STE WILLIAMS

Jennifer Lawrence nude photo thief is going to the slammer

George Garofano, 26, one of many pickpockets to rifle through the online accounts of Hollywood stars, on Wednesday was sentenced to eight months in jail and three years of supervised release for phishing credentials out of celebrities and non-celebrities alike, then breaking into about 240 iCloud accounts to steal personal images that he spread far and wide on the internet.

According to a press release from the US Attorney for the District of Connecticut, Garofano pleaded guilty to one count of unauthorized access to a protected computer to obtain information on 11 April, 2018.

At the time of his guilty plea, Garofano admitted to sending emails to the victims under the guise of being a member of Apple’s online security personnel in order to obtain their usernames and passwords.

The charges stemmed from a wave of attacks on the accounts of mostly female celebrities that started in 2014.

Known as Celebgate, that first wave involved intimate images being swiped of stars such as Winona Ryder, Hulk Hogan’s son, Nina Dobrev, AnnaLynne McCord, Victoria’s Secret model Erin Heatherton, Jennifer Lawrence, Kate Upton, Kirsten Dunst, Selena Gomez, Kim Kardashian, Vanessa Hudgens, Lea Michele and Hilary Duff, among others.

We’ve seen multiple men convicted and given jail time over prying open the Gmail and iCloud accounts of the Hollywood glitterati, but that sure didn’t stop Celebgate 2.0: in May 2017, we saw the intimate photos of Emma Watson and Amanda Seyfried stolen and posted.

The stolen images were disseminated online in places such as Reddit and Celebrity Jihad.

A few months later, Celebgate 3.0 swept up personal images of Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods, Lindsey Vonn and Katharine McPhee.

Edward Majerczyk, one of the earlier thieves to be convicted and jailed, hit up his victims with a phishing scam in which he sent messages doctored to look like security notices from ISPs.

The phishing messages led victims to a website that harvested their usernames and the passwords for their Google or iCloud accounts. With the credentials in hand, Majerczyk was free to romp through victims’ accounts and grab whatever photos and videos he could find.

Majerczyk’s case followed a guilty plea by Pennsylvanian Ryan Collins, 36, who was sentenced to 18 months in jail in October 2016.

Both Majerczyk and Collins pulled the same shtick: sending phishing emails spoofed to look like they came from Apple or Google and which asked victims for account credentials.

We never heard the details of how they constructed the phishing emails, but the hacking of the 2016 US presidential election did bring us a fascinating dissection of how hackers used Bitly shortened links in phishing attacks to trick Democratic National Committee officials into handing over their own Gmail credentials.

In another investigation sparked by Celebgate, the US government seized a Chicago man’s computers in June 2015.

None of those cases, apparently, are related to yet another celebrity hacking prosecution: that of Alonzo Knowles’ guilty plea in New York for stealing new screenplays and sex videos from celebrities, nor to the felony hacking conviction of Andrew Helton in Oregon for similar hacking of celebrity-owned Apple and Google accounts.

In other words, Garofano is just the latest in a long string of busted, soon-to-be-imprisoned celebrity hackers. Investigators sure don’t seem to be tired of chasing them down, though.

All the better for the people they’ve victimized.

One of those victims, Jennifer Lawrence, said at the time of her 2014 targeting that the theft and publication of nude photos of her was a “sex crime”.

Prosecutors were looking for a sentence of 10 to 16 months in prison, in line with federal guidelines. Garofano’s lawyers asked for leniency, requesting no more than five months in prison and another five months of home confinement.

What the prosecution said in its sentencing memo:

Mr Garofano’s offense was a serious one. He illegally hacked into his victims’ online accounts, invaded their privacy, and stole their personal information, including private and intimate photos. He did not engage in this conduct on just one occasion. He engaged in this conduct 240 times over the course of 18 months.

Not only did Mr Garofano keep for himself the photographs he stole, he disseminated them to other individuals. He may have also sold them to others to earn ‘extra income’.

In committing this offense, Mr Garofano acted in complete and utter disregard for the impact on his victims’ lives.

Garofano claims to have “already suffered” because of the actions he took beginning when he was in college. From his defense attorney Richard Lynch:

He now stands before the court having matured, accepting responsibility for his actions and having not been in trouble with the law since. There is nothing to suggest that he would ever engage in this or any other criminal conduct in the future.

The judge ordered Garofano to perform 60 hours of community service during his three years of supervised release.

What to do?

We recommend that you enable two-factor authentication (2FA), also known as two-step verification (2SV), for any account that supports it.

Sure, it’s slightly less convenient – when you log in using 2FA you need to enter your username and password as usual, and then enter a one-time code as well.

To get the code, you usually either need to launch a special app on your phone, or wait a couple of seconds for a text message to arrive.

But the one-time code, as its name suggests, is different every time you log in, so crooks who phish your username and password no longer have enough information to take over your account.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/r0-6LlyJSgs/

Proposed US law would require President to act against overseas hackers

US senators from both sides of the house have announced a bill that would force the President to act against overseas hackers found targeting the US, or explain why he hadn’t.

Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) this week.

The text of the bill cites several cybersecurity incidents, including the charging of Chinese military hackers for allegedly attacking a range of US industries, and the indictment of seven Iranians for alleged cyberattacks in the US, including DDoSes against 46 different financial institutions.

The document also pointed to a May 2018 State Department recommendation to the President. That document cited a rising number of cyberattacks that were serious, but not serious enough to warrant a counterattack. That document proposed:

…developing a broader menu of consequences that the United States can swiftly impose following a significant cyber incident, and taking steps to help resolve attribution and policy challenges that limit U.S. flexibility to act.

This bill seems to provide a framework for those consequences. It requires the President to label any foreign individual or agency that knowingly participates in an attack as a ‘critical cyber threat actor’, and publish their identity in the Federal Register.

The President can avoid publishing those details if it is important to national security or law enforcement to do so, but he must tell Congress about it, the bill said. Specifically:

The President shall transmit to the appropriate congressional committees in classified form a report containing any such identification, together with the reasons for exercising such authority.

The President must then impose sanctions on these threat actors, says the bill. These could take the form of removing security assistance, blocking US loans, investments and business purchases, and stopping technology exports. He could also revoke visas.

If he waives those sanctions, he can do so for up to a year but must explain to Congress why he is doing so on economic, national security, law enforcement or humanitarian grounds, the legislation said.

The bill explicitly calls out election tampering, which has become an increasingly critical problem for the US, citing as an infraction:

Interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data.

Publicly naming and shaming overseas hackers tampering in US elections would complement a new DoJ policy to publicly disclose election tampering schemes.

S.3378 is a companion bill to H.R.5576, introduced in the House of Representatives in April 2018. To reach the President’s desk, a bill must eventually go through both the House of Representatives and the Senate, but introducing a companion to an existing bill lends support to it.

Senator Gardner said:

This bipartisan legislation is another step that Congress and the Administration can take to deter foreign actors from carrying out cyberattacks against the United States. Our legislation will help provide additional tools for the Administration to impose significant costs against malicious cyber actors, including state-sponsored actors, around the world that aim to endanger U.S national security and our economy.

This proposed legislation punctuates a chaotic period for the White House’s cybersecurity policy. The National Infrastructure Advisory Council (NIAC), which advised the President on cybersecurity issues, quit a year ago, citing “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process”.

More recently, national security advisor John Bolton removed the position of cybersecurity advisor from the National Security Council, and the President issued an Executive Order rolling back Obama-era guidelines for launching cyberwarfare attacks on other nations.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dq8gjP3sVyk/

Security bods: Android system broadcasts enable user tracking

Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers.

Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there’s no plan to fix older versions.

What they found was that the system broadcasts spaff “Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address” to any application running on the device, even though this is supposed to be protected information, “bypassing any permission checks and existing mitigations”.

The reason older Android versions won’t get a fix, the post claimed, is that Google said it would break older APIs.

The problem is in how application developers use what Android calls “intents” for inter-process communication. The Nightwatch post explained: “While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data”.

The intents in question are in the WifiManager NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION, the post said.


An application trying to get information like the MAC address, network name, IP gateway and so on from the WifiManager process would raise a dialogue to get user permission, but that same information is readable from the system broadcasts, the post said.

As a result, an attacker creating a malicious application could harvest the system broadcast info from a user, send it “home”, use the MAC address to track the device’s movement between networks (in spite of Android’s MAC address randomisation, the post said), and compare network IDs to public databases.

As proof that the broadcasts are sniffable, Nightwatch points to this app at the Play Store by Lithuanian developer Vilius Kraujutis (@viliusk on Twitter). Developers need fewer than 20 lines of code to sniff the information in applications.

Kraujutis’s source code is also available at GitHub. ®
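The Nightwatch post’s point is that Android already offers ways to restrict who receives a broadcast (a receiver permission, scoping the intent to a package, or keeping it in-process) and that developers often skip them. The following audit helper, written for this page and not taken from the Nightwatch post or Kraujutis’s app, scans Java source for sendBroadcast calls that use none of those restrictions; the Java fragments it runs over are constructed samples. It can only cover an app’s own broadcasts; the system-originated NETWORK_STATE_CHANGED_ACTION broadcast described above is outside any single app’s control.

```python
import re
from typing import Dict, List

# Constructed Java fragments (not from the Nightwatch post or Kraujutis's app), each
# showing one way an app might hand network details to other processes.
SAMPLES: Dict[str, str] = {
    "unrestricted": """
        Intent i = new Intent("com.example.NET_INFO");
        i.putExtra("bssid", info.getBSSID());
        sendBroadcast(i);  // any installed app can register for this action
    """,
    "permission_guarded": """
        Intent i = new Intent("com.example.NET_INFO");
        sendBroadcast(i, "com.example.permission.READ_NET_INFO");  // receiver needs the permission
    """,
    "package_scoped": """
        Intent i = new Intent("com.example.NET_INFO");
        i.setPackage("com.example.trustedreceiver");  // explicit target package
        sendBroadcast(i);
    """,
    "local_only": """
        LocalBroadcastManager.getInstance(ctx).sendBroadcast(i);  // never leaves the process
    """,
}

# sendBroadcast(<intent>) or sendBroadcast(<intent>, <permission>)
SEND_RE = re.compile(r"sendBroadcast\(\s*([^,()]+?)\s*(?:,\s*([^()]+?))?\s*\)")
# <var>.setPackage(...) marks the intent variable as scoped to one package
SET_PACKAGE_RE = re.compile(r"(\w+)\.setPackage\(")


def audit_broadcasts(source: str) -> List[dict]:
    """Return one finding per sendBroadcast call that is neither permission-guarded,
    package-scoped nor sent through LocalBroadcastManager."""
    findings: List[dict] = []
    scoped = set()  # intent variables that had setPackage() called on them earlier
    for lineno, line in enumerate(source.splitlines(), 1):
        scoped.update(SET_PACKAGE_RE.findall(line))
        if "sendBroadcast(" not in line or "LocalBroadcastManager" in line:
            continue
        match = SEND_RE.search(line)
        if match is None:
            continue  # inline 'new Intent(...)' argument; not handled by this simple check
        intent, permission = match.group(1).strip(), match.group(2)
        if permission or intent in scoped:
            continue
        findings.append({
            "line": lineno,
            "intent": intent,
            "reason": "broadcast readable by every app on the device; add a receiver "
                      "permission, call setPackage(), or use LocalBroadcastManager",
        })
    return findings


def audit_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, int]:
    """Number of unrestricted broadcasts found in each sample."""
    return {name: len(audit_broadcasts(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, count in audit_all().items():
        print(f"{name:20s} unrestricted sendBroadcast calls: {count}")
```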

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/android_user_tracking/

Cobalt cybercrooks phry up phishing campaign to phling at phinance orgs

A notorious hacking group suspected in attacks across dozens of countries has launched a campaign against banks in eastern Europe and Russia.

The so-called Cobalt Group is slinging spear-phishing emails in an attempt to get into the systems of targeted financial organisations. The emails are set up to look like they were sent by a firm or partner that would normally have dealings with the target orgs, increasing the likelihood of infection. The hacking group then uses tools that can bypass Windows defences to burrow deeper into compromised networks.

Security firm NETSCOUT said that recently intercepted phishing emails targeting NS Bank (Russia) and Banca Comercială Carpatica/Patria Bank (Romania) were sent by Cobalt Group. The attribution is based on analysis of the contents of these dodgy emails and the infrastructure of the online traps they attempt to trick the unwary into visiting.

These phishing emails contained two malicious URLs. The first linked to a booby-trapped Word document containing obfuscated VBA scripts. The second URL pointed to a malicious executable that poses as a benign .jpg picture file. Both vectors were ultimately geared towards planting backdoors.

The binaries analysed point back to two unique command-and-control servers, which NETSCOUT researchers reckon are owned and operated by the Cobalt hacking group, as explained in a blog post here.

Targeted phishing is a common vector of initial compromise in attacks against banks, and is suspected in the recent $13.5m raid against Cosmos Bank in India, for example. The two-pronged phish used in this latest operation against eastern European banks is unusual, if not unprecedented.

Richard Hummel, ASERT threat research manager at NETSCOUT, said the use of two URLs in a phishing email is rare. “It’s not something we typically see,” he told El Reg. The two different URLs each went to different places and served different downloads.

Hackers may have done this in order to create redundancy, Hummel speculated, adding that their intentions in this department are unclear.

Cobalt Group (aka TEMP.Metastrike) has been active since at least late 2016, and has been implicated in attacks across dozens of countries. The group primarily targets financial organisations, often with the use of ATM malware. Security researchers believe it is responsible for a series of attacks on the SWIFT banking system, costing millions in damages to the affected financial institutions.

Europol recently arrested a suspect whom it claims is the leader of the gang.

Rustam Mirkasymov, head of dynamic analysis department at Moscow-based Group-IB, said the Cobalt hackers have been busy of late.

“In addition to these attacks, we have detected at least 17 campaigns since the beginning of this year, and at least 14 attacks after the arrests by Interpol,” Mirkasymov told El Reg. “We have seen phishing emails on behalf of Oracle, Bank of Santander, Western Union, Akamai Technology, SWIFT, Apple, Kaspersky Lab, Diebold Nixdorf, Interkassa, Sepa Europe, etc. Also, at least two companies were hacked and their infrastructure was used by Cobalt to deliver emails with malware in attachment.

“This year Cobalt stole money through SWIFT [terminals*] from one European bank but all money was successfully returned. In previous year they managed to steal money via SWIFT [terminals] from [a] Russian bank.” ®

* SWIFT has previously explained in both cases, as in others, that its network was not compromised and that it has offered its help to beef up security at its customer institutions.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/31/cobalt_bank_hackers_phishing_campaign/

Cryptojacking isn’t a path to riches

Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.

In a paper distributed via ArXiv, researchers Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck analyzed the prevalence of cryptomining on websites and found that 1 out of every 500 of the top million Alexa-ranked sites hosts cryptojacking code.

Where cryptocurrencies like Bitcoin depend on CPU cycles for solving the computational puzzles that generate currency, cryptocurrencies like Monero, Bytecoin, and Electroneum rely on memory resources. Commodity hardware can’t compete with GPUs and ASICs in the computation of Bitcoin hashes, but it can help churn out memory-bound calculations. That’s made pretty much any internet user’s hardware potentially useful for those looking to turn stolen processor time into something of value.

Cryptojacking code gets placed on websites, either as a result of a security flaw or deliberate action by the site owner. The two most common libraries are CoinHive and Advisorstat, the researchers say. When someone visits a site that implements these or similar libraries, the visitor’s device will begin cryptographic number crunching and credit the work to someone else, the attacker or site owner, with the software’s developers also taking a cut.

Fine in theory, sucks in practice

In theory, this can be remunerative. The researchers calculate that a cryptomining script on a popular website like Pornhub, with 81 million visitors a day last year, could earn US$50,208 per day, at an exchange rate of 1 XMR (Monero) per US$225. That’s less than the $81,000 per day the site would earn from advertising, based on a CPM of US$1.

But on average, most cryptojackers don’t earn much. “With a hash rate of 80 H/s and CoinHive’s payout ratio, a miner earns about US$5.80 per day per website on average, which supports our observation that web-based cryptojacking currently provides only limited profit,” the paper explains.

The ten most profitable cryptomining sites identified generate between US$119 and US$340 per day.

Existing detection methods – static blacklists – fall short, the researchers contend, noting that their approach mixing static and dynamic analysis performs better. And they argue that browser makers should move toward mining-aware browsing by implementing tab-based CPU quotas to detect unauthorized mining.


“The only reliable indicator in the presence of an adversary that actively tries to avoid detection is the measurement of prolonged and excessive CPU usage,” they say.
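To make the tab-based CPU quota idea concrete, here is a small detector, added for this page and not part of the researchers’ tooling, that applies the paper’s stated indicator (prolonged and excessive CPU usage) to per-tab CPU traces. The traces are constructed; the threshold and duration values are assumptions chosen for illustration, not figures from the paper.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed per-tab CPU traces: one sample per second, each sample the share (0..1)
# of one core that the tab's renderer consumed during that second.
SAMPLE_TRACES: Dict[str, List[float]] = {
    # short spike while the page renders, then idle
    "news-site": [0.90] * 5 + [0.05] * 85,
    # sustained near-full-core load, exactly what a browser miner looks like
    "suspect-site": [0.92, 0.95, 0.90, 0.88] * 22 + [0.93, 0.91],
    # steady moderate load, e.g. video decoding; never crosses the threshold
    "video-site": [0.40] * 90,
}


@dataclass
class Verdict:
    tab: str
    longest_high_run_s: float  # longest unbroken stretch above the CPU threshold
    exceeded_quota: bool       # True when that stretch is at least min_seconds long


def longest_high_run(samples: List[float], threshold: float) -> int:
    """Length (in samples) of the longest unbroken run with CPU share >= threshold.
    A single sample below the threshold ends the run, so a brief burst never
    accumulates into a quota violation."""
    best = current = 0
    for share in samples:
        current = current + 1 if share >= threshold else 0
        best = max(best, current)
    return best


def flag_tabs(traces: Dict[str, List[float]],
              interval_s: float = 1.0,
              threshold: float = 0.8,
              min_seconds: float = 30.0) -> Dict[str, Verdict]:
    """Apply the quota: a tab exceeds it when it stays above `threshold` of a core
    for at least `min_seconds` without interruption. Values are assumed defaults."""
    verdicts: Dict[str, Verdict] = {}
    for tab, samples in traces.items():
        run_s = longest_high_run(samples, threshold) * interval_s
        verdicts[tab] = Verdict(tab, run_s, run_s >= min_seconds)
    return verdicts


def tabs_to_throttle(traces: Dict[str, List[float]]) -> List[str]:
    """Tabs a mining-aware browser would throttle or prompt the user about."""
    return sorted(tab for tab, v in flag_tabs(traces).items() if v.exceeded_quota)


if __name__ == "__main__":
    for v in flag_tabs(SAMPLE_TRACES).values():
        print(f"{v.tab:14s} longest high-CPU run: {v.longest_high_run_s:5.1f}s "
              f"{'EXCEEDS QUOTA' if v.exceeded_quota else 'ok'}")
```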

Underscoring the interest in cryptojacking among miscreants, security biz Talos on Thursday delved into the doings of an individual identified as “Rocke,” whom the firm links to a number of recent malicious mining campaigns.

Rocke, says David Liebenberg, senior threat analyst at Talos, in a blog post, operates from China’s Jiangxi Province, based on details in various associated code repositories and email accounts. The firm anticipates that Rocke will continue to deploy browser-based miners, trojans, and the Cobalt Strike malware, while also exploring social engineering attacks.

“Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,” said Liebenberg. “Rocke’s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/30/cryptojacking_pays_poorly/


New Pen Test Tool Tricks Targets with Microsoft WCX Files

The open-source tool lets penetration testers gather credentials by convincing targets to open a Microsoft WCX file.

A new open-source penetration testing tool, dubbed Firework, will let pen testers collect sensitive data by tricking their targets into opening Microsoft WCX files.

Firework is a Python-based tool designed to find weak spots in enterprise security practices, and address the issue of social engineering tactics in corporate network breaches. It leverages these techniques to get targets to open a WCX file, which can be used to configure a Microsoft Workspace on a system and grant an attacker remote access.

An attacker could leverage the Workspace functionality to deploy a malicious application or desktop as part of a larger social engineering campaign. This could have broader implications; for example, data loss in the event that local resources are mapped to an attacker’s terminal server.

Once the target opens the file, the tool links to Firework, gathers credentials (including password hashes), and offers resources that were set up in the file, such as links to potentially malicious Office documents or a remote desktop environment that the pen tester controls.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/new-pen-test-tool-tricks-targets-with-microsoft-wcx-files/d/d-id/1332706?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks

Latest campaign by the hard-to-kill cybercrime group hides malicious code behind legitimate files, Windows processes.

The most financially destructive cybercrime organization in the world continues to hammer away at financial institution targets: The Carbanak Group – aka Cobalt Group and FIN7 – most recently was spotted trying to break into Russian and Romanian banks with spear-phishing emails loaded with dual malicious links.

The twofer strategy of loading an email with both a Word document and a JPEG – both rigged with malware – appears to be an insurance policy of sorts that the victim will be tempted to click on at least one of the links that leads to the malicious files, according to Richard Hummel, threat research manager for Arbor ASERT, which analyzed the group’s latest attack campaign.

“I think it’s more of a redundancy thing with the two vectors,” Hummel says, noting that it’s relatively unusual for attackers to have two malicious links in one phish. “We’ve seen where they have a malicious attachment and a malicious link, but not two malicious links. That was different.”

Carbanak/Cobalt/FIN7’s resilience runs deep, and its tentacles wide. In late March, Spanish police arrested the alleged leader of the organization, which is believed to have stolen more than $1.2 billion from 100-plus banks across 40 countries since it was first observed in 2013. His name was not released, but Spanish authorities reportedly said he was a Ukrainian and identified as “Denis K.”

In August, the US Department of Justice announced that three additional high-level leaders of the organization – Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 – were in custody and had been indicted. US law enforcement officials said the cybercrime group stole payment card data from millions of customers via more than 100 US retail companies, including Saks Fifth Avenue, Chipotle Mexican Grill, Arby’s, and Red Robin.

Experts say Carbanak/Cobalt/FIN7’s ability to continue its operations despite the high-level arrests of its leaders, as well as the regular exposure by security researchers of its cyberattack campaigns, demonstrates how hard it is to fully shutter a massive cybercrime operation with global ties.

“There are a lot of people involved in this operation,” Hummel says. Arresting someone at the top is akin to a botnet “takedown,” where plenty of other members continue the operation, even without the botnet operator or, in Carbanak/Cobalt/FIN7’s case, its lead.

ASERT researchers first spotted the latest attack campaign on Aug. 13, targeting financial institutions in Eastern Europe and Russia with convincing-looking spear-phishing emails that purported to be from a financial vendor or partner of the targeted institution. ASERT identified two specific bank targets: NS Bank in Russia and Banca Comerciala Carpatica/Patria Bank in Romania.

The cybercrime group is well-known for its slick and realistic-looking spear-phishing emails that contain malicious Word documents and other attachments. The attacks found by ASERT researchers include malware that can bypass Windows AppLocker whitelisting by employing legitimate Windows processes that AppLocker does not block by default: regsvr32.exe and cmstp.exe. 

Cisco Talos researchers last month found the group employing an email posing as the European Banking Federation, with a spoofed email address. In that case, the attachment was a malicious PDF file that included a URL leading to exploits for CVE-2017-11882, CVE-2017-8570, and CVE-2018-8174. “The final payload is a JScript backdoor … that allows the attacker to control the affected system remotely,” Talos said in a blog post on the campaign, as well as others that use similar tools and techniques as Carbanak/Cobalt.

The Payloads
ASERT researchers found in the latest campaign that the malicious Word file contains hidden VBA scripts, and the JPG file contains a binary file – both with malicious code calling out to two command-and-control servers known to be run by Carbanak/Cobalt/FIN7. “What they plan to do with the current campaign is unclear,” Hummel says. “But they are trying to get two backdoors installed and get into the network,” possibly to gain a foothold, he says.

Hummel says there are at least five other registered domains, although his team likely only scratched the surface of the entire campaign.

The VBA script in the rigged Word document runs only if macros are enabled. It then launches cmstp.exe with an INF file to sneak past AppLocker, and downloads a remote payload – a JavaScript backdoor – that gets executed. A DLL file posing as a text file launches the final piece of malcode using regsvr32.exe.

The JPEG contains a URL with multiple layers of obfuscation, and calls out to the C2 server for more payloads.
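The chain above leaves a distinctive footprint in process-creation telemetry: an Office application spawning cmstp.exe with an INF file and silent flags, and regsvr32.exe loading a file whose extension is not a library. The detector below, written for this page rather than taken from ASERT’s or Talos’s material, encodes those observations as rules and runs them over constructed log records in a simple Key=Value|Key=Value format (an assumed layout, not a real product’s schema); the paths and file names in the records are made up.

```python
import re
from typing import Dict, List

# Constructed process-creation records (not real telemetry): parent image, image and
# command line, pipe-separated. Records 0 and 1 mirror the chain described in the
# article; records 2 and 3 are benign lookalikes that must not fire.
SAMPLE_LOG: List[str] = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\cmstp.exe"
    r"|CommandLine=cmstp.exe /s /ni C:\Users\alice\AppData\Local\Temp\update.inf",
    r"ParentImage=C:\Windows\System32\cmd.exe"
    r"|Image=C:\Windows\System32\regsvr32.exe"
    r"|CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\notes.txt",
    r"ParentImage=C:\Windows\System32\msiexec.exe"
    r"|Image=C:\Windows\System32\regsvr32.exe"
    r'|CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\control.dll"',
    r"ParentImage=C:\Windows\explorer.exe"
    r"|Image=C:\Windows\System32\cmstp.exe"
    r'|CommandLine=cmstp.exe "C:\Program Files\VPN\corp.inf"',
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmstp.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LIBRARY_EXTS = {".dll", ".ocx", ".ax"}  # what regsvr32 legitimately registers


def parse_event(line: str) -> Dict[str, str]:
    """Split one Key=Value|Key=Value record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def tokens(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ext(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    rules: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    args = tokens(event.get("CommandLine", ""))[1:]
    flags = {a.lower() for a in args if a.startswith("/")}
    files = [a for a in args if not a.startswith("/")]

    # cmstp.exe fed an INF: suspicious when run silently without an icon (/s /ni),
    # or when an Office process is the parent (a document macro launched it).
    if image == "cmstp.exe" and any(ext(f) == ".inf" for f in files):
        if {"/s", "/ni"} <= flags or parent in OFFICE_APPS:
            rules.append("cmstp_inf_silent")

    # regsvr32.exe asked to register something that is not a library
    # (e.g. a DLL renamed to .txt), or given a scriptlet via /i:.
    if image == "regsvr32.exe":
        odd_file = any(ext(f) not in LIBRARY_EXTS for f in files)
        scriptlet = any(fl.startswith("/i:") for fl in flags)
        if odd_file or scriptlet:
            rules.append("regsvr32_non_dll")

    # Any Office application spawning a living-off-the-land binary.
    if parent in OFFICE_APPS and image in LOLBINS:
        rules.append("office_spawns_lolbin")
    return rules


def detect(lines: List[str]) -> Dict[int, List[str]]:
    """Map record index -> matched rules, for records that matched at least one."""
    hits: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        matched = classify(parse_event(line))
        if matched:
            hits[idx] = matched
    return hits


if __name__ == "__main__":
    for idx, matched in detect(SAMPLE_LOG).items():
        print(f"record {idx}: {', '.join(matched)}")
```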

ASERT has alerted the victim organizations and recommends that financial institutions train users about what to click and what not to click. “Criminal actors are a lot better at crafting well-done spear phishes where the sender looks like it’s coming from someone inside the organization,” Hummel says, so users need help knowing what to do.

“Most stand-alone email clients and browsers allow corporate policy to disable scripting by default, unless it’s coming from internal sources,” he adds.


Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/carbanak-cobalt-fin7-group-targets-russian-romanian-banks-in-new-attacks/d/d-id/1332707?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Botnets Serving Up More Multipurpose Malware

Attackers increasingly are distributing malware that can be used for a variety of different tasks, Kaspersky Lab says.

In a troubling trend for enterprises, an analysis of botnet activity in the first six months of 2018 shows that multifunctional malware tools are becoming increasingly popular among attackers.

Kaspersky Lab inspected more than 150 malware families and their modifications across some 60,000 botnets around the world and found that the share of multipurpose Remote Access Tools has almost doubled on botnets since the beginning of 2017 – from 6.5% to 12.2%.

The three most widespread of these RATs or backdoors—Njrat, DarkComet, and Nanocore—are all malware tools that attackers can relatively easily modify for different purposes or adapt for distribution in specific regions. Kaspersky Lab discovered Njrat to have command and control centers in 99 countries, mainly because of how easily attackers can use it to configure a personal backdoor with very little knowledge of malware development. Nanocore and DarkComet have C2 centers in over 80 countries for the same reason.

Similarly, Trojans capable of being modified and controlled by different command and control servers and used for different purposes were another category of malware that grew in Q1, though not quite as dramatically as RATs. Kaspersky Lab’s analysis showed that the share of such Trojans increased from 32.9% in the second half of 2017 to around 34.3% in the first six months of 2018.

Over the same period, the proportion of single-purpose tools being distributed through botnets declined substantially. For example, the share of special-purpose banking Trojans distributed via botnets dropped by 9.2 percentage points, from around 22.5% in the second half of 2017 to 13.3% of all malicious files in the first half of 2018.

Similarly, the share of spamming bots, which are another category of single-purpose malware, dropped to 12.2% this year from almost 19% in H2 of 2017. DDoS bots—another category of single-purpose tool—followed a similar pattern dropping from around 3% in Q3 and Q4 last year to about 2.7% in the first six months of this year.

Botnets on a Budget

One factor driving the trend is the relatively high costs of operating a botnet, says Alexander Eremin, security expert at Kaspersky Lab. Bots can be costly, so botmasters are looking for every opportunity to make money from their malware tools. Multi-purpose malware allows bot owners to quickly adapt their network for different purposes: from delivering spam, for instance, to distributing banking Trojans and ransomware, he says.

“[The] trend is driven by significant botnet ownership costs. Criminals will attempt to take everything at the first chance,” Eremin notes. “The emergence of multifunctional malware means that users need powerful protection as criminals try to steal users’ credentials, money, sensitive data, using the same malware sample.”

Botnets increasingly are being used according to the needs of the operator at that time, so it is often difficult to identify the primary specialization of a botnet, he says.

The Kaspersky Lab report is the second in recent weeks to warn about an increase in multi-purpose and adaptive malware tools. Earlier this month security vendor Proofpoint said it had seen a recent increase in the use of modular downloaders that allow attackers to modify malware after it has been installed on a system.

Basically, the tools allow adversaries to fingerprint infected systems and then modify or update the malware based on items of interest that the downloader might identify on a system.

Modular malware like the multiple-purpose tools that Kaspersky Lab highlighted in its report this week is problematic for enterprises because of how it can be quickly adapted for a variety of different tasks.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/botnets-serving-up-more-multipurpose-malware-/d/d-id/1332709?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Who’s At Greatest Risk for BEC Attacks? Not the CEO

CEOs only make up 2.2% of business email compromise targets, a sign most victims are further down the corporate ladder.

A common misconception in security is that business email compromise (BEC) attacks most frequently target corporate leaders, specifically CEOs and CFOs.

Not the case, according to a new study of 3,000 BEC attacks analyzed by the Barracuda Sentinel Team. These threats, which have been responsible for billions of dollars in fraud losses over the past two years, are slipping past security tools as attackers learn which tactics work best.

Earlier this summer, the FBI reported BEC scams have caused more than $12 billion in domestic and international loss between October 2013 and May 2018. And the threat is growing: between December 2016 and May 2018, there was a 136% increase in reported global exposed losses.

While their techniques may be shifting, BEC attackers’ primary motivation of financial gain remains the same. Barracuda found 46.9% of attacks were created to facilitate a wire transfer; in comparison, less than 1% aim to steal personally identifiable information (PII).

The small percentage of attacks targeting PII are focused on industries like healthcare and education, where organizations have vast stores of user data, explains Asaf Cidon, Barracuda’s vice president of email security. Even in these incidents, the ultimate goal is financial gain: actors who steal users’ personal data can turn around and sell it on the Dark Web.

But harvesting and selling PII is a more arduous process than getting an employee to wire funds straight into an attacker-controlled account. Cybercriminals want easy access to funds and, as researchers learned, they’re increasingly proficient at getting targets to do their bidding.

Malicious Emails: No Links, No Problem

There are a few ways to go about deceiving employees into sending money. Some threat actors send “urgent” requests for specific amounts, assuming the employee will act immediately. Others try to build rapport with their targets before requesting the money transfer.

An important finding – the most significant, says Cidon – is that fewer of these attacks include malicious links, which are often caught by security filters. Only 40% of BEC messages include links, while 60% do not, instead relying on social engineering techniques to succeed.

“What attackers realize is there’s actually a lot of harm you can do in sending an email without any links,” Cidon explains, adding most plaintext BEC emails request wire transfers. “They can probably do more damage through impersonation than by using phishing as the main hook.”

Chris Hadnagy, founder and CEO at Social-Engineer, Inc., says he has noticed attackers get craftier as security technology improves and employees become more security-savvy. However, improved hardware and software have lulled companies into a false sense of security. They think they’re safe with strong firewalls and IPS, but attackers are changing the game.

He explains the rise of combination attacks in which threat actors will send a plaintext email, sans links, in which they claim to have authority and request a wire transfer. They’ll follow this up with a phone call: “Hey, this is Paul, I just sent an email … can you make that happen?”

“The combination of a vishing call with a phishing attack tends to help people believe and trust the attacker more,” Hadnagy continues. “The days of sending malware-laden PDFs are gone – that doesn’t exist anymore.”

Prime Targets Have Less Power

The most likely targets for BEC attacks have less power than people think, says Cidon, noting that this is “actually a really big misconception” in the enterprise. CEOs, CFOs, and other high-level executives are frequently impersonated by attackers, he continues, but they are less frequently hit than the employees who report to them in IT, sales, marketing, operations, etc.

CEOs make up 2.2% of attack recipients but 42.9% of those impersonated, Barracuda researchers found. CFOs made up 16.9% of recipients and 2.2% of those impersonated. Finance/HR made up 16.9% of targets, while “other” made up more than half of attack targets.

“[Attackers] are portraying someone in higher power, whether it’s the CEO or their secretary, and they’re attacking those who fear for their jobs from that department,” Hadnagy explains. The CEO and CFO can question their motives and deny wire transfers. Employees in middle management or below will hesitate to question an authority who makes a request.

“The point is, the separation has to be far enough that the individual doesn’t know everyone in that higher level personally,” he continues. If an attacker claims to work with the CEO and demands an urgent wire transfer, a lower-level employee is more likely to comply.
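The pattern the article describes (an external sender borrowing an executive's display name, a plaintext money request, urgency, and no links for a filter to catch) can be turned into a simple triage heuristic. The following is an added example, not code from Barracuda or Social-Engineer, Inc.; the names, domains and messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed directory of impersonated roles (hypothetical names) and the domain
# they really send from. A real filter would also check SPF/DKIM/DMARC results.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "CEO", "paul smith": "CFO"}
MONEY_TERMS = re.compile(r"\b(wire transfer|wire|transfer|payment|invoice|gift cards?)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
LINK_PATTERN = re.compile(r"https?://|www\.", re.I)

def score_message(from_header, subject, body):
    """Return (score, reasons); a higher score means a more BEC-like message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    text = f"{subject}\n{body}"
    score, reasons = 0, []
    role = PROTECTED_NAMES.get(name.strip().lower())
    if role and domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"display name matches the {role} but sender domain is {domain}")
    if MONEY_TERMS.search(text):
        score += 2
        reasons.append("asks for a payment or transfer")
    if URGENCY_TERMS.search(text):
        score += 1
        reasons.append("urgency language")
    if score and not LINK_PATTERN.search(body):
        # Most BEC mail carries no link, so a link-only filter sees nothing.
        score += 1
        reasons.append("no links, so link-based filters would pass it")
    return score, reasons

def triage(messages, threshold=4):
    """Return the subjects of messages scoring at or above the threshold."""
    return [m["subject"] for m in messages
            if score_message(m["from"], m["subject"], m["body"])[0] >= threshold]

# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"from": '"Jane Doe" <jane.doe@webmail-example.net>', "subject": "Urgent wire transfer",
     "body": "I need you to process a wire transfer today. Can you make that happen?"},
    {"from": '"Jane Doe" <jane.doe@example.com>', "subject": "Q3 planning deck",
     "body": "Attached is the deck for Thursday's review."},
    {"from": "billing@vendor-example.com", "subject": "Invoice 1234",
     "body": "Your invoice is available at https://vendor-example.com/inv/1234"},
]
```

Only the first sample crosses the threshold: the executive's own mail from the internal domain scores zero, and the vendor invoice with a link scores too low to be flagged.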

Threat actors can often find the corporate hierarchy – and other information they need to launch a BEC attack – with a simple online search. Employees often put their phone numbers on LinkedIn or business cards; even if they don’t, there’s a good chance their colleagues will. It’s not hard to call someone and ask for their coworker’s phone number, he points out.

It’s even easier to seek out an employee’s email address. Once an actor knows the email format for a company ([email protected], for example), they can plug in the name of their desired target.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/whos-at-greatest-risk-for-bec-attacks-not-the-ceo/d/d-id/1332711?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple