Again Social Engineering and Fraud

Interesting article by Brian Krebs (here) about a social engineering fraud which obviously uses “human as the weakest link” but also some aspects of “using security to defeat security” itself.

In very few words, the scammer calls by phone the victim and asks the victim to prove to be the rightful owner of her/his bank account by providing the username and a code that she/he will receive as a 2nd factor authentication code. What the scammer is actually doing with the username and the 2FA code is to reset the password of the victim’s bank account and then to transfer some money out of the bank account. 

What goes wrong here is, first, that the victim should identify the caller, not viceversa, and that the victim should never divulge to a person a 2FA code. Thus by abusing the human weakest link and a “secure” reset password process, the scammer manages to perform the fraud.

On the technical side, one should be very careful on evaluating security risks associated to a self-service reset password process, including social engineering attacks like this one.


Record High Number of Phishing Attacks in Q1 2016

From the APWG press release: “The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history” (here is the full report).

This is hardly surprising, but it quantifies with numbers the latest news about online frauds, like the “CEO Fraud”, the “Business Email Compromise” (eg. see this FBI announcement) etc.

A new Ransomware kind of attack

This describes a new kind of IT ransom which should be much more professional and profitable.

The attacker manages to access some company’s servers, then encrypts the data in the databases but he modifies the DBs access routines to encrypt/decrypt on the fly all data with his own encryption key. In this way for the company all continues to work. He then waits a few months so that all DB backups are encrypted with his keys and at this point deletes the encryption keys from the company’s systems and asks for a ransom to give it back.Notice that backups are unusable because they too are encrypted with the attacker key.

Obviously, strong IT security procedures should prevent and detect this, from off-line testing of backups to intrusion detection.

On Cryptolocker and the like

Cryptolocker and similar malware are getting more and more common. The latest versions that appeared work on also Android (one id called Simplelocker). In general what they do is to encrypt some or most of the files on your PC, tablet or smartphone, in particular text, sound, images and video files, which of course includes all your music video library.

Been a ransom, you are asked to pay some bitcoins (or similar untraceable currency) to get your files decrypted.The only defense, a part from keeping your PC clean, up-to-date, with good anti- … whatever … and being very careful on what you click and the email you open, is to keep very updated backups. Indeed once you get infected and locked / encrypted, there is absolutely nothing that you can do to decrypt the files (unless of course if you pay).

The only precaution is to have good and recent backups, and start all-over again from scratch.

But there is a very important point to remember here, not all backups are equal! Good backups are only those done on off-line media, like dvd, blu-ray disks, external usb disks that are connected only for the time of making the backup, and so on. In technical term it is often called an air-gapped backup, that is a storage that you cannot usually access from your device. This excludes most of the Clod storage and backup systems!

The reason for this is that if the backup is on a continuously or very often connected device, and the backup is done automatically as soon as new data is on your device, when the ransomware encrypts your file, the encrypted version is automatically copied on the backup device substituting the original data, and you can end up having also the backup data encrypted.

Note Added: Simplelocker is more a proof-of-concept than a real malware, in these two posts [1] and [2] Simon Bell describes the malware and how to decrypt the files.

Game Over Zeus and Banking Malware

This announcement by US-CERT made me think about the current status of the war (I think that at the moment this is actually the correct word) between attackers / thieves / fraudsters and ICT Security practitioners, Banks, FInancial Institutes etc.

Recently we have seen banking malware using Tor hidden services to hide C2C (Command-and-Control) servers, or as described in the US-CERT announcement, P2P (peer-to-peer) networks. The purpose is the same, to hide the controlling master of the malware, that is the attacker / thief / fraudster her/himself. This also means that recently security practitioners, law enforcement and bank personnel got very good in finding and at least disrupting the C2C servers, otherwise there would be no need to find new ways of hiding them.

But how is this war going, that is, who is winning? Let’s be clear, we, the good guys, are losing.

At first sight the reason for this is simple: there are just too many bugs in today’s software (and possibly in hardware, or at least in embedded software in hardware) and new bugs are added at such a rate that our efforts to ‘secure’ the software are improving the situation a little but not much. It is just a never-ending chase: find a bug, exploit the bug, fix the bug – repeat… It is true that bugs are getting more difficult to find, that software developers are getting better in writing software and fixing bugs, that Bugs-Bounties are awarded to bugs discoverers from software houses etc., but the same happens on the other side and a real market of exploits (to which even secret services and the like participate) of unknown (also called 0-day) bugs exists and flourishes.

In this situation the approach that it is often adopted to protect financial transactions online (web-based) is to balance the costs of defensive measures with the losses to attackers. In the losses one should consider both those direct and those indirect, like bad publicity and loss of customers. Investing too much in some defensive measures could work but could also be a waste of money since the next attack can just avoid the expensive defensive measure and exploit some other bugs or flow in the process or, even worse, human weakness.

This really looks like a never ending cat-and-mouse game.

On Target and other Breaches

These days one of the top IT security news is the one concerning the Target breach which allowed the criminals to steal up to 40 million credit and debit cards data (see Krebs On Security for details). What is very interesting is the complexity of the entire operation. This is not someone who stumbles almost by accident on a bug or a security weakness and exploits it. This, and other similar ones (it is at least a couple of years that similar frauds have been known to be realized), are really criminal operations, well designed, carefully planned and implemented.

It is enough to mention a few details of this breach to understand the complexity of the operation. The malware has been designed and/or modified to fit exactly the environment in which it has been installed. The way of accessing the the IT systems has been carefully studied and most probably has been through a most unlikely third part. The stealthiness of the operation has been extremely good, including the way of exporting the extracted credit/debit card data from the company network into the criminals’ systems.

These are targeted attacks which adopt the best of technologies, included IT technologies but not limited to the IT world. The biggest issue is that the target of the frauds is not the IT, but is the everyday business which must understand that these new kind of frauds are very real and can target everyone.

How to Abuse Your Customers

This is a 1 Million USD settlement in a consumer fraud against the on-line video gaming company E-Sports Entertainment, LLC. On top of its online gaming business, the company found quite profitable to use the customer PCs to mine for Bitcoins and to monitor the customers’ use of the PC even when they were not running the E-Sports’s program.