “This is a prime example of why all the information companies host and manage does have a value. Active email addresses are valuable to criminals because they know these are real-life people they could target for phishing schemes or malware attacks such as this.
“It’s a message to even small companies that your customer email list, your newsletter list, is of high value to criminals and you need to protect it.”
Furthermore, while the gang may or may not be based in Russia, the vast majority of cyber-attacks certainly do come from non-EU Eastern Europe, and Russia has acquired a reputation for not cooperating in investigations into cyber-crimes committed outside of its borders.
Fujitsu’s UK enterprise and cyber-security director, Rob Norris, claims that the attackers are taking advantage of the weak link in many organisation’s security – users – and suggested that they need to improve their security training to alert staff to the threat.
According to the Daily Telegraph, GCHQ has contacted and alerted organisations with email addresses found on the list. Earlier this month, IBM warned about a similar Trojan that was being used on retail point-of-sale terminals, exploiting flaws in the PCI-DSS payment standards enabling them to scrape details held unencrypted in memory as payments were being processed.
Fujitsu has produced a video to warn organisations of the threat from banking Trojans, which they can use as part of their security training programmes.