STE WILLIAMS

ATM crooks up the ante by using infrared to steal your PIN

When we think of infrared technology, our minds go in many different directions at once as we march through the variety of uses for infrared. For those who follow the myriad television crime dramas, their minds no doubt go to the use of infrared photography at crime scenes. For those who are birdwatchers, infrared video can capture the hummingbird’s expenditure of energy. For most of us, it’s the remote control that connects us from our couch-potato position to our television.

Well, there’s one more to add to this list – use of infrared video to transmit data captured at your bank’s ATM by criminals wishing to clone and use your bank cards.

The newfangled ATM skimmer was found in Norman, Oklahoma and according to the Norman police department, the device which they discovered in June 2017 was wafer-thin and undetectable by the victim. This skimmer had an antenna attached which served to broadcast the collected information to a tiny camera, which had visibility of the ATM’s keypad.

Security investigative reporter Brian Krebs dug a bit deeper into this skimmer and learned that these criminals had mastered the use of infrared technology not only to transmit the data captured by the skimmer, but also to transmit the accompanying keypad video.

The criminals showed a great deal of technological acumen and savvy in their use of infrared.

Infrared for data transfer is not new

Using infrared as a means to transmit data has been around for many years and is a highly efficient means to transmit at speeds many magnitudes faster than both Bluetooth and WiFi.

Furthermore, the use of an infrared transmitter greatly reduces the odds of having their transmissions inadvertently detected, when compared to WiFi or Bluetooth, both of which are present on every smartphone.

The criminals had only placed themselves at risk during the time they put the device and video camera in place (Krebs has posted a photo of the two Oklahoma suspects), and when receiving the infrared signal (being in proximity to the ATM).

You’d have thought the criminals were Cold War history buffs, as their use of the concept of collect, store and forward data was previously perfected by the Russians. The KGB doctored several electric typewriters within the US embassy in Moscow in the 1980s which stored the keystrokes and then used signal bursts to send the data to listening posts nearby. The implants were, like the ATM skimmers, deeply embedded in the hardware of the typewriter.

Available information doesn’t tell us if these ATM skimmer devices used directed or diffused infrared, a point of interest from a defensive standpoint. If the criminals used directed infrared, then their data collection point was within line of sight of the infrared transmitter – in other words, they would have to see the ATM, and thus could be seen from the ATM.

If their infrared signal used diffused infrared, then their collection point need only be in signal proximity, as the signal is more forgiving to line-of-sight disruption and therefore, a bit harder to observe.

The ever-reducing costs of readily available component parts make these devices essentially throw-away devices. Run the device for as long as the internal battery provides energy, and then move on.

What can the financial institutions do?

  • Review the video at their ATMs with regularity – in this instance, it appears that the criminals were visible on video at the ATM but did not conduct a transaction.
  • Install touchless technology, like NFC (near field communications), which will enable users to use their EMV/NFC debit/credit cards, key fob or smartphone to access their accounts.
  • Or, as the Macau Monetary Authority has recently implemented in Macau, adopt “Know Your Customer” technology that requires each ATM to use facial recognition.

What should we do?

The low-tech solution is to cover your keypad hand with a newspaper or your other hand when entering your PIN – which will certainly stop anyone sneakily filming you as you tap it in.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5SXz5wCYxM8/

News in brief: Street View goes out of this world; GoT fans warned on torrenting; Citadel man jailed

Your daily round-up of some of the other stories in the news

Visit the ISS – without leaving your house

Fancy a trip to the International Space Station? Most of us won’t be able to visit it for real while it’s in orbit above the Earth, but now thanks to Google Street View, you can poke around the ISS from the comfort of your sofa.

Google worked with astronaut Thomas Pesquet, who spent six months on the ISS as a flight engineer, to record the images that have been used to create the Street View tour of the space station.

In a blog post, Pesquet says: “Because of the particular constraints of living and working in space, it wasn’t possible to collect Street View using Google’s usual methods.”

Pesquet goes on to explain: “Instead, the Street View team worked with NASA at the Johnson Space Center in Houston, Texas and Marshall Space Flight Center in Huntsville, Alabama, to design a gravity-free method of collecting the imagery using DSLR cameras and equipment already on the ISS.”

The result is a pretty impressive experience when viewed in the browser: you can visit the cupola for a window out to the Earth, and float through the various modules.

Naked Security is slightly disappointed to see that when you click on the Maps reference, the modules are located firmly on Earth rather than in space, but then it is called Google Earth – not Google Space.

Warning to fans torrenting Game of Thrones

Game of Thrones fans, be warned if you prefer to acquire your episodes via torrents (which obviously we never recommend, as it’s a great way to end up with malware or find your activities being tracked): HBO is apparently monitoring torrent swarms and warning users that they’re breaking the law.

TorrentFreak reported on Thursday that warnings were sent to ISPs including the IP addresses of alleged pirates and a request to the providers to warn their customers to desist, as well as a stern reminder that torrenting is a copyright infringement and “is also a security risk for computers, devices, and networks”.

As TorrentFreak notes, ISPs aren’t obliged to pass on the warnings to their users, but many do. However, to take further action against someone torrenting the latest episodes, HBO would have to go to court to get the ISPs to reveal who the IP addresses belong to.

It’s unlikely that HBO will be following up to catch individual pirates, but it is a reminder that – in theory at least – you probably could be identified and face a lawsuit. Is it worth it? That’s up to you.

Russian man jailed over Citadel

Remember Citadel, the malware used to steal personal financial information from thousands of people around the world? A Russian man, Mark Vartanyan, known as Kolypto, was sentenced to five years in prison in Atlanta on Wednesday for his part in its creation and use.

Reuters reported that Vartanyan had been held in Norway for two years before being extradited to the US in December. He had helped develop, improve and maintain Citadel, which infected some 11m computers and caused about $500m in losses, according to prosecutors.

Vartanyan is the second person to be sentenced in connection with Citadel: Dmitry Belorossov was sentenced to four and a half years back in October 2015.

As we reported back in 2012, Citadel was based on Zbot, and improved on it, even adding customer support to make it easier to deploy.

US Attorney John Horn said that “Mark Vartanyan utilised his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of all time.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7eeVxzQG7hk/

Crazy bug of the week: Gnome Files’ .MSI parser runs evil VBScripts

Gnome developers, take a bow: a bug in your image thumbnailer has opened up a (not too scary, thankfully) hole for script injection.

The security vulnerability was revealed this week by Nils Dagsson Moskopp here, and his advice for users is:

“Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code” (our emphasis added).

Here’s the rub: while creating thumbnail images, Gnome Files can, if you have Wine installed, accidentally execute parts of some filenames as if they were in a script – and that’s problematic. Specifically, we’re talking about .MSI files, aka Windows software installer packages: when you see one in Files, Gnome’s software tries to make a thumbnail for it, and if there’s any VBScript code in the filename, it may get executed. Damn.

Imagine downloading a ZIP archive, and it unpacks a .MSI with a malicious filename. Bam, Gnome Files executes that code before you’ve clicked on anything else – if you have a viewer open for that directory, of course.

Here’s where it gets weird: Gnome’s thumbnail generator for .MSI files uses Wine to parse the contents of the installer file. The generator crafts a custom temporary script to run within Wine that looks inside the .MSI and pulls out information and stuff to create the thumbnail. But due to a programming blunder, VBScript in the filename can end up being executed, too.

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype,” said Dagsson Moskopp.

He picks out this single line of code in /usr/bin/gnome-exe-thumbnailer as the culprit:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\tmp\${TEMPFILE1##*/}.vbs 2>/dev/null

He went on to explain:

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.”

Dagsson Moskopp says developers should not use “ad-hoc parsers” to parse files, should “fully recognise inputs before processing them”, and should use unparsers.
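The bug class in miniature, added here as an illustration rather than the thumbnailer’s own code: a script is built by pasting an untrusted filename into a text template, so a name containing a quote and a colon ends the string literal early and adds statements of its own. The template, the statement counter, the strict recognizer and the sample names are all constructed for this example; the real thumbnailer script is not on the page.

```python
import re

# Stand-in for the kind of text template the thumbnailer used to build a
# VBScript that it then ran under Wine. The real script is not on the page;
# this constructed one only echoes the file's name back.
VBS_TEMPLATE = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'WScript.Echo fso.GetFileName("{name}")\r\n'
)

def build_script_naive(filename: str) -> str:
    """Vulnerable pattern: the untrusted filename is spliced into the template."""
    return VBS_TEMPLATE.replace("{name}", filename)

# Recognizer for ordinary installer names; anything else is rejected outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9 ._()\-]{1,200}\.msi$", re.IGNORECASE)

def recognise_filename(filename: str) -> bool:
    """Fully recognise the input before it reaches any interpreter."""
    return _SAFE_NAME.match(filename) is not None

def vbs_string_literal(value: str) -> str:
    """Encode a value as one VBScript string literal: quotes are doubled, and
    characters that cannot appear inside a literal at all are refused."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("line breaks and NUL cannot be embedded in a VBScript literal")
    return '"' + value.replace('"', '""') + '"'

def build_script_strict(filename: str) -> str:
    """Hardened: only recognised names are ever placed in the template."""
    if not recognise_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return VBS_TEMPLATE.replace('"{name}"', vbs_string_literal(filename))

def build_script_escaped(filename: str) -> str:
    """Weaker mitigation: accept any name but encode it as a single literal."""
    return VBS_TEMPLATE.replace('"{name}"', vbs_string_literal(filename))

def count_statements(script: str) -> int:
    """Count VBScript statements by scanning outside string literals: inside a
    literal '""' is an escaped quote; outside, ':' and line breaks separate
    statements. A deliberately small scanner, not a full VBScript parser."""
    count, in_str, has_code, i = 0, False, False, 0
    while i < len(script):
        c = script[i]
        if in_str:
            if c == '"':
                if script[i + 1 : i + 2] == '"':
                    i += 1          # escaped quote, still inside the literal
                else:
                    in_str = False
        elif c == '"':
            in_str, has_code = True, True
        elif c in ":\r\n":
            if has_code:
                count += 1
                has_code = False
        elif not c.isspace():
            has_code = True
        i += 1
    return count + (1 if has_code else 0)

def is_rejected(filename: str) -> bool:
    """True when the strict builder refuses the name."""
    try:
        build_script_strict(filename)
    except ValueError:
        return True
    return False

# Constructed demonstration: a benign name versus one whose quote and colon
# characters end the literal early when pasted in naively.
BENIGN = "Office Setup (x64).msi"
HOSTILE = 'a" : WScript.Echo "injected" : x = ".msi'

if __name__ == "__main__":
    print(count_statements(build_script_naive(BENIGN)))    # 2
    print(count_statements(build_script_naive(HOSTILE)))   # 4: two extra statements
    print(is_rejected(HOSTILE))                            # True
    print(count_statements(build_script_escaped(HOSTILE))) # 2: still one literal
```

The strict recognizer is the approach the advisory recommends; the escaping variant only shows why a template that treats the name as data rather than code stays at two statements.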

This issue has now been addressed by using a proper MSI parser rather than screwing around with scripts and Wine: make sure you fetch and install the latest updates for Gnome Files as soon as they land. If you don’t have Wine installed, you’re not at risk, of course. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/bug_of_the_week_gnome_files_msi/

The eyes have IT: TSB to roll out iris-scanning tech for mobile banking

TSB has announced plans to roll out iris-scanning technology for its mobile banking app from September.

The move will make the UK high street bank the first in Europe to debut iris-scanning tech.

Biometric authentication for banking, in general, has become commonplace over recent years with fingerprints among the preferred methods, thanks in large part to the inclusion of fingerprint reader technology in higher-end smartphones, particularly since the launch of Apple’s TouchID back in 2013. Voice recognition is used elsewhere in the banking industry, particularly in call centres.

The TSB tech is based on technology from Samsung and only customers with the latest Samsung Galaxy S8 will be able to use iris recognition to access their TSB accounts. The bank already supports fingerprint recognition-based logins.

TSB’s chief information officer, Carlos Abarca, told the BBC that iris recognition was more secure than other forms of biometrics. “It takes advantage of 266 different characteristics, compared with 40 for fingerprints,” he said.

The tech offers a blend of security and convenience, according to the bank. Once customers log in after going through an iris scan app, they will need to enter a password or secret number, a TSB spokesman explained. Use of the tech is optional and other account access options will continue to be offered.

German hackers from the Chaos Computer Club were recently able to trick a Samsung Galaxy S8’s iris scanner with a picture of the device owner’s eye and a contact lens. TSB said it was relying not only on biometrics but on a digital certificate pushed onto the phone during the enrolment process, so would-be hackers would need not only a high definition image of their target’s iris but their smartphone in any serious attempt to circumvent the bank’s authentication controls.

Security experts gave the move a cautious welcome, noting that biometrics are useful but far from invulnerable. Biometric security is no longer the stuff of spy or sci-fi films. The technology is more secure than password alone but by no means a panacea.

Etienne Greeff, CTO and co-founder of SecureData, commented: “It’s good to see businesses like TSB looking to replace passwords, which are flimsy and easily breached, but hackers are wise to biometrics and it won’t stop them from trying to get their hands on your data. Biometric security has been hacked in the past and there are countless examples of fingerprints being copied, voices being mimicked and iris-scanning software being tricked.”

Multiple attacks on fingerprint scanners have been recorded over the years. HSBC’s voice recognition security system was recently fooled by a BBC journalist and his brother.

“Biometric authentication is not entirely immune to potential attack and therefore should not be relied on as the sole means of verifying a user,” said Richard Parris, chief exec at Intercede. “Rather than use biometrics in isolation, instead businesses need to be looking at strong authentication that incorporates three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, an iris scan).

“This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect.”

Companies storing authentication data have a greater responsibility to safeguard it because it’s harder to recover from breaches. Fingerprint or iris patterns can’t be revoked and changed, unlike passwords or credit cards. “With board directors to soon be responsible for complying with GDPR, more consideration needs to be had for security techniques deployed today and how we can better protect consumers,” SecureData’s Greeff concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/iris_biometrics_tsb/

Cops harpoon two dark net whales in megabust: AlphaBay and Hansa

Two of the largest dark net marketplaces – AlphaBay and Hansa – have been shut down following an international police operation.

AlphaBay was the largest criminal souk on the dark web, accessible through a hidden service on the Tor network. Prior to its takedown, AlphaBay reached over 200,000 users and 40,000 vendors, according to a Europol statement on the takedown.

During a joint FBI/Europol press conference today, AlphaBay was described as 10 times bigger than its infamous predecessor, the Silk Road.

There were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. Law enforcement estimate $1bn in trades made in digital currencies flowed through the site since its inception in 2014.

Hansa was the third largest criminal marketplace on the dark web, and also specialised in trading illicit drugs and other illegal commodities. Europol revealed today that the market had been under the covert control of cops for the last month, following a series of raids and arrests last month.

With the help of Bitdefender, an internet security company advising Europol’s European Cybercrime Centre (EC3), Europol provided Dutch authorities with an investigation lead into Hansa in 2016. Subsequent enquiries located the Hansa market infrastructure in the Netherlands, with follow-up investigations by the Dutch police leading to the arrest of its two administrators in Germany and the seizure of servers in the Netherlands, Germany and Lithuania.

Europol and partner agencies in those countries supported the Dutch National Police to take over the Hansa marketplace on 20 June 2017 under Dutch judicial authorisation, facilitating the covert monitoring of criminal activities on the platform until it was shut down today, 20 July 2017. In the past few weeks, the Dutch Police collected valuable information on high value targets and delivery addresses for a large number of orders. Some 10 000 foreign addresses of Hansa market buyers were passed on to Europol.

Elsewhere, an FBI- and DEA-led operation called Bayonet identified a suspect whom they believed could be the creator and administrator of AlphaBay, a Canadian citizen resident in Thailand. On 5 July 2017, Alexandre Cazes was arrested in Thailand and the site taken down. The 25-year-old died in custody in Thailand a week later.

Millions of dollars worth of cryptocurrencies were frozen and seized. Servers were also seized in Canada and the Netherlands, a DoJ statement on the operation explains.

Andrew McCabe, acting director of the FBI, hailed the international law enforcement co-operation that led to the takedown of the two marketplaces. He conceded that other dark web markets were likely to spring up and take their place. These too would be targeted.

“The so-called anonymity of the dark web is illusory,” said Acting Administrator Chuck Rosenberg of the DEA. “We will find and prosecute drug traffickers who set up shop there.”

During the press conference, Deputy Attorney General Rod Rosenstein echoed these sentiments and warned prospective dark net customers and traders that Tor would not necessarily shield their identities. Dark net users assume Tor will protect their ID but that’s not always true, he said.

The investigation into AlphaBay revealed that numerous vendors sold fentanyl and heroin. Multiple overdose deaths across the US have been attributed to purchases on the site. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/dark_net_megabust/

UK uni warns students of phishers trying to nick their tuition fees

Foreign students looking to experience the stochastic joys of a year at Newcastle University in England are being warned that phishers are after their cash – using an unusually well-crafted attack.

The raiders set up a very realistic-looking fake website proclaiming itself to be Newcastle International University, complete with pages of well-laid-out information. The URL isn’t that of the actual university site, but if you’re a student unfamiliar with the center of learning, it would be easy to be fooled.

“We have been made aware of an unofficial website which is fraudulently using the Newcastle University brand and accepting credit card payments to apply for courses,” the university said. “The website Newcastle International University is in no way affiliated with the University and we are advising anyone who finds the website should not submit any personal details.”

It’s the ideal time for phishers to pull a stunt like this. The exam results announcements for British students looking to go to university will be released within a month and overseas students are already trying to secure their places, and so could be vulnerable to slapping down the plastic if they think they can secure their place in academia now.

While the university has no comment at this time, it’s thought the website was spammed out via email to these foreign students, who are also unlikely to notice that the site uses faked Newcastle University logos and coat of arms. The fake site not only tries to harvest credit card data, but also asks for other personal information, including passport details.

“Make no mistake, this is an effective scam. They’ve put in the time and effort to create a remarkably realistic website. It is well designed, well executed, and it highlights the very real danger of modern spoofing attacks,” said Azeem Aleem, director of advanced cyber defence practice – EMEA at RSA.

“Newcastle University’s response has been admirable, quickly identifying and warning prospects about the site. Yet it is often very hard for a company or organisation to know if their site has been spoofed until someone has already become a victim.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/newcastle_uni_website_phishing/

DevOps & Security: Butting Heads for Years but Integration is Happening

A combination of culture change, automation, tools and processes can bring security into the modern world where it can be as agile as other parts of IT.

DevOps has been a hot topic now for the better part of a half-decade – and IT security has been on fire for longer than that. However, the two disciplines have been going down parallel paths for years, never to meet, because infrastructure teams and application development groups tend to work in their own little silos and claim ignorance as to what the other group does.

Why? There appears to be no good reason other than, “that’s the way it’s always been.” I believe there is some element of CYA in here, where if something doesn’t work, it’s easy to point a finger at a group you have nothing to do with. But by and large it’s just a legacy IT mindset.

This sentiment seems to be changing and IT leaders are actually attempting to bring infrastructure and applications together. I attended a recent conference where Mike Giresi, the CIO of Royal Caribbean Cruise, discussed this issue and noted that “the fact [that] the infrastructure and application teams don’t work together is completely insane.” He said there was a mandate inside Royal Caribbean that the DevOps and infrastructure teams would be goaled on the same thing – the success of applications. The common goal was in place to ensure collaboration and avoid finger-pointing. 

I get why DevOps teams may be hesitant to work with infrastructure groups. The primary focus of DevOps is speed and continuous innovation. Infrastructure, particularly security, thrives on keeping the lights on so “if it ain’t broke don’t fix it,” which is in stark contrast to the agile mindset of DevOps. 

Recently, DigiCert, a vendor of encryption solutions for enterprise and Internet of Things (IoT) security, ran their “2017 Inviting Security into DevOps Survey” to find the status of enterprises integrating security with DevOps. 

Before I get into the survey results, let me get on my soapbox regarding the need to bring infrastructure, particularly security, and DevOps together. Digital transformation requires businesses to move with speed. Speed requires IT agility. IT agility requires app development and infrastructure to be agile and, in most organizations, security is anything but agile. In fact, security is often left to the very end, so companies build a new app and then have to wait months until the security teams have made their changes and are ready. A better approach is to build security into the application development process.

The survey shows that a surprising 49% of organizations have completed the process of integrating security and DevOps, and another 49% are in the process of doing so. I suspect the group that says they were “finished” simply does not know what they do not know, so there’s likely more work to be done that they aren’t aware of. From personal interviews, I think that the number of companies that have completed the process is about 25% or less.

Whatever the real number is, the survey shows that the results have been positive as respondents are 22% more likely to report they are doing well with information security, 21% more likely to report they are meeting application delivery deadlines, and 21% more likely to lower application risk.

The study also looks at the ramifications of not changing, and these results really hit home.  Respondents to the survey were concerned that failure to integrate security and DevOps would add to the following already existing problem:

  • 78% cite increased costs
  • 73% cite slower application delivery
  • 71% cite increased security risk.

I find it interesting that more respondents are concerned with cost and speed than increased security risks but that’s likely a function of how critical agile development has become to organizations. Another way to think about this result is that security doesn’t matter if costs skyrocket or application development is too slow, as the organization will fall behind its competitors. 

To DigiCert’s credit, the company didn’t just run the survey and show the results.  The company also provided some recommendations and best practices on how to bring these formerly independent worlds together:

  • Appoint a social leader. Putting a leader in place to drive cultural change across the company is extremely important to success. This needs to be a top-down initiative where all parties understand the importance and the consequences of failure. Personally, I like the approach Royal Caribbean took of shifting to an outcome-based approach as it gives everyone a common lighthouse to row to.
  • Bring security to the table.  A security lead must be present on all DevOps initiatives – and be involved from the outset of projects. DigiCert suggests limiting access, signing and encrypting everything in the network using automated PKI. This makes sense given DigiCert’s solution but baking security into the development process ensures success at every step.
  • Invest in automation. This is music to my ears as I’ve long been a proponent of automating everything possible.  People work too slowly to keep up with digital trends, and automating things like patching, vulnerability scanning and certificate management is the only way to keep up with the speed of business today.
  • Integrate and standardize. Standardization and repeatability is the key to on-going success. Doing things ad hoc is a sure way to lead to failure.

DevOps and security have been butting heads for years but they don’t have to. A combination of culture change, automation, tools, and processes can bring security into the modern world where it can be as agile as other parts of IT. The DigiCert survey shows the importance of going down this path and the repercussions of not doing so. There’s never been a better time to bring security and DevOps together, so let’s start now. 


Zeus Kerravala provides a mix of tactical advice and long term strategic advice to help his clients in the current business climate. Kerravala provides research and advice to the following constituents: end user IT and network managers, vendors of IT hardware, software and … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/devops-and-security-butting-heads-for-years-but-integration-is-happening/a/d-id/1329407?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Office 365 Users Targeted in Brute Force Attacks

Attackers leveraged popular cloud service platforms to conduct persistent – and stealthy – login attempts on corporate Office 365 accounts.

Enterprise Office 365 accounts, many belonging to high-level employees at Fortune 2000 companies, were hit with a brute-force attack in one of the earliest operationalized cloud-to-cloud business attacks, according to Skyhigh Networks, which began tracking the campaign early this year.

Skyhigh detected a pattern of organized attacks including more than 100,000 failed Office 365 logins from 67 IP addresses and 12 networks. Attackers tried logging in with different versions of employees’ usernames, a sign they may have already possessed names and passwords but needed usernames for spearphishing campaigns or data access.

All login attempts came from instances hosted on cloud service platforms and targeted 48 businesses. The “slow-and-low” pace of attacks indicates threat actors were trying to stay under the radar; for each business, only a handful of senior employees were targeted. All those who were hit have been notified.
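A detection sketch for the pattern described above, added here as an example and not Skyhigh’s or Microsoft’s logic: per-IP lockouts never fire against a campaign that spreads a few attempts per address across dozens of cloud-hosted sources, so the check aggregates failed logins per tenant instead. The log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class LoginEvent(NamedTuple):
    ts: str        # ISO-8601 timestamp, kept as text
    tenant: str    # targeted organisation (its mail domain)
    user: str      # username as the client sent it, lower-cased
    src_ip: str
    ok: bool

def parse_line(line: str) -> LoginEvent:
    """Parse one constructed 'ts tenant user src_ip RESULT' line."""
    ts, tenant, user, ip, result = line.split()
    return LoginEvent(ts, tenant, user.lower(), ip, result == "SUCCESS")

def summarise_failures(events: List[LoginEvent]) -> Dict[str, dict]:
    """Per tenant: failed attempts per source IP and the set of usernames tried."""
    per_tenant: Dict[str, dict] = defaultdict(
        lambda: {"ips": defaultdict(int), "users": set()})
    for e in events:
        if not e.ok:
            per_tenant[e.tenant]["ips"][e.src_ip] += 1
            per_tenant[e.tenant]["users"].add(e.user)
    return per_tenant

def flag_low_and_slow(events: List[LoginEvent], min_ips: int = 5,
                      max_per_ip: int = 3, max_users: int = 10
                      ) -> List[Tuple[str, int, int, int]]:
    """Flag a tenant when many distinct sources each make only a few failed
    attempts against a small set of usernames: no single address trips a
    lockout, but the aggregate is clearly coordinated.
    Returns (tenant, distinct_ips, distinct_usernames, failed_attempts)."""
    alerts = []
    for tenant, s in summarise_failures(events).items():
        if (len(s["ips"]) >= min_ips and max(s["ips"].values()) <= max_per_ip
                and len(s["users"]) <= max_users):
            alerts.append((tenant, len(s["ips"]), len(s["users"]),
                           sum(s["ips"].values())))
    return sorted(alerts)

def successes_from_flagged_sources(events: List[LoginEvent], alerts) -> List[Tuple[str, str, str]]:
    """Follow-up check: a success from an address that took part in a flagged
    campaign is the event to treat as a probable account compromise."""
    flagged = {a[0] for a in alerts}
    failing = {(e.tenant, e.src_ip) for e in events if not e.ok}
    return sorted({(e.tenant, e.user, e.src_ip) for e in events
                   if e.ok and e.tenant in flagged and (e.tenant, e.src_ip) in failing})

def analyse(log_text: str):
    """Run both checks over a text log; returns (alerts, suspicious successes)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = flag_low_and_slow(events)
    return alerts, successes_from_flagged_sources(events, alerts)

# Constructed sample: nine failures against example.com from eight addresses
# (documentation ranges), at most two per address, cycling through variants of
# two employees' names, then one success from a participating address.
# other.example sees a classic single-source brute force, which a per-IP rule
# catches and this check deliberately leaves alone.
SAMPLE_LOG = """\
2017-07-20T01:02:03Z example.com J.Doe 203.0.113.10 FAIL
2017-07-20T01:09:11Z example.com jdoe 203.0.113.10 FAIL
2017-07-20T01:40:00Z example.com doej 198.51.100.7 FAIL
2017-07-20T02:15:42Z example.com john.doe 198.51.100.8 FAIL
2017-07-20T03:03:03Z example.com j.doe 192.0.2.44 FAIL
2017-07-20T04:01:00Z example.com jdoe 192.0.2.45 FAIL
2017-07-20T05:20:00Z example.com doej 203.0.113.99 FAIL
2017-07-20T06:00:00Z example.com a.roe 198.51.100.20 FAIL
2017-07-20T07:30:00Z example.com aroe 192.0.2.9 FAIL
2017-07-20T08:00:00Z example.com j.doe 203.0.113.10 SUCCESS
2017-07-20T01:00:00Z other.example bob 10.0.0.5 FAIL
2017-07-20T01:00:01Z other.example bob 10.0.0.5 FAIL
2017-07-20T01:00:02Z other.example bob 10.0.0.5 FAIL
2017-07-20T01:00:03Z other.example bob 10.0.0.5 FAIL
2017-07-20T01:00:04Z other.example bob 10.0.0.5 FAIL
2017-07-20T01:00:05Z other.example bob 10.0.0.5 FAIL
"""

if __name__ == "__main__":
    alerts, hits = analyse(SAMPLE_LOG)
    print(alerts)   # [('example.com', 8, 6, 9)]
    print(hits)     # [('example.com', 'j.doe', '203.0.113.10')]
```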


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/microsoft-office-365-users-targeted-in-brute-force-attacks-/d/d-id/1329413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

BEC Attacks Far More Lucrative than Ransomware over Past 3 Years

BEC fraud netted cyberthieves five times more profit than ransomware over a three-year period, according to Cisco’s midyear report released today.

Despite all the recent attention paid to ransomware, cybercriminals walked away with $5.3 billion from business email compromise (BEC) attacks compared with $1 billion for ransomware over a three-year stretch, according to Cisco’s 2017 Midyear Cybersecurity Report released today. 

Cybercriminals are increasingly taking a practical approach to their pilfering, going for the fastest method by which they can steal a buck, or in this case, billions, says Steve Martino, Cisco’s chief information security officer. “What we are looking at is the continual commercialization of cyberattacks,” Martino says, pointing out that is a major theme in the report.

Ransomware exploits take time to develop before any financial gain is realized for cyberthieves, compared to crafting a phishing attack or blasting out spam of which 8% is found to be malicious, notes Martino. BEC attacks are less time-consuming to wage.

In addition, ransomware Bitcoin fees are often lower-dollar figures.

Spam volume peaked towards the end of the year and has since tapered off a bit this year, the report found.

Exploit kits have sharply declined, according to the report. In the February to March period last year, 5,799 exploit kits were blocked; by May, that figure had plummeted to under 1,000 exploit kits blocked.

 [Source: Cisco 2017 Midyear Cybersecurity Report]

 

Malware Evolution

Cisco found that in the first half of this year, attackers altered their methods of delivering, hiding, and evading their malicious packages and techniques.

Fileless malware is popping up, which lives in memory and deletes itself once a device restarts, according to the report. As a result, it makes detection and the ability to investigate it more difficult.

Additionally, attackers are also making use of anonymized and decentralized infrastructures, such as Tor proxy services, to hide command and control activities.

Meanwhile, three families of spyware ran rampant, with Hola, RelevantKnowledge, and DNSChanger/DNS Unlocker affecting more than 20% of the 300 companies in the sample for the report.

Ironically, however, many companies and organizations underestimate or virtually dismiss spyware. “Spyware is being disguised as adware and adware, unlike spyware, does not create damages for a company,” says Franc Artes, Cisco’s Security Business Group architect. He adds that attackers are injecting spyware and other forms of malware into adware, since adware is a low priority for security teams.

Schooling Users on BEC, Ransomware

Cisco’s Martino says targeted cybersecurity education for employees can help prevent users from falling for BEC and ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so that when a bogus email purporting to come from the CEO asks for a funds transfer, it can be detected, Martino says.

“I believe in educating the right people on the matters that mean the most to them. I don’t believe in sitting everyone down for 45 minutes to run through the same cybersecurity awareness training,” Martino says.

Regular software patching also is crucial. When spam-laden malware hits or ransomware attacks similar to WannaCry surface, the impact can be minimized. “People focus on new technology, but forget about patching and maintaining the infrastructure,” Martino observed.

He also recommends a balanced defensive and offensive posture: not just firewalls and antivirus, but also measures to hunt down possible attacks through data collection and analysis.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/vulnerabilities---threats/bec-attacks-far-more-lucrative-than-ransomware-over-past-3-years/d/d-id/1329414?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Major Online Criminal Marketplaces AlphaBay and Hansa Shut Down

International law enforcement operations result in AlphaBay, the largest online marketplace for selling illegal goods from malware to heroin, and Hansa going dark.

In a one-two punch, international law enforcement authorities shut down AlphaBay and Hansa Market, which both sold illegal goods online including stolen identification documents, malware, counterfeit goods, computer hacking tools, firearms, toxic chemicals, fentanyl, and heroin, US and European law enforcement agencies announced today.

AlphaBay, the largest online marketplace for illegal goods on the Darknet, was shut down by a coordinated effort of international law enforcement agencies led by the US. The FBI and US Drug Enforcement Agency (DEA) seized AlphaBay’s infrastructure earlier this month, following the arrest of AlphaBay’s alleged mastermind.

Thai authorities arrested 25-year-old Canadian national Alexandre Cazes, who also goes by the alias Alpha02 and Admin, on July 5. But Cazes, who was living in Thailand at the time of his arrest, committed suicide while in Thai custody on July 12.

Prior to AlphaBay’s shutdown, one of its staff members had posted to the site that it had 40,000 vendors and more than 200,000 users. And when the site was shutting down, it had over 250,000 listings for illegal drugs and toxic chemicals, as well as more than 100,000 listings for stolen ID documents, counterfeit goods, firearms, fraudulent services, malware, and computer hacking tools, according to the DOJ.

Federal authorities on Wednesday filed a civil complaint against the late Cazes and his wife, seeking forfeiture of the couple’s assets located across the globe, including Cyprus, Liechtenstein, Antigua, Barbuda, and Thailand. The assets range from luxury vehicles to homes, as well as a hotel in Thailand. The FBI and Drug Enforcement Administration previously seized millions of dollars in cryptocurrency that Cazes allegedly possessed.

Prior to his death, Cazes faced a federal criminal indictment that was handed down in June, charging him with one count each of conspiracy to engage in racketeering and conspiracy to distribute narcotics, six counts of distribution of narcotics, one count of conspiracy to commit identity theft, four counts of unlawful transfer of false identification documents, one count of conspiracy to commit access device fraud, one count of trafficking in device making equipment, and one count of money laundering conspiracy, according to the DOJ.

“This is likely one of the most important criminal investigations of the year – taking down the largest Darknet marketplace in history,” according to a statement by Attorney General Jeff Sessions. “The Darknet is not a place to hide. The Department will continue to find, arrest, prosecute, convict, and incarcerate criminals, drug traffickers and their enablers wherever they are.”

AlphaBay relied on the Tor anonymization network as well as cryptocurrencies including Bitcoin, Monero, and Ethereum, to mask the operation’s infrastructure, administrators, operators, and users, according to the DOJ announcement. The FBI has identified an AlphaBay employee living in the US.

The investigation into AlphaBay’s operations is still ongoing, according to the DOJ.

Meanwhile, the Dutch National Police shut down the Hansa Marketplace on June 20, after receiving a lead from Europol’s European Cybercrime Centre (EC3) last year, according to a statement today by Europol. The European law enforcement agency noted that Dutch police arrested two of its administrators in Germany and seized its servers in the Netherlands, Germany and Lithuania.

After the Hansa Market seizure, Dutch police continued to operate it covertly to glean information on criminal activity on the platform before formally shutting it down today. It collected information on “high-value” targets and passed the information on 10,000 foreign addresses of Hansa Market buyers to Europol, the European agency stated.

“The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries. By acting together on a global basis, the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the Dark Web. There are more of these operations to come,” says Rob Wainwright, executive director of Europol, in a statement.

Kyle Wilhoit, senior security researcher with DomainTools, says he is not surprised about AlphaBay’s demise given its APIs were compromised and 210,000 private messages leaked on two separate occasions.

“When you are conducting business with criminals, you must expect to some degree that your business is on shaky footing anyway, so this isn’t terribly surprising to me,” Wilhoit says.

Andrei Barysevich, director of advanced collections for Recorded Future, says he expects the level of cybercrime to go down in the short term.

However, he added, “Despite the recent news, we don’t expect criminals to abandon dark Web marketplaces, as the business opportunity exposure to hundreds of thousands of buyers is too lucrative and as we have seen before, eventually new market leaders will arise, filling the void.”


Article source: https://www.darkreading.com/threat-intelligence/major-online-criminal-marketplaces-alphabay-and-hansa-shut-down/d/d-id/1329415?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple