Information Security, SSAE 16, ISO 27001, CISA, Cert-IN
WhatsApp users are once again targeted by malware peddlers, via messages that offer WhatsApp Gold, supposedly an enhanced version of the popular messaging app previously used only by “big celebrities.” The alarm was raised by Action Fraud, the UK’s national reporting centre for fraud and cybercrime, but according to Tech Worm, users from India, Pakistan and Brazil have also been receiving the message. The website to which the victims are directed has been taken down.
Read the full article here.
Last year, a white hat hacker developed a cheap Arduino-based device that looked and functioned just like a generic USB mobile charger, but covertly logged, decrypted and reported back all keystrokes from Microsoft wireless keyboards.
Dubbed KeySweeper, the device included a web-based tool for live keystroke monitoring and was capable of sending SMS alerts for typed keystrokes, usernames, or URLs, and work even after the nasty device is unplugged because of its built-in rechargeable battery.
Besides the proof-of-concept attack platform, security researcher Samy Kamkar, who created KeySweeper, also released instructions on how to build your own USB wall charger.
Now, it seems like hackers and criminal minds find this idea smart.
The FBI has issued a warning advisory for private industry partners to look out for highly stealthy keyloggers that quietly sniff passwords and other input data from wireless keyboards.
According to the advisory, blackhat hackers have developed their custom version of KeySweeper device, which if placed strategically in an office or other location where individuals might use wireless devices, could allow criminals to steal:
Since KeySweeper looks almost identical to USB phone chargers that are ubiquitous in homes and offices, it lowers the chances of discovering the sniffing device by a target.
However, according to a Microsoft spokesperson, customers using Microsoft Bluetooth-enabled keyboards are protected against KeySweeper threat. Also, its wireless keyboards manufactured after 2011 are also protected, as they use the Advanced Encryption Standard (AES) encryption technology.
So, the primary method of defense is either to restrict the use of wireless keyboards, or to use keyboards that use the Advanced Encryption Standard (AES) encryption technology.
Although the FBI made no mention of malicious KeySweeper sniffers being found in the wild, the advisory indicates the information about the KeySweeper threat was obtained through an undescribed “investigation.”
Read the full article here.
OWASP has started a new project and is set to publish a new guide on security risks. The issue they aim to tackle this time is API security. The new OWASP API Security Project has been introduced at the recently concluded NolaCon, by project leader David Shaw and colleague Leif Dreizler.
Read the full article here.
In the early morning hours of May 15, 2016, a group of over 100 people executed coordinated, fraudulent ATM withdrawals that netted them about 1.44 billion yen. In a period of less than three hours, the members of the group went around Tokyo and 16 other prefectures, and repeatedly withdrew 100,000 yen from ATMs located in convenience stores. All in all, over 14,000 fraudulent withdrawals have been executed with the help of forged payment cards.
Read the full article here.
Bangladesh is not the only bank that had become victim to the cyber heist. In fact, it appears to be just a part of the widespread cyber attack on global banking and financial sector by hackers who target the backbone of the world financial system, SWIFT.
Yes, the global banking messaging system that thousands of banks and companies around the world use to transfer Billions of dollars in transfers each day is under attack.
A third case involving SWIFT has emerged in which cyber criminals have stolen about $12 million from an Ecuadorian bank that contained numerous similarities of later attacks against Bangladesh’s central bank that lost $81 Million in the cyber heist.
The attack on Banco del Austro (BDA) in Ecuador occurred in January 2015 and, revealed via a lawsuit filed by BDA against Wells Fargo, a San Francisco-based bank on Jan. 28, Reuters reported.
Here’s how cyber criminals target banks:
Over ten days, hackers used SWIFT credentials of a bank employee to modify transaction details for at least 12 transfers amounting to over $12 Million, which was transferred to accounts in Hong Kong, Dubai, New York and Los Angeles.
In the lawsuit, BDA holds Wells Fargo responsible for not spotting the fraudulent transactions and has demanded Wells Fargo to return the full amount that was stolen from the bank.
The lawsuit filed by BDA in a New York federal court described that the some of these attacks could have been prevented if banks would have shared more details about the attacks with the SWIFT organization.
Wells Fargo has also fired back and blamed BDA’s information security policies and procedures for the heist and noted that it “properly processed the wire instructions received via authenticated SWIFT messages,” according to court documents.
According to reports, the heist remained a secret for a long time and now disclosed when BDA decided to sue Wells Fargo that approved the fraudulent transfers.
SWIFT did not have any idea about the breach, as neither BDA nor Wells Fargo shared any detail about the attack.
“We were not aware,” SWIFT said in a statement. “We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us.”
It turns out that the security of SWIFT itself was not breached in the attack, but cyber criminals used advanced malware to steal credentials of bank’s employees and cover their tracks.
In February, $81 Million cyberheist at the Bangladesh central bank was carried out by hacking into SWIFT using a piece of malware that manipulated logs and erased the fraudulent transactions history, and even prevented printers from printing those transactions.
Read the full article here.
As if withdrawing money from an ATM wasn’t dangerous enough, researchers discovered that Russian-speaking Skimer group forces ATMs to assist them in stealing users’ money. Instead of installing skimmer devices onto an ATM, they could turn the whole ATM into a skimmer itself. Main window of the infected ATM Discovered in 2009, Skimer was the first malicious program to target ATMs, and now, the cybercriminals have resurfaced, reusing the malware.
Read the full article here.
A security researcher could have stolen as much as $25 Billion from one of the India’s biggest banks ‒ Thanks to the bank’s vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.
Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim’s current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
If this wasn’t enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender’s account.
This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else’s account.
Read the full article here.
Last year, credit card issuers finally introduced “chip” credit cards to the United States. It’s been a painless process for the most part, but now Walmart is suing Visa over the technology, claiming it’s not secure for customers.
EMV is meant to be more secure, and while it will incorporate PINs in the future, for now, chip-enabled credit and debit cards will work just fine with a signature.
Last year, Walmart tried to require debit card customers to pay the old way: with their PINs. Visa came back and demanded they allow signatures for those cards via the new chip technology. Walmart spokesperson Randy Hargrove explained the issue:
PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers. Visa has acknowledged in many other countries that chip-and-pin offer greater security. Visa nevertheless has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing those transactions.
Walmart’s outrage probably has less to do with security and more to do with money, though. It’s cheaper for Walmart to verify via PIN than signature. According to the Wall Street Journal, signature verification costs about five cents more per transaction. In other words, the new technology encourages customers to use their bank cards as credit instead of debit, which is more expensive for Walmart.
It’s easy to see why Walmart is upset—this new technology is costing them money, and the credit card companies still haven’t rolled out cheaper, more secure PIN technology. Their suggestion that customer security is at risk, however, is a little misleading.
Walmart’s statement suggests Visa puts customers’ security at risk by allowing signatures instead of PINs for debit card transactions. It does kind of suck that we’re still waiting for full blown “chip and PIN” technology, which is supposed to be even more secure, but the new credit cards aren’t any riskier than your old ones.
Read the full article here.