GCHQ has alerted banks and major companies targeted by “Dridex” virus which mines sensitive financial data
British cyber-security experts have uncovered a trove of hundreds of millions of email addresses being used as a hitlist by criminals stealing financial data from banks, government bodies and other corporates.
Specialists at GCHQ have been alerting companies named in the files, as an international investigation seeks to track down those using it.
The vast database of 385 million addresses was uncovered by the IT services giant Fujitsu, after following a trail from major clients who had fallen victim to hackers.
The email addresses were being used to distribute a “Trojan” virus that allows criminals to take remote control of computers to harvest passwords and sensitive financial data.
The attack was global but particularly targeted the UK.
Michael Keegan, chief executive of Fujitsu’s British arm, said the company’s investigation had found that the Trojan virus, known as Dridex, was particularly prevalent on the computers of “staff who are typically churning through accounts”, making it an unusually serious threat to corporates.
In collaboration with anti-virus companies, Fujitsu’s specialists traced Dridex to a series of servers in Russia that were being used to direct it.
There, in April, they found the list of email addresses and have since been working with intelligence and law-enforcement agencies to shut down the servers and therefore the attack.
The disclosure comes after reports that a Russian and a Moldovan have been arrested in connection with the virus, and are now awaiting extradition to the United States.
The 30-year-old Moldovan man was detained in Paphos on Cyprus last week. His alleged co-conspirator, a 27-year-old Russian, was arrested in Norway.
According to Brian Krebs, a leading US cyber-security commentator, the men are believed to have links to an organised crime gang known as “the Business Club” that is accused of stealing more than $100m (£65m) from businesses around the world, using earlier versions of Dridex.
Mr Keegan said: “When you look at the data, you probably can’t name a company that wasn’t hit. The Dridex emails were being crafted to target finance departments, but we have to assume the list is for sale on the dark web.”