Last week, IBM Security reported on an active phishing campaign, named Dyre Wolf, that has successfully stolen more than $1 million at a time from targeted enterprise organizations. The heist uses advanced social engineering tactics geared to circumvent two-factor authentication to quickly penetrate targeted organizations and spread Trojans using their victims’ email contacts lists.
Most banking Trojans target individuals, but Dyre has always been used to target organizations. The spear phishing campaigns were used to initially infect employee workstations with the Upatre downloader. According to IBM, once infected, this pulls down the Dyre Trojan which starts monitoring the machine and records which bank sites are accessed. As part of the installation, the Dyre malware establishes persistence by creating a service innocuously named “Google Update Service”. This service is set to run automatically each time the system restarts.
This is not the only damaging spear phishing attack that has had serious consequences for businesses. The very aggressive “Pacman” ransomeware uses a highly-targeted spear phishing attack using Dropbox as a delivery mechanism. It only takes one click to infect a workstation and a victim has just 24 hours to pay the ransom in Bitcoin.
What can your business do to combat these phishing attacks?
Organizations will remain only as strong as their weakest link. Proactive end-user education and security awareness training continue to be critical in helping prevent incidents like those described above:
- Train employees on security best practices and how to report suspicious activity.
- Consider conducting periodic mock-phishing exercises where employees receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack. Use these findings as a way to discuss the growing security threats with employees.
- Offer security training to employees to help understand threats and measures they can take to protect the organization.
- Provide regular reminders to employees on phishing and spam campaigns and that they shouldn’t open suspicious attachments or links from both work and personal emails.
- Train employees in charge of corporate banking to never provide banking credentials to anyone. The banks will never ask for this information.
Teaching employees to be aware of an organization’s security requirements can be one of the most effective ways to enhance the company’s overall security posture. Contact ACE IT Solutions at 646.558.5575 or firstname.lastname@example.org to set up security awareness training for your employees. We can also set up mock phishing exercises to help your organization see which employees are most likely to fall for phishing attempts.