Researchers report that cyber criminals have used spam servers to send 19,000 malicious emails to UK customers of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander in an attempt to steal bank login details.

Containing the Dyreza banking Trojan – also known as Dyre – the phishing emails pose as a follow-up email from a tax consultant, asking the user to urgently download an attached file in order to complete a financial transaction. A second email asks the user to attach files to verify financial and personal details, while a third email is also sent. Attached to the emails is an archive containing a malicious .exe file.

Dyre shares many similarities with the infamous Zeus malware. This works by installing itself on the user’s computer and becoming active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service. Hackers inject malicious JavaScript code, allowing them to steal credentials and further manipulate accounts, all completely covertly.

If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page. The server will then respond with the compressed version of the web page with malicious code added to it. This altered web page is then displayed on the victim’s web browser. Its appearance remains exactly the same, but the added code harvests the victim’s login credentials.

Phishing threat to businesses

Phishing emails are a major problem for companies, as staff are often unaware of the risks clicking on links or opening attachments from unknown senders.