24 replies to this topic

[AplusWebMaster]

FYI...

Online banking and Java threats ...
- https://www.trusteer...-have-in-common
Jan 23, 2013 - "... analysis of a top-tier bank client identified approximately 300 exploits attempting to take advantage of this Java vulnerability during the week before the vulnerability was publicly disclosed. The week following the disclosure, over 500 exploits were attempted*, a 74% increase from the previous week. This sudden increase tracks closely with prior studies showing a marked jump in infection attempts immediately following the public disclosure of a newly discovered vulnerability... We have reached a tipping point where financial institutions must now recognize, as they have with username/password security, that a majority of customer devices could very well be infected with advanced financial malware. We are talking about the type of malware that can inject fraudulent transactions, steal credentials and additional authentication factors as the user is inputting them, and take control of a legitimate, authenticated online banking sessions. Traditional authentication, fraud detection, and anti-virus software approaches are simply not capable of protecting against this threat..."
* https://www.trusteer...eenShot1180.png

[AplusWebMaster]

FYI...

Security on Trial: Effectiveness vs. Convenience
- https://www.trusteer...-vs-convenience
March 25, 2013 - "On March 18 a Missouri US District Court ruled that BancorpSouth was not liable for a fraudulent $440,000 wire transfer executed by cyber criminals using a hijacked account belonging to one of its customers (Choice Escrow Land Title LLC) account. The primary basis for the court’s ruling was the Uniform Commercial Code (UCC) Article 4a. Essentially it states that if a bank offers commercially reasonable security procedures and a commercial customer refuses to implement them, then the customer is liable for any fraud on their account.
BancorpSouth offers its customers dual authorization for wire transfers. The customer, Choice Escrow Land Title, declined to use it. While many aspects of this case will be discussed and debated, a key point made by Judge John Maughmer in his summary judgment is worth noting: “The tension in modern society between security and convenience is on full display in this litigation." This case perfectly illustrates the ongoing struggle between security effectiveness and convenience. Choice Escrow declined to implement dual authorization for wire transfers because they deemed the control could interfere with their ability to conduct business. As a small company, Choice was concerned that two employees would not always be readily available to execute a wire transfer. Because wire transfers are typically used when immediate payment is required, any delays would impact the timeliness of these payments.
While not overtly stated in the summary judgment, the fraud was most certainly enabled by Man-in-the-Browser (MitB) malware. The correct username and password were used from a device with a valid software token and a regularly used IP address. These are all indications of MitB malware, which can inject fraudulent transactions into authenticated online banking sessions or use the legitimate user’s machine as a proxy to route fraudulent transactions.
Device identification methods (including software tokens and IP address used here) simply cannot reliably detect fraud conducted using MitB malware. In fact, dual authorization is also highly susceptible to MitB malware. The fraudster simply needs to compromise multiple devices at the target business, which has been done on numerous occasions. The heart of the matter in this case is usable security. It’s considered commercially reasonable to require the customer to use (and often pay for) hardware tokens to authenticate online banking sessions and subsequent transactions within the session. It’s also considered commercially reasonable for risk engines to regularly block legitimate transactions suspected of being fraudulent, and place a hold on suspicious transactions until the customer is contacted. Finally, it’s considered commercially reasonable to regularly ask online banking customers to answer multiple challenge questions. Even though answers to these questions can be easily captured via malware and phishing, and often can be discovered using a simple web search.
All the solutions listed above provide marginally improved security, but they do so at the high cost of customer inconvenience. As commercial banking customers become more educated about the legal liabilities surrounding online banking and payments fraud, we expect to see a shift in their behavior. Banks that provide convenient, effective security controls and place a strong emphasis on maintaining a frictionless customer experience will be perceived more favorably. Those that force their customers to adopt cumbersome, questionable security controls will be viewed as adversarial. Financial institutions that do not provide effective, usable security controls should be prepared for some of their customers to look for and move to providers that do."

- https://krebsonsecur...erheist-victim/
26 Mar 2013 - "... The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring -two- employees to sign off on all transfers... a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out their account using nothing more than a stolen username and password. The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money..."

Edited by AplusWebMaster, 26 March 2013 - 10:51 AM.

[AplusWebMaster]

FYI...

Shylock starts targets New Countries ...
- http://atlas.arbor.n...index#801352216
April 08, 2013 - "The Shylock banking trojan continues to evolve, adding new functionality to increase its reach.
Analysis: Just like other banking trojans before it such as SpyEye, Shylock is evolving to offer more comprehensive attacks. By proxying through the infected computer, the attackers perform "man in the browser" banking transactions that don't arouse the immediate suspicion of the financial institution. Its ability to spread through other mechanisms such as Skype and it's FTP password grabbing functionality aren't new in the malware world, but they are new to Shylock. The ability to upload video to the attackers and the ability for the attackers to interactively take over the screen of the infected system are also new. While some recent arrests in Russia for the use and development of the Carberp banking trojan may slow down that particular malware family, innovations in other malware families will keep financial institutions and consumers on their toes.
- http://www.symantec....s-opportunities

> https://www.symantec...first_graph.png

[AplusWebMaster]

FYI...

New Crimeware In BANCOS Paradise
- http://blog.trendmic...ancos-paradise/
April 15, 2013 - "Traditionally, Brazil is known for being the home of BANCOS, which steals the banking information of users and is generally limited to the Latin American region. Other banking Trojans like ZeuS, SpyEye, and CARBERP, which are common in other regions, are not traditionally used by Brazilian cybercriminals and not aimed at Brazilian users either. However, that might be changing. In a local hacker forum, we saw a post where somebody was selling some rather well-known malware kits:
• Zeus version 3
• SpyEye version 1.3.48
• Citadel version 1.3.45
• Carberp (“last version with all resources”)
• CrimePack Exploit kit version 3.1.3 (leaked version)
• Sweet Orange exploit kit version 1.0
• Neutrino exploit kit
• Redkit exploit kit
In addition, if an interested buyer purchases any of the kits listed above, he will also get the kit for SpyEye version 1.3.45 for free... In the end, we will have both botnets and BANCOS malware become more furtive and powerful in stealing data and money from users. A side effect is we expect to find more botnets active in Brazil, which may even end up forking to create versions that are specifically targeted at Brazilian users..."

[AplusWebMaster]

FYI...

KINS banking Trojan...
- https://blogs.rsa.co...kins-inth3wild/
July 23, 2013 - "... KINS is the name of a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors... With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade 'quality'..."

- http://atlas.arbor.net/briefs/
July 26, 2013 21:35 - "The KINS banking malware is -not- new*, despite press hype that suggests otherwise. Threats to banking transactions continue to evolve..."
* http://blog.fox-it.c...e-kins-malware/
___

Zeus Botnet Impersonating Trusteer Rapport Update
- http://blogs.cisco.c...rapport-update/
July 19, 2013

Edited by AplusWebMaster, 29 July 2013 - 12:53 PM.

[AplusWebMaster]

FYI...

BGP multiple banking addresses hijacked
- https://isc.sans.edu...l?storyid=16249
Last Updated: 2013-07-30 00:29:00 UTC - "On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet. Why is this important you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't there. You are still at home and haven't moved at all. All packets that should happily route to you now route elsewhere. Emails sent to you bounce as undeliverable, or are read by other people. Banking transactions fail. HTTPS handshakes get invalid certificate errors. This defeats the confidentiality, integrity, and availability of all applications running in the hijacked address spaces for the time that the hijack is running. In fact this sounds like a nifty way to attack an organization doesn't it? The question then would be how to pull it off, hijack someone else's address? The Autonomous System (AS) in question is owned by NedZone Internet BV in the Netherlands. This can be found by querying whois for the AS 25459. According to RIPE this AS originated 369 prefixes in the last 30 days, of these 310 had unusually small prefixes. Typically a BGP advertisement is at least a /24 or 256 unique Internet addressable IPs. A large number of these were /32 or single IP addresses. The short answer is that any Internet Service Provider (ISP) that is part of the global Border Gateway Protocol (BGP) network can advertise a route to a prefix that it owns. It simply updates the routing tables to point to itself, and then the updates propagate throughout the Internet. If an ISP announces for a prefix it does not own, traffic may be routed to it, instead of to the owner. The more specific prefix, or the one with the shortest apparent route wins. That's all it takes to disrupt traffic to virtually anyone on the Internet, connectivity and willingness to announce a route that does not belong to you. This is -not- a new attack, it has happened numerous times in the past, both -malicious- attacks and accidental typos have been the cause.
The announcements from AS 25459 can be seen at:
- http://www.ris.ripe....d.html?as=25459
A sampling of some of the owners of the IP addresses that were hijacked follow:
1 AMAZON-AES - Amazon.com, Inc.
2 AS-7743 - JPMorgan Chase & Co.
1 ASN-BBT-ASN - Branch Banking and Trust Company
2 BANK-OF-AMERICA Bank of America
1 CEGETEL-AS Societe Francaise du Radiotelephone S.A
1 FIRSTBANK - FIRSTBANK
1 HSBC-HK-AS HSBC HongKong
1 PFG-ASN-1 - The Principal Financial Group
2 PNCBANK - PNC Bank
1 REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION
Some on the list were owned by that ISP, the prefix size is what was odd about them. The bulk of the IP addresses were owned by various hosting providers..."

Diagnostic page for AS25459 (NEDZONE-AS)
- http://google.com/sa...c?site=AS:25459
"... over the past 90 days, 186 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-12... we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 60 other site(s)... We found 41 site(s)... that infected 332 other site(s)..."

Edited by AplusWebMaster, 12 August 2013 - 05:50 PM.

[AplusWebMaster]

FYI...

Banking Threats: The Apollo Campaign
- http://atlas.arbor.net/briefs/
Elevated Severity
October 21, 2013
The Apollo Campaign targets eastern European banks for man-in-the-browser style attacks which lead to financial theft.
Analysis: This trend is not new, but it is getting more press. Shylock is another banking threat that has targeted specific regions of the world. Attackers have resource constraints as well, and may be finding that their ROI is enhanced when they target specific regions. This could be due to having some local understanding of the target audience, banking security measures, and the typical end-user security measures that are commonly put into place. Despite having been around for many years, banking trojans continue to be a problem and they continue to innovate. In this case, the threat actors used "Bleeding Life Exploit Pack, Pony Loader, Ann Loader, and ZeuS" to support the operation. Detecting all of these types of threats on the wire and on the host provides many opportunities to intercept this threat at multiple places on the "kill chain".
Source: http://blog.trendmic...pollo-campaign/

[AplusWebMaster]

FYI...

Neverquest Trojan - Banking Threat
- http://www.symantec....on-older-threat
4 Dec 2013 - "... Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006... We also got hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address 195.191.56.245 was used as a C&C server by Trojan.Snifula... The Aster Ltd domains Pluss .com .tw and Countdown .com .tw are hosted on the IP address 195.210.47.173. Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3 .net and Facestat .com .tw, are being hosted on the IP address 195.137.188.59, another known C&C IP address for Trojan.Snifula... Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon..."   
* http://www.symantec....-112803-2524-99

- https://www.virustot...45/information/

- https://www.virustot...73/information/

- https://www.virustot...59/information/
 

Edited by AplusWebMaster, 04 December 2013 - 04:48 PM.

[AplusWebMaster]

FYI...

Tiny Banker Trojan - targets customers of major banks ...
- http://blog.avast.co...anks-worldwide/
Sep 15, 2014 - "After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
> http://blog.avast.co...9/hsbc_bank.png
... How does Tiny Banker work?
1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
4. If he/she -confirms- the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.
> http://blog.avast.co...014/09/form.png
... Targeted financial institutions:
Bank of America, Associated Bank, America’s Credit Unions, Etrade Financial Corporation, US bank, Banco de Sabadell, Farmers & Merchants Bank, HSBC, TD Bank, BancorpSouth, Chase, Fifth third bank, Wells Fargo, StateFarm, Regions, ING Direct, M&T Bank, PNC, UBS, RBC Royal Bank,  RBS, CityBank, Bank BGZ, Westpack, Scotiabank, United Services Automobile Association
Screenshots of targeted banks:
- http://blog.avast.co.../09/us_bank.png
...
- http://blog.avast.co.../09/td_bank.png
... Conclusion: Keep your software up-to-date. Software -updates- are necessary to patch vulnerabilities. Unpatched vulnerabilities open you to serious risk which may lead to money loss. For more protection, use security software such as avast! Antivirus with Software Updater feature. Software Updater informs you about updates available for your computer..."
 

 

[AplusWebMaster]

FYI...

29 charged in Chicago with 'cracking cards' bank fraud
- http://www.reuters.c...N0SO1VR20141029
Oct 29, 2014 - "Twenty-nine people in the Chicago area face state or federal charges for involvement with a bank fraud scheme known as 'cracking cards', which found participants through rap music and social media, prosecutors said on Wednesday. The multimillion-dollar scheme, which started on Chicago's South Side about three years ago, involved recruiting bank customers to give up their debit cards and PIN numbers with the promise of making fast cash, the U.S. Attorney's Office in Chicago said. Bank customers were recruited at parties, schools, on the street or through social media such as Instagram and Facebook, prosecutors said. The scheme, which has been seen in other areas of the country, is also known as 'card popping'. After the defendants got the cards and information, they made or bought counterfeit checks to deposit into the accounts, waited for the amount to be credited, and then withdrew money. Four defendants called themselves the "R.A.C.K. Boyz" or "Rack Boyz." They have Facebook and Twitter accounts and posted videos on YouTube, including a rap video called "For the Money," which refers to "cracking cards" and shows large amounts of cash, prosecutors said... One defendant, Matthew Mosley, 26, of Chicago, made counterfeit checks that he used and sold to others, prosecutors said. He was one of 16 people charged in Chicago with federal bank fraud for causing more than $1.7 million in bank losses. Ten of the defendants are still at large. Citibank, U.S. Bancorp, JP Morgan Chase & Co , Bank of America Corp and others were identified as victims of the scheme. Persons whose bank cards were used may also be victims if the bank made them pay the money back, or if they were promised money they didn't get..."
___

Two Charged in $5.8M reloadable Debit Card Extortion Scam
- http://www.justice.g...ws Release.html
Oct 28, 2014 NEWARK, N.J. – "Two Philadelphia men were arrested this morning for allegedly conspiring to extort victims to load prepaid debit cards with funds that were stolen as part of the scheme, U.S. Attorney Paul J. Fishman announced. Special agents of the FBI and U.S. Immigration and Customs Enforcement, Homeland Security Investigations (HSI) arrested Alpeshkumar Patel, 30, and Vijaykumar Patel, 39, of Philadelphia at Vijaykumar Patel’s home on a complaint charging them with conspiracy to commit wire fraud. The pair, who are not related, are expected to appear this afternoon before U.S. Magistrate Judge Mark Falk in Newark federal court.
According to the complaint unsealed today:
From September 2013 through March 2014, Alpeshkumar Patel and Vijaykumar Patel were part of a conspiracy to steal money using reloadable debit cards. First, the conspirators would purchase reloadable Green Dot Cards, and register them in names other than their own. The conspirators – some of whom were located in India – contacted victims by phone and used threats or deceit to induce them to put money on MoneyPak cards, which are used along with assigned PIN codes to add funds to Green Dot Cards. The conspirators then used the reloadable cards to purchase money orders that were deposited into bank accounts. All of the steps were taken quickly so law enforcement and victims could not identify the conspirators or prevent or reverse the fraudulent transfers. As one example, a retail store located in New Jersey received a telephone call from an unknown caller on Sept. 10, 2013. The caller said there was a bomb in the store and the store manager had five minutes to comply with the caller’s demands or the bomb would detonate. The caller then demanded the manager load 10 $500 MoneyPak cards and provide the caller with the associated PIN codes.  The manager had provided the code for one card before law enforcement arrived at the store, instructed the manager to hang up the phone, and evacuated the building.
The $500 associated with that code was transferred to an existing prepaid reloadable Green Dot Card. Surveillance video showed Alpeshkumar Patel in the Philadelphia CVS where the Green Dot Card was bought. That card was then used by Vijaykumar Patel, who was caught on video purchasing two money orders in a Philadelphia Wal Mart. The money orders, in turn, were used to deposit funds into a bank account.
Phone numbers and IP addresses associated with the Sept. 10, 2013, call and other calls tied to the conspiracy were tied to approximately 2,500 Green Dot Cards that were funded in excess of $5.8 million..."