What moti­vates online crim­i­nals? Mon­ey, of course. Based on recent research by cyber intel­li­gence firm buguroo, you can make a lot of mon­ey spread­ing mali­cious code around the Inter­net. The crooks who dis­trib­ute the bank­ing Tro­jan Dridex make about US$800,000 for every 16,000 stolen cre­den­tials. Based on the num­ber of cam­paigns they are able to con­duct, they’re steal­ing over US$50 mil­lion per year.

Here’s how their illic­it busi­ness works:

Cred­it: buguroo

What exact­ly is Dridex? Webo­pe­dia explains:

Dridex is a strain of bank­ing mal­ware that lever­ages macros in Microsoft Office to infect sys­tems. Once a com­put­er has been infect­ed, Dridex attack­ers can steal bank­ing cre­den­tials and oth­er per­son­al infor­ma­tion on the sys­tem to gain access to the finan­cial records of a user.

Won­der­ing what it looks like to be a tar­get of a Dridex infes­ta­tion?

Dridex oper­ates by first arriv­ing on a user’s com­put­er as a mali­cious spam e‑mail with a Microsoft Word doc­u­ment attached to the mes­sage. If the user opens the doc­u­ment, a macro embed­ded in the doc­u­ment sur­rep­ti­tious­ly trig­gers a down­load of the Dridex bank­ing mal­ware, enabling it to first steal bank­ing cre­den­tials and then attempt to gen­er­ate fraud­u­lent finan­cial trans­ac­tions.

Here’s a screen shot of an infect­ed email:

Cred­it: buguroo

Would you open this attach­ment and enable the macros? Would your CFO? We know plen­ty of peo­ple are open­ing it, oth­er­wise the crim­i­nals would switch to anoth­er line of attack.

Your best defense is to train your peo­ple to be skep­ti­cal of unex­pect­ed emails. Pick up the phone and ver­i­fy or ask a co-work­er to give it a sec­ond look. You could also strip such attach­ments from inbound email, but that might cause too much trou­ble for your busi­ness.

What are you doing to pro­tect your­self? To detect Dridex infes­ta­tions?