
Archive for January 2017

Three Men Jailed for Taiwan ATM Heist

Three Eastern European men have been sent to prison for their part in a $2.5 million raid on ATMs in Taiwan back in July.

Latvian Andrejs Peregudovs, Mihail Colibaba from Romania and Niklae Penkov from Moldova were convicted by a Taipei court of causing damage to the public by breaching computer security, according to the BBC.

They were arrested in the capital Taipei and north-east Taiwan in July for their part in what was a major operation apparently targeting 41 First Commercial Bank ATMs in three cities on the island.

It’s unclear how long they’ll be spending behind bars, although prosecutors are said to be calling for 12 years.

A total of 19 other suspects, including a French and an Australian national, managed to flee before police could get to them.

CCTV at the time apparently showed the suspects making off with sacks full of cash – although most of the money is said to have been recovered soon after the raids.

The gang is also sought in connection with a similar campaign in July last year to steal 12 million baht ($340,000) from ATMs in Thailand.

Security vendor FireEye believes that gang used Ripper malware to interact with the machines via a specially crafted bank card.

Also last year, criminals managed to steal 1.4 billion yen ($12.7m) from Japanese ATMs in a highly co-ordinated raid on over 1000 convenience store ATMs in May – apparently using fake cards cloned from data stolen from a South African bank.

Alex Mathews, lead security evangelist at Positive Technologies, claimed vulnerable ATM software, often running on outdated operating systems like XP, is increasingly being targeted by criminal gangs around the world. “Such attacks rely on having physical access to the ATM, using anything which can upload a small amount of code,” he explained.

“There are also remote attacks that don’t rely on physical access, and travel via infection of a bank’s core network … In previous successful attacks, the ‘bank robbers’ begin their heist by sending a simple phishing letter, laden with a trojan and eventually work their way across the network until they find the computer system responsible for controlling ATMs. From here, it is possible to ‘jackpot’ many machines at once, causing them to spit out cash.”

Banks need to improve employee awareness training to spot phishing attacks, and identify and patch vulnerable systems to close down exploitable holes, Mathews advised.

A Kaspersky Lab report from April warned that virtually every cash machine in the world can be illegally accessed – either because of physical security shortcomings or software issues.

Source: Information Security Magazine

Top Kaspersky Worker Arrested In Russia For Alleged Treason

A member of Kaspersky Lab’s cybercrime investigations team has been arrested in Russia on charges related to treason, according to reports.

According to Russian newspaper Kommersant, Ruslan Stoyanov was arrested in December 2016 along with Sergei Mikhailov, a senior Russian FSB intelligence officer. Both face charges of treason, the report said. Mikhailov was the deputy head of the Information Security Centre (CDC) of the FSB.

Kaspersky, Russia’s biggest cyber security firm, confirmed the arrest of Stoyanov but said that it related to events that took place before he joined the company and does not affect operations at Kaspersky.

“The case against the employee does not involve Kaspersky Lab,” the statement said. “The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab.”

The statement added that Kaspersky does not possess any details about the investigation.

Before joining Kaspersky, Stoyanov worked for the Russian Ministry of Interior's cybercrime unit, his LinkedIn profile said. He then held roles in the private sector before joining Kaspersky. According to Forbes, his job at Kaspersky involved assisting companies in recovering from a cyber attack.

The Forbes article also claims that he assisted Russian authorities with investigations into hacking groups, including the infamous Lurk gang.

Kommersant adds that Russian investigators are looking into possible violations of Article 275 of the Criminal Code, which covers espionage and the disclosure of state secrets, potentially to a foreign state.

According to AP, the arrest could represent a shift in relations between cybersecurity firms and intelligence agencies. “It destroys a system that has been 20 years in the making, the system of relations between intelligence agencies and companies like Kaspersky,” investigative journalist Andrei Soldatov told The Associated Press.

“Intelligence agencies used to ask for Kaspersky’s advice, and this is how informal ties were built. This romance is clearly over.”

US intelligence agencies have accused Russia of hacking the Democratic National Committee as well as other attempts to influence the outcome of the recent presidential election.

Both Barack Obama and Donald Trump were briefed on the report, which stated that Russia handed its hacked information to WikiLeaks with the aim of swinging the election in Trump’s favor. Donald Trump subsequently beat Hillary Clinton to become President of the United States.

Source: Information Security Magazine

Ransomware App Found on Google Play

A ransomware app found its way into Google Play and managed to make at least one victim, according to revelations from Check Point. The app has since been removed by the Android team.

In a blog post on the company’s website, mobile cybersecurity analysts Oren Koriat and Andrey Polkovnichenko explained how, several weeks ago, Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who had downloaded and installed a zero-day mobile ransomware from Google Play dubbed “Charger”, which was found embedded in an app called EnergyRescue.

“This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks,” they added.

Apparently, the infected app steals contacts and SMS messages from the user’s device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment of 0.2 Bitcoins (roughly $180).

The malware uses several advanced techniques to hide its real intentions and make it harder to detect:

• It encodes strings into binary arrays, making them hard to inspect.
• It loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically loaded code is also flooded with meaningless commands that mask the actual commands passing through.
• It checks whether it is being run in an emulator before it starts its malicious activity. PC malware first introduced this technique, which is becoming a trend in mobile malware, having been adopted by several malware families including Dendroid.

Tim Erlin, senior director of product management at Tripwire, said:

“Both Google and Apple put in quite a lot of effort to keep malicious apps out of their respective repositories, but no system is perfect. Criminals are constantly testing the defenses in place with new techniques to sneak malicious apps past.”

Craig Young, security researcher at Tripwire, added that with 2.2 million apps in Google's Play Store, it is inevitable that some bad apples will get through, and whilst users can still trust the Play Store, they need to keep in mind a few tips to stay safe.

“First of all, you should never ever grant administrator permission to any application without absolute trust for why it is needed. Also, starting with the 2015 release of Android 6, applications started requesting permission at run time rather than at install time, so it is very apparent when an app tries to steal contacts or other personal data.

Unfortunately, he continued, only a little over 30% of Android devices are running this version or newer due to many low-end phones being neglected by vendors with respect to providing updates.

“This is why it's important to buy Android devices from vendors that have made commitments to keeping the product up to date for a specified amount of time. In today's market, the best choice for that would be Google's own Pixel phone, which has essentially replaced their Nexus line.

“It's also interesting to note that while this user was apparently running antivirus software, they were still infected. While many people perceive antivirus as a critical security control, many security professionals have been questioning its value for many years,” Young said.

Source: Information Security Magazine

Researcher Finds Hidden Twitter ‘Star Wars’ Bot

A London-based researcher has uncovered a huge network of fake Twitter accounts that may have been used to send spam, propagate malware and manipulate public opinion.

UCL student Juan Echeverria found the 350,000-strong ‘botnet’ when analyzing a random 1% sample of English-speaking Twitter users for a project.

On closer inspection he discovered patterns which linked the massive network of automated accounts to a single user or group.

He named it the “Star Wars botnet” because many of the accounts tweeted random quotes from the famous movie franchise.

Most worryingly, the botnet in question had lain hidden since 2013, because its accounts were deliberately designed to bypass common filters used to detect automation on the site.

These included the addition of profile pics and “regular” user profiles; eschewing URLs in tweets; only following a small number of users; tweeting not too frequently or infrequently; and tweeting those random Star Wars quotes, which appear to Twitter’s bot filters like real human language.
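The evasion traits listed above can be turned into a defensive screen. This is an added example, not code from the article or from Echeverria's research: each heuristic mirrors one trait, and the key check is whether an account's tweets are verbatim runs from a known quote corpus, which reads like human language to a language filter but is trivially matchable by exact substring. The accounts, the quote corpus and the thresholds are all constructed placeholders.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+")

# Constructed stand-in for a corpus of known quotes (placeholder lines, not
# real film dialogue). A real screen would load the actual quote lists.
QUOTE_CORPUS = [
    "the force is strong with this one in the placeholder corpus",
    "never tell me the odds of the placeholder corpus",
    "i have a bad feeling about this placeholder corpus",
]


@dataclass
class Account:
    name: str
    has_profile_pic: bool
    following: int
    tweets: list          # tweet texts observed in the window (constructed)
    days_observed: int


def normalize(text):
    """Lowercase, strip punctuation, split into words."""
    return re.sub(r"[^a-z ]", "", text.lower()).split()


def is_corpus_fragment(text, corpus=QUOTE_CORPUS, min_words=4):
    """True if the tweet is a verbatim run of at least min_words from a corpus line."""
    words = normalize(text)
    if len(words) < min_words:
        return False
    needle = " " + " ".join(words) + " "
    return any(needle in " " + " ".join(normalize(line)) + " " for line in corpus)


def score_account(acct, corpus=QUOTE_CORPUS):
    """Return (score, reasons); one reason per evasion trait the account matches."""
    reasons = []
    n = len(acct.tweets)
    if n == 0:
        return 0, ["no tweets"]
    if not any(URL_RE.search(t) for t in acct.tweets):
        reasons.append("no URLs in any tweet")
    if acct.following <= 20:
        reasons.append("follows very few accounts")
    rate = n / acct.days_observed
    if 0.2 <= rate <= 5:          # assumed 'not too frequent, not too infrequent' band
        reasons.append("moderate tweet rate")
    frac = sum(is_corpus_fragment(t, corpus) for t in acct.tweets) / n
    if frac >= 0.8:
        reasons.append(f"{frac:.0%} of tweets are verbatim corpus fragments")
    # A profile picture does not count against an account; it merely fails to
    # exonerate it, which is exactly why the bots added one.
    return len(reasons), reasons


def is_quote_bot(acct):
    """Flag only when the corpus-fragment trait is present and at least two others."""
    score, reasons = score_account(acct)
    return score >= 3 and any("corpus fragments" in r for r in reasons)


# Constructed sample: one bot matching the profile, two ordinary accounts.
SAMPLE_ACCOUNTS = [
    Account("bot_a", True, 8, [
        "The Force is strong with this one.",
        "Never tell me the odds.",
        "I have a bad feeling about this",
        "strong with this one in the",
        "tell me the odds of the placeholder",
    ], days_observed=10),
    Account("human_b", True, 300, [
        "Just shipped the release notes https://example.invalid/notes",
        "coffee then code then more coffee",
        "I have a meeting at four, send help",
    ], days_observed=10),
    Account("quiet_c", False, 5, ["lol"], days_observed=30),
]


def flagged_accounts(accounts=SAMPLE_ACCOUNTS):
    return [a.name for a in accounts if is_quote_bot(a)]
```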

Echeverria argued it would be irresponsible to assume the bot was created with malicious intent, but added that the prospect could not be ruled out.

“It is highly possible that the master still has the ability to reactivate all of the 350k Star Wars bots at any time of their choice,” he wrote.

“When that happens, the bots can pose all the threats discussed in Section 1.2, including spam, fake trending topics, opinion manipulation, astroturfing attack, fake followers and sample contamination. The fact that the Star Wars botnet has so many bots makes its potential threats serious, perhaps more serious than we have ever seen before.”

The revelations come in the same week Imperva Incapsula research revealed that one in three visitors to websites is likely to be an attack bot.

“While these are different types of bots that exist only inside the Twitter ecosystem, this is all a part of the same trend – just another example of how automation influences our online experience,” argued the firm’s senior security evangelist, Igal Zeifman.

“On Twitter, as on other websites, massive amounts of activity are generated by bots trying to impersonate human users. And in both cases, these bots are up to no good.”

Source: Information Security Magazine

New ‘Ripper’ Site Names and Shames Dark Web Fraudsters

Security experts have discovered a new online service designed to alert cyber-criminals to rivals, or "rippers", who commit fraud on underground forums.

The flashy new site is effectively the front-end of a database of known ‘bad’ cyber-criminals. Visitors can also add ripper profiles and details of individual scams, known as “blacks”.

The site even has Chrome and Firefox extensions and a Jabber plug-in, extending the functionality outside the website so users can easily identify flagged rippers, according to Digital Shadows.

Interestingly, the site’s development mirrored that of a legitimate start-up, the firm claimed.

“The founders plainly acknowledge their intention to displace the previous main player – – and try to win customers over by promising better features. They also have to prove their credentials – in this case by saying that a number of well-known forums support this project and their existing reputation on these forums,” Digital Shadows explained.

“Just like real startups, monetization is brought up as a key consideration, with suggestions such as an advertising or a subscription-based payment model … Without understanding how Ripper[.]cc makes money, the customers can’t trust it. Perhaps the plugins could be malicious or rippers could be added or removed for money.”

The site is another example of the growing professionalism and commercialism of the cybercrime underground, and that’s bad news for the white hats, because rippers actually perform a valuable service by slowing the underground market down and eating into their fellow cyber-criminals’ profits.

Kyle Wilhoit, senior security researcher at DomainTools, claimed there are several similar sites in existence, but not in English.

“One thing that matters in these types of marketplaces is the age of your account,” he explained.

“Some fallout will occur when shamed users are forced to delete their account, therefore losing any vouching power (for new members) and also losing the account age.”

Source: Information Security Magazine

KPMG: Online Fraud in 2016 Topped £120 Million

Online fraud in the UK hit £124 million in 2016 with some scammers making up to £2m per week, according to new stats from KPMG.

The global services giant’s bi-annual Fraud Barometer claimed total fraudulent activity in the UK last year burst through the £1 billion barrier for the first time since 2011.

Cyber comprised just over 11% of that figure – jumping a massive 1266% from 2015 figures.

However, there were caveats.

First, the report comprises only cases which have reached court, meaning the stats are likely to represent just the tip of the iceberg when it comes to fraud. Indeed, cyber fraudsters are harder to track and prosecute, which could explain the relatively low percentage ascribed to this category.

Also, around 90% of the losses to online fraud described in the barometer were down to a single case of £113m – the largest fraud since 2008.

In this case, scammers cold-called their victims pretending to be bank anti-fraud staff. Once they had obtained the answers to key security questions, they were able to log in to their victims’ accounts and siphon off funds.

During this time, the victims were apparently unable to make or receive calls.

This 9-to-5 operation is said to have netted the scammers – who used info from corrupt insiders – between £1m and £2m per week at its height.

“Both public and private organizations openly acknowledge that cyber-attacks are one of the most prevalent and high-impact risks they face, and yet many operate on the basis 'it won’t happen to me',” argued KPMG partner, Hitesh Patel.

“Organizations must keep abreast of the cyber-threats, both physical and digital, to ensure the protection mechanisms don’t become obsolete given the pace of technology and business change. You can have a variety of IT protections in place to defend yourself, but it’s all for nothing if you are tricked into giving away the keys to the electronic vault.”

Last week, the Office of National Statistics estimated around 1.9 million online fraud incidents in the UK last year.

“Businesses are often well informed of external cyber-fraud, such as the direct hacking of systems, as high-profile breaches often hit news headlines,” argued James Richardson, cyber fraud specialist at Bottomline Technologies.

“Consequently, some companies have invested disproportionate amounts into protecting their systems against cyber-fraud at the cost of internal vulnerabilities. Businesses must adopt a balanced approach when protecting against internal and external payment fraud.”

Source: Information Security Magazine

Fake Netflix App Relentlessly Spies on All Mobile Activity

An espionage trojan called SpyNote RAT has been found masquerading as the popular Netflix app, to trick Android users into downloading it. It then sets about constantly eavesdropping on user activity.

Zscaler’s ThreatlabZ said that once installed, the malware is capable of activating the device’s microphone and listening to live conversations; uninstalling antivirus software; copying files from the device to the hacker’s server; recording screen captures; viewing contacts; reading SMS messages; and gaining remote control of the device.

On the latter point, command execution can create havoc for the victim if the malware developer decides to execute commands on the victim’s device. Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day.

“The spyware in this analysis was portraying itself as the Netflix app. Once installed, it displayed the icon found in the actual Netflix app on Google Play,” researchers explained, in an analysis. “As soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears from the home screen. This is a common trick played by malware developers, making the user think the app may have been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its onslaught of attacks.”

SpyNote RAT also uses an unusual trick to make sure that it remains up and running and that the spying does not stop. It uses something called BootComplete, which is a broadcast receiver—an Android component that can register itself for a particular event. In this case, whenever the device is booted, BootComplete gets triggered. BootComplete then starts the AutoStartup service, which can perform long-running operations in the background and does not need a user interface. And then the AutoStartup service makes sure that the RAT’s core functionality is always running.
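The boot-persistence pattern described above leaves a footprint in the app's manifest, which is where a triage analyst would look first. This is an added example, not Zscaler's code: it parses a decoded AndroidManifest.xml for receivers registered for the BOOT_COMPLETED broadcast, the matching RECEIVE_BOOT_COMPLETED permission, declared services, and the surveillance permissions that line up with the capabilities the article lists. The manifest below is constructed; the component names follow the article and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
# Permissions corresponding to the microphone, SMS and contacts access
# the article attributes to SpyNote RAT.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest (placeholder package name, component names as in the article).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.fakeflix">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Netflix">
        <receiver android:name=".BootComplete" android:enabled="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".AutoStartup"/>
    </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(xml_text):
    """Summarise the persistence- and surveillance-relevant parts of a manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(_attr(receiver, "name"))
    return {
        "package": root.get("package"),
        "boot_receivers": boot_receivers,
        "has_boot_permission": BOOT_PERMISSION in perms,
        "services": [_attr(s, "name") for s in root.iter("service")],
        "spy_permissions": sorted(perms & SPY_PERMISSIONS),
    }


def triage_verdict(report):
    """Boot persistence combined with surveillance permissions warrants manual review."""
    persistent = bool(report["boot_receivers"]) and report["has_boot_permission"]
    if persistent and report["spy_permissions"]:
        return "review: boot-persistent with surveillance permissions"
    if persistent:
        return "note: boot-persistent"
    return "no boot persistence"


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print(report)
    print(triage_verdict(report))
```

A boot receiver by itself is common in legitimate apps; the combination with microphone and SMS permissions in an app claiming to be a video player is what justifies a closer look.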

The team also found several other fake apps developed using the SpyNote builder, including faux versions of WhatsApp, YouTube Video Downloader, Google Update, Instagram, AirDroid, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash and PokemonGo.

Overall, in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild, the researchers noted.

“The days when one needed in-depth coding knowledge to develop malware are long gone,” they said. “Nowadays, script kiddies can build a piece of malware that can create real havoc. Moreover, there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks. Because mobile devices are everywhere, malware is everywhere, too. That’s why Zscaler advises all mobile users to take precautions when downloading anything to their devices, including apps.”

In particular, users should avoid side-loading apps from third-party app stores and avoid the temptation to download and play games that are not yet officially available on Android.

Source: Information Security Magazine

Clash of Clans Maker Hacked

A breach of the Clash of Clans creator has exposed credentials for forum users.

Supercell, the force behind that popular mobile game and others, said that a vulnerability in the software it uses to run its forums allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords.

To provide its forum service, it uses software from The company said that its preliminary investigation suggests that the breach happened in September 2016—and that it has since been fixed.

“We take any such breaches very seriously and we follow very strict policies when it comes to security,” Supercell said in a statement. “Please note that this breach only affects our Forum service. Game accounts have not been affected.”

Avast Threat Labs senior malware analyst Jan Sirmer commented via email on the danger of attacks like these.

“The forum administrators in this case do bear some responsibility—the vBulletin software being used to host the Supercell forum was out-of-date, and it’s up to the administrators to keep software like that up-to-date,” he said. “Online gamers are vulnerable to these kind of hacks because they provide their data to third parties—but the same is true for everyone who uses any online service.”

Users should change the password they’re using on the forum as soon as possible, along with the password in any other systems they’re using with the same login.

“The information the hackers obtained can either be used by the hackers themselves or sold on the darknet for other hackers to abuse,” Sirmer said. “As many people use the same login credentials to log in to online services, hackers try to use login credentials they get to gain access into other accounts.”

Source: Information Security Magazine

Data Fragmentation Foments Big Security Gaps

About three-quarters (76%) of data security professionals believe in the maturity of their data security strategy, according to a new study. Yet, 93% report persistent technical challenges in protecting data.

The study, from Varonis Systems, noted that a fragmented approach to data security exacerbates vulnerabilities and challenges. Organizations are “focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data.” 

For instance, 62% of respondents have no idea where their most sensitive unstructured data resides; and 66% don’t classify this data properly. More than half, 59%, don’t enforce a least-privilege model for access to this data; and 63% don’t audit use of this data and alert on abuses.

“Many point products are designed to mitigate specific threats,” said David Gibson, vice president of strategy and market development with Varonis. “If they’re used tactically, instead of supporting a strategy that improves the overall security of data, they can not only cost a lot of money, but also provide a false sense of security. Ransomware, for example, exploits the same internal deficiencies that a rogue or compromised insider might—insufficient detective capabilities and over-subscribed access. Too many organizations look for tools that specifically address ransomware, but neglect to buttress core defenses that would mitigate more than just this specific threat.”

About 96% of these respondents believe a unified approach would benefit them, including preventing and more quickly responding to attempted attacks, limiting exposure and reducing complexity and cost. Within such a solution, 68% see the value of data classification, analytics and reporting to help reduce risk. Additional criteria also include meeting regulatory compliance (76%), aggregating key management capabilities (70%) and improving response to anomalous activity (66%).

In order to provide data visibility and controls organizations desire, the study noted, “It’s time to put a stop to expense in depth and wrestling with cobbling together core capabilities via disparate solutions.”

Gary Hayslip, CISO for the City of San Diego, said in the report: “One of the greatest challenges a CISO faces involves data. It is incumbent upon our team to understand not only how our stakeholders work, conduct business and use data, but also what applications the stakeholders require; what data is important to them; and which data if compromised would critically impact the ability of the organization to conduct business.”

Source: Information Security Magazine

UK Firms Warned of Fake Ransomware Scams

UK businesses appear to be over-hastily paying up when confronted with what appears to be crypto-ransomware, according to new data released from Citrix.

The firm polled 500 IT decision makers in firms with 250 or more employees and revealed that nearly 40% had experienced a “bluff” ransomware attack – that is a scam in which the black hat claims to have encrypted the victim’s data but in reality is simply using social engineering to force payment.

What’s more, 60% claimed to have paid up on demand, with the average sum a little over £13,400.

However, survey company OnePoll was unable to confirm to Infosecurity exactly how those duped by the “bluff” ransomware attacks were subsequently able to identify that they’d been scammed “because that isn’t a question that we asked them.”

It’s possible that third-party experts were able to confirm this after the event: over half (57%) of affected UK businesses shared that information with the police, 59% with organizations like the National Cyber Security Centre, and 45% with cybersecurity initiatives like No More Ransom.

Just 24% of affected firms shared this information with customers, partners and suppliers.

“This research leaves a worrying impression that organizations may be treating ransomware as a cost of doing business – just like shrinkage and fraud in some sectors. Yet this mentality may be resulting in British businesses paying out when it is not necessary, while simultaneously supporting cyber-criminal activity,” argued Citrix chief security architect, Chris Mayers.

“Whether they pay the ransom or not, sharing information on the ‘bluff’ attack is key to ensuring that other organizations do not fall victim to the same scam.”

He added that telling the real from the bluff can be technically challenging, especially as cyber-criminals will often try to scare the victim so they don’t try to bypass the warning screen, for example by saying their files will be deleted if they try to reboot.

Source: Information Security Magazine