Tag Archives: cyber attacks

An Oversight in Online Payments Allows Cards to be Hacked in Seconds

The countdown to year’s end almost inevitably means an increase in online purchases. On the heels of Black Friday and Cyber Monday, a full-blown consumerist race kicks off the goes until January. This 2016 will continue to show consumers turning more and more to e-commerce for their gift giving needs.

However, the convenience of paying by credit card online comes hand in hand with a real risk to our wallets. A recent study by investigators at the University of Newcastle revealed that the existence of a multitude of online payment systems, with their corresponding security measures, isn’t enough to guarantee consumer protection.  It’s more like the opposite — often, as a result of so much variety, we end up with a chaotic jumble that generates major vulnerabilities.

After analyzing several different payment methods, researchers discovered a new type of attack that allows cybercriminals to hack a credit card in only six seconds.

This kind of attack, which takes advantage of a couple of vulnerabilities with Visa cards, is already being used. In fact, it is believed to be the system used to steal money from 20,000 accounts of Tesco’s clients.

Actually, the attack is not very complex. It uses sheer brute force. Specifically, it exploits two oversights in online payment platforms. On the one hand, these platforms do not detect multiple erroneous payment requests when coming from different websites. On the other hand, they allow up to twenty erroneous payments for each credit card on each page. And as if that wasn’t enough, the payment system doesn’t refresh to request different information from the buyer after each failed attempt.

Thus, the attacker needs only a credit card number to start randomly guessing the CVV (Card Verification Value) and expiration date until it arrives at the right combination through brute force. Investigators tested this kind of attack on the 400 most popular e-commerce websites. They demonstrated that if we trust a credit card’s security as the sole safety measure, theft becomes a real possibility.

Platforms which use the Verified by Visa system or even payments with Mastercard actually escape these vulnerabilities. This shows that online credit card security by itself may, paradoxically, pose a serious risk.

The post An Oversight in Online Payments Allows Cards to be Hacked in Seconds appeared first on Panda Security Mediacenter.

Billion Dollar Sting: A Financial Corporation’s Worst Nightmare

Banks panda security

For years cybercriminals have had their focus on money, and most specifically in the financial system. For more than a decade they have been mainly targeting the weakest link in the chain: the final user that uses online banking services. This approach has some benefits for these cybercriminals: poor security in the end user, small money thefts that can go undetected for some time, etc. However it also has some cons: need of money mules, being able to find (infect) a victim that is using one of the targeted banks, avoiding antimalware software, etc.

In other words, they can make a lot of money, but at the same time it will require a lot of effort from their side.

Where is the big money? Financial institutions themselves. There is no discussion about this. However it is hard to break into them, and even more complicated to understand how their specific internal systems work in order to be able to fully compromise them, take the money and leave without leaving a trace. It requires a great investment to gather all the intelligence needed for this kind of heist, it is not easy to perform and it might require several months, if not years, of careful planning. Anyway it is worth it if 1 billion dollars can be stolen in just one hit.

This is basically what happened in February at the Bangladesh Central Bank, where attackers infected their system with malware specifically created for this attack and tried to make fraudulent transfers totaling 951 million dollars. That money was in the account Bangladesh Central Bank had at the Federal Reserve Bank of New York. Gladly most of the transfers could be blocked, and “only” 81 million dollars were stolen. But this was not the only case.

Tien Phong Bank, a Vietnamese bank suffered a similar attack in the last Quarter of 2015. That time cybercriminals also tried to make transfers through SWIFT, although the bank could realize in time and could halt the 1 million dollars transfers already on route. And a few months earlier, in January 2015, a bank from Ecuador –Banco del Austro –was hit in a very similar way, and 9 million dollars were stolen.

banks-sting-illustration

What are the similarities among the three cases? Malware was used to perform the attack, and all the money transfers were made using the SWIFT network. SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative society formed by thousands of financial institutions around the world. Founded in 1973, it provides different services to their members.  The secure transfer of money among banks is one of the services offered and processed by the SWIFT network.

The biggest concern was if the SWIFT network, that was believed to be secure, had been compromised. If this was the case the entire financial system could be at risk. It looks like this was not the case and SWIFT has issued a press release where it clearly states this: “the SWIFT network, core messaging services and software have not been compromised.”

However, that depends on the point of view: cybercriminals successfully used the SWIFT network to perpetrate these heists. And they took a similar approach as the one described in the beginning of this article: target the weakest link in the chain. SWIFT provides a safe environment, but at the end of the day, each financial institution has its own internal system that communicates with the SWIFT network. In the same way cybercriminals were targeting final customers with banking Trojans, now instead of going after the SWIFT network, they are going after the banks connected to it. This means that, while we can say that the SWIFT network is safe so far, we can also say that there are potentially thousands of holes that exist, as many as financial institutions connected to them.

How did these attacks happen exactly?

There are still many unknowns, and some of them won’t ever be solved. These criminals have covered their tracks. In fact, the main purpose of one of the malware pieces used in the heist was to delete these tracks. One thing we know for sure: malware was used. How did it enter? For this we have two different options: there was help from an insider, or it was an external attack through Internet. Both seem plausible, even more so after we learned that the security infrastructure at the Bangladesh Central Bank was obviously not good enough.

If we take a deeper look at the Bangladesh incident, it was a highly sophisticated attack targeting specifically the Bangladesh Central Bank, but the way the malware is structured (using an external configuration file, which makes no sense if this was just a one time job) points out that we’ll find new victims. They will go after banks that have flaws / weaknesses in their security model, such as those that do not monitor the execution of software in their network, and so far the information we have on the other attacks confirm this hypothesis.

In their customer communication SWIFT tells all the banks that their first priority should be to ensure that you have all preventative and detective measures in place to secure your environment.

So that’s easy, right? How can we ensure that? Is there anything at all that can be done to completely prevent any new heist?

Criminals will keep trying, and eventually they may succeed. Anyway we know what they are after (money) and what computers they want to target (those connecting to the SWIFT network). Access to the SWIFT network is highly restricted, it can only be performed from certain computers and only certain users are allowed access to them. Those computers have to be highly fortified, and of course we are not just talking about having updated software and use an antimalware solution.

Only pre-approved software should be let executed in those computers. All executed processes have to be monitored in real time, logging everything that happens and looking for abnormal behaviors. It does not matter if the attack comes from the Internet or with the help of an insider. No unauthorized software can be allowed to be executed in those terminals, and the allowed one has to be protected with anti-exploit technologies and monitored in real time in case some abnormal behavior takes place.

Of course, if some person has physical access to a target computer, at some point they could disable any security solution, which is not a problem by itself if you can get an alert about it on the console used by the security team. Is there any better indicator of compromise than someone tampering with the security software installed in a critical system?

How to avoid these cyber-attacks

One of the most frustrating things that victims have to go through is the lack of knowledge of how the incident happened. How did it happen? When did it start? For how long? What did they do once the computers were compromised? Was there any confidential information leak? As an example, in the Bangladesh Central Bank case, three pieces of malware could be recovered after the incident, but that’s what there was left. Attackers probably used many other tools that were deleted and the victim won’t know anything about them.

Knowledge is power: being able to know how a security incident happened will help you fix any security weakness in your environment.

There are only a few solutions that are capable of delivering this level of service, Panda created Adaptive Defense for these type of cases and we already have financial companies, governments, and big corporations in different verticals (health, hotels, insurance, public utilities, etc.) actively using Panda Adaptive Defense. All of them suffer not just the regular cyber-attacks, but really targeted attacks against their assets. We have shown some of them, such as the one targeting a luxury hotel chain a few weeks ago or the one against oil tankers.

Our conclusion after studying these attacks is that If those banks would have had Panda Adaptive Defense in their SWIFT connected terminals, the heist could have been stopped in time.

The post Billion Dollar Sting: A Financial Corporation’s Worst Nightmare appeared first on Panda Security Mediacenter.

MIT builds Artificial Intelligence system that can detect 85% of Cyber Attacks

In Brief
What if we could Predict when a cyber attack is going to occur before it actually happens and prevent it? Isn’t it revolutionary idea for Internet Security?

Security researchers at MIT have developed a new Artificial Intelligence-based cyber security platform, called ‘AI2,’ which has the ability to predict, detect, and stop 85% of Cyber Attacks with high accuracy.

Cyber security

More than one in 10 American mobile users is the target of mobile malware

Threat analysts and malware researchers in the Avast Virus Lab detect and neutralize threats as soon as they appear.

Threat analysts and malware researchers in the Avast Virus Lab detect and neutralize threats as soon as they appear.

The Avast Threat Report provides an overview of global threat activity.

 

Avast malware researchers and Avast customers work 24/7 to protect each other.

Avast protects 230 million people worldwide in more than 186 different countries — we are present in more countries than McDonalds and protect more people than any other antivirus security provider. We stream 250 micro updates a day that protect our users from attacks. This is made possible by the 230 million devices we protect that simultaneously act as de facto sensors. These sensors provide us with information about suspicious files to help detect and neutralize threats as soon as they appear. Once we identify a suspicious file on a single device, it is reported back to the Avast servers and all Avast users around the world are immediately protected. This is called our Community IQ – it not only lets us better protect our users but also gives us valuable insights into the current security landscape.

Top targeted countries

Romania, Turkey and Vietnam were targeted the most in terms of PC threats in Q1 of 2015, with Romanians having a 54% chance of encountering threats. In France, Germany, Brazil, Great Britain and the United States, the chances were much lower; nonetheless, nearly one out of every three PC users encountered threats in these countries.

Percentage of PC threats encountered by country:

  • 41 percent Russia
  • 37 percent Spain
  • 34 percent Brazil and France
  • 29 percent Germany
  • 28 percent United States and Great Britain

Within the mobile sphere, Romania also had a high chance of encountering malware, along with China and Malaysia.China was targeted the most, which is most likely due to the fact that the Google Play Store is blocked in the region and, therefore, mobile users download apps from third-party stores.

The number of users accessing the Internet in China via mobile devices has surpassed the number of users accessing the Internet via PC this year, which also makes them an attractive point of access for cybercriminals on the hunt for a widespread target pool.

Percentage of mobile threats encountered by country:

  • 21 percent Russia
  • 16 percent Spain
  • 12 percent United States
  • 10 percent Brazil
  • 8 percent France and United Kingdom
  • 6 percent Germany

Top detections and exploits

Despite Android being fairly secure, mobile malware did grow dramatically with potentially unwanted programs (PUPs – a cute acronym for a not-so-cute threat), including adware, dominating the top ten Android detections.

On the PC side, the majority of the top ten detections included LNK files. LNK files are used to create shortcuts that typically point to an executable file or script and appear on one’s computer desktop as an icon, tricking users into using malicious shortcuts.

In terms of exploits, two of the biggest vulnerabilities that were exploited targeted Javascript and an HTML parser. The first exploit, targeting Javascript, could lead to a remote code execution in Internet Explorer versions 6 to 10 The second, on the other hand, targeted an HTML parser in Internet Explorer 10, and if successful, the attack could lead to remote code execution. Even if the attack was unsuccessful, it could still cause a denial of service.

Malicious ways

We observed a variety of tricks that cybercriminals use and one interesting, less common technique cybercriminals use is domain rotation. This method regularly creates new domains and subdomains and redirects malicious traffic to them. This is done to avoid blacklisting and capitalizes on the fact that it takes time for antivirus software to find and check these new domains, releasing new detections after they’ve been properly examined. Fortunately, Avast uses advanced algorithms to recognize domain rotations and block infected subdomains.

We also watched ransomware targeting PCs and mobile devices evolve. For example, PC ransomware CryptoWall did not originally use anonymization networks in earlier versions. CryptoWall 2.0 began using TOR to communicate with the command and control (C&C) server and now CryptoWall 3.0 uses I2P (Invisible Internet Project) a lesser-known anonymization network to avoid being blocked. Mobile ransomware Simplocker, on the other hand, reappeared in February 2015 using asymmetrical cryptography, making it impossible to recover encrypted data without accessing the C&C server.

Global Wi-Fi experiment

We not only observe malware threats, but we also ventured out of the office to further explore the security risks of public Wi-Fi. Our mobile security experts traveled to nine cities in the United States (San Francisco, Chicago, New York), Europe (Barcelona, London, Berlin), and Asia (Seoul, Hong Kong, Taipei) to observe public Wi-Fi activity.

Our observations revealed major security flaws in Wi-Fi hotspots and showed how easy it is for hackers to view users’ browsing activity, searches, passwords, videos, emails, and other personal information. While security issues were found in all cities, the experiment showed that users in Asia are more prone to attacks than users in both Europe and the U.S. Users in Berlin and San Francisco were most likely to take the necessary steps to protect their browsing.

Our experiment also shed light on the fact that a significant portion of users browse primarily on unsecured HTTP sites while connected to open Wi-Fi networks. HTTP traffic is not encrypted and is therefore unprotected, meaning that our team was able to view all of the users’ browsing activity, including domain name and page history, searches, personal log information, videos, emails, and comments. Taking this a step further, it was even possible for the Avast researchers to see products that a user browsed on eBay while not being logged in to the site as well as articles that people read on Wikipedia.

We have put together a security report for the first quarter of 2015, which includes a list of top targeted countries, threats, exploits, domain detections and much more. Open the full Avast Threat Report here.

Follow Avast on FacebookTwitter and Google+ where we keep you updated on cybersecurity news every day