UK government agencies and banks feature prominently on a ‘hitlist’ of 385 million email addresses that has been used by Russian-based cyber-criminals to spread the Dridex banking Trojan.
News of the attack has just emerged, after Fujitsu first discovered the target list in April. Since then, it has been working behind the scenes with anti-virus companies and law enforcement agencies to trace and shut down the servers involved.
Rob Norris, Fujitsu's UK enterprise and cyber-security director, confirmed to SCMagazineUK.com this week that it found the 385 million email addresses on a server hosted in Russia as part of its activity tracking Dridex over the past few months. In that time, Fujitsu has seen as many as 12 different Dridex phishing campaigns in one day.
“The attack vector is huge for these cyber-criminals and they have a big user list to aim at,” Norris told us via email. “A high number of email addresses were recently found within Government agencies and we have worked with the Government to get those servers closed down.”
According to a 12 September ‘Telegraph’ report, the campaign was so severe that UK intelligence agency GCHQ stepped in to help alert those named on the list. Fujitsu discovered the massive database after following a trail from major clients who had fallen victim to hackers. The campaign was global but targeted the UK in particular.
Fujitsu said the targets have been mainly people in accounts roles in UK-based banks, government agencies and other corporates.
And a YouTube video from the company warns that Dridex hackers are using socially-engineered phishing emails to spread the Trojan through infected spreadsheet attachments.
If the intended victim opens the spreadsheet and enables macros, Dridex will sit on their machine and capture any online banking details they reveal, either through keystroke monitoring or by taking a snapshot of their computer screen.
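The infection chain described above only becomes dangerous once the recipient enables macros, which makes the attachment itself a useful place for mail-gateway triage. As an added example, not code from the article or from Fujitsu, the following Python checks whether an Office Open XML spreadsheet carries a VBA project (stored as the `xl/vbaProject.bin` part of the zip container) and flags workbooks whose file name does not declare macros; the function names and the in-memory sample workbook are constructed for this demonstration.

```python
import io
import zipfile

# Office Open XML spreadsheets are zip containers; a VBA macro project,
# when present, is stored under this part name inside the archive.
VBA_PART = "xl/vbaProject.bin"
# Extensions Excel uses for macro-enabled workbooks.
MACRO_EXTENSIONS = (".xlsm", ".xlsb", ".xltm", ".xlam")


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML spreadsheet bytes contain a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return VBA_PART in archive.namelist()
    except zipfile.BadZipFile:
        # Not an OOXML container (legacy binary .xls, or not a spreadsheet).
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify a mail attachment as 'macro', 'mismatch' or 'clean'."""
    name = filename.lower()
    macros = has_vba_project(data)
    if macros and not name.endswith(MACRO_EXTENSIONS):
        # A VBA project inside a file whose extension does not declare
        # macros (e.g. .xlsx) deserves a closer look than the name suggests.
        return "mismatch"
    if macros:
        return "macro"
    return "clean"


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal spreadsheet container for the demo (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for a VBA project; not executable.
            archive.writestr(VBA_PART, b"constructed placeholder, not VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.xlsx", False), ("invoice.xlsm", True), ("invoice.xlsx", True)]
    for name, macros in samples:
        print(name, triage_attachment(name, build_sample(macros)))
```

A gateway would typically quarantine or strip anything returning "macro" or "mismatch" for recipients in the accounts roles the article identifies as targets.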
Commenting on Fujitsu's find, independent cyber expert Brian Honan, head of Dublin-based BH Consulting, told SCMagazineUK.com: “The key message from this is that we hear about all these security breaches at companies and it's just the email address that has been taken. People say ‘Well, what value does that have to criminals?’
“This is a prime example of why all the information companies host and manage does have a value. Active email addresses are valuable to criminals because they know these are real-life people they could target for phishing schemes or malware attacks such as this.
“It's a message to even small companies that your customer email list, your newsletter list, is of high value to criminals and you need to protect it.”
Honan said the fact that the database servers are in Russia is a typical ‘modus operandi’ for cyber-gangs. “They will host their servers in countries and areas which may not be fully co-operative with Western law enforcement,” he said.
“From a European point of view the majority of financial-based cyber-attacks do come from eastern Europe, Russian-based cyber-gangs.”
But he said that because the servers are in Russia, it doesn't necessarily mean the criminals are too.
Cyber expert Paul Ducklin, senior security advisor at Sophos, also saw Fujitsu's discovery as a warning.
He told SCMagazineUK.com via email: “385,000,000 email addresses is one heck of a ‘hitlist’. Indeed, it's a powerful reminder to anyone at home or with a small business who thinks that ‘no cyber-crook will be interested in little old me’. Think again, folks!
“If a crook can attack you automatically at a cost measured in tiny fractions of a penny, then even if they only stand to sting you for £20, they're going to try it. Unfortunately, many victims go down for much more than that.”
Rob Norris told SC: “The Dridex banking Trojan represents the scale of the issue we are facing – and the manner in which cyber-criminals can gain access to accounts.
“Banks have traditionally had extremely good security posture with multiple layers of defence in depth. But they have a weak spot – users. Socially engineering users into opening an email is an easier attack vector for a cyber-criminal.”
Norris said that, as the threat continues to get more advanced, “The financial sector must consider deploying behavioural-based security technologies. A good user education programme for staff on the dangers of email would go some way to reducing this risk.”
We asked GCHQ for confirmation of its involvement. A spokesperson said that it does not comment on intelligence matters.