Phishing Leads to Man-In-The-Middle Attacks

Krebs on Security reported that a security company called Proofpoint had detected a four-week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two router models (UTStarcom and TP-Link) that are common on that ISP’s network. The emails pretended to be an account/billing message from the ISP, with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute-force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in, it changed the router’s primary DNS (Domain Name System) server address to the criminals’ own malicious DNS server. This allows the crooks to monitor all web traffic, hijack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. It could also lead to the installation of other malware.

Image: malicious iframe scripts used to hijack the router and DNS

This type of attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a botnet.
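Because the hijack lives in the router rather than on the host, antivirus never sees it; what a defender can check instead is the DNS configuration itself and the answers it gives. The script below is an added example (not code from the original post, Proofpoint or Krebs on Security) of two client-side checks: auditing the resolver list (copied from the router’s status page or the host’s DHCP lease) against an allowlist, and comparing the addresses a sensitive hostname resolves to through the configured resolver with those from an independent reference resolver. All addresses, hostnames and answer sets are constructed from documentation ranges; in real use the answer sets would come from two live lookups.

```python
"""Client-side indicators of a DNS-hijacked router (added example, constructed data)."""
import ipaddress

# Constructed allowlist: the router's LAN address plus two hypothetical ISP resolvers.
ALLOWED_RESOLVERS = {"192.168.1.1", "198.51.100.53", "198.51.100.54"}

# Constructed resolver list in resolv.conf syntax, as a DHCP client or a router
# status page export might present it. 203.0.113.66 stands in for a rogue resolver.
SAMPLE_RESOLVER_LIST = """\
# constructed sample
search lan
nameserver 203.0.113.66
nameserver 192.168.1.1
"""

# Constructed answer sets for the ISP's login host: what the configured
# (possibly hijacked) resolver returned versus an independent reference resolver.
CONFIGURED_ANSWERS = {"login.example-isp.net": {"203.0.113.80"}}
REFERENCE_ANSWERS = {"login.example-isp.net": {"198.51.100.20", "198.51.100.21"}}


def parse_nameservers(text):
    """Extract valid IP addresses from 'nameserver' lines, ignoring comments and other keys."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) == 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, skip it
    return servers


def audit_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Return configured resolvers that are not on the allowlist."""
    return [s for s in parse_nameservers(text) if s not in allowed]


def compare_answers(name, configured, reference):
    """True when the configured resolver's answers share no address with the reference.

    CDNs can return different addresses per query, so a *partial* overlap is normal;
    a completely disjoint answer set is the hijack signal.
    """
    conf = configured.get(name, set())
    ref = reference.get(name, set())
    return bool(conf) and conf.isdisjoint(ref)


def hijack_indicators(resolver_text, name,
                      configured=CONFIGURED_ANSWERS, reference=REFERENCE_ANSWERS):
    """Collect human-readable findings from both checks."""
    findings = []
    rogue = audit_resolvers(resolver_text)
    if rogue:
        findings.append("unexpected resolver(s) in use: " + ", ".join(rogue))
    if compare_answers(name, configured, reference):
        findings.append(
            f"{name} resolves to {sorted(configured[name])} via the configured resolver "
            f"but to {sorted(reference[name])} via the reference resolver")
    return findings


if __name__ == "__main__":
    for finding in hijack_indicators(SAMPLE_RESOLVER_LIST, "login.example-isp.net"):
        print("ALERT:", finding)
```

The answer comparison is the stronger of the two checks: a hijacked router usually still hands out its own LAN address as the resolver, so the host’s resolver list can look perfectly normal while every answer is poisoned upstream.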

The important takeaway from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.

Sources:

http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/

https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Author: Charles Leavitt

Bank Hackers Steal Millions Via Malware

There was a story published in The New York Times a few weeks ago about an organized group of cybercriminals that pulled off one of the largest digital bank heists ever. This group, named Carbanak by Kaspersky, is responsible for deploying malware to gain access to computers at more than 100 banks and steal well over $300 million.

Image: Kaspersky

There were 300 IP addresses targeted and the attack spanned nearly 30 countries worldwide. And the method used:

Phishing

I’d hope that a bank would have better sense than to fall for a simple phishing attack, but this wasn’t very simple. Most times, phishing attacks are aimed at the customers, trying to gain sensitive information. Carbanak targeted the machines in the banks directly, finding ways to steal cash directly from the financial institution.

This same group is also thought to be behind several credit/debit card breaches at retail stores around the world, including Staples (a story covered by Brian Krebs back in December 2014); however, there has not been any noticeable activity since the bank heists.

Article: http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/#more-29921

Kaspersky Report: http://krebsonsecurity.com/wp-content/uploads/2015/02/Carbanak_APT_eng.pdf

-Jeremiah Faison

Spear Phishing Attack Costs a Company Millions

The Scoular Company, located in Omaha, Nebraska, fell victim to an attack that cost it millions of dollars. Forbes Magazine ranked The Scoular Company as the 55th largest privately-held corporation in the United States in 2014. Scoular is a 120-year-old company with sales of over $6 billion every year. Scoular’s primary focus is providing transportation for end-users and suppliers of food ingredients, grains, and feed ingredients, as well as buying, selling, handling, and storing these products.

This Fortune-ranked company seemed to have taken all of the proper precautions when it comes to cyber-security and to security as a whole. Yet even with these precautions, earlier this week it was discovered that the company fell victim to a spear phishing attack by clever fraudsters. This attack cost the company $17.2 million simply by tricking a controller into wiring that amount of money to a bank in China. The attacker(s) sent emails pretending to be the CEO of the Scoular company to one of the controllers of the company, stating that they were going to be buying out a company in China. Even worse, the emails coming from the “CEO” were not even from his official email address. To prevent this employee from reaching out to others in the company and speaking up about the big transfer, the attacker said that this was not to be mentioned in other channels, to avoid infringing on SEC regulations. In the controller’s defense, and I say this extremely lightly, the company was discussing its expansion to China, which is the primary reason the controller fell for the emails and sent the money. The attacker clearly did his research, as he instructed the controller to get the wire instructions from the company’s accounting firm, KPMG, and included a phone number that was answered by someone with the correct name. The attacker had clearly found a real KPMG employee’s information but gave a fake phone number and pretended to be that employee; when the real employee was questioned, he had never heard of Scoular. The fake email address used a kpmg-office.com name, which once again fooled the Scoular controller. The kpmg-office.com domain was found to be hosted on a server located in Russia, and the fake phone number provided was a Skype account with an IP address registered in Israel.

This case is currently under investigation by the FBI, which is said to be working on search and seizure warrants against the Shanghai-based Dadi Co. Ltd., the company said to have received the funds in the end. This company is a professional import and export agency mostly dealing in auto parts. If the seizure is granted, it will be carried out and executed by Chinese authorities, in cooperation with American authorities of course.

-Liam Ellis

Source: http://www.csoonline.com/article/2884339/malware-cybercrime/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html#tk.rss_news

More information:

http://www.reuters.com/article/2015/02/04/usa-grain-scoular-idUSL1N0VE2NX20150204

http://www.omaha.com/money/impostors-bilk-omaha-s-scoular-co-out-of-million/article_25af3da5-d475-5f9d-92db-52493258d23d.html
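The two tells in the Scoular case are visible in message headers before anyone reads the body: an executive’s display name on a message from a non-corporate domain, and a partner domain that merely resembles the real one (kpmg-office.com standing in for kpmg.com). The script below is an added example, not code from the original post or from any of the companies named, of a mail-gateway check for both indicators plus a Reply-To domain that differs from the sender. The corporate domain scoular.example, the executive name “Pat Example” and the three sample messages are constructed; kpmg.com is used as the trusted partner domain because the post names KPMG.

```python
"""Header-level business-email-compromise indicators (added example, constructed data)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "scoular.example"            # hypothetical internal domain
EXECUTIVE_NAMES = {"pat example"}          # hypothetical executive roster, lower-cased
TRUSTED_PARTNER_DOMAINS = {"kpmg.com"}     # the real partner domain named in the post

# Constructed messages: a CEO impersonation, a partner lookalike, and a clean internal mail.
CEO_SPOOF = """From: "Pat Example" <pat.example@mail-ceo.example>
To: controller@scoular.example
Subject: Confidential acquisition

Keep this off the usual channels until the deal closes.
"""
PARTNER_LOOKALIKE = """From: "Partner Contact" <contact@kpmg-office.com>
Reply-To: "Partner Contact" <contact@kpmg-office.com>
To: controller@scoular.example
Subject: Wire instructions

Instructions attached.
"""
LEGIT_INTERNAL = """From: "Pat Example" <pat.example@scoular.example>
To: controller@scoular.example
Subject: Quarterly review

See you at 3.
"""


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain, trusted=TRUSTED_PARTNER_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    Two heuristics: the trusted label appears as a hyphen-separated token
    (kpmg-office.com), or the whole domain is a near string match (kpmg.co).
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    for t in trusted:
        t_label = t.split(".")[0]
        if t_label in label.split("-"):
            return t
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8:
            return t
    return None


def bec_indicators(raw_message, corp_domain=CORP_DOMAIN):
    """Return a list of findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # Executive display name on a message that did not originate from the corporate domain.
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != corp_domain:
        findings.append(f"display name '{name}' matches an executive but sender domain is {from_domain}")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from sender domain {from_domain}")

    # Sender domain imitating a trusted partner.
    target = is_lookalike(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} resembles trusted partner {target}")
    return findings


if __name__ == "__main__":
    for label, raw in (("CEO spoof", CEO_SPOOF), ("partner lookalike", PARTNER_LOOKALIKE),
                       ("legit", LEGIT_INTERNAL)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```

None of these checks validates the request itself; the control that actually stops the wire is out-of-band verification with a phone number the company already holds, not one supplied in the message.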


Carbanak Cybercriminals Stole Millions Using Malware

The Carbanak cyber-criminal group has stolen from $300 million to $900 million using malware. In this attack over 100 banking and financial institutions in 30 nations have fallen victim, none of which have come forward acknowledging that the attack occurred. This has been an ongoing attack since 2013 and is still continuing to this day.

The Carbanak group infected admin accounts at these banking institutions through a mass phishing attack sent to a wide array of employees. The malware included keyloggers and remote access tools that allowed recording of the infected computers’ screens. Through the recordings gathered, they were able to learn the protocols necessary to execute cash transfers without raising red flags.

Once the Carbanak group had learned the necessary techniques, they began transferring various amounts of money (up to $10 million at a time in some cases) to themselves through four different methods: they transferred cash through fraudulent accounts and e-payment systems to other bank accounts; they controlled ATMs directly, placing their members near an ATM that was then ordered to dispense cash at set times; and they inflated bank customers’ account balances and transferred the difference to their own accounts (this method was possible due to Carbanak’s discovery that many banks check accounts on a cycle of every 10 hours, allowing the inflations and deductions to go unnoticed for some time).
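The balance-inflation method works only because the posted balance and the transaction journal are reconciled on a slow cycle. The script below is an added example, not code from the post or from Kaspersky’s report, of the control that closes that window: recompute every account’s balance from its opening balance plus the journal, and flag any account whose posted balance differs, then list the outbound transfers from flagged accounts. The ledger, account numbers and amounts are constructed; in the sample the attacker has inflated ACC-1001 by 9,000 outside the journal and moved that amount to an external account, leaving the customer’s visible balance looking normal.

```python
"""Continuous ledger reconciliation against balance inflation (added example, constructed data)."""
from collections import defaultdict
from decimal import Decimal

# Constructed opening balances at the start of the reconciliation window.
OPENING_BALANCES = {"ACC-1001": Decimal("1000.00"), "ACC-1002": Decimal("2500.00")}

# Constructed journal: (timestamp, account, signed amount, counterparty).
# The 9,000 inflation of ACC-1001 deliberately has NO journal entry; only the outflow does.
JOURNAL = [
    ("2015-02-10T08:00", "ACC-1002", Decimal("-200.00"), "ACC-1001"),
    ("2015-02-10T08:00", "ACC-1001", Decimal("200.00"), "ACC-1002"),
    ("2015-02-10T09:30", "ACC-1001", Decimal("-9000.00"), "EXT-CONSTRUCTED-7"),
]

# Constructed balances as the core system currently shows them. ACC-1001 should read
# 1000 + 200 - 9000 = -7800 from the journal, yet displays 1200: the inflation hides the theft.
POSTED_BALANCES = {"ACC-1001": Decimal("1200.00"), "ACC-1002": Decimal("2300.00")}


def expected_balances(opening, journal):
    """Replay the journal on top of the opening balances."""
    balances = defaultdict(Decimal, opening)  # Decimal() is zero for unseen accounts
    for _ts, account, amount, _counterparty in journal:
        balances[account] += amount
    return dict(balances)


def reconcile(opening, journal, posted):
    """Return {account: posted - expected} for every account that does not reconcile.

    A positive delta is an unexplained credit, i.e. the inflation described above.
    """
    expected = expected_balances(opening, journal)
    mismatches = {}
    for account, posted_balance in posted.items():
        delta = posted_balance - expected.get(account, Decimal(0))
        if delta != 0:
            mismatches[account] = delta
    return mismatches


def outflows_from(accounts, journal):
    """Journal entries that moved money out of the given accounts, oldest first."""
    return sorted((e for e in journal if e[1] in accounts and e[2] < 0), key=lambda e: e[0])


if __name__ == "__main__":
    bad = reconcile(OPENING_BALANCES, JOURNAL, POSTED_BALANCES)
    for account, delta in bad.items():
        print(f"ALERT {account}: posted balance exceeds journal by {delta}")
        for ts, _acct, amount, counterparty in outflows_from({account}, JOURNAL):
            print(f"   outflow {ts} {amount} to {counterparty}")
```

Run per transaction batch rather than every 10 hours, this check raises the alert on the first inflated balance, before the matching transfer can be scheduled.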

This was one of the most sophisticated cyber robberies that has occurred in recent times and as of now has not been stopped by any authorities.

iCloud Phishing

There have always been phishing attacks on Apple users, but the newest ones are very clever. Instead of telling you about a payment you’re supposed to have made, they tell you an order has shown up on your account but, because it coincides with some suspicious login attempts, has been cancelled.

Image: the fake iCloud order-cancellation form

The form is obviously fake because:

  • Asks for far too much data, considering the process you are initiating.
  • Isn’t on a typical Apple-named website.
  • Isn’t using HTTPS (secure HTTP).
  • Contains un-Apple-like inconsistencies, such as saying “available only…in the US” yet giving a price in Euros.
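The four tells listed above can be checked mechanically before a form is ever filled in. The script below is an added example (not code from the Sophos article) that parses a captured page with the standard library and reports which indicators are present: plain HTTP, a host outside Apple’s domains, an excessive number of sensitive fields for the stated purpose, and a US-only claim next to a euro price. The sample HTML and URLs are constructed; the Apple domain allowlist and the sensitive-field pattern are assumptions of this check, not Apple’s.

```python
"""Score a captured form against the phishing indicators above (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of Apple-owned domains for account pages.
APPLE_DOMAINS = ("apple.com", "icloud.com")
# Assumed pattern for fields an order cancellation has no business asking for.
SENSITIVE_FIELD = re.compile(r"card|cvv|cvc|ssn|passport|maiden|dob|birth|pin", re.I)

# Constructed phishing page and its URL.
PHISH_URL = "http://appleid-verify.example/secure"
PHISH_HTML = """
<html><body>
<p>Your order ORD-CONSTRUCTED was cancelled after suspicious sign-in attempts.
Verify your details to restore it. Available only in the US. Order total: €89.99</p>
<form action="/verify" method="post">
  <input type="email" name="apple_id">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="text" name="card_expiry">
  <input type="text" name="cvv">
  <input type="text" name="ssn">
  <input type="text" name="mothers_maiden_name">
  <input type="submit" value="Verify">
</form></body></html>
"""

# Constructed legitimate-looking sign-in page for comparison.
LEGIT_URL = "https://appleid.apple.com/account"
LEGIT_HTML = """<form><input type="email" name="apple_id"><input type="password" name="password">
<input type="submit" value="Sign in"></form>"""


class FormInspector(HTMLParser):
    """Collect user-facing input names and all visible text."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("type", "text").lower() not in ("hidden", "submit", "button"):
                self.fields.append(a.get("name") or a.get("id") or "")

    def handle_data(self, data):
        self.text.append(data)


def is_apple_host(host):
    """Exact or subdomain match only; 'apple.com.evil.example' must not pass."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def phish_indicators(url, html):
    """Return the list of indicators present in a captured page."""
    parser = FormInspector()
    parser.feed(html)
    parsed = urlparse(url)
    text = " ".join(parser.text)
    findings = []
    if parsed.scheme != "https":
        findings.append("form is not served over HTTPS")
    if not is_apple_host(parsed.hostname):
        findings.append(f"host {parsed.hostname} is not an Apple-owned domain")
    sensitive = [f for f in parser.fields if SENSITIVE_FIELD.search(f)]
    if len(sensitive) >= 3:
        findings.append(f"asks for {len(sensitive)} sensitive fields: {', '.join(sensitive)}")
    if re.search(r"\b(US|USA|United States)\b", text) and re.search(r"€|\bEUR\b", text):
        findings.append("claims to be US-only but prices in euros")
    return findings


if __name__ == "__main__":
    print(phish_indicators(PHISH_URL, PHISH_HTML))
    print(phish_indicators(LEGIT_URL, LEGIT_HTML))
```

The HTTPS indicator is the weakest of the four today, since certificates are free and phishing kits routinely use them; the domain check and the mismatch between what the page claims and what it asks for carry more weight.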

Phishing attacks are only getting more and more clever.

https://nakedsecurity.sophos.com/2015/02/06/more-icloud-phishing-dont-get-sucked-in/