News Stories (May-13-2016)
--Call center fraud spikes 45 percent as payment card security improves, study (May-12-2016)
Global call center fraud has increased more than 45 percent in the last three years as attackers use social engineering to steal data and turn profits, according to a recent Pindrop study.
The "2016 Call Center Fraud Report," which defines call center fraud as any interaction between a criminal and a call center agent, noted that recent data breaches, the rollout of chip cards in the U.S. and increased security in other channels have all contributed to the rise in fraud.
As a result, phone fraud losses have risen 14 percent since 2013, and in 2015 enterprises lost an average of 65 cents per fraudulent call.
“This means a call center that receives 40 million calls per year should expect to see somewhere between $17 million to $27 million in fraudulent transaction losses annually,” researchers said in the report.
To make matters worse, 72 percent of contact center executives expected the fraud loss trend will only continue upward, as already evidenced in the U.K., where the use of chip card technology has thwarted efforts to gain information and produce phony payment cards. As a result, miscreants have switched gears, plying their social engineering skills at call centers, where fraud rates have consequently doubled.
Director of Pindrop Labs David Dewey told SCMagazine.com that a subset of fraudsters who obtain stolen data use it to print phony payment cards, but improvements in security have forced them to "pivot" their strategies.
“Chip-and-PIN makes it harder” for them to reproduce phony cards using the stolen data so the bad guys are crafting social engineering attacks that target call centers of banks, retailers, credit unions, and other firms in order to make malicious transactions, he said.
Data stolen from breaches and phishing attacks may be used to carry out social engineering attacks used to commit call center fraud.
The report found that criminals might make up to five calls to a center, pretending to be the victim, before completing a fraudulent transaction. During the calls, the thief may attempt to identify accounts, trick agents into revealing more of the victim's information, change contact information and conduct other malicious deeds.
Call centers are easy targets because, Dewey said, most of the “call center agents are trained to provide a delightful experience” and not to spot suspicious behavior.
In addition, agents are also measured on the amount of time the calls take, which conflicts with taking the time needed to assess security risks.
Dewey said he has documented cases in which agents allowed criminals to guess birth dates, maiden names and other information that should have raised red flags.
--New PayPal phishing scam hooking victims (May-12-2016)
The research firm AppRiver is reporting that a new PayPal phishing scam is making the rounds, with this version using a phony security message to obtain personally identifiable information.
While spearphishing attacks have been grabbing most of the headlines lately, AppRiver researcher Troy Gill said the PayPal scam is instead casting a wide net to obtain sensitive data from as many people as possible. The supposed PayPal email informs the victim their account has been placed on a “limited” status with no activity allowed until certain information is confirmed.
The email has an HTML attachment that sends the recipient to a page where the personal data can be input, including name, address, mother's maiden name, payment card information, Social Security number and phone number.
Gill said the HTML page is a dead giveaway that this is a scam, but an unknowledgeable person might not realize PayPal would simply direct someone to their account page.
--Spearphishers using a Windows zero day to attack companies (May-12-2016)
FireEye believes a mature and sophisticated criminal operation has been responsible for conducting spearphishing attacks that resulted in more than 100 organizations in North America being victimized.
Starting in March the attackers utilized a Microsoft zero-day vulnerability (CVE-2016-0167) along with a previously unknown elevation of privilege exploit and what had been an unnamed point of sale memory scraping exploit, now named Punchtrack, to gain access to systems after performing a successful spearphishing campaign. The emails contained a malicious download called Punchbuggy, which is a dynamic-link library downloader for 32- and 64-bit computer systems.
The vulnerability was patched in April.
The FireEye threat research team of Dhanesh Kizhakkinan, Yu Wang, Dan Caselden and Erica Eng noted in their report that likely only one group is responsible for these attacks.
“In the past year, not only have we observed this group using similar infrastructure and techniques, tactics, and procedures (TTPs), but they are also the only group we have observed to date who uses the downloader PUNCHBUGGY and POS malware PUNCHTRACK. Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk,” the report stated.
The attacks tracked by FireEye have come frequently and are large in scale, which the researchers said shows a level of operational awareness paired with the ability to make changes to the malware on the fly.
Patches issued by Microsoft on May 10, along with other mitigating efforts, have stopped this specific group from continuing its attack using a Windows vulnerability.
"The underlying vulnerability (CVE-2016-0167) was indeed patched, and the vulnerable subsystem was further hardened against similar issues on this Tuesday. We are not aware of any ongoing attacks by this group that exploit other Windows vulnerabilities," Caselden told SCMagazine.com in an email.
--World Password Day: resources to help you on this special occasion (May-04-2016)
The 5th of May is World Password Day, the ideal opportunity to raise awareness of passwords with your organisation's staff and senior management.
This is the fourth year passwords have been honoured in this way. The event recurs annually on the first Thursday of May.
To help, we have compiled a few quick resources to help you make the most of this auspicious occasion.
The World Password Day website: here you can test the security of passwords, read advice and even watch videos about the importance of password security (1075 views on Youtube!) https://passwordday.org/
And Billy Austin, VP of security at LOGICnow, has shared a few tips on password safety:
Consider a Password Manager to store and generate passwords. Password Managers help employees generate sophisticated & unique passwords for each login.
Change all default passwords on vendor provided devices and applications. The most obvious example we can all relate to is the home wireless router where Admin is the login and 'Password' is the password.
Remove all account IDs and Passwords from terminated employees, avoiding unauthorized access. Today's plentitude of logins present a challenge to IT while attackers see this as a potential backdoor into the crown jewels - your data.
Intel has written a blog about the day: https://iq.intel.com/celebrate-world-password-day-2016/
It even has its own hashtag on Twitter: https://twitter.com/hashtag/PasswordDay #PasswordDay
--Gmail, Yahoo email credentials among millions found on the dark web (May-04-2016)
Hold Security is reporting that one of its researchers discovered, and then acquired, a mega-size load of 272 million stolen email credentials from a hacker.
The security research firm said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17 billion stolen credentials, from Google, AOL, Yahoo and Mail.ru, from various places on the dark web. When Hold's team boiled this list down, comparing the newly acquired data to data already in its possession, it found 272 million of the email credentials were unique with 42.5 million having never been disclosed. The remainder were already known to be compromised.
In spite of the huge volume of records that were found, the price paid to the hacker by Hold Security is even more amazing.
The original asking price was 50 Rubles, less than $1, but Hold bargained the hacker down.
“In all reality, 50 rubles is next to nothing, but we refuse to contribute even insignificant amounts to his cause. It is rather funny to negotiate over this, but finally the hacker just asks us to add likes/votes to his social media page (so much for anonymity). That we can do, and once he is satisfied with the results we get a link to an incredible 10 gigabytes in a compressed database, which takes us more than an hour to download,” Hold wrote.
Industry experts put forth several reasons for the hacker giving away the data, ranging from it being a supply and demand issue to the fact that they were unverified and thus possibly worthless to a buyer.
“My guess is the credentials were either unverified or specifically stale (abandoned accounts, for instance). He probably gathered it from dumps of previous breaches of other vendors, so it's likely that he didn't do the work of stealing the data so much as he probably just garbage-collected it from around the web,” Lysa Myers, Security Researcher at ESET told SCMagazine.com in an email.
Jonathan Cran at Bugcrowd said in an email to SCMagazine.com the emails could still prove useful, but “the half life of stolen credentials is decreasing as SaaS providers such as mail.ru or Gmail get faster at invalidating them.”
“These kind of mail credentials are useful for spammers and scammers who utilize accounts to spread malware and further their own access,” Myers pointed out.
--Mobile devices still vulnerable to attack, report (May-02-2016)
New mobile attacks can work around two-factor authentication on Android phones and inject malware onto iOS phones, according to a blog post from Check Point reporting on demonstrations at BlackHat Asia.
Attackers, the post said, can push rogue apps to Android devices of any Google services user. These allow the miscreants to steal incoming text messages. This despite a security feature put in place to block this scheme, namely deactivating the app's broadcast receivers – an Android API – until the user first opens the app.
Hackers get around this defense by replacing a bookmark on the user's device with a URL redirecting to malicious activity, so attackers bypass two-factor authentication (2FA) and have no need to activate the malware. And, because the attack is launched from a compromised PC browser, access to the device itself is not needed.
In the case of iOS devices, attackers can brick devices running versions before 9.3 by creating their own spoofed hotspots, as these devices are programmed to connect automatically to known Wi-Fi hotspots. Once an iOS device is connected, it continually checks time and date settings via Network Time Protocol servers. Attackers can brick the device by resetting the time to 1.1.1970 (epoch zero), an old bug in iOS.
Another iOS vulnerability was demonstrated on non-jailbroken devices running uncertified code signed with a developer certificate. Using readily available open source tools, miscreants can install what appears to be a legitimate app, but in actuality has malware loaded in. When installed, the "bad" app will hide the icon of the legitimate app and so evade standard security protocols as well as dupe the user into accepting it.
The point, the Check Point researchers said, is to use advanced security solutions.
--New ransomware demands payment in iTunes, targets older Android software (Apr-26-2016)
A new malware type has been spotted in the wild that features a couple of original moves not seen yet by researchers: it is self-installing, and the cybercriminals require that the ransom be paid in iTunes gift cards.
Researchers at Blue Coat said the cybercriminals are using ELF, aka Towelroot, exploits along with some tools from the leaked Hacking Team exploit-kit inventory to spread Dogspectus ransomware. The download is achieved through malicious ads that are served onto the device through a series of redirections that usually start with a malvertising ad call, said Blue Coat researcher Andrew Brandt to SCMagazine.com in an email Tuesday.
What happens next caught Brandt by surprise. Instead of showing the usual “application permissions” dialog box that spurs the victim to act and thus download the malware, this malware simply installs itself.
“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim,” Brandt wrote.
Brandt noted that devices running newer versions of Chrome, downloaded properly from the Play market, do not appear vulnerable, while those running out of date 4.x variants are susceptible. Blue Coat is continuing its research to see if the malware successfully infects newer versions of Android.
The attacks are believed to have begun in February.
Once installed and ready to act the ransomware displays an iTunes graphic claiming the device has been locked by a supposed law enforcement group such as the “America national security agency” or “Nation security agency” with the demand for $200 to be paid using iTunes gift cards.
The device is not encrypted, just locked, and if it is connected to a computer, photos, music and other files can be removed.
“Use of iTunes gift card codes is extremely unusual. Early ransomware asked for money transfers via Western Union moneygram, then they all switched over to Bitcoin. This is the first ransomware I've seen that asks for this specific type of gift card to be used for payment,” Brandt said.
--Info on 1.2M BeautifulPeople.com users sold on dark web after breach (Apr-26-2016)
The personal information of 1.2 million members of the “exclusive” dating site BeautifulPeople.com has surfaced for sale on the dark web following a breach that occurred last year.
Haveibeenpwned creator Troy Hunt spotted the information, including names, passwords, sexual orientations, beauty ratings, dates of birth, drinking habits, education levels, email addresses, income levels, job titles, and other data, according to haveibeenpwned.
BeautifulPeople.com told SCMagazine.com in an emailed statement that the information for sale is from the initial breach and only involves data that was provided by members prior to mid-July 2015.
“All impacted members are, of course, being notified once again,” the statement said.
MacKeeper Security Researcher Chris Vickery, who initially discovered the data on an exposed company server in December 2015, told SCMagazine.com via email comments that the information was unprotected and accessible by an IP address when he found it.
He said the dating website simply published an open database into the world that was accessible to anyone with the IP address.
“The malicious people that have been selling it probably found the very same server and downloaded it directly from BeautifulPeople,” he said.
The dating website said that they are only aware of two security researchers, presumably Hunt and Vickery, accessing the data when the breach was reported to them last year.
BeautifulPeople.com initially said only “test servers” were compromised, according to Wired, but Vickery suggested this was done only to make the breach sound “less severe.”
“The server may have indeed been a 'test,' BUT they put real data into this 'test' server,” Vickery said.
Threat actors are sending the malicious downloaders using malicious .zip and .rar files disguised as invoices, corporate documents, tax information, and other seemingly benign files in order to spread the new downloader.
The new downloader is written in "more compact" script coding that allows attackers to encrypt the malicious code into .zip or .rar files multiple times, InfoArmor's chief intelligence officer, Andrew Komarov, told SCMagazine.com.
The malicious code bypasses anti-spam filters and anti-virus software through obfuscation, Komarov said.
Those behind the Locky malware didn't design the malicious downloaders but obtained them from a third party, he said, noting that 50 unique malicious downloaders can be purchased for between $1 to $25, making them an inexpensive way to spread the ransomware.
FireEye researchers observed the new downloader using a custom network communication protocol which, in their tests, only downloaded the Locky ransomware as its payload, according to an April 22 blog post.
The researchers went on to say that the downloader could be a new platform for installing other malware or for “pay-per-install” malware distribution.
--Report: Ransomware feeds off poor endpoint security (Apr-26-2016)
Poor endpoint security practices are only helping to propel the great ransomware epidemic of 2016—and if allowed to fester, this threat will spread to new vulnerable endpoints including IoT devices, cars and ICS and SCADA systems, according to a new report from the Institute for Critical Infrastructure Technology (ICIT).
The report, released last week, recommends adopting holistic endpoint security solutions—including signature-based and behavior-based anti-malware software, firewalls and intrusion detection and protection systems—as part of a multi-layered approach toward IT security. “Of the lines of network defense available to an organization, endpoint security is uniquely capable of stemming the growing ransomware menace,” the report reads.
ICIT warned that organizations become too easily disillusioned with endpoint solutions whenever they fail to thwart a systems breach within their industry. When this happens, security execs tend to look to bolster defenses elsewhere in the network.
In truth, however, endpoint security solutions remain a critical component of good IT fortification, just not by themselves, the report explains. “The biggest misconception of endpoint security is that it is the only solution needed. EPS is but one of the many pieces needed to reduce the potential of a system compromise,” Kevin Chalker, CEO of GRA Quantum, said in the report.
“The endpoint aspect is just a part of a layered security strategy; there's no silver bullet, although every time there's a big breach, charlatans come out of the woodwork selling a silver-bullet solution,” said James Scott, co-founder of and senior fellow at ICIT, in an interview with SCMagazine.com.
Some organizations also eschew endpoint solutions because they falsely believe they don't have data worth stealing on their network, the report continues. But the beauty of ransomware is that the affected data doesn't have to hold value to the cybercriminal—it need only hold value to the impacted company that desperately needs access to it.
Ryan Brichant, CTO of ICS at FireEye, an ICIT fellow, posited in an interview with SCMagazine.com that endpoint security technology has been around for so long that “it's not the sexy security sell,” while Malcolm Harkins, global CISO at Cylance and also an ICIT fellow, told SCMagazine.com he thinks that IT execs view older, traditional endpoint solutions as products that “deteriorate the user experience.”
ICIT predicted that ransomware, if left unchecked, will continue to propagate in new ways. For instance, the report says it “seems likely” that by the beginning of the second half of 2016, there will be a notable public case of bad actors using ransomware as a decoy, distracting the victim's IT resources while secretly exfiltrating sensitive data from affected machines. In such a scenario, the valuable data is the true end game, while the ransom—if ever paid—is essentially a bonus. “A lot of times we're seeing chatter on dark web forums that the most sophisticated [cybercriminals] don't care about getting the ransom paid” in a case such as this, said Scott.
The report also foresees ransomware locking up industrial control and SCADA systems in the near future. (SCADA—or Supervisory Control and Data Acquisition—systems enable the remote monitoring and control of industrial processes.) These operations technology (OT) systems are particularly vulnerable, as they are generally antiquated, and thus not equipped to thwart the latest cutting-edge threats. The difference between IT systems and OT systems, said Brichant, is that while IT systems are vulnerable to zero-day threats, OT systems are susceptible to “zero-decade threats.”
“The chances of us already having had a [ransomware] attack on these infrastructures are high,” Brichant added. It's just a matter of whether or not the affected industrial organization is willing to divulge the attack.
“I'm surprised that hasn't happened yet, frankly,” added Harkins, also referring to a ransomware attack on an ICS or SCADA system.
The report also predicted future ransomware attacks on IoT devices and Internet-connected cars. “Let's say I've got an electric ignition and… now I can't start my car until I've paid in bitcoin,” said Harkins, envisioning one possible ransomware scenario. “Or let's say I've got traditional keys, but the car uses a passcode or fob or my fingerprint to unlock the door.” A cybercriminal could theoretically take control of the locking mechanism and forbid entry until the ransom was paid, Harkins added.
--Microsoft vulnerability lets hackers bypass app whitelisting protections (Apr-25-2016)
A researcher has discovered a way for attackers to sneak remotely hosted, unauthorized applications—more specifically, COM (Component Object Model) objects—past Microsoft Windows' whitelisting security feature Applocker, by abusing the command-line utility Regsvr32.
Normally, Regsvr32 allows users to register Dynamic Link Library (DLL) files and ActiveX controls, but on his blog, Colorado-based researcher Casey Smith recently explained that hackers can place a malicious script block inside the registration tag, and then have Regsvr32 successfully execute the code. The trick works on the business editions of Windows 7 on up.
No administrator access is required to perform this workaround, and the process does not alter the system registry, making this vulnerability-based hack a difficult one to detect.
--Researcher finds backdoor that accessed Facebook employee passwords (Apr-23-2016)
A Taiwan-based security researcher, known as "Orange Tsai," who was awarded a $10,000 bug bounty in February published a report detailing the exploits that led to his discovery of illicit code on a Facebook server.
A consultant at the security firm Devcore, Orange Tsai said he discovered malware that provided access to Facebook employees' passwords, which had been used by a remote attacker to gain access to employee emails and shared files.
The accessed information appears not to have compromised Facebook users. The researcher wrote that he noticed that Facebook's server used Accellion's web-based Secure File Transfer service, a web application that, while popular among large companies like Facebook, has previously been found to contain serious security issues.
This caught the researcher's attention, and led him to look for potential vulnerabilities in the file transfer application. He ultimately discovered several vulnerabilities, including a SQL injection flaw that enabled remote code execution. Accellion patched the vulnerability in February.
A member of Facebook's security group wrote on Hacker News that Facebook did not have full control of the software, so it was run isolated from systems that host the company's user data. “We do this precisely to have better security,” wrote Reginaldo, the Facebook employee.
Once Orange Tsai gained access to Facebook's server, he explored the web server log files and noticed an unusual traffic pattern, which led to his discovery of the illicit code.
Reginaldo at Facebook continued, “After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.”
The situation is reminiscent of another incident Facebook faced last year, in which the company claimed that security researcher Wesley Wineberg unethically exploited a flaw to escalate another vulnerability.
In speaking with SCMagazine.com, Wineberg, a security consultant at Synack, said, “This researcher did exactly what I did.” However, the company has since updated its policy to explicitly prohibit researchers from escalating exploits in this way.
Wineberg said he finds it encouraging to see that “they are changing how they deal with researchers.”
--Cytegic finds ties between terror and cyberattacks (Apr-20-2016)
The terror attacks that struck Belgium and France also kicked off a period of increased cyber attack activity in both countries, according to a report by Cytegic.
The research firm's March intelligence report confirmed the company's prediction that cyber attacks would rise in these nations. Cytegic found political activist groups, like Anonymous, were the most active, followed by nation-states and cyber-terrorists or those affiliated with ISIS.
The most targeted industries after the attacks were government, media, banking, finance, critical infrastructure and defense. Cytegic noted that after the Brussels incident the primary actors were financial hackers, political activists, political cyber warriors and cyber terrorists. This was very similar to what happened after the November 2015 Paris incident.
“Our analysis not only confirmed our thesis regarding the effect the Brussels attacks had on the cyber-activity within Belgium, but it also revealed it resonated throughout the world, especially in North America,” Cytegic wrote.
--Report: Canada police decrypted a million BlackBerry messages (Apr-18-2016)
As part of its investigation into a 2011 murder, the Royal Canadian Mounted Police (RCMP) intercepted and decrypted around one million PIN-to-PIN BlackBerry messages, according to Vice News.
Court documents in the case revealed the extent of cooperation between BlackBerry Limited, formerly known as Research In Motion Limited, and telecommunications giant Rogers. The RCMP set up a server to intercept messages. BlackBerry's master key was then applied to decrypt the messages.
While the exact details of where the decryption key originated remain unclear, Crown prosecutors revealed the RCMP had access to the key since 2010. Lawyers for the government attempted in court for two years to prevent the information from becoming public.
While privacy advocates question the legal authority compelling service providers to cooperate with police in carrying out court orders, such as wiretaps and search warrants, it's unknown whether the RCMP maintains its surveillance capabilities.
--Report: Cybersecurity new atom bomb, says Apple co-founder Steve Wozniak (Apr-18-2016)
Cybersecurity is the greatest threat since the atom bomb, Apple co-founder Steve Wozniak said in an interview on the Australian TV news show Lateline.
And, he said, the threat is "getting worse and worse year by year."
In a wide-ranging interview, the man who in the early 1970s developed the first Apple computers with Steve Jobs, said, "Could they really take out our electrical system, turn off our internet?"
He also lamented the loss of privacy, saying the U.S. government's attempt to force Apple to decrypt the cell phone used by one of the San Bernardino killers was wrong.
"What if the FBI was able to go to any company any time they felt like it and said you have to build a product our way?" he said on Lateline.
Wozniak left his R&D role at Apple in the 1980s. He is now an adjunct professor at the University of Technology Sydney.
--Report: Feds staying mum on possible Firefox vulnerability (Apr-15-2016)
Experts are speculating that the FBI may be closely guarding a secret vulnerability in the Firefox browser that it can exploit for future law enforcement purposes, according to a Motherboard report yesterday.
The article refers to a network investigative technique that the FBI used to hack visitors of the Playpen child pornography website. That site runs on the encrypted Tor network, but an exploit that works on the Tor browser would also work just as effectively on Firefox, upon which Tor was built.
So far the U.S. Department of Justice has resisted a U.S. district court order to disclose the technique. In an interview with Motherboard, Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), said that by not disclosing the alleged vulnerability in such a popular global browser, “The government is essentially choosing to keep hundreds of millions of people vulnerable in case a few of them turn out to be criminals later.”
--The anatomy of a spearphishing scam, or how to steal $100M with a fake email (Apr-15-2016)
A lawsuit filed on April 14 by U.S. Attorney for the Southern District of New York Preet Bharara gives an insider's view on how frighteningly easy it is for a company to be duped out of a huge sum of money, in this case almost $100 million.
The civil forfeiture lawsuit was filed in federal court in New York City and is being brought on behalf of an unidentified American company that was suckered out of $98.9 million over a four-week period late last summer. Luckily, the majority of the money has already been recovered and this suit is specifically going after the remaining $25 million that is being held in at least 20 overseas banks, according to court documents.
“This is more than twice as large as any reported loss that we have seen,” Ryan Kalember, Proofpoint's vice president of Cybersecurity Strategy, told SCMagazine.com in an email Friday.
What this case perfectly illustrates is the step-by-step process a criminal can take implementing such a scam and all of the warnings that were ignored by the victim.
Considering the massive pile of money involved, the scheme itself was extremely simple and is used by cybercriminals every day, albeit normally to steal smaller amounts of plain old data. It was a classic spearphishing attack.
According to Bharara's suit, the scam was initiated around Aug. 10, 2015, when the victimized company received an email purportedly from an Asia-based vendor with which it had frequently done business in the past. The email in question carried the name D Talan, AR and was not received by the victim company itself. Instead it came to an email address set up and monitored by an outside firm hired by the victim to deal with its vendors and other payees.
The initial email from Talan simply asked for some background information regarding its billing history with the victim. This information was supplied on August 11, and that same day the payment partner received a follow-up email from Talan informing the company that the “vendor's” banking information would be changing and asking who to contact at the victim company to make the change so any payments would go to the correct account. On August 17 Talan gave the victim's payment partner the new account information and it was placed into the victim's system.
Starting around August 21 the payment partner began sending a series of 16 payments to the new, fraudulent account, as part of its usual business. All appeared to be going well until September 14, when both the victim and its payment company received word from the real vendor that it had not received any payments since August 22, the day after Talan's account information was input into the system.
A quick investigation ensued, and when Talan's email was studied it was quickly discovered to have several irregularities, including an @mail.md domain instead of the vendor's corporate domain name. In addition, the domain was hosted in Moldova, far from the vendor's true location in Asia.
The final indicator that something was amiss was that the funds were deposited into a Eurobank facility in Cyprus, and not at a bank in the vendor's home nation.
If any of these indicators had been flagged from the start the entire scam would have been stopped in its tracks.
“Employees should be suspicious if they receive a request for unusual information or a wire transfer via email, even if it appears to come from a high-level executive. Check the reply-to email address and always call to confirm. If a vendor changes their wiring instructions over email, call them to confirm. If the CEO requests a significant transfer that is unusual, call him or her to confirm it. If the email header has a warning from your email security system, such as a subject like [BULK] or [SUSPICIOUS], then contact the vendor directly on the phone, do not enter the invoice for payment,” Kalember said.
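The checks Kalember lists can be turned into a mechanical first pass that runs before anyone acts on a payee-change request. The following is an added example, not code from the article, from Proofpoint or from the victim company: it assumes a hypothetical known-vendor domain (acme-supplies.example) and uses constructed sample messages, and it flags a sender domain outside the vendor's, a Reply-To that differs from From, a gateway subject tag such as [BULK] or [SUSPICIOUS], and wording that asks to change banking or wiring details. A non-empty result means the request is held and the vendor is called on a number already on file, not one taken from the email.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Hypothetical vendor domain on file; in practice this comes from the
# payee master record, never from the incoming message.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}

# Tags an email security gateway might prepend to the subject.
SECURITY_TAGS = ("[BULK]", "[SUSPICIOUS]")

# Phrases that indicate a request to redirect payments.
BANK_CHANGE_PHRASES = (
    "banking information",
    "bank account",
    "wiring instructions",
    "wire transfer",
    "new account",
)


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header, '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def flag_vendor_email(raw: str, vendor_domains=KNOWN_VENDOR_DOMAINS) -> List[str]:
    """Return the reasons a vendor email should be verified out of band
    before any payee record is changed. An empty list means no flag fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain

    # 1. Sender domain is not the vendor's corporate domain.
    if from_domain not in vendor_domains:
        flags.append(f"From domain {from_domain!r} is not a known vendor domain")

    # 2. Replies would go somewhere other than the apparent sender.
    if reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 3. The email gateway already marked the message.
    subject = str(msg.get("Subject", ""))
    for tag in SECURITY_TAGS:
        if tag in subject:
            flags.append(f"subject carries gateway tag {tag}")

    # 4. The body asks to change where money is sent.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in BANK_CHANGE_PHRASES if p in text]
    if hits:
        flags.append("requests payment-detail change: " + ", ".join(hits))

    return flags


# Constructed sample messages (not the actual emails from the case).
SUSPECT_MAIL = """\
From: Accounts Receivable <ar@mail.md>
Reply-To: ar@mail.md
To: payables@vendor-portal.example
Subject: [SUSPICIOUS] Updated banking information

Please note our banking information has changed. Who should we contact
to update the account on file so future payments go to the new account?
"""

SPOOFED_REPLY_MAIL = """\
From: Accounts Receivable <ar@acme-supplies.example>
Reply-To: ar@mail.md
To: payables@vendor-portal.example
Subject: Wiring instructions

Our wiring instructions have changed effective today.
"""

LEGIT_MAIL = """\
From: Accounts Receivable <ar@acme-supplies.example>
To: payables@vendor-portal.example
Subject: Invoice 1044 statement

Attached is the statement you requested for invoices paid this quarter.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MAIL),
                      ("spoofed-reply", SPOOFED_REPLY_MAIL),
                      ("legit", LEGIT_MAIL)):
        print(name, "->", flag_vendor_email(raw) or "no flags")
```

The domain comparison is deliberately against a record the accounts-payable system already holds; comparing the sender against the address the message itself supplies would let the attacker pass the check, which is exactly how Talan's request slipped through.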
A U.S. magistrate working with Eurobank quickly froze the Cypriot account, stopping about $74 million of the stolen money from moving out.
This was an extremely lucky and somewhat rare occurrence, as most wire transfers, once completed, are tough to reverse.
“Recovering money can be difficult if sent by wire, as the transaction may be irreversible within a short time window. There have been many variations of these scams in the past and they have been going on for some time. Luckily, international law enforcement has been taking note of these scams to better monitor, mitigate the financial losses and arrest the criminals responsible,” Terrence Gareau, chief scientist of Nexusguard, told SCMagazine.com in an email.
The victim was not so lucky with its remaining funds because the bad guys had almost immediately moved them from Eurobank and spread them around to 19 other banks to help duck authorities.
The court document did indicate that U.S. authorities know where those accounts are located with one being in Estonia.
--Facebook scam promises friend's video, delivers malware instead (Apr-14-2016)
A new spam campaign tries to fool Facebook users into downloading malware by luring them to a fake YouTube page supposedly featuring a friend's video.
According to a scam alert from research firm ESET, victims receive either a false notification that they were tagged in a friend's timeline post, or a message purportedly sent by a friend via Messenger.
Typically titled “My first video,” “My video,” or “Private video,” the fake message compels users to click on a link that sends them to the phony YouTube website. There, the user is instructed to install a plug-in to view the content—but it's actually malware that fills the victim's wall with fake videos and sends the same “My first video” messages to that person's friends, further propagating the threat.
To eliminate the threat, ESET advises victims to remove the plug-in, disguised as a “Make a GIF” app, from their browsers. Currently, the threat only impacts users of Google Chrome.
--New GozNym banking malware steals millions in just days (Apr-14-2016)
A new banking trojan named GozNym is actively hitting U.S. and Canadian banks and has already taken about $4 million from two dozen North American banks.
IBM's X-Force Research team reported that 24 banks in the two countries, 22 in the U.S., have so far lost about $4 million to attacks using GozNym since the malware was discovered earlier this month. Who conducted the attacks is not known.
Limor Kessem, executive security advisor for IBM, wrote in a blog that GozNym was created by combining some of the source code from the older Nymaim and Gozi ISFB banking malware to create an even more dangerous piece of software.
“From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers," said Kessem. "The end result is a new banking Trojan in the wild.”
Attacks are so far pretty evenly split with business banks absorbing 28 percent of the attacks; credit unions, 27 percent; e-commerce 22 percent; retail banking, 17 percent; and the remaining six percent were in other types of institutions.
GozNym uses its native Nymaim ability to infiltrate its targets through an exploit kit which drops a payload into the system that uses two executables for the infection routine, IBM said.
Giovanni Vigna, co-founder and chief technology officer of Lastline, told SCMagazine.com in an email Thursday that malware like GozNym is to be expected now.
“While it is interesting to see two strands of malware becoming closely intertwined, it is not surprising. As for any software that has to be flexible and reliable, malware has been modularized for a while, so that functionality can be reused or loaded as-needed.”
One industry executive said it was disappointing that GozNym has been successful because, while this malware is new, the type of attack has been seen before and the banking industry was told to beware.
“When you see an attack like GozNym picking up pieces of past malware to swipe another $4 million, it stings if you're a security professional. You know you told both IT and the business how they needed to react to attacks of this type when the original threats emerged. This just shows you that they didn't really listen then,” Jonathan Sander, vice president at Lieberman Software, told SCMagazine.com in an email Thursday.
Sander described this lack of concern as similar to that of a home that is constantly broken into through an open window because the owner refuses to remember to lock it.