2016-11-28

Articles from November 19-24

Deliveroo Under Fire After Hungry Hackers Defraud Firm

Infosecurity Magazine | Phil Muncaster | November 23, 2016

Takeaway delivery service Deliveroo has come under criticism after an investigation revealed customers have had their accounts broken into and used to run up huge bills. BBC’s Watchdog programme discovered some users of the popular service were left several hundred pounds out of pocket. “I noticed that I had a ‘thank you’ email from Deliveroo for a burger joint in Chiswick,” Judith MacFayden, from Reading, told the programme. “I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.” Deliveroo claimed the accounts were accessed because customers reused credentials from other services which were compromised in a data breach, the pattern known as credential stuffing. It added that no financial data had been stolen as a result. Deliveroo said it didn’t want to comment on which anti-fraud measures it has in place, for obvious reasons, but said it’s always working to improve such measures.
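The pattern Deliveroo describes, leaked username/password pairs replayed against its login, is detectable on the service side before the fraudulent orders go out: one source tries many different accounts and fails on most of them, and the few successes are the accounts to lock. The following is an added example, not Deliveroo's anti-fraud code, of such a credential-stuffing detector run over constructed login-log lines; the log format, the ten-minute window and the thresholds are assumptions for illustration.

```python
"""Credential-stuffing detector run over constructed login-log lines.

Added example, not Deliveroo's anti-fraud code. The log format, the
10-minute window and the thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 walks a list of leaked username/password pairs; 198.51.100.9 is a
# real user who mistypes her password once. The last line is deliberate junk.
SAMPLE_LOG = """\
2016-11-20T14:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2016-11-20T14:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2016-11-20T14:00:02 203.0.113.7 carol@example.com LOGIN_FAIL
2016-11-20T14:00:03 203.0.113.7 dave@example.com LOGIN_OK
2016-11-20T14:00:04 203.0.113.7 erin@example.com LOGIN_FAIL
2016-11-20T14:00:05 203.0.113.7 frank@example.com LOGIN_FAIL
2016-11-20T14:00:06 203.0.113.7 grace@example.com LOGIN_OK
2016-11-20T14:05:00 198.51.100.9 judith@example.com LOGIN_FAIL
2016-11-20T14:05:07 198.51.100.9 judith@example.com LOGIN_OK
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse(log):
    """Return [(timestamp, ip, user, success)], skipping lines that don't parse."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Map each stuffing source IP to the accounts it logged into successfully.

    A source is flagged when, inside one sliding window, it tries at least
    `min_users` distinct usernames and at least `min_fail_ratio` of its attempts
    fail. A legitimate user who forgets a password retries one account; a
    stuffing tool replays a leaked list and fails on everyone who did not reuse
    their password. The successes from a flagged source are the accounts to
    lock and re-verify, even though each login on its own looked valid."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits[ip] = sorted({e[2] for e in win if e[3]})
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; compromised accounts: {', '.join(accounts)}")
```

The detector keys on the source address for simplicity; a real stuffing campaign is spread across many proxies, so in production the same window logic is also run per device fingerprint and per /24, and the successful logins it surfaces are what an anti-fraud step-up (re-authentication before a new delivery address is accepted) should act on.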

Ransomware abusing encrypted chat app Telegram protocol cracked

ZDNet | Charlie Osborne | November 23, 2016

Ransomware which abuses the Telegram Bot API has been stopped in its tracks only weeks after discovery. The malware, TeleCrypt, is typical ransomware in the way its malicious code operates. If Russian-speaking victims run the software, potentially delivered through malicious downloads or phishing attacks, TeleCrypt encrypts files on the system and throws up a warning page blackmailing the user into paying a ‘ransom’ to retrieve them. In this case, victims are faced with a demand for 5,000 roubles ($77) for the “Young Programmers Fund.” However, the malware also has unusual aspects, such as the abuse of Telegram Messenger’s communication protocol to send the key needed to decrypt the files to the threat actor, which, according to Kaspersky Lab’s Securelist, makes it the “first cryptor to use the Telegram protocol in an encryption malware case.” A cryptor either keeps all key handling offline or reports back to its operator; TeleCrypt does the latter, so it needs a channel to the threat actor. Keeping that channel concealed and protected normally means building dedicated command-and-control infrastructure, which increases the cost of malware development. To avoid that cost, TeleCrypt abuses the publicly available Telegram Bot API: the attacker registers a bot, the unique token issued for it is embedded in the malware’s body, and the Trojan uses that token to send its messages through Telegram’s API. One consequence is that the bot token is a hard-coded credential inside every sample, and whoever recovers it can query the Bot API as that bot.
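An added example of what an analyst can do with that design (not Kaspersky's code; the sample bytes are a constructed stand-in for a TeleCrypt-style binary, and the bot-token pattern is an assumption about the token format, kept deliberately loose): because the bot token and the chat id are plain strings in the binary, they can be carved out of the sample, in both ASCII and UTF-16LE forms, and turned into the Bot API requests that identify the operator's bot.

```python
"""Pull Telegram Bot API artefacts out of a sample's strings.

Added example for analysing a TeleCrypt-style sample; it is not Kaspersky's
code and SAMPLE_BYTES is a constructed stand-in, not the real Trojan. The
bot-token pattern (numeric bot id, colon, alphanumeric secret) is an
assumption about the token format and is kept deliberately loose."""
import re

API_HOST = b"api.telegram.org"
TOKEN_RE = re.compile(rb"(\d{6,12}):([A-Za-z0-9_-]{30,50})")
CHAT_RE = re.compile(rb"chat_id=(\d{5,15})")

# Constructed sample. A Windows executable often holds the same string as
# plain ASCII and as UTF-16LE, so both forms are embedded here.
FAKE_TOKEN = "123456789:" + "A" * 35          # placeholder, not a live token
SAMPLE_BYTES = (
    b"\x00" * 16
    + b"https://api.telegram.org/bot" + FAKE_TOKEN.encode() + b"/getMe\x00"
    + b"\x00" * 8
    + "/sendMessage?chat_id=987654321".encode("utf-16-le")
    + b"\x00" * 8
    + FAKE_TOKEN.encode("utf-16-le")
)


def _views(blob):
    """Yield the raw bytes plus both UTF-16LE alignments folded back to 8-bit."""
    yield blob
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        # Non-Latin code points come from mis-decoded ASCII regions; drop them.
        yield text.encode("latin-1", errors="ignore")


def uses_telegram_api(blob):
    """True when any string view names the Bot API host."""
    return any(API_HOST in view for view in _views(blob))


def extract_tokens(blob):
    """Sorted unique (bot_id, secret) pairs found in any string view."""
    found = {(b.decode(), s.decode())
             for view in _views(blob) for b, s in TOKEN_RE.findall(view)}
    return sorted(found)


def extract_chat_ids(blob):
    """Chat ids the sample reports to; with the token they identify the operator's channel."""
    return sorted({c.decode() for view in _views(blob) for c in CHAT_RE.findall(view)})


def triage_urls(bot_id, secret):
    """Bot API endpoints an analyst can query (from an isolated host) with the
    recovered token: getMe names the bot, getUpdates shows what it has received.
    Both are documented Bot API methods; the token is the only credential needed."""
    base = f"https://api.telegram.org/bot{bot_id}:{secret}"
    return {"getMe": base + "/getMe", "getUpdates": base + "/getUpdates"}


if __name__ == "__main__":
    print("talks to Telegram:", uses_telegram_api(SAMPLE_BYTES))
    for bot_id, secret in extract_tokens(SAMPLE_BYTES):
        print("bot token:", bot_id, secret[:4] + "...", triage_urls(bot_id, secret)["getMe"])
    print("chat ids:", extract_chat_ids(SAMPLE_BYTES))
```

The same strings make a cheap network detection: outbound HTTPS to api.telegram.org from a host that has no Telegram client installed is worth an alert on its own, and the carved token is what lets a takedown request name the exact bot.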

Two-thirds of London Councils Suffered Breach in Past Four Years

Infosecurity Magazine | Phil Muncaster | November 23, 2016

Around two-thirds of London’s councils have been breached over the past four years, according to a new Freedom of Information request. Identity management firm Secure Cloudlink’s research revealed that 21 out of the capital’s 33 local authorities had suffered a data breach over the period, although Hackney and Kensington and Chelsea refused to disclose the information – ironically, for security reasons. Barnet, Camden, Croydon, Greenwich, Lambeth, Lewisham, Wandsworth, Westminster and the City of London were among those affected, while Bexley, Bromley, Ealing, Enfield and Haringey were on the list of those which managed not to spill data during the period. Fortunately, there’s no evidence to suggest that any breached citizens’ data has subsequently been used in follow-up fraud or cyber attacks. However, the research confirms that data protection in local government is still far from perfect. “Designs that were once suitable have not been updated to keep pace with today’s digital economy, and because of this, hackers have been able to capitalise and steal information much more easily,” argued Secure Cloudlink chairman, Mark Leonard.

Madison Square Garden admits hackers spent a year harvesting visitor credit-card data

ZDNet | Liam Tung | November 23, 2016

The Madison Square Garden Company has revealed that for a year malware has been capturing payment-card data from a system that processes payments for several of its properties. MSG warned customers on Tuesday that the breach had exposed customer data held on the magnetic stripe of credit cards, including card numbers, cardholder names, expiration dates, and internal verification codes. Card-issuing banks recently notified MSG of suspicious transaction patterns, which led to an investigation by MSG and confirmation of the infection in the last week of October, it said. It’s not clear why the company only revealed the incident now. “Findings from the investigation show external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment-card data, as that data was being routed through the system for authorization,” MSG said. Cards used to buy merchandise and food and drinks at several properties between November 9, 2015 and October 24, 2016 may have been affected.
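A "program that looked for payment-card data ... as that data was being routed through the system" is typically a memory scraper: it reads the payment application's process memory and matches the ISO 7813 track layouts, using the Luhn check digit to discard false hits. The following is an added example of that scan (not MSG's or the attackers' code), run over a constructed buffer containing the well-known Visa and Mastercard test numbers; the same routine run against a dump of the payment process is how an analyst confirms what such an infection could have harvested.

```python
"""Scan a memory buffer for magnetic-stripe track data the way a PoS RAM
scraper, or an analyst hunting one, does.

Added example, not MSG's or the attackers' code. The buffer is constructed and
the PANs are the well-known Visa/Mastercard test numbers, not real cards."""
import re

# ISO 7813 layouts. Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?   PAN is 13-19 digits.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")

SAMPLE_BUFFER = (
    b"\x00" * 10
    + b"%B5555555555554444^DOE/JANE^25121010000000000000?"   # track 1
    + b"\xff" * 5
    + b";4111111111111111=251210110000000000?"               # track 2
    + b"\x00;1234567890123456=2512101?"                      # shaped like track 2, fails Luhn
    + b"\x00"
)


def luhn_ok(pan):
    """Luhn check-digit test; scrapers use it to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four, the most an investigation report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf):
    """Return track hits in buffer order, masked, keeping only Luhn-valid PANs."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(), {"track": 1, "pan": mask(pan),
                                      "name": m.group(2).decode(errors="replace"),
                                      "exp": f"{m.group(4).decode()}/{m.group(3).decode()}",
                                      "service": m.group(5).decode()}))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(), {"track": 2, "pan": mask(pan),
                                      "exp": f"{m.group(3).decode()}/{m.group(2).decode()}",
                                      "service": m.group(4).decode()}))
    return [h for _, h in sorted(hits, key=lambda x: x[0])]


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_BUFFER):
        print(hit)
```

Two practical notes: the scraper only ever sees track data because the terminal hands it to the application in clear; point-to-point encryption at the reader removes the target, which is why the card brands push it alongside EMV. And when this scan is run over a real dump, keep the masking: the output is itself cardholder data.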

The Black Friday Heist: Financial Phishing Increases During Holiday Season

Information Security Buzz | Kaspersky Lab | November 22, 2016

A peak season for sales is obviously also a peak hunting season for criminals. In fact, some £5 billion of transactions are predicted over the holiday sales period – five times higher than in 2015. Retailers offer lots of hard-to-resist deals as people plan on spending money on gifts for family, friends and themselves. Therefore, while e-commerce customers are making wish lists for the upcoming sales, retailers are preparing their stores for a massive rise in the number of visitors. Financial infrastructure owners – banks and payment systems – are similarly getting ready for a huge increase in the number and value of transactions. However, cybercriminals are preparing too, as research from previous years suggests. As Kaspersky Lab’s threat statistics show, in 2014 and 2015 the proportion of phishing pages that hunt financial data (credit card details) detected by the company during Q4 (which covers the holiday period) was around nine percentage points higher than the average for the year. In particular, the result for financial phishing in all of 2014 was 28.73 per cent, while the result for Q4 was 38.49 per cent. In 2015, 34.33 per cent of all phishing attacks were financial phishing, while in Q4 that type of phishing was responsible for 43.38 per cent of all attacks. Holidays also influence the type of financial targets that criminals go after. In both 2014 and 2015, Kaspersky Lab researchers witnessed a significant (several per cent) increase in phishing attacks against payment systems and online stores. Attacks against banks also grew, but at a lower rate.

Catastrophic botnet to smash social media networks in 2017

ZDNet | Charlie Osborne | November 22, 2016

Social media networks and their prolific use will prompt a plague of botnets in 2017, security researchers have warned. Botnets are networks of compromised devices, such as connected home gadgets, PCs, and mobile devices, infected with malware designed to enslave them. The botnet is run by an operator who uses command and control (C&C) infrastructure to send commands to these devices, such as flooding a web domain with traffic in a distributed denial-of-service (DDoS) attack that can severely disrupt online services. These botnets can cost hosting and DDoS-protection providers a fortune to combat. For example, in September the prominent security blog Krebs on Security was the target of a 620Gbps DDoS attack launched from the Mirai botnet, a network of hundreds of thousands of compromised IoT devices. Akamai, which had been protecting the site free of charge, withdrew its service because of the sheer cost of absorbing the ongoing attack.

Malicious images on Facebook lead to Locky Ransomware

CSO | Steve Ragan | November 21, 2016

Researchers have discovered an attack that uses Facebook Messenger to spread Locky, a family of ransomware that has quickly become a favorite among criminals. The ransomware is delivered via a downloader, which is able to bypass Facebook’s file whitelisting by pretending to be an image file. The attack was discovered on Sunday by malware researcher Bart Blaze, and confirmed later in the day by Peter Kruse, another researcher who specializes in internet-based crime and malware. The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file. The use of SVG (Scalable Vector Graphics) files is important. SVG is XML-based, meaning a criminal can embed any type of content they want, such as JavaScript, and a file-type filter that only checks the extension or the XML header still sees an image. In this case, JavaScript is exactly what the attackers embedded. If opened, the malicious image directs the victim to a website that resembles YouTube in design only, as it’s hosted on a completely different URL. Once the page is loaded, the victim is asked to install a codec in order to play the video shown on the page. If the codec (presented as a Chrome extension) is installed, the attack then spreads further via the victim’s Facebook Messenger contacts. In some cases the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky. The attack seems to have variations, so it isn’t clear if there is more to it than rogue extensions and downloaded ransomware.
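Because an SVG is an XML document, an upload filter that accepted the Messenger "image" could have parsed it and rejected anything that carries code rather than drawings. The following is an added example of such a scanner, not the researchers' code; the two SVG documents are constructed and the URL in the malicious one is a placeholder. It flags script elements and other embedding elements, event-handler attributes, and href values whose scheme executes rather than fetches, including the whitespace-obfuscated form browsers still run.

```python
"""Flag SVG files that carry active content rather than just drawings.

Added example for the Messenger/Locky delivery trick above; it is not the
researchers' code. The two documents are constructed and the URL in the
malicious one is a placeholder."""
import xml.etree.ElementTree as ET

# Elements that run code or embed foreign content inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}
# URI schemes that execute rather than fetch.
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

BENIGN_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>"""

# Three delivery channels in one file: an event handler, an href with a tab
# hidden inside the scheme (browsers strip it), and a plain script element.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="window.location='http://video.example/'"/>
  <a xlink:href="java&#9;script:window.location='http://video.example/'"><text y="20">play</text></a>
  <script><![CDATA[ window.location = "http://video.example/"; ]]></script>
</svg>"""


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def scan_svg(text):
    """Return a list of findings; an empty list means no active content was seen.

    A parse error is reported as a finding too: a file that is not well-formed
    XML is not a valid SVG and should not be passed on as an image."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"parse_error: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root_not_svg: {_local(root.tag)}")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active_element: <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            # Browsers drop tabs/newlines inside a URL, so "java<TAB>script:" still
            # runs; remove all whitespace before reading the scheme.
            scheme = "".join(value.split()).lower().split(":", 1)[0]
            if name.startswith("on"):
                findings.append(f"event_handler: <{tag} {name}>")
            elif name == "href" and scheme in SCRIPT_SCHEMES:
                findings.append(f"script_uri: <{tag} {name}={scheme}:>")
    return findings


def is_safe_image(text):
    """Accept only SVGs with no findings."""
    return not scan_svg(text)


if __name__ == "__main__":
    print("benign:", scan_svg(BENIGN_SVG))
    print("malicious:", scan_svg(MALICIOUS_SVG))
```

Two caveats for production use: feed untrusted XML through defusedxml rather than the stock ElementTree, which does not defend against entity-expansion attacks, and treat this as a reject list for triage rather than a sanitizer; the safe way to accept SVG uploads is to rasterize them server-side or serve them with a Content-Security-Policy that forbids script, since animation elements and external references offer further channels not enumerated here.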

Happy Birthday Conficker: Malware hits 8

SC Magazine | Doug Olenick | November 21, 2016

As Conficker hit its eighth birthday Monday, it’s still going strong, according to researchers at ESET. Since 2008 the worm has targeted Microsoft Windows computers in 190 countries, with a total of 11 million devices infected to date, according to a retrospective blog post by ESET, which estimated the damage done by Conficker to be in the $9 billion range. A few of the higher-profile targets it has hit are the U.K. Ministry of Defence and the German armed forces. “Ultimately though, the worm leveraged – and indeed, continues to leverage – an old, unpatched vulnerability to crack passwords and hijack Windows computers into a botnet. These botnets would then be used to distribute spam or install scareware (again, as they are today),” ESET researchers wrote. The malware is now being used to target Internet of Things (IoT) devices, ESET said. Hacked IoT devices were recently responsible for the massive Mirai DDoS attack that knocked Twitter, Spotify, Netflix, GitHub, Amazon and Reddit offline. One reason Conficker has endured the test of time is the constant upgrades and new variants developed by cybercriminals. Over the years it has graduated from spreading via USB drives to, analysts now believe, moving laterally through a network to target specific devices.

Over 97 Percent of All Phishing Emails Deliver Ransomware

eSecurity Planet | Jeff Goldman | November 21, 2016

According to PhishMe Inc.’s 2016 Q3 Malware Review, the proportion of phishing emails that deliver some form of ransomware reached 97.25 percent in the third quarter of 2016. Locky ransomware executables were the most commonly identified file type in the third quarter, PhishMe found. “Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” PhishMe CTO and co-founder Aaron Higbee said in a statement. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties.” And while just 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of malware samples in those emails far exceeded that of the ransomware campaigns.

Homeland Security Chief Cites Phishing as Top Hacking Threat

Fortune | Jeff John Roberts | November 20, 2016

Why are people still such suckers for phishing? At a security event in New York this week, top law enforcement officials shared their concerns and, to my surprise, their biggest preoccupation was plain old e-mail. “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” Homeland Security Secretary Jeh Johnson told the crowd, referring to malicious emails that appear to come from a credible source. He has a point. The debacle over leaked emails from Hillary Clinton’s campaign chairman began when the chairman, John Podesta, fell for a fake Gmail message. And those celeb-gate hacking victims likewise got tricked by phishing. So what can we do about it? Education is one approach. Secretary Johnson says his agency sends emails to its own employees with suspicious links for goodies like “free Redskins tickets.” Those who click on the link receive instructions to show up to a spot to collect their tickets, where they instead receive a free lesson on cyber-hygiene. And of course technology is another way to fight phishing. At the security event, Manhattan District Attorney Cyrus Vance announced that the non-profit Global Cyber Alliance had created a free tool to help organizations deploy DMARC, the email-authentication policy a domain publishes in DNS so that receivers can reject mail forged in its name. “Phishing—mundane as it is—is the biggest threat we face and need to tackle,” said Vance, who added that, after terrorism, cyber-security is New York’s top priority.
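The value of a rollout tool like the one announced above lies in getting the DNS record right: a record with p=none only asks receivers for reports and blocks nothing, so it does not stop the spoofed mail the officials are describing. An added example (not the Global Cyber Alliance tool; the domain and report addresses are placeholders, and tag names and defaults follow RFC 7489) that parses a DMARC TXT record and grades it, with a monitor-only record beside an enforcing one:

```python
"""Parse and grade a DMARC TXT record.

Added example of the check behind a DMARC rollout; it is not the Global Cyber
Alliance tool the article mentions, and the domain and report addresses are
placeholders. Tag names and defaults follow RFC 7489."""

POLICIES = {"none", "quarantine", "reject"}

# A first deployment: reports only, nothing rejected.
WEAK_RECORD = "v=DMARC1; p=none"
# The target state: reject forgeries on the domain and its subdomains, strict
# alignment, and both report streams going somewhere someone reads.
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; "
                 "adkim=s; aspf=s")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; malformed tags raise ValueError."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (level, findings). level is 'invalid', 'monitor', 'partial' or 'enforce'.

    'monitor' (p=none) is where most first deployments sit: receivers send
    reports but still deliver spoofed mail, so it stops no phishing by itself."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        return "invalid", ["record must start with v=DMARC1"]
    p = tags.get("p")
    if p not in POLICIES:
        return "invalid", [f"p= must be none, quarantine or reject, got {p!r}"]
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return "invalid", [f"pct= must be 0-100, got {pct!r}"]

    findings = []
    if p == "none":
        findings.append("p=none: receivers only report; spoofed mail is still delivered")
    if int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if p != "none" and tags.get("sp", p) == "none":
        findings.append("sp=none: subdomains are exempt from the policy")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so you cannot see who sends as your domain")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                findings.append(f"{tag}= URI must be mailto:, got {uri!r}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") == "r":
            findings.append(f"{tag}=r: relaxed alignment, any subdomain of the organisational domain passes")

    if p == "none":
        level = "monitor"
    elif p == "quarantine" or int(pct) < 100:
        level = "partial"
    else:
        level = "enforce"
    return level, findings


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        level, findings = assess_dmarc(rec)
        print(f"{name}: {level}")
        for f in findings:
            print("  -", f)
```

The record lives at `_dmarc.<domain>` as a TXT record, so in practice the grader is fed the output of a DNS lookup for that name. The usual path from weak to strong is p=none with rua= to learn which systems legitimately send as the domain, then p=quarantine with a rising pct=, then p=reject; skipping the monitoring step is how a rollout ends up rejecting the company's own newsletters.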
