Vulnerabilities found in Dendroid mobile Trojan

Posted by Paul Burbage, Threat Analyst

Aug 18, '14

On Friday, the full source code of the Dendroid Remote Access Trojan (RAT) was leaked. Dendroid is a popular crimeware package that targets Android devices and is sold on underground forums for $300. Usually the source code for botnet control panels is encrypted, so it was surprising to find the full source code for the Dendroid control panel included in the leaked files. Analyzing the leaked code revealed multiple vulnerabilities due to a lack of user input validation, including Cross-Site Scripting (XSS), Arbitrary File Upload, SQL Injection, and PHP Code Execution.


Topics: Malware, Threat Analysis, Trojan, Crimeware, Android

Lawsuit to Determine ATO Accountability, Blackphone Hacked and more | TWIC - August 15, 2014

Posted by Lori Gildersleeve

Aug 15, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Tennessee Electric Company Inc., which was the victim of a corporate account takeover scheme, has sued TriSummit Bank, alleging negligence, breach of contract and fraudulent concealment in relation to the bank’s handling of unauthorized transfers. Currently businesses lack the rigorous fraud liability limits that consumers enjoy. This lawsuit could help standardize who is at fault and for how much when businesses are the victims of cybercrime.

More than 75,000 iPhones have been targeted by Chinese AdThief malware, stealing nearly $22 million in advertisements. AdThief is designed to rely on Cydia Substrate, a platform for modifying existing processes, which only works on jailbroken iOS devices. Hackers were able to manipulate advertiser identities, redirecting the revenue each time an end-user viewed or clicked on a given advertisement. 


Topics: The Week in Cybercrime

Massive Data Breach Revealed, New POS Malware Identified and more | TWIC - August 8, 2014

Posted by Lori Gildersleeve

Aug 8, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

A Russian crime ring has collected more than 1.2 billion username/password combinations and 500 million e-mail addresses, according to researchers with Hold Security. The criminals appear to be using the stolen information to send spam on social networks at the behest of other groups, earning a fee in return. Victimized companies have not been named, due to nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.

Researchers with FireEye and Fox-IT have launched a free online service to help victims unlock and recover files scrambled by the malware CryptoLocker. Cybercriminals used the malware to hold users’ personal files for a ransom, costing a few hundred to several thousand dollars for access. According to Fox-IT, 1.3 percent of victims paid a CryptoLocker ransom.


Topics: The Week in Cybercrime

ATO Fraud Explained, Neverquest Strikes, Cloud Seeded with Bots and more | TWIC - August 1, 2014

Posted by Lori Gildersleeve

Aug 1, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Join Stacy Shelley, VP at PhishLabs, as he explores the reasons common ATO fraud prevention measures are insufficient and how financial institutions can move forward with a more comprehensive and robust anti-fraud strategy. Watch the webcast here.

Cybercriminals are using financial malware, called Neverquest, to attack several regional banks in Japan. Neverquest’s capabilities include key logging, screenshot and video capturing, remote control access and stored credential and digital certificate theft. Researchers indicate that Japan, the United Kingdom and Germany are the most impacted by the malware. 


Topics: The Week in Cybercrime

Banks Face Sophisticated Attacks, Hacker Attempts Blackmail, WSJ Breached and more | TWIC - July 25, 2014

Posted by Lori Gildersleeve

Jul 25, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

A sophisticated spear-phishing and malware campaign, dubbed Operation Emmental, bypasses the Android-based two-factor authentication systems used at 34 banks. Customers of financial services firms in Switzerland, Austria, Sweden and Japan have been targeted. The attacks are characterized by volume and sophistication, including localized spam, non-persistent malware, rogue DNS servers and more.

Researchers discovered a new, highly sophisticated attack hitting Swiss bank customers, both online and via Android devices, that is capable of compromising systems, intercepting SMS tokens, poisoning DNS settings and manipulating SSL. The Trojan, known as “Retefe,” uses a combination of attack vectors, including classic man-in-the-middle attacks, while evading detection by hiding within victims’ systems. The malware can also prompt users to install a fake banking application that intercepts login activity.


Topics: The Week in Cybercrime

Why ATO Is a Huge Problem, Gameover ZeuS Revives, Shylock Botnet Disrupted and more | TWIC - July 18, 2014

Posted by Lori Gildersleeve

Jul 18, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

There's been a lot of buzz in financial industry media and conference tracks lately about account takeover, or ATO. And financial institutions are rightly concerned. According to a study conducted last year, losses due to ATO fraud have grown 69 percent and account for more than $4.6 billion in losses (yes, that's billion with a B).

Cybercrooks recently began attempting to resurrect the Gameover ZeuS botnet by sending out spam with phishing lures that include zip files booby-trapped with a new variant of the malware. This revival attempt comes nearly a month after the FBI joined with several nations, researchers and security firms in a global effort to shut down the botnet. The original Gameover ZeuS botnet, which has been blamed for the theft of more than $100 million worldwide, remains locked down; this new variant appears to be rebuilding the botnet from scratch.


Topics: The Week in Cybercrime

The 3 reasons why account takeover is still a big problem

Posted by Stacy Shelley

Jul 15, '14

There's been a lot of buzz in financial industry media and conference tracks lately about account takeover, or ATO. And financial institutions are rightly concerned. According to a study conducted last year, losses due to ATO fraud have grown 69% and account for more than $4.6 billion in losses (yes, that's billion with a B). 

The growth in ATO is counter-intuitive. Financial institutions have been beefing up online banking controls since the FFIEC issued their Supplement to Authentication in an Internet Banking Environment back in 2011. You would think those sector-wide improvements in authentication and other fraud prevention controls would have stemmed the ATO tide, but they clearly have not done so.

Which raises the question: Why is ATO still a huge problem for banks, credit unions, and their customers?

Read on to get some answers.


Topics: Strategy, ATO, Account Takeover

New Commercial Malware for Sale, Zeus Evolves, Microsoft Apologizes and more | TWIC - July 14, 2014

Posted by Lori Gildersleeve

Jul 14, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Widely available, free clones of Zeus, as well as the arrests of several crimeware kit developers, had left the commercial malware market barren until now. The developer of a new financial crimeware, called Pandemiya, has begun selling the banking Trojan for between $1,500 and $2,000. The malware features Web injection capabilities, password-grabbers, task automation, a file grabber, encrypted command-and-control communications and the ability to capture screen grabs.

Websense Security Labs researchers announced the discovery of evolving Zeus strains that implement information-stealing procedures. These new Zeus variants are being used in low-volume e-mail campaigns that target users’ financial data. While a recent malware campaign appeared to focus on Canadian banks, U.S. businesses are also being targeted.


Topics: The Week in Cybercrime

ATO|Prevent: A new approach to curbing account takeover fraud

Posted by John LaCour

Jul 10, '14

I'm very excited to announce that we've launched a new, comprehensive service for community banks and credit unions that goes beyond internal anti-fraud controls to stop account takeover. It's called ATO|Prevent, and we developed it because it's plainly evident that these defensive controls no longer pose a major barrier to cybercriminals seeking to take over online banking accounts and carry out fraud.

In fact, we believe that just playing defense against these attacks is a losing battle. The simple truth is that you aren't going to win many fights if you don't fight back. That's why we created ATO|Prevent: to proactively fight on behalf of banks and credit unions against the attacks that lead to account takeover fraud.


Topics: Company News, ATO, Account Takeover

Phishing Attacks Surge in Q1 2014, Microsoft's Proactive Cyber Fight, and more | TWIC - July 3, 2014

Posted by Lori Gildersleeve

Jul 3, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

The Anti-Phishing Working Group (APWG) reports in its new Phishing Activity Trends Report that the number of phishing sites in the first quarter of 2014 grew 10.7 percent over the previous quarter. The APWG detected an average of 41,738 new phishing attacks per month in the first quarter, resulting in the second-highest number of phishing attacks ever recorded in a first quarter.

Brobot, a powerful botnet specializing in attacks against American financial institutions, appears to be back in action after a year's hiatus. But this time, its operator appears to be unknown.


Topics: The Week in Cybercrime
