Treasury Today Country Profiles in association with Citi

Ryanair the latest victim of Dyre Wolf malware?

Wolf watching out in the snow

With a new form of malware out there successfully targeting corporate bank accounts, cyber security issues are unsurprisingly a growing anxiety for the treasury community. But what is ‘Dyre Wolf’ and what can the treasurer do to help stop it?

It must be every treasurer’s worst nightmare. The back-office team is performing routine checks of bank statements when an unauthorised transaction shows up on a particular account. Soon it becomes apparent to everyone what has happened. Cyber crooks have somehow managed, undetected, to insert fraudulent requests in the company’s payments system, and successfully made off with a six figure sum.

This is the dreaded scenario which seems to have befallen the finance team at Ryanair. Although a full and detailed account of the incident has not yet surfaced (as is often the case with such incidents), the Irish Times reported last week that Dublin-based budget airline had recently fallen victim to hackers who had managed to siphon off $5m from one of its Chinese bank accounts using electronic funds transfer. The fraud apparently came to light last Friday after the Criminal Assets Bureau in Dublin was asked to assist in recovery of the funds (now said to be frozen) via its Asian counterpart.

It is rare when incidents such as these occur for the names of companies that have been defrauded, or specific sums, to be revealed. That does not mean that such incidents occur only infrequently, however; indeed, independent research has come to our attention in recent weeks which indicates that attacks targeting corporate bank accounts are a growing problem and that one particular campaign – known as Dyre Wolf – is exhibiting a very formidable success rate.

What treasurers need to know

According to a report by IBM, Dyre Wolf is a sophisticated malware campaign that is directly targeting corporate bank accounts where it is thought to have already stolen upwards of a million dollars (not including the possible Ryanair heist). Dyre Wolf may not be the first type of malware campaign to target corporate accounts, nor the last. The thing that makes this particular one noteworthy, however, is the nefarious group behind it. With what IBM describes as highly sophisticated infrastructure, manpower and knowledge of banking systems this group would seem to be particularly adept at stealing large sums of money. They are even known to use additional tricks, like social engineering via phone calls or denial of service (DDOS) attacks, to further the deception.

The fraud often begins in the inboxes of treasury staff. An email is opened containing some form of malicious email attachment which, once it runs, calls in the Dyre malware and deletes itself. Malware then inserts itself into a number of places in the user’s desktop, the most common and damaging place being the web browser. Then whenever the user innocuously attempts to log on to a banking site, it collects account details and other credentials.

That may not be enough to get past the increasingly sophisticated authentication procedures most large companies today use, however. So the fraudsters will then attempt, through various means, to prompt calls to malicious call centres so that they can socially engineer any remaining credentials they need to transfer funds from treasury staff directly. And should the company at any point get wind that a scam might be afoot, the criminals behind Dyre Wolf may well opt to launch a DDOS attack to try to buy them more time to transfer and hide the funds.

Phil Huggins, Vice President of cyber security experts Stroz Friedberg says it is the thought that has gone into each respective stage that has made Dyre Wolf a particularly difficult threat to defend against. “It’s been fairly high value transactions and pretty sophisticated cleaning of the money,” he says. “Once the money is gone it can be extremely difficult to call it back again. Clearly it has been very carefully thought through: somebody is taking it start to finish and it has actually become quite a sophisticated attack. And one which there is no silver bullet to protect against.”

Even so, there are steps treasurers and other finance staff can take to at least make life that little bit harder for the cyber crooks. An elementary first step is introducing two-factor authentication for all treasury transactions. That won’t offer absolute protection from a scam like Dyre Wolf which uses social engineering deceptions, but by having it in place treasury can at least be assured they are not handing over their accounts on a plate.

Educational programmes might also be advisable. This could entail experienced cyber professionals sitting down with every member of the treasury team, talking to them about the different types of malware campaigns – like Dyre Wolf – to look out for and explaining, for example, what they should do if a banking website they are using looks slightly different.

Unfortunately, Dyre Wolf’s ongoing evolution might mean the benefits of this course of action are somewhat limited, however. The problem, says Huggins, is that you can’t show someone exactly what to look for in advance because by the time you do, it will have changed. What you can say, however, is that if a website looks a bit different then stop and go and ask someone if you should continue. If you are asked to call a number, call the number in your records not the number appearing on your screen. Ultimately though there should be expert support – either internal or external – that the treasurer can call upon.

A final step, namely, the introduction of some form of monitoring system for high value transactions, is less a preventative measure, rather one that provides treasuries with the best chance of a redressing any frauds that occur. “When you move a million from a bank you will get a message from the bank saying that you’ve moved a million. When you get message back saying that you have moved a million twice, but you are only aware of one transaction then you quickly get back to the bank,” says Huggins. Given that the Dyre Wolf campaign is known to use DDOS attacks to paralyse IT infrastructures, preventing companies from taking steps to recover lost funds, any time gained between a breach and the company learning about it could be crucial.

Kyriba’s Tim Wheatcroft, who refers to Dyre Wolf in a recent blog post as “evil genius”, has also shared some pointers. Similar to Huggins, he says that the key is to have well-established processes, effective security processes (multi-factor authentication, digital signatures etc), cyber-aware staff and regular drills to highlight any weaknesses in the above.

This is all useful advice. However, as all cyber experts are keen to emphasise, the threat from malware attacks on corporate bank accounts like Ryanair’s – be it by Dyre Wolf or some other malicious Trojan – is one which is constantly evolving. The unfortunate reality is that no matter what steps are taken by treasuries and corporate security, the hackers are always likely to remain one step ahead, adjusting their strategies to counteract or get around any obstacle that is put in their way.

The very best thing a treasurer or any other finance professional can do, therefore, is to be cognisant of the threat, constantly vigilant, and consult with the company’s security team on a more regular basis. As Huggins explains, “the key thing to get across here is that treasurers are high value targets, and they are people who the security team within an organisation should be investing time and money in protecting.”