ATM “jackpotting” attacks, also known as “logical attacks”, which have long been an issue for banks in Europe and Asia, are now being seen targeting ATMs in the United States. The goal of these attacks is to force the machine to dispense large volumes of cash on demand. To carry out the attack, crooks must gain physical access to the ATM in order to use specialized electronics and/or malware to control the operations of the ATM. Banks should consider all points where ATMs could be vulnerable to physical attack, such as USB and network ports, and implement appropriate safeguards. All ATMs should also run supported operating systems.
In early January, researchers disclosed two serious flaws in modern processors, Spectre and Meltdown, that could affect nearly every Intel computer released in the last 20 years, as well as the AMD and Arm chips in your phones, laptops, and tablets. The processor manufacturers believe they can fix or mitigate the flaws with software patches, and Apple, Microsoft, and Google have already released some mitigations. The BIOS updates released by Intel are causing some PCs to become unstable; however, software patches from operating system vendors should be applied as soon as possible to mitigate the effects of these flaws.
Less than a year ago, the FBI reported that business email compromise (BEC) attacks were a $5.3 billion industry; however, Trend Micro now projects that BEC attacks will exceed $9 billion in 2018. In BEC attacks, crooks typically leverage social engineering, or they try to steal email login credentials through phishing emails or malware. End-user awareness training is critical to prevent these types of attacks, and significant transactions should always require dual approval and verbal verification from the requester.
According to the World Economic Forum’s 2018 Global Risk Report, cyber-attacks are the third most likely global risk this year, with data fraud or theft coming in fourth place. This shows just how much cyber-risks have increased in their prevalence and disruptive potential as of late. As cyber-risks continue to affect organizations in new and broader ways, risk management should be a high priority.
In 2014, Overstock.com became one of the first e-commerce vendors to accept bitcoin by partnering with Coinbase. Earlier this month, Bancsec identified a flaw with Coinbase and Overstock.com that allowed customers to purchase items at a small fraction of the listed price. Even worse, this flaw allowed customers paying with bitcoin to receive a refund much larger than what they had paid when the order was canceled. Coinbase has since implemented a fix to resolve the issue.
Researchers have discovered a new Android malware dubbed the Catelites Bot, which shares similarities with the CronBot banking Trojan that was used to steal $900,000. This new malware is designed to harvest payment card details and banking credentials from customers of over 2,200 financial institutions. Android users should avoid installing apps from third-party app sources and should always carefully review the permissions that apps request.
Relevant URL(s): https://www.infosecurity-magazine.com/news/cronlinked-malware-impersonates/
An aggregated, interactive database of over 1.4 billion breached credentials was recently discovered on the dark web. This list, which includes decrypted passwords from known breaches such as LinkedIn and Bitcoin, is nearly twice as big as the previous largest discovered. Multi-factor authentication can help mitigate account takeover attempts, and passwords should never be reused across multiple services.
Relevant URL(s): https://www.infosecurity-magazine.com/news/researchers-trove-14-billion/
An undisclosed buyer purchased a Captcha WordPress plugin that had more than 300,000 active installations from developer BestWebSoft, then modified it to download and install a hidden backdoor. This backdoor allowed the plugin author or other attackers to gain remote administrative access to WordPress sites without requiring any authentication. WordPress removed the affected Captcha plugin from its official plugin store. Website administrators are urged to replace this plugin with the latest official Captcha version to mitigate this threat.
Relevant URL(s): https://thehackernews.com/2017/12/wordpress-security-plugin.html
A new attack has been identified that delivers Loki malware through malicious “scriptlets” in Microsoft Office applications. These “scriptlets”, which utilize external links embedded in the documents, often bypass traditional antivirus because they show no evidence of shellcode, macros, or DDE functionality. Loki is a type of malware designed to steal usernames and passwords from email clients, browsers, FTP clients, and file management software. This attack exploits a vulnerability that was patched in April and updated in September of 2017. Banks should always ensure critical security vulnerabilities are patched as promptly as possible to protect against threats such as this.
Relevant URL(s): https://www.darkreading.com/attacks-breaches/microsoft-office-docs-new-vessel-for-loki-malware/d/d-id/1330678
A substantial data leak that was the result of a misconfigured Amazon Web Services S3 storage bucket exposed the sensitive data of 123 million American households in December. This leaked data contained information from analytics firm Alteryx and its partners Experian and the US Census Bureau and included details on financial histories, contact information, and mortgage ownership. To limit risk, banks should probe the security culture and controls of their third-party vendors and ensure they meet expectations.
Relevant URL(s): https://www.darkreading.com/cloud/massive-cloud-leak-exposes-alteryx-experian-us-census-bureau-data/d/d-id/1330673
(November 21, 2017)
Tether, the world’s first blockchain-enabled platform that allows traditional currency to be used like digital currency, was the recent victim of a cyberattack that resulted in the loss of around $31 million worth of its tokens. The company is in the process of attempting token recovery, to prevent them from entering other cryptocurrency markets. A thorough investigation is underway to prevent similar attacks in the future.
Relevant URL(s): https://thehackernews.com/2017/11/tether-bitcoin-hacked.html
Two new malware campaigns targeting Android users have been uncovered by a team of researchers. Both of these campaigns spread a new version of BankBot, a persistent banking Trojan that imitates legitimate banking apps to steal users’ login information and credit card details. This malware also has the ability to intercept SMS messages, make calls, steal contacts, and track infected devices. Google has removed the malicious apps identified from the Play Store, but users should always carefully review the permissions that apps request and avoid installing apps from third-party app sources.
Relevant URL(s): https://thehackernews.com/2017/11/bankbot-android-malware.html
Terdot, a revamped banking Trojan based on Zeus, can now spoof SSL certificates in order to gain access to social media and email accounts, in addition to its banking login and credit card information stealing features. These new capabilities allow Terdot to intercept and modify data sent to banks or social media in real time. This banking Trojan is being distributed through malicious emails and websites compromised with the SunDown Exploit Kit. These threats can often be mitigated with employee awareness education, consistent social engineering testing, and adaptive email and web security filtering.
Relevant URL(s): https://thehackernews.com/2017/11/facebook-twitter-hack.html
Another new banking Trojan, IcedID, has been identified that does not seem to have borrowed code from similar threats. This Trojan, which was first identified in September of this year, is currently targeting banks and other financial organizations in the US, Canada, and the UK in an attempt to capture banking credentials, payment card information, and other sensitive information. The malware also uses the Lightweight Directory Access Protocol (LDAP) to move laterally to and compromise other endpoints on the network. Application whitelisting and sophisticated endpoint protection can be utilized to thwart these types of malware.
Relevant URL(s): https://www.helpnetsecurity.com/2017/11/13/icedid-banking-trojan/
A new Trojan, dubbed Silence, has been identified that leverages techniques similar to Carbanak, which allowed crooks to steal about $1 billion over a two-year period from 100 banks in 30 countries. The goal of this new attack is to steal from banks themselves, rather than from the banks’ customers. Presence on the banks’ networks is gained by tricking employees with spearphishing emails sent from email addresses belonging to organizations that have been infected previously. From there, the criminals monitor victims through screen recording, data exfiltration, and remote control access. Adaptive endpoint protection and continuous social engineering and phishing training can help banks protect against threats such as these.
Relevant URL(s): https://www.darkreading.com/attacks-breaches/silence-trojan-mimics-carbanak-to-spy-steal-from-banks/d/d-id/1330301