Info Security


Virtualized Calls a Top Threat for ATO Attacks

Fri, 03/22/2019 - 17:47

According to the 2019 State of the Call Center Authentication report from TRUSTID, a Neustar company, one of the most exploited areas in a company’s security chain is the call center.

Companies may be investing more in their cybersecurity defenses, but fraudsters are evolving their tactics. They have discovered that by targeting call centers they can easily obtain personally identifiable information (PII), which is likely one reason the report found that call center professionals are increasingly targeted by fraudsters using social engineering in an attempt to take over (ATO) customer accounts.

In fact, 51% of respondents who work in the financial services industry identified the phone channel as the top threat for ATOs. Within that channel, virtualized calls were the leading source of reported criminal activity, with 40% of respondents saying they saw more of them this year; spoofed calls lagged behind at 32%.

“Virtualization (e.g., web-based calling services (Skype), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX) is the biggest threat vector to call centers today. The calls are authentic, unique and legitimate. Their signaling data and call certificates are correct and will pass by technology designed to detect spoofing attempts,” the report said.

“Virtualization frees criminals from the need to imitate specific callers’ numbers. They just have to reach an agent from a number that is legitimate but unrelated to a customer’s record.”

An overwhelming majority (72%) of call center representatives believe that if calls were authenticated before being answered, the number of ATO attacks could be reduced without impacting the customer experience.

“Our data also suggest that they are eager for change. 46% of call center leaders were ‘very’ or ‘somewhat’ dissatisfied with their current caller authentication method(s), a 50% increase since 2018.”

When comparing survey results year-over-year, the number of companies planning to implement multifactor authentication has doubled. “As more breached personal information enables more account takeover through the phone channel in the year ahead, we expect more call center leaders to advocate for a completely new multi-factor authentication strategy.”

Categories: Cyber Risk News

New Variant of AZORult Trojan Written in C++

Fri, 03/22/2019 - 17:18

After analyzing several previously unknown malicious files that were detected earlier this month, Kaspersky Lab determined the files were a new version of a data stealer known as the AZORult Trojan. Because the files are written in C++, and not Delphi, researchers have dubbed the variant AZORult++.

According to researchers, this latest version is potentially more dangerous than earlier variants. In addition to amassing data – including credentials, browser history and cookies – and exfiltrating it to command-and-control (C&C) servers, AZORult++ can also establish a remote desktop connection by creating a new user account and discreetly adding it to the Administrators group.

According to Kaspersky's analysis, the data stealer has most often been used to target victims in Russia and India. “AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing,” wrote Alexander Eremin.

AZORult++ does not have loader functionality or support for stealing saved passwords. Though the C++ version has been judged deficient compared with its predecessors, it shares some of the signatures recognized in the Delphi-based version.

“Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3,” Eremin wrote.
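A static 3-byte XOR key gives the C&C channel essentially no confidentiality, and the same key reappearing across versions is exactly why Kaspersky could tie the samples together. The Python below is an added example, not Kaspersky's code or anything published with the report: it encodes a constructed exfiltration record with a constructed 3-byte key, then recovers that key from the capture using nothing but a short crib (a field name the analyst expects in the stolen data). The record layout, field names and key are assumptions for illustration; the page does not give AZORult's real record format or key.

```python
"""Repeating-key XOR over exfiltration records: encode/decode and recover the key from a crib.

Constructed illustration of why a short, static XOR key (as described for AZORult 3.3 and
AZORult++) offers no real confidentiality. The record layout, field names and key are
made up for this example; they are not AZORult's actual format or key.
"""
from itertools import cycle

# Constructed sample "stolen data" record, not real malware output.
SAMPLE_PLAINTEXT = (
    b"ID=DESKTOP-7XQ2\n"
    b"URL=https://mail.example.test/\n"
    b"LOGIN=alice@example.test\n"
    b"PASS=hunter2\n"
    b"COOKIE=sessionid=4f3a9c1d; Domain=.shop.example.test\n"
)
# Constructed 3-byte key (assumption: the real key is not given on this page).
SAMPLE_KEY = bytes([0x2D, 0x4F, 0x13])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def is_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or a newline, which is what a credential dump looks like."""
    return all(0x20 <= b <= 0x7E or b == 0x0A for b in data)


def key_from_crib_at(ciphertext: bytes, crib: bytes, keylen: int, offset: int) -> bytes:
    """Derive the repeating key assuming `crib` is the plaintext starting at `offset`.

    ciphertext[i] ^ plaintext[i] == key[i % keylen], so keylen known plaintext bytes
    anywhere in the stream reveal the whole key.
    """
    if len(crib) < keylen:
        raise ValueError("crib must cover at least one full key period")
    key = bytearray(keylen)
    for i in range(keylen):
        key[(offset + i) % keylen] = ciphertext[offset + i] ^ crib[i]
    return bytes(key)


def recover_key_with_crib(ciphertext: bytes, crib: bytes, keylen: int):
    """Slide a crib across the capture; return the first key under which the whole capture
    decrypts to text with the crib at that offset, or None if no offset works."""
    for offset in range(len(ciphertext) - len(crib) + 1):
        candidate = key_from_crib_at(ciphertext, crib, keylen, offset)
        plaintext = xor_bytes(ciphertext, candidate)
        if plaintext[offset:offset + len(crib)] == crib and is_text(plaintext):
            return candidate
    return None


def parse_record(plaintext: bytes) -> dict:
    """Split decrypted KEY=VALUE lines into a dict; the first '=' separates key from value."""
    fields = {}
    for line in plaintext.decode("ascii").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    return fields


if __name__ == "__main__":
    capture = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)   # what the C&C channel would carry
    key = recover_key_with_crib(capture, b"LOGIN=", keylen=3)
    print("recovered key:", key.hex())
    print(parse_record(xor_bytes(capture, key)))
```

In practice the recovered key doubles as a detection artifact: once it is known, a network sensor can decode the channel inline and the key value itself becomes a fingerprint for the family, which is the observation Eremin makes about the key carrying over from version 3.3.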

“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” Eremin said.

Because the variant has undergone several changes to functionality, researchers believe that this data stealer is still in development, and that we can expect to see an expansion of its functionality and attempts to widen its distribution.


Zero-Day WordPress Plugin Exploited in the Wild

Fri, 03/22/2019 - 16:43

A WordPress zero-day in the Easy WP SMTP plugin is actively being exploited in the wild, according to NinTechNet.

The plugin allows WordPress site owners to configure and send outgoing email through an SMTP server, which helps keep messages out of recipients’ junk folders. By exploiting what is categorized as a critical vulnerability, attackers reportedly gained administrative access and were able to alter content on WordPress websites.

In the proof-of-concept (PoC), NinTechNet researcher Jerome Bruandet said he used “swpsmtp_import_settings to upload a file that will contain a malicious serialized payload that will enable users registration (users_can_register) and set the user default role (default_role) to 'administrator' in the database.”
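The PoC works because the import path takes an attacker-supplied serialized blob and writes whatever option keys it contains, including the core WordPress options `users_can_register` and `default_role`. The Python below is an added example, not the Easy WP SMTP plugin's code or its patch: it shows the two checks an import handler of this kind needs before touching the options table, parsing the upload with a minimal unserializer that rejects PHP objects outright (so no object gadget can be instantiated) and refusing any key outside the plugin's own allowlist. The option key `swpsmtp_option` and the sample blobs are constructed for the example; the plugin's real option names are not given on this page.

```python
"""Audit a PHP-serialized settings import before it is written to WordPress options.

Added example, not the plugin's code. It demonstrates the missing control: parse the
uploaded blob with a minimal, object-free PHP unserializer, then refuse any option key
that the plugin does not own. Option names and sample blobs are constructed.
"""
from typing import Any


def php_unserialize(data: bytes) -> Any:
    """Parse PHP serialize() output for scalars and arrays only; 'O:' objects raise ValueError."""
    pos = 0

    def read_until(ch: bytes) -> bytes:
        nonlocal pos
        end = data.index(ch, pos)          # ValueError if the delimiter never appears
        token = data[pos:end]
        pos = end + 1
        return token

    def parse() -> Any:
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == b"N":                    # N;
            pos += 2
            return None
        if tag in (b"i", b"b", b"d"):      # i:42;  b:1;  d:0.5;
            pos += 2
            raw = read_until(b";")
            return int(raw) if tag == b"i" else bool(int(raw)) if tag == b"b" else float(raw)
        if tag == b"s":                    # s:5:"hello";
            pos += 2
            length = int(read_until(b":"))
            pos += 1                       # opening quote
            value = data[pos:pos + length]
            pos += length
            if data[pos:pos + 2] != b'";':
                raise ValueError("malformed string at %d" % pos)
            pos += 2
            return value.decode("utf-8", "replace")
        if tag == b"a":                    # a:2:{key;value;key;value;}
            pos += 2
            count = int(read_until(b":"))
            pos += 1                       # opening brace
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            if data[pos:pos + 1] != b"}":
                raise ValueError("malformed array at %d" % pos)
            pos += 1
            return result
        raise ValueError("refusing type %r at %d" % (tag, pos))   # O:, C:, r:, R: never accepted

    value = parse()
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


# Constructed allowlist: the option keys the (hypothetical) plugin legitimately owns.
PLUGIN_OPTION_KEYS = {"swpsmtp_option"}


def audit_import(data: bytes, allowed_keys=PLUGIN_OPTION_KEYS) -> list:
    """Return reasons to reject the import; an empty list means it only touches allowed keys."""
    try:
        settings = php_unserialize(data)
    except (ValueError, IndexError) as exc:
        return ["refused: %s" % exc]
    if not isinstance(settings, dict):
        return ["refused: top-level value is not an array"]
    findings = []
    for key in settings:
        if key not in allowed_keys:
            findings.append("unexpected option key %r would be written" % key)
    # The two core WordPress options the reported PoC flipped to mint administrator accounts.
    if settings.get("users_can_register") in (1, True, "1"):
        findings.append("users_can_register would be enabled")
    if settings.get("default_role") == "administrator":
        findings.append("default_role would become administrator")
    return findings


# Constructed blobs: one shaped like the reported payload, one benign export, one object gadget attempt.
MALICIOUS_IMPORT = (
    b'a:3:{s:18:"users_can_register";i:1;'
    b's:12:"default_role";s:13:"administrator";'
    b's:14:"swpsmtp_option";s:6:"benign";}'
)
BENIGN_IMPORT = b'a:1:{s:14:"swpsmtp_option";s:6:"benign";}'
OBJECT_IMPORT = b'O:8:"stdClass":0:{}'

if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS_IMPORT), ("benign", BENIGN_IMPORT), ("object", OBJECT_IMPORT)]:
        print(name, "->", audit_import(blob) or "ok")
```

Parsing and allowlisting do not replace authorization: in a real plugin the import handler also has to sit behind a capability check such as `current_user_can('manage_options')` and a nonce check, so that an unauthenticated request never reaches this code at all.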

With the largest market share among all content management systems (CMSs), WordPress is used by one-third of all websites, according to Web Technology Surveys (w3techs).

“Because of its sheer dominance in the CMS space along with the presence of many WordPress plugins, WordPress sites are a ripe target for cyber-criminals. In this case, the Easy WP SMTP plugin has over 300,000 active installations and despite the availability of a patch for it, there are reports that attackers continue to target sites running the vulnerable plugin,” said Satnam Narang, senior research engineer at Tenable.

“The vulnerability exists in version 1.3.9 of the plugin, so users running older versions of the plugin are not vulnerable. However, all users, especially those using 1.3.9, should update to the latest version of the plugin as soon as possible."

This latest exploit also underscores the importance of vetting plugins to ensure they are up to date and executing only authorized tasks, according to Brandon Chen, digital security and operations manager of The Media Trust.

“Removing them when they’re no longer needed [is] part of protecting users from identity and financial theft. Each plugin represents at least a few attack surfaces, because the code that enables the plugin to function is coming from at least one vendor, who is likely bringing in outsourced code. Every plugin you introduce into your digital environment introduces third parties you may or may not know – and chances are, you don’t know most of them.”


UK E-commerce Fraud Soars 27% in 2018

Fri, 03/22/2019 - 12:05

UK e-commerce fraud hit nearly £400m in 2018, accounting for the vast majority (78%) of all card not present (CNP) fraud and fueled by an ongoing epidemic in data breaches and social engineering, according to UK Finance.

The banking industry group’s annual roundup, Fraud the Facts 2019, claimed that £393 million of e-commerce fraud amounted to 59% of total card fraud and represented a 27% increase on 2017 figures.

“Data compromise, including through data hacks at third parties such as retailers, is a major driver of these fraud losses, with criminals using the stolen card details to make purchases online,” the report noted.

“There were several high-profile data breaches occurring in 2018, with significant brands affected, alongside a number of lower-level incidents. The data stolen from a breach can be used for months or even years after the incident. Criminals also use the publicity around data breaches as an opportunity to trick people into revealing financial information.”

UK Finance also attributed the increase in part to phishing emails and scam text messages, as well as social media scams advertising the sale of discounted ‘goods.’

“When a customer goes to buy the product, the criminal uses their card details to purchase the item from a legitimate source and then keeps the payment from the customer,” it claimed.

CNP fraud — which includes phone and mail order as well as internet-based scams — accounted for 76% of the total losses last year, versus 61% in 2009. It rose 24% from 2017-18 to top £506m, with over two million cases recorded — a 47% increase from 2017.

Authorized push payment (APP) scams are also growing fast. They soared 90% in volume and 50% in value to reach £354m in losses last year, although this could be due in part to more UK Finance members reporting APP fraud.

“Criminals’ use of social engineering tactics through deception and impersonation scams is a key driver of authorized push payment scams,” the report claimed.

“Typically, this involves the criminal posing as a genuine individual or organization and contacting the victim using a range of methods including via the telephone, email and text message. Criminals also use social media to approach victims, using adverts for goods and investments which never materialize once the payment has been made.”

APP fraud also hit businesses, which accounted for nearly 36% of total losses.


Researchers Raise Privacy Alarm Over Medicine Apps

Fri, 03/22/2019 - 11:09

Researchers have raised serious privacy concerns over the use of medical apps in the Google Play store after noting that the majority share user data with third parties.

Published in The BMJ this week, the study led by University of Toronto researchers identified 24 top-rated “medicines related” apps on the Android marketplace in the UK, US, Canada and Australia.

They simulated real-world use of the apps in the lab via four dummy scripts.

“To identify privacy leaks, one source of user data was modified and deviations in the resulting traffic observed,” the research explained.

The paper found that 79% of those apps studied shared user data with 55 unique entities. Nearly two-thirds of these (67%) “related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.”

A further third (33%) of these unique entities provided cloud and other related IT infrastructure services.

The paper warned that the functionality gained from these apps may not be enough to compensate for the privacy lost by users.

“Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” it concluded.

“Privacy regulation should emphasize the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.”

Tripwire director of security research and development, Lamar Bailey, argued that data collected by health apps could also be at risk of theft by cyber-criminals.

“Although it is well known and documented that apps use customers’ data as a currency, it is particularly troubling when that data includes sensitive information such as medical records and health metrics,” he added.

“It is paramount that these apps clearly state in their registration process if they plan to divulge their customers’ information to third parties, so that subscribers are able to opt out. All too often these terms on usage are buried in the user agreement and the only way to opt out is to not use the app."


Man Pleads Guilty to $3m Tech Support Scam

Fri, 03/22/2019 - 10:16

A North Carolina man has pleaded guilty to his part in a global tech support scam conspiracy which netted over $3 million in profits from unsuspecting computer users.

Bishap Mittal, 24, from Charlotte, worked with an unnamed individual who owns Capstone Technologies, a firm which appears to have been set up with the scam in mind.

They purchased and distributed adware to users’ machines, according to the Department of Justice. The adware generated fake pop-ups warning victims that their PC had serious technical problems and that they must immediately call a Capstone Technologies number to resolve them.

The number routed to a call center in India operated by Mittal and his partner and set up specifically to handle tech support scams.

Once on the phone, the victim would be persuaded to download a remote access tool (RAT).

“Once in control of the computers, the scammers identified various fictitious causes for the victims’ purported computer malfunction, including the presence of malware or computer viruses, and induced victims to pay for virus clean-up or other tech support services,” the DoJ notice explained.

“The co-conspirators then charged victims between $200 and $2400 to make computers operable again.”

The number of tech support scam victims has actually fallen in recent years, but not by much, according to Microsoft.

A report from the computing giant last year revealed that 63% of consumers globally experienced a tech support scam, down from 68% in 2016, while those who lost money fell from 6% to 3%.

The report said that fewer pop-up ads and windows have reduced consumer exposure to the scams. However, in the UK, 62% said they’d experienced a scam, with 6% losing money — an increase from 2% in 2016.


UK Police Federation Hit by Ransomware

Thu, 03/21/2019 - 19:22

The UK’s Police Federation of England and Wales (PFEW) was the victim of a malware attack, according to two different tweets posted by the National Cyber Security Centre (NCSC) and the PFEW.

According to the Police Federation, the attack on the PFEW, which represents 119,000 police officers across the 43 forces in England and Wales, was first noticed on March 9. Upon learning of the ransomware attack through a system alert, PFEW responded quickly and was able to isolate the malware before it spread to additional branches, the announcement said.

Though the full extent of the damage remains undisclosed, the FAQs section of the announcement noted that “a number of databases and systems were affected. Backup data has been deleted and has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.”

The investigation remains ongoing, but the PFEW tweeted, “All indications are that the malware did not spread any further than the systems based at our Surrey headquarters, with none of the 43 branches being directly affected.”

The initial announcement suggests that the attack was not targeted, and ransomware generally is not, according to Matt Walmsley, EMEA director at Vectra. Walmsley added that ransomware is opportunistic in nature and that its actions create a lot of noise, making it comparatively easier to spot than stealthier targeted or advanced attacks.

“Whether they had a regulatory or legal need to inform the ICO isn’t clear – particularly if there has been no data breach. The launch of a criminal investigation may help salve anger and frustration but is unlikely to result in accurate attribution, never mind a conviction, even if they’ve called in their friends from the National Computer Crime Unit. However, their transparent reporting, even if it’s a number of days after the instance, should be commended for its candor. Defenses are imperfect, always,” Walmsley said.

The PFEW reported that it is continuing to work with experts to restore systems and minimize damage, which is the goal in the aftermath of a successful ransomware attack, according to Tim Erlin, VP of product management and strategy at Tripwire.

“Every organization should have a plan in place for a successful ransomware attack. While prevention is preferred, the reality is that no security control is perfect. The key to responding to a ransomware attack is to detect quickly, limit the spread and restore systems back to a trusted state. Functional backups are key to recovery, but so is a clear understanding of how systems are configured. Finally, restoring from backups is only useful if you can close the attack vector that allowed the ransomware to gain a foothold in the first place.”


Cyber Expert Hosts 'Savvy Cyber Kids' Talk in MA

Thu, 03/21/2019 - 18:40

Middle schoolers in Massachusetts welcomed the opportunity to learn about cybersecurity with a visit from Ben Halpert, founder of the Atlanta, Georgia–based nonprofit Savvy Cyber Kids Inc.

According to the Center for Digital Education, Halpert visited with more than 1,000 seventh graders at different schools, including the Consentino School in Haverhill, Massachusetts, earlier this week. During his presentation students learned what really happens when they take a picture on their phones.

“Those images are, and mostly without their knowledge, uploaded to 'the cloud,' which he explained are centers that store massive amounts of digital data,” wrote Mike LaBella of The Eagle-Tribune.

Halpert, who currently serves as VP of risk and corporate security for Ionic Security, founded Savvy Cyber Kids in 2007 and has been touring schools around the country for more than a decade.

“My positions over the years in cybersecurity and risk management have exposed me to the threats that not only organizations face but also those that impact the world's children,” Halpert said.

“I decided to take my expertise and founded the nonprofit Savvy Cyber Kids in 2007 to create and deliver cybersecurity and cyber-ethics materials and content to students of all ages (3–18) to make sure students today have a better understanding of the impact of their actions when using technology. I have had the pleasure of conducting workshops with students from preschool to elementary and middle school and through high school since 2002 (before I started the nonprofit).”

Commenting on his recent experience with the students in the Haverhill School District sessions, where he talked about online privacy and images, as well as appropriate online behaviors and bullying, Halpert said, “I had great student participation that showed their thoughtfulness, inquisitiveness and desire to learn more about what is really happening with all the technology they use in their daily lives.”


Facebook Left Millions of Passwords Unhashed

Thu, 03/21/2019 - 18:06

During a routine security review in January 2019, Facebook discovered that some user passwords had been stored in plain text on its internal data storage systems, an issue that raised concerns given that the company’s login system is supposed to mask passwords, according to the Facebook newsroom.

The security flaw has reportedly been fixed, and Facebook said it will be notifying everyone whose passwords were stored in plaintext, which it said could be hundreds of millions of Facebook users in addition to tens of thousands of Instagram users.

The social media platform did emphasize in its news release that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

According to Facebook's security policy, user passwords are supposed to be salted and hashed at the time an account is created, so that the stored value cannot be turned back into the password. However, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” an unidentified Facebook source told KrebsOnSecurity.
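Salting and hashing at account creation is only half of the control the Krebs account implies was missing: the password also has to be kept out of every other place it passes through, such as request logs and internal data stores, which is where Facebook's plaintext copies ended up. The Python below is an added example, not Facebook's code or policy. It pairs a slow salted hash with a constant-time verifier and a scrubber that redacts password-like fields from structured records and raw request lines before they are logged. The algorithm and iteration count (PBKDF2-HMAC-SHA256, 600,000 iterations) are this example's choice, taken from the OWASP Password Storage Cheat Sheet, not a published Facebook setting; the field names in the redaction list are likewise assumptions.

```python
"""Salted password hashing plus log scrubbing.

Added example, not Facebook's code. Two controls: passwords are salted and hashed with a
slow KDF at creation, and anything headed for a log or analytics store is scrubbed of
password fields first. KDF parameters follow the OWASP Password Storage Cheat Sheet for
PBKDF2-HMAC-SHA256; the secret field names are assumptions for the example.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt=None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)        # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False                          # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Field names that must never reach a log line or analytics table (assumed list).
SECRET_FIELDS = {"password", "passwd", "pass", "new_password", "old_password", "pwd"}


def scrub_for_logging(record: dict) -> dict:
    """Return a copy safe to log, with secret fields redacted at any nesting depth."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SECRET_FIELDS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = scrub_for_logging(value)
        else:
            clean[key] = value
    return clean


_QUERY_SECRET = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd)=([^&\s]*)")


def scrub_query_string(line: str) -> str:
    """Redact password-like parameters in a raw request line or URL before it is logged."""
    return _QUERY_SECRET.sub(lambda m: m.group(1) + "=[REDACTED]", line)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
    print(scrub_for_logging({"user": "alice", "password": "hunter2", "meta": {"pwd": "x"}}))
    print(scrub_query_string("POST /login?user=alice&password=hunter2&remember=1"))
```

The record format carries its own algorithm and cost, so iterations can be raised later and old records re-hashed at next login without a schema change. The scrubbers are the cheap part; the hard part is making them the only path from a request to a log, which is an architectural decision rather than a library call.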

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told Krebs. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

Unfortunately for Facebook, each new headline seems to chip away at what is left of public trust, according to Terence Jackson, chief information security officer (CISO) at Thycotic.

“Another day, another Facebook breach of trust,” Jackson said. “As a CISO, the first question that comes to mind is, was this a flaw in the system or an accepted risk? Assuming they are following an SSDLC, this should have definitely been a core protection built into the system.  

"Because there is no evidence that anyone external to Facebook had access to the unencrypted passwords is not reassuring. As a Facebook user, I question why would an internal employee need access to my unencrypted password. Ultimately it’s still up to the consumer to govern data shared with services like these. This won’t likely be the last of Facebook’s trust failures.”


Russian State Hackers Phish Euro Governments Ahead of Elections

Thu, 03/21/2019 - 11:15

State-sponsored Russian hackers are targeting NATO members and European governments ahead of the upcoming European Parliament elections, according to new FireEye intelligence.

The security vendor claimed to have detected spear-phishing activity from the prolific Kremlin-linked APT28 and Sandworm Team groups.

The idea is to harvest passwords by sending the victim to a fake log-in page. To increase their chances of success, the groups are spoofing real government website portals, registering domains similar to trusted destinations and forging the sender of these phishing emails so that it appears to be a trusted entity.
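Lookalike registrations of the kind described here are catchable before anyone clicks, because the sender and link domains are visible in mail flow. The Python below is an added detection example, not FireEye's tooling or anything from its report. It folds the common homoglyph and digit-for-letter substitutions out of each hostname label, then compares the result against a small list of protected brand labels by exact match, containment, and Damerau-Levenshtein distance, so swaps like `eur0parl-login`, `nat0`, or a Cyrillic `а` in `nаto` surface while genuine subdomains and unrelated names do not. The protected domains and the sample hostnames are constructed for the example.

```python
"""Lookalike-domain triage for sender and link domains.

Added detection example, not FireEye's tooling. Protected domains and samples are constructed.
"""
import unicodedata

# Constructed list of domains whose lookalikes we want to catch.
PROTECTED_DOMAINS = ["europarl.europa.eu", "nato.int", "bundestag.de"]

# Substitutions attackers rely on, applied after NFKC folding (which handles fullwidth forms).
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
}


def normalize_label(label: str) -> str:
    """Fold a hostname label to the ASCII word a victim would read; longest substitutions first."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, swap adjacent."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)       # transposition of adjacent chars
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def brand_labels(protected_domains) -> set:
    """Labels worth protecting: everything left of the final label, ignoring very short ones."""
    labels = set()
    for domain in protected_domains:
        labels.update(l for l in domain.lower().split(".")[:-1] if len(l) >= 4)
    return labels


def is_legitimate(domain: str, protected_domains) -> bool:
    """Exact protected domain or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == p or d.endswith("." + p) for p in protected_domains)


def lookalike_findings(domain: str, protected_domains=PROTECTED_DOMAINS, max_distance: int = 1) -> list:
    """Reasons a domain looks like it impersonates a protected one; [] for clean or genuine domains."""
    if is_legitimate(domain, protected_domains):
        return []
    findings = []
    brands = brand_labels(protected_domains)
    for raw in domain.lower().rstrip(".").split(".")[:-1]:     # the TLD itself is not a brand
        label = normalize_label(raw)
        for brand in sorted(brands):
            if label == brand:
                findings.append("%r reads as protected label %r" % (raw, brand))
            elif len(brand) >= 5 and brand in label:           # europarl-login, europa-secure
                findings.append("%r embeds protected label %r" % (raw, brand))
            elif edit_distance(label, brand) <= max_distance:
                findings.append("%r is within %d edit(s) of %r" % (raw, max_distance, brand))
    return findings


if __name__ == "__main__":
    # Constructed sample of sender/link domains as they might appear in a phishing wave.
    for sample in ["europarl.europa.eu", "eur0parl-login.example", "nat0.example",
                   "eruoparl.example", "n\u0430to.example", "senator.example", "example.com"]:
        print(sample, "->", lookalike_findings(sample) or "clean")
```

The containment rule is limited to brand labels of five or more characters so that short names such as `nato` do not flag every `senator`-style word, and the legitimacy check runs first so that real subdomains of protected domains never score. The same function can be run over the From, Reply-To and link hosts of inbound mail, with any finding routed to a reviewer rather than acted on automatically.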

“The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions, or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” said Benjamin Read, senior manager of cyber espionage analysis at FireEye.

“The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers.”

Although FireEye claimed the two groups’ activity appears to be coordinated, they use different tools and tactics. The Sandworm Team tends to use publicly available tools, while APT28 uses expensive customized tools, and has deployed zero-day exploits in the past, it said.

This is not the first alert to be issued about Russian hacking activity ahead of the upcoming European elections.

In February, Microsoft claimed to have spotted APT28 targeting NGOs, think tanks and other government-linked organizations. It said 104 accounts across Belgium, France, Germany, Poland, Romania and Serbia had come under attack.

The infamous APT28 group (aka Fancy Bear) has been blamed for the 2016 phishing attacks on the Democratic National Committee (DNC) which many believe helped Donald Trump to power.


Tech Duo Stung for $122m by BEC Attacker

Thu, 03/21/2019 - 10:12

A Lithuanian man has pleaded guilty to an audacious Business Email Compromise (BEC) scam which tricked Google and Facebook employees into wiring him $122m.

Evaldas Rimasauskas, 50, of Vilnius, pleaded guilty to one count of wire fraud, which carries a maximum sentence of 30 years in prison, it was announced yesterday.

His whaling scheme involved the registration of a company in Latvia with the same name as a data centre hardware manufacturer both Google and Facebook did business with, named Quanta Computer. He also opened bank accounts in the firm’s name in Latvia and Cyprus, according to court documents.

Rimasauskas then sent emails to both tech giants spoofed to appear as if sent from Quanta, demanding payment for non-existent goods and services.

Once he received the funds, reportedly $99m from Facebook and $23m from Google, he quickly transferred them to a variety of different accounts across the globe, in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

Rimasauskas even forged invoices, contracts, and letters including fake corporate stamps on behalf of Facebook and Google to deceive the banks the fraudulently obtained funds were initially wired to.

He was arrested in Lithuania in March 2017 and subsequently extradited to the US, according to the DoJ.

Google and Facebook aren’t the first firms to have been caught out by BEC tactics. The CEO of an Austrian aerospace manufacturer was sacked after such a scam cost the firm €50 million ($55.8m).

The FBI reported total estimated worldwide losses from BEC to have exceeded $12.5bn between October 2013 and May 2018.


NCSC Backs New Group to Help Boards’ Cyber Risk Efforts

Thu, 03/21/2019 - 10:09

A group of academics, government experts, charities and others has come together to help UK boards better assess cyber risk.

The Cyber Readiness for Boards initiative is being funded by the National Cyber Security Centre (NCSC) and the charity Lloyd’s Register Foundation, but will also benefit from input from University College London (UCL), the University of Reading, Coventry University, the Research Institute in Science of Cyber Security (RISCS), and training provider RESILIA.

It will look at the factors that shape board approaches to cyber risk and provide guidance to help them do so more effectively in the future.

The project will work first with six multinationals that are at an elevated risk of attack, before expanding early next year to cover more firms, including both large enterprises and SMBs.

It will specifically focus on investigating four areas: board-level training; how boards evaluate cyber risk; the significance of board accountability, responsibility and composition; and the impact of investor pressure on decision-making.

According to government figures from last year, 43% of UK businesses had experienced a security breach or cyber-attack in the previous 12 months.

“We believe that cybersecurity is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks,” argued NCSC deputy director, Sarah Lyons.

"We have taken an evidence-based approach to developing our own board toolkit, and welcome new research into how UK boards make decisions around cyber risk. This research will help us refine and develop targeted guidance for business leaders, helping to make the UK the safest place to live and work online."

The new initiative was broadly welcomed by industry experts.

“Never before has there been such an urgent need for boards and executive teams to be ready for cyber-attacks,” said Osborne Clarke partner, Ashley Hurst. “The NCSC has a bird’s eye view on the most serious attacks taking place across the country and so it’s great to see it feeding back this knowledge and experience.”


Nation-States Have Right to Hack Back, Survey Says

Wed, 03/20/2019 - 18:14

Security professionals who attended RSA 2019 believe that the world is in the midst of cyber-war, according to a survey conducted by Venafi.

While 87% of the 517 IT security professionals surveyed believe that cyber-war is a current reality rather than a future threat, 72% of respondents said that nation-states should be able to "hack back" when their infrastructure is targeted by cyber-criminals.

The Venafi survey sought feedback from IT professionals on the Active Cyber Defense Certainty (ACDC) Act, introduced in Congress in October 2017, against the backdrop of the current prohibition on retaliatory cyber-defense methods established by the Computer Fraud and Abuse Act.

“We’re always interested in the intersection of regulation (often by politicians that don’t appear to have a basic understanding of security) and security imperatives (as perceived by the people in the trenches)," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

"We’ve been seeing more stories on hacking back and thought it would be interesting to understand if most security pros really think their organization should be able to do this. We felt this was particularly interesting in light of the controversy surrounding ACDC, and the mixed results that are likely to result for offensive hacking.” 

"Cyber-war" as a term, though, is often used too loosely, according to Alex Hamerstone, GRC practice lead at TrustedSec. “War has a specific definition that involves a declaration. People often conflate offensive operations with war when they don’t really cross that line. However, infrastructure is different. Infrastructure is 100% a red line that you cannot cross without expectations of a significant response.

“I’m a bit surprised that only 72% say nations should be able to hack back. I think it’s a given that a country has the right to defend itself when it’s under attack. An attack on infrastructure can easily cross the line from digital to kinetic, putting human lives at risk both directly and indirectly."

Because the potential impact on critical services like power, transportation and healthcare is so enormous, security needs to plan for both robust deterrence and response. "The capacity of the response is the primary deterrence. There is a lot of gray area and complexity here which a nation has to consider when deciding how robustly to respond. It’s easy for a situation to escalate beyond what is necessary. That said, nations should have the ability to 'hack back' to the fullest extent needed in order to defend their infrastructure and assets,” Hamerstone said.

Private entities, though, are not the same as nation-states, a point on which Hamerstone and Jeff Bardin, chief intelligence officer of Treadstone 71, agreed. “I have been in favor of active defense since at least 2010. There should be some sort of capability to strike back at attackers with a viable and capable force,” said Bardin.

“Many organizations are not capable of doing so, nor do they wish to take the risk. I see third-party mercenary-type organizations that would take this onto their 'paid' plates to accept the risk and execute a proportional attack. You cannot win at cybersecurity if all you do is defensive. You can never win a football game if all you do is play defense. Never win a basketball game if the other team is always on offense. You lose by definition.”


FIN7 Still Active Despite Arrests

Wed, 03/20/2019 - 17:53

Researchers have discovered that the FIN7 advanced persistent threat (APT) group is using a new attack panel in its campaigns, which Flashpoint analysts have called Astra.

Despite alleged members of the group being charged with 26 felony counts in August 2018, analysts have found previously unseen malware samples, which are reportedly written in PHP and function as a script-management system. In addition, the new administrative panel, believed to be linked to the group, also has ties to Carbanak.

The group's activity dates back to at least 2015, when FIN7 targeted over 100 companies across the US, Europe and Australia, predominantly those within the hospitality, restaurant, and gaming industries. According to the US Department of Justice (DoJ), suspected members of FIN7 were arrested between January and August 2018.

According to today’s blog post, attackers access targeted machines using phishing emails with malicious attachments. “The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document,” wrote Joshua Platt and Jason Reaves.

The previously unseen malware that drops files and executes SQL scripts on the host system has been named SQLRat; unlike traditional malware, analysts said, it leaves no evidence behind. The SQLRat campaign is, however, similar to traditional phishing campaigns in that it typically involves a lure document. In the cases analyzed, the documents requested the user “Unlock Protected Content.”

“Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with Fin7. The second new malware sample discovered is a multi-protocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines.

“The campaigns maintain persistence on machines by creating two daily scheduled task entries. The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

In addition to sharing indicators of compromise (IoCs) and recommending that security teams look for newly added Windows scheduled tasks, Flashpoint also advised monitoring for attempts to delete the Microsoft update service.
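The two monitoring recommendations above (new scheduled tasks, and tampering with the Windows Update service) can be expressed as simple rules over Windows Security log events. The following is an added example, not code from Flashpoint or from the report; the events are constructed samples reduced to a handful of fields, and the host names, user names, task names and file paths are made up. The event IDs used are real (4698 = "a scheduled task was created", 4688 = "a new process has been created"), but the field names in the dicts are this example's own simplification of the log schema.

```python
"""Detection sketch for newly created daily scheduled tasks and for attempts
to stop or remove the Windows Update service (short name: wuauserv).
Input is a constructed sample of Security log events, not real telemetry."""
import re
from collections import defaultdict

# Constructed sample events. 4698 = scheduled task created, 4688 = process created.
# Field names (host, ts, task, trigger, command) are a simplification of the
# real event XML; all names and paths are invented for illustration.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "WS01", "ts": "2019-03-20T09:01:10", "user": "CORP\\alice",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "trigger": "CalendarTrigger/ScheduleByWeek",
     "command": "%windir%\\system32\\defrag.exe"},
    {"id": 4698, "host": "WS07", "ts": "2019-03-20T09:14:02", "user": "CORP\\bob",
     "task": "\\OfficeUpdateCheck", "trigger": "CalendarTrigger/ScheduleByDay",
     "command": "wscript.exe //e:jscript C:\\Users\\bob\\AppData\\Local\\Temp\\upd.js"},
    {"id": 4698, "host": "WS07", "ts": "2019-03-20T09:14:03", "user": "CORP\\bob",
     "task": "\\OfficeUpdateSync", "trigger": "CalendarTrigger/ScheduleByDay",
     "command": "powershell.exe -w hidden -f C:\\Users\\bob\\AppData\\Local\\Temp\\sync.ps1"},
    {"id": 4688, "host": "WS07", "ts": "2019-03-20T09:14:05", "user": "CORP\\bob",
     "command": "sc.exe delete wuauserv"},
    {"id": 4688, "host": "WS01", "ts": "2019-03-20T09:20:00", "user": "CORP\\alice",
     "command": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Script hosts that a daily task should rarely run from a user-writable directory.
SCRIPT_HOSTS = re.compile(r"(?:^|\\)(wscript|cscript|powershell|mshta|cmd)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
# Any command that deletes, stops or reconfigures the Windows Update service.
WUAUSERV_TAMPER = re.compile(r"\b(delete|stop|config)\b.*\bwuauserv\b", re.I)


def suspicious_task(ev):
    """Return a reason if a 4698 event is a daily task running a script host
    from a user-writable path, else None."""
    if ev["id"] != 4698:
        return None
    daily = "ScheduleByDay" in ev.get("trigger", "")
    cmd = ev.get("command", "")
    if daily and SCRIPT_HOSTS.search(cmd) and USER_WRITABLE.search(cmd):
        return f"daily task {ev['task']} runs a script host from a user-writable path"
    return None


def analyze(events):
    """Apply both rules and correlate: two or more suspicious daily tasks on
    one host (the pattern the report describes) is itself a finding.
    Returns a list of (host, timestamp, reason) tuples."""
    findings = []
    tasks_per_host = defaultdict(list)
    for ev in events:
        reason = suspicious_task(ev)
        if reason:
            findings.append((ev["host"], ev["ts"], reason))
            tasks_per_host[ev["host"]].append(ev["task"])
        if ev["id"] == 4688 and WUAUSERV_TAMPER.search(ev.get("command", "")):
            findings.append((ev["host"], ev["ts"],
                             f"Windows Update service tampering: {ev['command']}"))
    for host, tasks in tasks_per_host.items():
        if len(tasks) >= 2:
            findings.append((host, "", f"{len(tasks)} new daily script tasks on one host: {tasks}"))
    return findings


if __name__ == "__main__":
    for host, ts, reason in analyze(SAMPLE_EVENTS):
        print(host, ts, reason)
```

On a real estate the same rules would read events from a SIEM or from the Security log directly; the point is that task creation and service tampering are both logged by default, so the report's two recommendations need no extra sensors, only a query.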

Categories: Cyber Risk News

Attacks Target AmEx, NetFlix Users with Phishing

Wed, 03/20/2019 - 17:13
Attacks Target AmEx, NetFlix Users with Phishing

Windows Defender Security Intel has reported two major phishing attacks targeting American Express and NetFlix.

The Office 365 research teams discovered the attacks, which reportedly emerged over the weekend, hitting unsuspecting customers with well-crafted phishing campaigns that attempt to steal credit card information. According to a tweet from Windows Defender Security, “Machine learning and detonation-based protections in Office 365 ATP protect customers in both campaigns.”

Additional tweets warned, "The Netflix campaign lures recipients into giving away credit card and SSN info using a 'Your account is on hold' email and a well-crafted payment form attached to the email."

Phishing emails such as these are not only easy to craft but also easy to deploy. When aimed at unsuspecting users, they are highly successful. “They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen,” said Colin Little, senior threat analyst, Centripetal Networks.

Cyber-criminals continue to employ the social engineering tactics of brevity and urgency, understanding that threatening user accounts or suggesting something may be amiss will evoke action.

In addition to the many places in the phishing kill chain that can keep these malicious emails away from users, Little said, “a security awareness program that trains users on how and why to identify phishing emails is both essential and fundamental. If our users are the broadest attack surface, their preparation for this attack is our best defense.”

When in doubt about whether an email is legitimate or not, an additional safety precaution is to address the potential issue in a separate dialogue. “Start a new email chain (such as to the Netflix help desk, in this example) using an address you obtain from the site,” Little said.

“Address the inquiry in a different media, such as calling their vendor support line. Or the recipient can open the applicable app (if one's available) on their smartphones and check their credit or account status.”

Categories: Cyber Risk News

BEC Gift Card Scams Go Mobile

Wed, 03/20/2019 - 11:07
BEC Gift Card Scams Go Mobile

Cyber-criminals are evolving their tactics with Business Email Compromise (BEC) attacks by transferring victims from email over to mobile communications channels early on in a scam, according to Agari.

Researcher James Linton described how such an attack typically takes place, with the initial spoofed CEO email containing a request for the recipient’s mobile phone number.

“By moving them over to their cell phone, the scammer is equipping their victim with all the functionality needed to complete the task that is to be given to them,” he explained.

“A mobile device offers instant and direct messaging, the ability (in most cases) to still access email, the ability to take pictures with the phone’s camera, and far greater portability than a laptop, which all increases the chances that the scammer will be successful in achieving their desired outcome once a victim is on the hook.”

If the victim hands over their number, the BEC scammer knows they have a great chance of success. In fact, the extra complexity of moving across two different comms channels may even add extra credibility to the scam, Linton claimed.

The instantaneous communication of mobile-based SMS or IM also makes it less likely that the victim will stop and think about what’s happening.

Temporary numbers can be relatively easily set up for the purpose, and can even be managed from a single desktop environment, making things easier for the scammer.

Linton explained how BEC scammers could use this tactic to trick workers into buying a set of gift cards on their behalf, scratching off the back and taking a photo of the redemption codes with the phone’s camera.

These are then swiftly laundered through online platforms, he added.

The best way of mitigating this new tactic is to check the domain on an incoming email for any red flags.

“If the email address checks out and a number is supplied, insist on a brief call before making purchases on behalf of someone else,” Linton concluded.

“As a final safety net, share concerns with a colleague or friend, especially if pressure is increased in unusual ways. As always, it’s better to be safe than sorry when dealing with these types of emails.”
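Linton's first recommendation, checking the sender domain of an incoming email for red flags, can be automated at the mail gateway or in a user's client. The block below is an added example and not Agari's code or tooling; the trusted domain, the executive directory, the confusable-character table and the sample headers are all constructed for illustration.

```python
"""Flag sender domains that are lookalikes of the company domain, free webmail
addresses, or external addresses whose display name impersonates an executive.
All names, domains and headers are constructed for this example."""
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"            # assumed company domain
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "mail.com"}
EXECUTIVES = {"jane smith"}                     # constructed directory of names worth impersonating

# Character sequences commonly swapped to build lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Fold confusable sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; catches dropped or added characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header):
    """Return a list of red flags for a From: header; empty list means no flag."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["unparseable sender address"]
    # Internal mail, including subdomains, is out of scope for this check.
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return []
    flags = []
    if normalize(domain) == normalize(TRUSTED_DOMAIN) or edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        flags.append(f"lookalike of {TRUSTED_DOMAIN}: {domain}")
    if domain in FREE_WEBMAIL:
        flags.append(f"free webmail domain: {domain}")
    if name.strip().lower() in EXECUTIVES:
        flags.append(f"display name '{name}' matches an executive but sender is external")
    return flags


# Constructed sample headers covering the genuine, confusable, typo and webmail cases.
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example-corp.com>",
    "Jane Smith <jane.smith@exarnple-corp.com>",
    "Jane Smith <ceo.janesmith@gmail.com>",
    "Vendor Billing <billing@example-corp.co>",
    "Bob Jones <bob@partner-example.org>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", check_from_header(h) or "ok")
```

The display-name rule is the one that matters most for the scenario in the article: the spoofed "CEO" mail usually carries the real executive's name over an unrelated address, and a domain check alone would pass it if the domain is merely external rather than a lookalike.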

Categories: Cyber Risk News

Kaspersky Lab Files Antitrust Case Against Apple

Wed, 03/20/2019 - 11:01
Kaspersky Lab Files Antitrust Case Against Apple

Kaspersky Lab has filed an antitrust complaint against Apple in Russia, arguing that the tech giant forced it to remove two key features from one of its apps just as Apple released similar functionality.

The issue boils down to Kaspersky Lab’s use of configuration profiles in its Kaspersky Safe Kids app.

Removing these profiles, as Apple demanded, would have meant disabling two “essential” features, app control and Safari browser blocking, the AV vendor claimed.

“The change in Apple’s policy toward our app (as well as toward every other developer of parental control software), notably came on the heels of the Cupertino-based company announcing its own Screen Time feature as part of iOS 12,” it continued.

“This feature allows users to monitor the amount of time they spend using certain apps or on certain websites, and set time restrictions. It is essentially Apple’s own app for parental control.”

This effectively means Apple is abusing its position as platform owner and supervisor for the only official iOS store, Kaspersky Lab argued.

“By setting its own rules for that channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player,” the firm concluded.

“It is precisely in this extension of its leverage through possession of so-called ‘key capacity’ over other segments, leading to restriction and elimination of competition, that we see the essential elements of antitrust law violation, which consist of erecting barriers and discriminating against our software.”

Kaspersky Lab claimed to have repeatedly tried to open a dialogue with the Cupertino giant, but “no meaningful negotiations have ensued.”

The move comes after Spotify filed a similar complaint against Apple in the EU, to which the US firm has since replied.

Categories: Cyber Risk News

Ad Trackers Found on 89% of EU Gov Sites

Wed, 03/20/2019 - 09:57
Ad Trackers Found on 89% of EU Gov Sites

Ad tech companies are extensively tracking EU citizens on government websites, potentially exposing highly sensitive user data to third parties in breach of the GDPR, according to a new report.

Privacy compliance firm Cookiebot scanned 184,683 pages on all EU main government websites to compile its report, Ad Tech Surveillance on the Public Sector Web.

It found a shocking 25 out of 28 official government sites (89%) harbored ad tech trackers, despite these sites being non-ad funded. The largest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments. The UK was one of eight countries with just one tracking company present, although only Spanish, German and Dutch sites had no commercial trackers.

Health information can be particularly sensitive and there are strict requirements in the GDPR to keep it safe. However, over half (52%) of landing pages with health information were found to harbor ad trackers.

The worst offender was the Irish health service, with 73% of landing pages containing trackers. Information on HIV, abortions, alcoholism and mental illness was being tracked, according to the report.

In total, 112 companies were identified using trackers that send data to a total of 131 third-party tracking domains. Worryingly, 10 of these companies actively mask their identity.

Cookiebot claimed that third-party JavaScript technologies are often used on government sites to power functionality like video players and social sharing widgets. However, it warned that these can also act as a trojan horse “opening backdoors to the website code through which ad tech companies can silently insert their trackers.

“More than nine months into the GDPR, a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” said Cookiebot founder, Daniel Johannsen.

“Public sector bodies now have the opportunity to lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites.”
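The report's point about third-party JavaScript acting as a trojan horse rests on a distinction any site owner can check for themselves: which resources a page loads from domains other than its own, and which of those are executable (scripts and frames) and so able to pull in further trackers. The following is an added example, not Cookiebot's scanner; the page URL, the HTML and every domain in it are constructed, and the registrable-domain helper is a deliberate approximation (last two labels) where a production tool would consult the Public Suffix List.

```python
"""Inventory third-party resources on a page and mark those able to inject
further code. HTML, URLs and domains below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_URL = "https://health.example-gov.eu/hiv-testing"      # constructed
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-gov.eu/lib.js"></script>
<script src="https://tags.example-adtech.net/tm.js?id=TM-0001"></script>
<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="https://fonts.example-cdn.com/css?family=Sans">
</head><body>
<iframe src="https://video.example-embed.com/e/1"></iframe>
<img src="https://px.example-adtech.net/p.gif?uid=123" width="1" height="1">
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that fetches a remote resource."""
    TAG_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTR.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.found.append((tag, url))


def registrable_domain(host):
    """Approximation: last two labels. A real scanner would use the Public
    Suffix List so that e.g. 'gov.uk' is not treated as a registrable domain."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def third_party_resources(html, page_url):
    """Return every resource whose registrable domain differs from the page's.
    Relative URLs (no host) are first-party by construction and are skipped.
    'can_inject' marks scripts and iframes, which can load further resources."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    out = []
    for tag, url in collector.found:
        host = urlparse(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain != first_party:
            out.append({"tag": tag, "domain": domain, "url": url,
                        "can_inject": tag in ("script", "iframe")})
    return out


if __name__ == "__main__":
    for r in third_party_resources(SAMPLE_HTML, PAGE_URL):
        print(("INJECT " if r["can_inject"] else "       ") + r["domain"], r["tag"], r["url"])
```

Running this against the constructed page lists three external domains; the tag-manager script and the video frame are the ones that can add trackers at run time, which a static inventory of the HTML alone will never show. That is why the report distinguishes trackers present in the page source from trackers "silently inserted" through an included script.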

Categories: Cyber Risk News

US Orgs Not Ready to Comply with CCPA

Tue, 03/19/2019 - 16:19
US Orgs Not Ready to Comply with CCPA

Protecting consumer privacy has become a top priority for legislators as candidates launch their 2020 campaigns and try to win over voters. According to research findings revealed in the new CCPA and GDPR Compliance Report, however, US companies haven't made privacy regulations a top priority.

The online survey, conducted by TrustArc, reflects responses from 250 IT professionals who represent a wide spectrum of industries and company sizes. Of all the participating organizations, half were impacted by both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), while half were impacted only by CCPA. The report found that 88% of companies need help complying with California’s new privacy regulations.

According to the findings, only 14% of companies are currently compliant with CCPA, despite its deadline being less than 10 months away. Additionally, survey results revealed that 84% of respondents have started the CCPA compliance process, though only 56% have moved forward to the implementation stage.

Although fewer than half (44%) have yet to start the implementation process, 64% of companies said they need help developing their CCPA privacy plan. Compliance readiness, however, varied depending on whether companies had already worked on GDPR compliance.

Responses from those companies that were not impacted by GDPR showed that 79% will need to spend more than six figures to comply with CCPA, while only 61% of companies that have worked on GDPR compliance will need to spend as much.

“At TrustArc, we’ve seen a significant increase in the number of customers coming to us for support to comply with CCPA,” said CEO Chris Babel. “Companies that took the steps to comply with GDPR are already ahead of the game and will have an easier path to meet the requirements of CCPA. The companies that did not work on GDPR compliance will be under the gun to implement scalable compliance processes by the January 1, 2020, deadline.”

Categories: Cyber Risk News