Malware Called Eurograbber Steals 36 Million Euros
If cybercriminals were to promote their malware, for sure they would call their EuroGrabber ‘next-generation’ Zeus crimeware. This is (a lot) more than your run-of-the-mill banking Trojan. These guys have penetrated SMS-based 2-factor authentication and are exploiting it at full speed, Check Point Software Ltd intrusion prevention product manager Darrell Burkey announced. What’s most concerning, as per Burkey, is how smart the criminals engineered this malware to be. “The attack specifically targeted a certain type of authentication,” he stated. The new version has already stolen more than 36 million Euros ($47 million U.S) from roughly 30,000 accounts at European banks, both consumer and corporate users, performing automatic transfers that varied from €500 to €250,000 to intermediary accounts controlled by members of the gang.
First you have to understand that mobile authentication is used all over in Europe for bank transactions, and that U.S. banks are moving in the same direction for some services. The Eurograbber attack first infects a user’s PC with a banking Trojan, using social engineering and next it infects the user’s mobile device with a second social engineering trick, when the user is fooled again into clicking on a link that now infects their phone.
The malware targets the Android and Blackberry platforms, and has not been spotted on the iPhone yet. Originally, the attacks were first reported in Italy, and then bank customers saw the same exploit pop up in Germany, Holland and Spain after the cyber gang had done their translations, testing and quality assurance.
What you may not be aware of is that in Eastern Europe, there are some people that go to work at 9 in the morning, punch the time clock, have lunch, leave the office at five and get health insurance, but what they do during the day is develop and test malware for criminal use. There are several competing criminal software companies out there, trying to outdo each other in creating the most advanced banking trojans.
“This attack meets all the key buzzwords we hear about attacks today,” Burkey says during an interview with BankInfoSecurity. “It’s sophisticated in the way it goes about taking advantage of two-factor authentication. It’s targeted. It’s stealthy. And, unfortunately, it’s successful.”
The exploit was first discovered in August by Versafe, an online identity-theft protection provider. The command-and-control servers have been taken down at the moment, but this could easily be repeated.
Now, how can these attacks be prevented? The bad guys go after the weak link in IT security: the human. That means they send well-crafted emails that make people click because they either think they get something for free, or try to prevent a negative consequence. There are thousands of ways that the bad guys can trick someone, and only one way to prevent an attack from happening: security awareness training which will arm both consumers and organizations against increasingly sophisticated malware attacks. To see the illustration describing the attack, check the KnowBe4 Blog.
Two Warmly Recommended Holiday Reads
First is a list with the "Top 10 Tech Biographies That Any Geek Will Love." Number 2 on that list is 'Ghost in the Wires' by my business partner Kevin Mitnick! Actually a really exciting read, and it's all true, so grab a copy.
Second is the new Tom Clancy book 'Threat Vector' which is completely about hacking and how the Chinese infiltrate the U.S. infrastructure, I am midway, it's very exciting and technically all very close to correct, so this is a great fiction novel for a few quiet days at year's end.
Quotes Of The Month
"Good judgment comes from experience. Experience comes from bad judgment."
-— Mulla Nasrudin
"If you can do something about a situation, why worry? And if you can't do something about a situation, why worry?" -— Dali Lama
Editor, WindowSecurity.com Newsletter
Email me at firstname.lastname@example.org
Released: Kevin Mitnick Security Awareness Training
Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.
Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training . You'll be glad you did.
Guy Gets SWAT Team-ed For Not Securing His Wireless Network
Lying on his family room floor with assault weapons trained on him, shouts of “pedophile!” and “pornographer!” stinging like his fresh cuts and bruises, the Buffalo homeowner didn’t need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.
That new wireless router. He’d gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.
“We know who you are! You downloaded thousands of images at 11:30 last night,” the man’s lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, “Doldrum.”
“No, I didn’t,” he insisted. “Somebody else could have but I didn’t do anything like that.”
“You’re a creep … just admit it,” they said.
You know where this is going. They got the wrong guy. Someone else had used his wireless connection to download child porn. Law enforcement officials say the case is a cautionary tale, and it could also happen in your place of work. More.
$345,000 Cyberheist Settles After Three Years Dispute
Patco Consulting was one of the first companies to seek protection via the courts after more than half a million dollars was stolen out of their bank via an account takeover by eastern European cyber criminals. It has finally settled and the bank is paying back the still missing funds. It was caused by an employee clicking on a phishing link, and has cost Patco an incredible amount of lost time due to the initial lawsuit and the following appeal. I have followed this story since it began, and I do not wish this on my worst enemy. They finally got their lost money back, but you can never pay back the thousands of hours of lost time, legal wrangling and worries. And to think that all this could have been prevented with security awareness training for their employees. Here is the story in ComputerWorld.
Watchguard Lists Its Security Predictions For 2013
WatchGuard Technologies revealed its annual security predictions for 2013. The list, which has been assembled by WatchGuard’s security research analysts, reveals an uptick in emerging cyber threats and an increased focus by governments to fight back through legislation. While the security industry is predicted to focus on “strike back” measures, WatchGuard predicts these actions will be ineffective and ultimately unviable for most organizations.
WatchGuard Director of Security Strategy Corey Nachreiner, a Certified Information Systems Security Professional (CISSP) said, "2012 was an eye-opening year in cyber security as we saw the number of new and more sophisticated vulnerabilities rise, impacting individuals, businesses and governments. This is a year where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys." For the whole story.
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at email@example.com
SecOps: What You Need To Know
Inside The Blackhole Exploit Kit!
George Chetcuti wrote in his blog: "A technical paper about one of the most active exploit kits around details how this kit works. The first portion of the paper by Gabor Szappanos, Principal Researcher at SophosLabs focuses on version 1.0.2 of the exploit kit which dates back to 2010.
The Blackhole backend costs ranges from $1500 per annum to a few hundreds per week but a downloadable free version of this version is available from torrent sites! Compromised legitimate websites redirect users’ traffic to malicious websites that are hosting exploit kits to infect users’ machines with malware.
Worst Security Snafus Of 2012
Some of the worst online security problems of 2012 came in the form of DDoS attacks, cloud outages and political unrest. Ellen Messmer at NetworkWorld took the time to put the list together. Read it and don't let this happen to you.
Scam Of The Week: "You Accessed Illegal Content"
There is a significant uptick in a ransomware attack that declares a law enforcement agency has determined that a computer with the victim's IP address has accessed child pornography and other illegal content.
Moreover, this scam uses the good name of the Internet Crime Complaint Center (IC3) to lure the victim to a drive-by download website, which in turn installs the ransomware on the victim's computer, and tries to extort money.
As you well know, cyber criminals use social engineering to make people click on links to 'prevent a negative consequence'. To trick users to click this latest version of the malware claims that the victim's computer activity is being recorded using audio, video, and other devices.
We strongly recommend you warn your users about this one, as they can be hit both in the office and at the house. Download and send it this PDF all employees. It's a free service from KnowBe4 and lists the 22 Social Engineering Red Flags that they need to watch out for.
The Secret Of The Net: One Big Buggy Beta
Most people look at me surprised when I tell them the whole Net is still in beta, but it's true, Vint Cerf, the father of the Internet said so himself. He was quoted in the book Fatal System Error: "My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I could not tell if even the basic ideas would work. We never got to do the production engineering." If you know software development jargon, that means it remained in beta... and -has- been up to now! The protocols they built at the time focused on fault tolerance, they simply were not built for security. Unfortunately, the bad guys know this full well, and are exploiting it to the limit.
Web security is fundamentally broken, and anonymity does not exist. If the owner of a website wants to know who you are, where you live, and much much more, they can get that information easily.
With that in mind, lets look at some realities regarding websites and web browsers. It is possible to defend a website against a malicious browser. Takes a lot of work, but it is achievable. However, the other way around
is impossible. If you visit a malicious website using your browser, you cannot to defend against that site, which explains the incredible success of the Blackhole exploit kit. Anonymous browsing is simply not something you can count on, and your browser is a paradise for the hacker as they can make it do all kinds of things. But don't take it from me, listen toJeremiah Grossman, Founder and CTO of WhiteHat Security, and his recent presentation where he -shows- how you can easily 'de-anonymize' site visitors. This is a very interesting (and scary) 45 minutes.
Spear Phishing Remains Preferred Point of Entry in Attacks
Excellent post in the Kaspersky blog. "Nine times out of 10, attackers walk into an organization right through the front door of its Exchange Server, crafting convincing email messages purportedly from a trusted source that either trick the victim into opening an infected attachment or visiting a website where credentials are stolen, or malware is surreptitiously installed on the visitor’s machine. In any event, the first wave of the targeted attack kicks off from a lowly email." More.
Social Engineering Defense Contractors on LinkedIn and Facebook
Jordan Harbinger, expert in interpersonal dynamics and social engineering, gives a great keynote at DerbyCon event, highlighting the methods it takes to elicit confidential information from people with top secret level security clearance. There are some very important lessons tobe learned here, because he is using the pretext of being a recruiterand we all deal with these people now and then. Moreover is that the article is a riot. Warmly recommended.
Fave links & Cool Sites
Here is your 5-minute Virtual Vacation: beautiful footage of Alaska in areas that have never been rafted before.