Dyre Wolf is no 2FA killer, say security professionals

News by Davey Winder

Just before the UK closed down for the extended Easter Bank Holiday weekend, IBM security researchers published a report warning about a malware campaign attacking online bank users.

The so-called 'Dyre Wolf' campaign uses a multi-layered approach to evade detection and gain account access. These include injecting new fillable data fields into online forms on target legitimate web pages, redirects to proxy clone pages and pop-ups to lure targets in the first place. What was arguably most alarming, however, was that apparently Dyre Wolf could also defeat two factor authentication (2FA) mechanisms. Reading the news stories that emerged it appeared that the malware was technically sophisticated enough to bypass 2FA, which would be very worrying indeed.

Further investigation revealed that 2FA is, in fact, far from dead in the water and actually Dyre Wolf is not as clever as you might think. The IBM threat report itself states that "in most cases of attacks on consumer accounts, Dyre uses its elusive technical means to serve the victim with fake messages on screen to lure them into providing personally identifying information (PII) and two-factor authentication(2FA) codes." Reading through the mechanisms it employs to accomplish this, the third injection scenario of 'on-the-fly server-side injection' provides the clues as to what is really happening with 2FA as it "allows the attacker to communicate with victims in real time, presenting them with carefully selected social engineering designed to complete a fraudulent transaction."

In other words, Dyre Wolf launches a quite literal man-in-the-middle (MiTM) attack with a real human being employing social engineering tactics on the phone to con the victim out of their random and time-limited 2FA codes.

“The Dyre malware uses a technique called browser hooking in order to perform a man-in-the-browser attack" Guillermo Lafuente, security consultant at MWR InfoSecurity, told SCMagazineUK.com "this is a well-known technique allowing an attacker to circumvent common protections that would otherwise be highly effective."

And there's no doubting that Dyre Wolf has been effective, with more than US$1 million (£600,000) reportedly stolen from bank accounts, but it's not really a new threat.

"None of the elements in this attack are new or sophisticated in their own rights" FireEye CTO Greg Day told SC, adding "what is interesting about the Dyre Wolf campaign was its use of techniques between telephone and online."

Mark James, a security specialist with ESET, agrees that this would fool some victims and so get around 2FA "but then it will get around most types of protection held by the individual" he insists. Or, as Rolf von Roessing, president of Forfa AG and past international vice president of ISACA, succinctly puts it "where end users voluntarily disclose sensitive information to another part, any authentication mechanism is defeated by definition."

So is Dyre Wolf, or any man-in-the-browser malware, a 2FA killer? We put that question to Gavin Millard, technical director at Tenable Network Security, who admits that "duping someone out of personal information and login credentials is unfortunately a well-known and well-trodden approach by attackers" adding "why target a system protected by a multitude of security controls that can be difficult to circumvent when you can target a human who can be easy to manipulate?"

Catalin Cosoi, chief security strategist at Bitdefender, puts part of the Dyre Wolf success down to the fact that it installs itself onto the target computer and becomes active only after the user enters credentials into a specific banking site, which helps with the con. "Users can add an extra layer of security" Cosoi advises "by using an SMS confirmation service to receive the real details of their transaction and thus help identify any suspicions payments."

Ultimately though, security professionals appear to agree with Ian Trump, security lead at LogicNow, who concludes that 2FA is not defeated or rendered useless because of this malware. "Despite declarations of this being a sophisticated attack" he told SC. "I view it as back to the basics cyber-crime. The malware activates and presents the victim with a message that there is a problem with the account and they're to call a toll-free number." All that Dyre Wolf really does is remind us that the weakest link in the security chain is the user, and their susceptibility to being conned.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews