Like a coach turning to an old playbook, fraudsters have resurrected an e-mail spam method to attempt to steal personal and card data from bank customers in the U.K.
Researchers at Chicago-based security firm Trustwave discovered a massive attack targeting victims in the U.K. in which fraudsters sent nearly 15,000 e-mails during a peak period in November 2014.
Trustwave researchers plan to post their findings in a Jan. 8 blog post outlining how the criminals try to trick e-mail recipients into opening attachments and enabling a macro that downloads Dridex, a malicious program used to generate fraudulent transactions or steal banking credentials.
Once Dridex is on a computer, fraudsters can update it to conceal it from the victim, while monitoring and accessing all types of data to find financial information and payment card credentials.
The malware and macro code were written only for the Windows operating system, said Rodel Mendrez, security researcher at Trustwave.
"The bad guys can definitely target any regions or country or brand," Mendrez said, explaining why only the U.K. is targeted at this time. However, the fraudsters sent spam themes not specific to the U.K. prior to this recent attack, he added.
Researchers said they had not seen the Dridex malware downloaded from a remote web server in a few years, but these fraudsters are using that method again while hiding the macros to avoid detection.
The spam e-mails generally pretend to alert the recipient to fake invoices (such as for a utility bill or an Amazon.co.uk order) or other documents embedded with malicious macros, Trustwave said.
Victims must enable macros in order for the malicious documents to work, and the documents may contain instructions on how to enable macros.
Part of the blog post provides information to IT professionals on how to reveal the hidden macros and keep Dridex from sitting undetected on a customer's network.
In addition to monitoring malware attacks through e-mail spam, Trustwave researchers and "ethical hackers" monitor hardware common at banks to determine how attackers may attempt to exploit those devices.