06 Sep Mule Flood in Japan Michael
17 May Malicious PACs and Bitcoins Fabio Assolini
22 Dec Lab Matters - Brazil Banks in the Malware Glare Ryan Naraine
19 Dec Thousands of European cards blocked following payment processor breach Stefan Tanase
28 Jun Gold rush Aleks
20 May Smart money? David
Money mule recruitment emails are nothing new; for years they have been spammed out all over the globe. What is new, though, is the recent wave aimed at “English-speaking Japanese residents”. It started at the end of July and we have received hundreds of such themed spam emails since then.
The content typically promises an easy job, just requiring some hours per week with very few other requirements.
Now cybercriminals from Brazil are also interested in Bitcoin. In order to join the horde of phishers on the lookout for the virtual currency, they have applied their best malicious techniques: malicious PAC files in web attacks, and phishing domains.
The malicious use of PAC (Proxy Auto-Config) files among Brazilian black hats is not something new – we’ve known about it since 2007. Generally, these kinds of malicious scripts are used to redirect the victim’s connection to a phishing page for banks, credit cards and so on. We described these attacks in detail here. In 2012 a Russian banking Trojan called Capper also started using the same technique. When it’s used in drive-by-download attacks, it becomes very effective.
After registering the domain java7update.com, Brazilian criminals started attacking several websites, inserting a malicious iframe in some compromised pages:
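As an added example (not code from the post or from Kaspersky Lab), the following Python script statically inspects a PAC file for the pattern described above: host tests for specific banking domains that are routed to an explicit proxy while everything else returns DIRECT. The PAC text, domain names and proxy address are constructed placeholders.

```python
import re
from fnmatch import fnmatch

# Constructed sample (not from the post): a few bank hostnames are forced through
# a proxy chosen by the script author, while every other host goes DIRECT.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-one.example") ||
        dnsDomainIs(host, ".bank-two.example") ||
        host == "www.card-issuer.example") {
        return "PROXY 203.0.113.45:8080";
    }
    return "DIRECT";
}
"""

# One token regex, applied in source order: host tests (groups 1 and 2)
# and return strings (group 3).
TOKEN = re.compile(
    r'(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)'
    r'|host\s*==\s*"([^"]+)"'
    r'|return\s*"([^"]*)"')

def pac_proxy_rules(pac_text):
    """Pair each host test with the next return value; keep only non-DIRECT routes."""
    rules, pending = [], []
    for m in TOKEN.finditer(pac_text):
        pattern, exact, ret = m.groups()
        if ret is None:
            pending.append(pattern or exact)
            continue
        if ret.strip().upper() != "DIRECT":
            rules.extend((p, ret.strip()) for p in pending)
        pending = []
    return rules

def host_matches(pattern, host):
    """shExpMatch uses shell globs; dnsDomainIs and == are suffix/equality tests."""
    return fnmatch(host, pattern) or host == pattern or host.endswith(pattern)

def flag_bank_redirects(pac_text, watched_hosts):
    """Return (watched_host, proxy_route) for every monitored host the PAC diverts."""
    hits = []
    for pattern, route in pac_proxy_rules(pac_text):
        for host in watched_hosts:
            if host_matches(pattern, host):
                hits.append((host, route))
    return hits
```

The scan only catches the selective pattern from the post; a PAC whose catch-all return is a proxy is not flagged and needs a separate check on the final return value.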
Fabio Assolini talks about the explosion of banker Trojans in Brazil and explains why it is so difficult to fight back against cyber-crime in the Latin American region.
Several Eastern European banks have started notifying their customers in the beginning of last week that their cards have been blocked and will be replaced with new ones. Most of the banks did not give out any more details about what happened, and in many cases even failed to notify their customers prior to actually blocking their cards. Is it just another day in the payment processing business? Based on the rushed response from banks and the lack of information surrounding the case, I would say no.
It all started one week ago after the state-owned Romanian bank CEC Bank blocked ~17,000 cards in response to a security breach at one of VISA’s European payment processors.
The reaction of other banks followed soon. The Romanian branch of ING Bank also confirmed to have blocked compromised cards, but didn’t put out a number. They say they’ve only blocked a few cards, but are closely monitoring the situation.
A few days later, Serbian banks also started blocking thousands of cards for security reasons. Raiffeisen Bank, Komercijalna and Societe Generale confirm they have been informed by VISA that some of their customers’ cards have been compromised, very similar to what happened in Romania.
Rumors indicate the European branch of an electronic payment services provider, Euronet Worldwide, to be the source of this breach. This information has been going around Romanian business media (1, 2) – and though it hasn’t been confirmed officially, it would explain why customers from different banks in different countries were affected.
It’s very hard to assess the severity of this security breach, as the banks’ reactions to these events were very mixed. Some banks proceeded immediately to blocking and replacing all affected cards, while others decided to monitor the situation more closely.
Currently, it’s very hard to get a full picture of what is going on, but as it usually happens, these are unlikely to be isolated incidents. Actually, these stories could be just the tip of the iceberg. If you have recently received such a notification from your bank, we’d like to hear from you, especially if it’s outside Serbia and Romania.
Meanwhile, make sure to follow these 3 basic steps to make sure you don’t become a victim of credit card fraud:
Last, but not least, we know it’s the holiday season and shopping is on everyone’s mind. So if you want to keep your money safe when doing online shopping, this insightful article we’ve put together is for you: Online shopping made safe and convenient.
We decided to see how successful our nameless ‘miner’ was, and ended up getting a bit of a surprise.
The BBC today reported the announcement of the first UK 'mobile wallet', allowing people to pay for things using their mobile phone.
It sounds very convenient. I use my mobile phone for so many other things these days - why not as an alternative to cash? And on the face of it, isn't this just an extension of the same concept behind the Oyster Card? For those not familiar with the Oyster Card, it's an alternative to buying tickets to travel across London. You use a card instead: you put credit on the card at your convenience and the cost of the trip is debited automatically when you travel.
There's a key difference of course. If I lose my Oyster Card my loss is limited to the credit I've put on the card. The consequences could be far more serious if it's my smartphone, since someone could get access to my entire online identity. If my phone is my wallet too, it becomes even more of a target - to real-world criminals as well as cybercriminals.
We know from experience that convenience typically wins out over security. Keep watching.
Modern game consoles are no longer dedicated to gaming alone. They offer a great variety of entertainment and many ways to support the whole gaming experience: platforms to meet other gamers from around the globe, private messages and status updates to share thoughts, a fully fledged browser to surf the web, media server capabilities and even online stores to buy games and additional game content via credit cards or gift coupons, which can be bought in shops if you don’t have a credit card.
Does that remind you of something? Indeed, it's actually pretty similar to a social network - and it can also be connected to Facebook & Co. to keep your friends updated on what trophies or achievements you just won.
In terms of security the vendors of these consoles did a pretty good job: all internal systems were hardened, and signed installers made sure you can't install anything you want - which may annoy some people but keeps the system secure. But now it seems like the game has changed for the PS3. While it was possible to jailbreak the system with specially crafted USB sticks before, the first soft-mods are now available. The reason behind this? Four years after the release of the PS3, the master key has now been found by a group of modders. Many gamers are now taking the chance to individualize their system by installing a home-brew environment that allows programs unapproved by Sony to be run.
So what are the consequences? First of all, many people will jailbreak the PS3 just for the sake of it, because it's considered fashionable, as it is with the iPhone, as my colleague Costin points out in a recent issue of Lab Matters. Unfortunately most people are unaware that this might open the floodgates for malicious or unwanted software. Parallels to the Ikee worm on iPhones are inevitable. This worm spread itself only via jailbroken iPhones - making apparent how many devices are actually jailbroken and how dangerous this can be. And now home-brew software variants for the PlayStation 3 have been released and are spreading through the web from different sources. Who knows what's behind those offers? The original intention of the programs might be benign, but who knows if the installer package has been compromised and re-offered for download?
As pointed out before, buying games and related content from the online shop via credit card is popular and potentially dangerous if home-brew software is installed, as the software could carry out a man-in-the-middle attack or redirect to phishing sites. Alternatively, installed games or the respective game scores could be blocked, so the software would act as ransomware, or it could send out spam via the internal message system... There are many malicious possibilities that the bad guys can utilize for financial profit!
Are these scenarios realistic? - Unfortunately, yes.
Is it going to happen? - I hope not...
In this latest installment of the Lab Matters webcast, senior malware analyst Denis Maslennikov provides an inside look at the mobile threat landscape.
Maslennikov discusses the recent surge in SMS trojans targeting the Android platform, the use of search engine optimization techniques to spread mobile malware and the financial incentives involved.
He also talks about how attacks differ between mobile platforms and offers some startling predictions about what we'll see in the coming years.
As anyone who reads the IT press knows, some security measures have been introduced in the UK to make online banking safer. And now there's an interesting little story where APACS, the UK payments association, announces that UK banks are to introduce 'contactless' payments. If a transaction is under £10, customers will be able to simply hold their credit or debit card up to a secure reader: no signature or PIN required.
According to the APACS press release, 'Contactless cards provide customers with a fast, effective, easy-to-use alternative to cash, building on the same highly secure technology of chip and PIN cards'.
This system may prove fast, effective and easy to use, but I don't see how it builds on chip-and-PIN! The only security safeguard, it seems, is a request for a PIN every so often or after any 'suspicious' activity. That's something, but it doesn't add up to real security.
Although the value of the transactions will be limited, I don't think that this will necessarily deter criminals. If they want my card anyway, surely this is just a bigger incentive? Also, if it's possible for an in-store device to read the card, where's the guarantee that a handheld reader operated by a criminal standing nearby won't be able to access the same data?
Last Friday, we came across an interesting site: a message board where stolen credit card numbers have been published since August 2005. The site included over 300 credit card numbers and additional information. On Friday more than 60 numbers were posted, showing that the site is definitely active.
It was clear that the information came from a variety of sources - the entries varied from basic (card number, three-digit PIN code, validity, name and address of the owner) to comprehensive (all the data above, plus phone number, email address, ATM PIN code and account details).
Having looked at the site, we decided to call one of the victims to check that the information was authentic. Once he got over his surprise, he confirmed that the details we'd found were his. And that was the start of our telephonic odyssey.
15.30 - Telephoned the Bundeskriminalamt (German Federal Office of Criminal Investigation)
We were given the names of three people to talk to. After a few unsuccessful attempts to get through, it turned out that these three people were either on holiday, or had already gone home. We were finally told to send an email to email@example.com.
16.00 - Telephoned the Landeskriminalamt (German State Office of Criminal Investigation)
Our last phone call made it seem pretty likely that no-one would read our email (let alone do anything with it) before Monday. So we decided to call the local branch of the criminal investigation office - unfortunately, with the same lack of success. The result: we sent another email.
16.15 - Telephoned the credit card companies
The situation wasn’t any better when we called Visa and Mastercard - we couldn’t get through to anybody. As a last resort, we called the customer emergency number:
"We’re calling from Kaspersky Lab, an IT security company; we've found a website which has hundreds of your customers' credit card numbers on. Could you please tell us who in your company we should contact?"
“Er - could you please give me your credit card number, Sir?”
In order not to waste any more time, we got our US local office involved. They contacted the credit card companies and the FBI. Meanwhile, our Russian office started the process of getting the website taken down.
So everything’s been set in motion, but the whole thing still makes me a bit uneasy. If you lose your credit card, you’re obliged to inform the card issuer as soon as possible. And credit card companies do provide emergency numbers to make this easier. But the story above shows that if, like us, you come across more than 300 stolen numbers, it's going to be a bit more difficult. Yes, all of this happened on a Friday afternoon, but criminals don’t take weekends off!
We’ll see how everything develops over the next couple of days and keep you posted. We'll also be publishing a short article about this case, with further details, in the very near future.