With the latest retail breach at Home Depot, attention has again turned to credit card black markets, the clearinghouses that sell these stolen cards to the highest bidder. These are no fly-by-night operation. In fact, the largest of these markets have some sophisticated features that any e-commerce site would tout, including:
• integrated Bitcoin funding
• good customer support
• good commerce features
On Monday, the US-CERT (United States Computer Emergency Readiness Team) issued an updated advisory, warning that the ‘Backoff’ Point-of-Sale malware continues to evolve. And just today, UPS confirmed that it is the newest likely victim of Backoff. US-CERT has now seen five variants of ‘Backoff’, each with notable modifications, and the malware has been found in at least three separate forensic investigations. They note that the variants are largely undetected by AV vendors, and recommend that in lieu of such protection, organizations should monitor for ‘indicators of compromise’ (IOCs) to determine if they have been infected. Read more
The Snifula family of malware has been making a name for itself recently in Japan, targeting multi-national and smaller regional financial institutions alike. The effectiveness of this kind of malware is putting banks at risk in other parts of the world too, including North and South America. Our research indicates that most financial institutions in the Western hemisphere have already been attacked by some variant of Snifula.
Last week, reports flooded security forums and publications highlighting an increase in the rate of a fraud attack named Operation Emmental.
The threat type was first noticed by security companies approximately 5 months ago, but the recent rise in successful attacks against mobile banking users has been alarming and underlined the effectiveness of the attack. The fact that the majority of the successful attacks were aimed at Swiss banks led to the name of Operation Emmental, referring to the Swiss cheese containing holes, suggesting imperfections in security. Read more
This week we were greeted with news of a new banking trojan malware variant named Zberb. This trojan was described breathlessly by the security community as an “evil monster” and a “hybrid beast” in one hyperbole-laced article. Why is Zberb so terrifying and why should we take all of our money out of the bank, convert it to bullion and bury it in the yard? Well, from a technical perspective, Zberb was designed and built by combining features already in the wild from two major bank trojan families, Zeus/Zbot and Carberb.
Both of these trojans have been in the wild for a long time and have been consistently improved with new attack vectors, new detection migitations and new communications mechanisms.
One of the hardest responsibilities to tackle when it comes to fraud management is identifying and anticipating emergent attacks that seek to exploit your security controls. When I was in charge of rooting out fraud at a well-known financial services company, I spent a lot of time and money designing and deploying fraud solutions, as well as establishing proactive mitigation efforts to help identify threats in their planning stages. I know what it’s like to be on the client side of the fraud protection fence, regularly evaluating tools to see which ones are effective and which are a waste of time and money.
Today, our research team has confirmed a massive spam campaign leveraging ZeuS GameOver, is now targeting major banks, social networks, and other enterprises.
How is the spamming taking place?
Hundreds of unsolicited emails, impersonating “Broad Oak Toiletries Ltd”, are targeting these organizations. To inspire trust, the emails have the word Invoice and a few random numbers on the subject line and pretends to have been scanned by Symantec Email Security cloud service. In the body of the email, the recipients are being asked to communicate a payment date to an account administrator for the invoice attached.
The email includes a ZIP archive named ‘Invoice [random number] March 2014.zip’ and contains an executable file posing as a Word document. Upon opening, the file will attempt to download a binary form of 55 different URLs. Following this, approximately 35 websites will be serving up the payload of ZeuS GameOver, with the Narcus rootkit and some ransomware.
One of the many services we provide our clients is brand intelligence. This service is usually used by banks and credit unions that want to keep an eye on their brand presence online, as well as any “chatter” about pending or on-going attacks against their infrastructure.
Every April, procrastinators hurry to get all of their paperwork together to file their taxes, while accountants also strive to make every minute count. As it turns out, everyone is busy in April, even cybercriminals.
The end of tax season is prime time for fake phishing e-mails asking taxpayers to log in and check the status of an income tax return, messages claiming that updated tax documents have been issued, and even e-mails asserting that there is an error with your tax return.