One Million IP Addresses Used In Brute-Force Attack On A Bank

Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses — and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign.

Crooks used 993,547 distinct IPs to check login credentials for 427,444,261 accounts. For most of these attacks, the crooks used proxy servers, but also two botnets, one of compromised Arris cable modems, and one of ZyXel routers/modems. Most of these credentials have been acquired from public breaches or underground hacking forums.

For more information, read the full article here.
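
The campaign above is hard to catch with per-IP rate limits, because each of the million-odd sources sends only a handful of attempts. The following is an added example, not code from the article or from Cisco, showing how a defender can instead classify a window of authentication log lines by the shape of its sources and targets. The log format, the thresholds and the sample addresses and accounts are assumptions constructed for the example.

```python
"""
Spotting a distributed credential-stuffing campaign in authentication logs.

Added example; it is not code from the original article or from Cisco. It
assumes one log line per login attempt in the constructed format
"<timestamp> <source-ip> <account> OK|FAIL" and that a single analysis window
is passed in. Because the attempts are spread over many sources, the
indicators describe the population of sources and targets, not any one IP.
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


@dataclass
class WindowStats:
    attempts: int
    failures: int
    distinct_ips: int
    distinct_accounts: int
    top_ip_share: float  # fraction of all attempts sent by the busiest source
    verdict: str


def parse(lines):
    """Yield (ip, account, failed) per well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, account, result = m.groups()
            yield ip, account, result == "FAIL"


def analyze(lines, min_failures=50, min_ips=20):
    """Classify one window of attempts by the shape of its sources and targets."""
    per_ip = Counter()
    accounts = set()
    attempts = failures = 0
    for ip, account, failed in parse(lines):
        attempts += 1
        failures += 1 if failed else 0
        per_ip[ip] += 1
        accounts.add(account)
    if attempts == 0:
        return WindowStats(0, 0, 0, 0, 0.0, "normal")

    top_share = per_ip.most_common(1)[0][1] / attempts
    fail_rate = failures / attempts
    verdict = "normal"
    if failures >= min_failures and fail_rate >= 0.9:
        # Stuffing: many sources, none dominant, and nearly every attempt hits a
        # different account (leaked email/password pairs are tried once each).
        if (len(per_ip) >= min_ips and top_share <= 0.05
                and len(accounts) / attempts >= 0.5):
            verdict = "distributed credential stuffing"
        elif top_share >= 0.5:
            verdict = "single-source brute force"
        else:
            verdict = "suspicious failure burst"
    return WindowStats(attempts, failures, len(per_ip), len(accounts),
                       round(top_share, 4), verdict)


# --- constructed inputs (documentation address ranges, fake accounts) -------
NORMAL_LOG = [
    "2016-02-10T09:00:01Z 198.51.100.7 alice@example.com OK",
    "2016-02-10T09:00:05Z 198.51.100.7 alice@example.com FAIL",
    "2016-02-10T09:01:10Z 198.51.100.8 bob@example.com OK",
    "2016-02-10T09:02:30Z 198.51.100.9 carol@example.com OK",
]


def constructed_stuffing_log(n_sources=200, per_source=3):
    """Many sources, each trying a few distinct leaked pairs once: a stuffing burst."""
    lines = []
    for i in range(n_sources):
        ip = f"203.0.113.{i % 256}"
        for j in range(per_source):
            acct = f"user{i * per_source + j}@example.com"
            lines.append(f"2016-02-10T09:05:{j:02d}Z {ip} {acct} FAIL")
    return lines


def constructed_bruteforce_log(n_attempts=100):
    """One source hammering one account: a classic brute force, for contrast."""
    return [f"2016-02-10T10:00:{i % 60:02d}Z 192.0.2.44 admin@example.com FAIL"
            for i in range(n_attempts)]


if __name__ == "__main__":
    for name, log in [("normal", NORMAL_LOG),
                      ("stuffing", constructed_stuffing_log()),
                      ("brute force", constructed_bruteforce_log())]:
        print(name, analyze(log))
```

The useful signal is the ratio of distinct accounts to attempts combined with a flat source distribution; a brute force against one account from one address looks the opposite. In practice the window would be a few minutes of a real log and the thresholds tuned to the site's normal failure rate.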

Cryptocurrency raider takes $60 million in digital cash

A cryptocurrency is only as reliable as the technology that keeps it running, and Ethereum is learning this the hard way. An attacker has taken an estimated $60 million in Ethereum’s digital money (Ether) by exploiting vulnerabilities in the Decentralized Autonomous Organization, an investment collective. The raider took advantage of a "recursive call" flaw in the DAO’s code-based smart contracts, which administer the funds, to scoop up Ether many times in a single pass.

Ethereum’s Vitalik Buterin has revealed a planned software fork that would prevent the intruder from using the ill-gotten goods, but there are still plenty of headaches in store for both contract creators and investors. Contract makers will have to take extra care to avoid the flaw and limit the value of their contracts so that a bad actor doesn’t make off with a huge sum of cash. Buterin says that Ethereum itself is safe — miners can carry on, and users should "sit tight and remain calm" while they wait to trade again. Still, it’s easy to imagine everyone being nervous.

The kicker? People were convinced that the bug posed no risk to DAO funds just a few days prior. Clearly, that wasn’t true. While the invader didn’t get away scot-free, the breach has caused a lot of chaos. And while one person’s claim that they legitimately took the funds is sketchy, Bloomberg notes that the code defining the smart contracts may have explicitly allowed this attack even if that’s not what the DAO wanted. This may not be so much a hack as exploitation of poorly-defined terms, and there may not be a legal recourse. In short: basing an investment framework around code instead of human-made contracts may have been too optimistic.

Read the full article here.
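
The "recursive call" flaw described above is what smart-contract developers call reentrancy: the contract sends funds before it records that the withdrawal happened, so a recipient whose fallback code calls back in is paid again from a balance that still looks unspent. The toy model below is an added example, not the DAO's or Ethereum's code; it runs in plain Python, the names VulnerableVault, HardenedVault and ReenteringRecipient are invented here, and it shows why recording the effect before making the external call stops the drain.

```python
"""
Toy model of the DAO's "recursive call" (reentrancy) flaw and the ordering fix.

Added example; it is not the DAO's or Ethereum's code and does not run on a
blockchain. `withdraw` pays a recipient by calling its `receive` hook, which
stands in for a contract's fallback function; the hook may call back into the
vault before the first withdrawal has finished. All names are invented here.
"""


class InsufficientFunds(Exception):
    """Raised when a withdrawal cannot be honoured (stands in for a revert)."""


class VulnerableVault:
    """Sends first, updates the ledger second: interaction before effect."""

    def __init__(self, deposits):
        self.balances = dict(deposits)
        self.holdings = sum(deposits.values())  # what the vault actually holds

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.holdings:
            raise InsufficientFunds
        self.holdings -= amount
        who.receive(self, amount)   # external call while balances[who] still reads `amount`
        self.balances[who] = 0      # too late: the hook may already have re-entered


class HardenedVault(VulnerableVault):
    """Checks, then effects, then interaction: the balance is zeroed before paying."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.holdings:
            raise InsufficientFunds
        self.balances[who] = 0      # effect recorded first...
        self.holdings -= amount
        who.receive(self, amount)   # ...so a re-entrant call sees a zero balance and is refused


class ReenteringRecipient:
    """A depositor whose receive hook calls withdraw again before the first call returns."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        try:
            vault.withdraw(self)    # re-enter; in the vulnerable vault this pays again
        except InsufficientFunds:
            pass                    # vault refused: stop re-entering


def run(vault_cls, own_deposit=10, others_deposit=50):
    """Deposit, withdraw once, and return (amount the recipient got, what the vault still holds)."""
    recipient = ReenteringRecipient()
    vault = vault_cls({recipient: own_deposit, "honest depositor": others_deposit})
    vault.withdraw(recipient)
    return recipient.received, vault.holdings


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))  # recipient walks off with everyone's funds
    print("hardened:  ", run(HardenedVault))    # recipient gets only its own deposit
```

With a deposit of 10 against 50 belonging to others, the vulnerable vault pays out 60 and is left empty, while the hardened vault pays 10 and keeps 50. The model simplifies two things: in the EVM a refused inner call reverts the transaction rather than raising an exception the caller can swallow, and a mutex that blocks re-entry for the duration of `withdraw` is the other standard mitigation; in this model the ordering fix alone is enough.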

Corporate Email Phishing Scams Result in $3.1B Loss, Near 1300% Increase in 18 Months

The total number of Business Email Compromise (BEC) related crimes has reached epidemic levels, with nearly $3.1 billion in losses and 22,143 victims worldwide since January 2015, according to a new FBI report.

BEC, or Business Email Compromise, is defined by the FBI as "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."

Most victims, according to reports to the FBI, "use wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices."

The BEC scam continues to grow, evolve, and target businesses of all sizes, the FBI reports. Since January 2015, there has been a 1,300% increase in identified exposed losses (i.e. exposed dollar loss, which includes both actual and attempted loss, in United States dollars). The scam has been reported by victims in all 50 states and in 100 countries. Reports to the FBI indicate fraudulent transfers have been sent to 79 countries, with the majority going to Asian banks located within China and Hong Kong.

Characteristics of BEC Complaints

The IC3 has noted the following characteristics of BEC complaints:

•  Businesses and associated personnel using open source email accounts are predominantly targeted.

•  Individuals responsible for handling wire transfers within a specific business are targeted.

•  Spoofed emails very closely mimic a legitimate email request.

•  Hacked emails often occur with a personal email account.

•  Fraudulent email requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.

•  The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent email requests.

•  The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.

•  Fraudulent emails received have coincided with business travel dates for executives whose emails were spoofed.

•  Victims report that IP addresses frequently trace back to free domain registrars.

The FBI recommends that victims always file a complaint, regardless of dollar loss or timing of the incident, at www.IC3.gov.

Read the full article here.
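
The IC3 characteristics above translate fairly directly into a first-pass screen for inbound payment requests. The following is an added example, not FBI or IC3 code: the organisation domain, executive directory, free-mail list, thresholds and sample messages are constructed, and the amount is deliberately not scored because, as the list notes, fraudsters pick amounts that look normal. A hit means "verify out of band", not "fraud".

```python
"""
First-pass screening of inbound payment requests against the IC3's BEC traits.

Added example; it is not FBI or IC3 code. The organisation domain, executive
directory, free-mail list, thresholds and sample messages are constructed.
A message is a dict with display_name, from_addr, subject and body.
"""

ORG_DOMAIN = "example-corp.com"                          # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}   # constructed directory
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
REPORTED_PHRASES = ("code to admin expenses", "urgent wire transfer")


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(msg, travelling=frozenset()):
    """Return (score, reasons). A non-zero score means verify the request out of band."""
    reasons = []
    display = msg["display_name"]
    sender = msg["from_addr"].lower()
    domain = sender.rsplit("@", 1)[-1]
    text = (msg["subject"] + " " + msg["body"]).lower()

    # Spoofed mail closely mimics a real request: known executive name, wrong mailbox
    if display in EXECUTIVES and sender != EXECUTIVES[display].lower():
        reasons.append(f"display name '{display}' does not match the directory address")
    # Look-alike domain: a character or two away from the real one
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain '{domain}'")
    # A free webmail sender claiming to speak for the business is worth a second look
    if domain in FREE_MAIL:
        reasons.append(f"free webmail sender domain '{domain}'")
    # Wording victims reported in fraudulent requests
    for phrase in REPORTED_PHRASES:
        if phrase in text:
            reasons.append(f"reported phrase '{phrase}'")
    # Requests timed to coincide with the named executive being away
    if display in travelling and "wire" in text:
        reasons.append(f"wire request while '{display}' is travelling")
    # The amount is business-specific by design and is deliberately not scored.
    return len(reasons), reasons


# --- constructed messages ---
SUSPECT = {
    "display_name": "Jane Doe",
    "from_addr": "jane.doe@example-c0rp.com",   # zero in place of the letter o
    "subject": "Urgent wire transfer",
    "body": "Please process an urgent wire transfer of $48,500 today, code to admin expenses.",
}
LEGIT = {
    "display_name": "Jane Doe",
    "from_addr": "jane.doe@example-corp.com",
    "subject": "Q2 vendor payment",
    "body": "Please schedule the usual $48,500 payment to Acme per the contract.",
}

if __name__ == "__main__":
    print(screen(SUSPECT, travelling={"Jane Doe"}))
    print(screen(LEGIT))
```

The `travelling` set stands in for whatever calendar or HR feed tells the mailroom which executives are away; the point of that rule is that a wire request in an executive's name during their travel should always be confirmed by phone rather than by replying to the message.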

Time Inc. confirms Myspace has been hacked

Time Inc. only got the keys to Myspace.com a few months ago, but it’s already having to confirm some bad news: the social network has been the target of a hack. In a press release, the company says that just before the Memorial Day weekend (or Spring Bank Holiday in the UK), its technical teams were notified of someone trying to sell Myspace usernames, passwords and email addresses that were registered before June 2013.

Time Inc. doesn’t say how many accounts are affected, but a blog post on LeakedSource suggests that 360 million records may have been stolen in the breach.

Myspace is already in the process of alerting those affected and is working with the authorities to identify who may be responsible. Given that the person (or people) involved shared an alias with LeakedSource, investigators will have at least something to go on.

Read the full article here.

Banking service SWIFT adds new security plan following hacks

Banks use a secure messaging service built by the Society for Worldwide Interbank Financial Telecommunications (SWIFT) to send financial transaction instructions. But recently it hasn’t been so secure: hackers stole $12 million from Ecuadorian banks earlier this week, the latest in a slew of thefts. Today, SWIFT released a plan to work with its customers (the banks) to shore up the messaging system’s security.

The plan is rooted in some standard anti-cyber attack strategies: Share information on breach attempts, beef up safety tools and enforce security protocols at all staff levels. While SWIFT’s core business has been passing authenticated messages between banks, the security overhaul includes checking whether those messages are consistent with past activity, much like how banks flag suspicious activity on personal accounts.

But the outline seems more plaintive than commanding, urging SWIFT customers to obey its security protocols rather than requiring adherence to use the service. As SWIFT CEO Gottfried Leibbrandt said in a statement, "While each individual SWIFT customer is responsible for the security of its own environment, the security of global banking can only be ensured collectively."

This year has already seen numerous instances of fraudulent SWIFT requests funneling money into hackers’ dummy accounts. Earlier this month, a Vietnamese bank prevented an attempted heist, while a typo tipped off bank officials to an attempt in Bangladesh back in February — but not before the thieves made off with $81 million. The latter group of hackers have also been connected to SWIFT-breaching attempts in the Philippines and other Southeast Asian countries.

Read the full article here.
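
Checking whether a payment instruction is consistent with past activity, as SWIFT's plan describes, is something a bank can do on its own side before a message is released, and it catches exactly the pattern seen in these heists: a burst of large instructions to beneficiaries and countries the bank has never paid before. The following is an added example, not SWIFT's code or part of its programme; the history, beneficiary identifiers and thresholds are constructed, and the checks are the kind a card issuer applies to a personal account.

```python
"""
Checking outgoing payment instructions against a bank's own past activity.

Added example; it is not SWIFT's code. The record of past instructions, the
beneficiary identifiers and the thresholds are constructed for illustration.
Each past instruction is (beneficiary, country, amount, day); each new one is
(beneficiary, country, amount).
"""
from collections import defaultdict
from statistics import mean, pstdev

NEW_BENEFICIARY = "first payment to this beneficiary"


class PaymentHistory:
    def __init__(self, past):
        self.by_beneficiary = defaultdict(list)
        self.countries = set()
        per_day = defaultdict(int)
        for beneficiary, country, amount, day in past:
            self.by_beneficiary[beneficiary].append(amount)
            self.countries.add(country)
            per_day[day] += 1
        self.typical_daily = mean(per_day.values()) if per_day else 0
        self.largest_ever = max((a for amts in self.by_beneficiary.values() for a in amts),
                                default=0)

    def check(self, beneficiary, country, amount):
        """Flags for one instruction; an empty list means 'consistent with history'."""
        flags = []
        past = self.by_beneficiary.get(beneficiary)
        if past is None:
            flags.append(NEW_BENEFICIARY)
            if amount > self.largest_ever:
                flags.append("amount exceeds the largest instruction ever sent")
        else:
            mu, sd = mean(past), pstdev(past)
            # allow 3 sigma, with a floor so a perfectly regular payee still has some slack
            if amount > mu + 3 * max(sd, 0.1 * mu):
                flags.append("amount far above this beneficiary's usual")
        if country not in self.countries:
            flags.append(f"no previous payments to country {country}")
        return flags

    def check_batch(self, instructions, burst_factor=3, new_payee_limit=3):
        """Per-message flags plus batch-level ones (a burst of messages, many new payees)."""
        per_message = [(instr, self.check(*instr)) for instr in instructions]
        batch_flags = []
        if self.typical_daily and len(instructions) > burst_factor * self.typical_daily:
            batch_flags.append(
                f"{len(instructions)} instructions vs typical {self.typical_daily:.1f}/day")
        new_payees = sum(1 for _, flags in per_message if NEW_BENEFICIARY in flags)
        if new_payees >= new_payee_limit:
            batch_flags.append(f"{new_payees} brand-new beneficiaries in one batch")
        return per_message, batch_flags


# --- constructed history: two regular suppliers, about 1.5 instructions per day ---
PAST = ([("ACME-US-001", "US", 100_000, day) for day in range(1, 11)]
        + [("ZENTRUM-DE-007", "DE", 50_000, day) for day in range(1, 11, 2)])

# --- constructed batch: one routine payment and four large transfers to new payees ---
BATCH = [
    ("ACME-US-001", "US", 105_000),
    ("NEWCO-HK-01", "HK", 3_000_000),
    ("NEWCO-HK-02", "HK", 3_000_000),
    ("NEWCO-HK-03", "HK", 3_000_000),
    ("NEWCO-AE-01", "AE", 3_000_000),
]

if __name__ == "__main__":
    history = PaymentHistory(PAST)
    per_message, batch_flags = history.check_batch(BATCH)
    for instr, flags in per_message:
        print(instr, flags or "ok")
    print("batch:", batch_flags)
```

The routine payment passes, each of the four new transfers collects three flags, and the batch as a whole is flagged twice (too many instructions for the day and too many new payees). A flag should hold the message for a second pair of eyes rather than reject it; the aim is to make a stolen operator credential insufficient on its own.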

Hackers steal $12 million from an Ecuadorian bank via SWIFT

Earlier this week reports showed another round of SWIFT-related cyber heists, this time targeting banks in Ecuador. A new report in Reuters sheds light on what actually happened to the high-tech thieves’ $12-million loot. Apparently, they moved $9 million to 23 banks in Hong Kong and $3 million to Dubai and other parts of the world. Wells Fargo transferred sums totalling $9 million to the accounts of four companies at HSBC and Hang Seng Bank on the strength of authenticated SWIFT transactions. The hackers then distributed the money to what are believed to be phoney business accounts.

Similar to the recent Bangladesh and Vietnam bank attacks, the thieves’ scheme involved the use of the SWIFT messaging platform. Banks use SWIFT’s platform to make financial transfers between each other, and cyber thieves typically send out fraudulent SWIFT messages requesting that funds be routed to dummy accounts.

In Bangladesh Bank’s case, the thieves used the SWIFT credentials of the institution’s employees to request several transfers to accounts overseas. They made off with $80 million, a haul that would have been much larger had they not misspelled the word "foundation." The hackers could easily have obtained the employees’ credentials, because the bank lacked a proper firewall. It’s not clear whether that’s also what happened in Ecuador, but the thieves obviously had the same MO.

Read the full article here.

Up to a dozen banks are reportedly investigating potential SWIFT breaches

More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh central bank earlier this year through rogue SWIFT transfers. Security firm FireEye, which was hired to investigate the Bangladesh bank attack, was also called in to look for possible compromises at up to 12 additional banks, Bloomberg reported Thursday, citing an unnamed source familiar with the investigations.

Read the full article here.

Philippines Bank hit by SWIFT Hacking Group allegedly linked to North Korea

SWIFT Bank Hackers have attacked another bank in the Philippines using the same modus operandi as that in the $81 Million Bangladesh Bank heist.

Security researchers at Symantec have found evidence that malware used by the hacking group shares code similarities with the malware families used in targeted attacks against South Korean and US government, finance, and media organizations in 2009.

Read the full article here.

WhatsApp Gold doesn’t exist, it’s a scam that spreads malware

WhatsApp users are once again targeted by malware peddlers, via messages that offer WhatsApp Gold, supposedly an enhanced version of the popular messaging app previously used only by “big celebrities.” The alarm was raised by Action Fraud, the UK’s national reporting centre for fraud and cybercrime, but according to Tech Worm, users from India, Pakistan and Brazil have also been receiving the message. The website to which the victims are directed has been taken down.

Read the full article here.

Beware of Fake USB Chargers that Wirelessly Record Everything You Type, FBI warns

Last year, a white hat hacker developed a cheap Arduino-based device that looked and functioned just like a generic USB mobile charger, but covertly logged, decrypted and reported back all keystrokes from Microsoft wireless keyboards.

Dubbed KeySweeper, the device included a web-based tool for live keystroke monitoring and could send SMS alerts for typed keystrokes, usernames, or URLs; it kept working even after being unplugged, thanks to its built-in rechargeable battery.

Besides the proof-of-concept attack platform, security researcher Samy Kamkar, who created KeySweeper, also released instructions on how to build your own USB wall charger.

Now, it seems, hackers and criminals have taken to the idea.

The FBI has issued a warning advisory for private industry partners to look out for highly stealthy keyloggers that quietly sniff passwords and other input data from wireless keyboards.

According to the advisory, blackhat hackers have developed their own custom version of the KeySweeper device, which, if placed strategically in an office or other location where individuals might use wireless devices, could allow criminals to steal:

  • Intellectual property
  • Trade secrets
  • Personally identifiable information
  • Passwords
  • Other sensitive information

Since KeySweeper looks almost identical to the USB phone chargers that are ubiquitous in homes and offices, a target is less likely to notice the sniffing device.

However, according to a Microsoft spokesperson, customers using Microsoft Bluetooth-enabled keyboards are protected against the KeySweeper threat, and its wireless keyboards manufactured after 2011 are also protected, as they use Advanced Encryption Standard (AES) encryption.

So, the primary method of defense is either to restrict the use of wireless keyboards, or to use keyboards that use the Advanced Encryption Standard (AES) encryption technology.

Although the FBI made no mention of malicious KeySweeper sniffers being found in the wild, the advisory indicates the information about the KeySweeper threat was obtained through an undescribed “investigation.”

Read the full article here.