DI, Author at Defence Intelligence Blog

Scammers Hijack 15,000 Twitter Accounts for Crypto Fraud

Cryptocurrency scammers are getting more creative to convince potential victims to part with their money. Recently, the security community was shocked when a team of researchers discovered the existence of a sophisticated botnet on Twitter which was used as a comprehensive tool for spreading a cryptocurrency scam.

The botnet was discovered by a team of researchers from security firm Duo Security. The team was doing research on how to identify Twitter account automation and was reviewing the tweets of around 88 million accounts in an effort to study how bots operate.

The researchers used machine learning and other data science techniques to analyze close to half a billion tweets to uncover the structure of botnets. As a result, they discovered the botnet, comprised of more than 15,000 bots.

What is a Twitter bot?

Most people might not exactly know what a Twitter bot is, but virtually anyone who maintains an account with the popular social media platform has likely interacted with one. Simply put, a Twitter bot is just software designed to do a specific task. This automated software is a tool for easier management of social media accounts and is especially useful for large organizations.

Malicious use of such bots has been highlighted by recent media reports. For instance, Russian Twitter bots were used in trying to influence US election results. Bots are also sometimes used to spread false information, rig online surveys, and even inflate social media metrics.

Not All Bots are Dangerous

Conversely, there are a host of legitimate uses for automating Twitter accounts; companies often use them to manage their social media accounts. Some legitimate bots automate the handling of customer responses, others are used schedule the release of online content. Benign twitter bots can do everything from answering frequently asked questions to providing flight information.

The Cryptocurrency Scam Botnet

The botnet involved in the cryptocurrency scam discovered by the Duo Security researchers is significant in scale. According to the firm’s report, the botnet is composed of more than 15,000 fake accounts managed by bots.

To maintain a veneer of credibility, the scam created spoofed versions of legitimate cryptocurrency-affiliated Twitter accounts. These spoofed or fake accounts would mimic the originals by copying the profile pictures and imitating the names of the legitimate accounts.

These fake crypto-related accounts will then post a reply to a tweet sent out by the legitimate Twitter accounts. The reply would contain a link of a cryptocurrency giveaway and victims are fooled into clicking the link, thinking that it was shared by the legitimate Twitter account.

The scam botnet was able to avoid automated detection for so long by employing increasingly sophisticated techniques. For instance, the bots would use Unicode characters in tweets instead of traditional ASCII characters, add spaces between words and punctuations to introduce some variance to the tweets, and edit their profile pics to modify them slightly from the original account’s pictures.

Fake Twitter Accounts Involved in Crypto Scams on The Rise

Fake Twitter accounts promoting various types of crypto scams have been plaguing the platform for months now. Scammers have been impersonating famous personalities such as Elon Musk, Warren Buffet, and even Ethereum co-founder Vitalik Buterin, using their names to ask for a small amount of crypto while promising substantial future returns.

Even Britain’s Financial Conduct Authority (FCA) recently issued a warning that crypto scammers using social media platforms such as Twitter are on the rise. According to the FCA, these scammers are now trying to entice victims by using fake celebrity endorsements to sweeten the deal. Clicking on the links contained in these endorsements will redirect potential victims to a professional-looking site offering various crypto-related products.

Faced with increasingly sophisticated cybercriminals, it pays to be vigilant; especially in making online transactions. Always check if the Twitter account used has been verified and check for how long it has been in use. Avoid links when possible, navigate to the company web page yourself. In addition, always be wary if the promotion seems unrealistic. If the deal sounds too good to be true, then it probably is.

Cryptojacking: A Guide to the Latest Threat in Town

If you think you’ve been consuming web content for free without signing up for a subscription or by disabling ads, you could be in for a big surprise. As it turns out, some websites make you pay for your use whether you’re agreeable to it, or even aware of it. How exactly? By employing cryptojacking, the latest malware fad to hit unsuspecting victims everywhere. Cryptojacking is defined as the unauthorized use of computing resources for the purpose of mining cryptocurrency.

cryptojacking

Why cryptojacking is on the rise

Bitcoin, currently the most widely-circulated of these digital currencies, reached a record high value of more than $19,000 (per coin) last December 2017. It has been on the decline since then, presently valued at roughly $6,000.00.

These prices are nothing to scoff at, especially since malicious actors can get away with mining cryptocurrencies for free. Despite heavy fluctuations in value, the cryptocurrency market isn’t going away any time soon.

It’s therefore no surprise that cryptocurrency mining scripts have been making the rounds across thousands of websites. As an illicit means of generating revenue, cybercriminals have found cryptojacking to be a worthy alternative to ransomware because it’s easier to deploy, requires no interaction with the victims, and can remain undetected for a long time.

How cryptojacking works

There is no central bank that mints these virtual currencies like your regular banknotes and coins. Instead, cryptocurrencies are generated or mined when a computer solves complex math puzzles, adding to the constantly growing “blockchain,” essentially infinite bits of decentralized information. The hardware that contributed to the transaction gets a sort of miner’s fee in the form of that block’s coin.

While a detailed explanation of blockchain technology and cryptomining merits a separate article altogether, suffice it to say that mining for cryptocurrency can be a very profitable endeavor. To have a computer perform cryptomining in secret, hackers deploy one of two ways: by loading cryptomining code onto the victim’s computer, or by injecting a mining script on a website or an ad that circulates in numerous websites.

In the first method, the hacker relies on phishing techniques to load the code into a target computer. The owner receives a legitimate appearing email and is encouraged to click the link to initiate or complete a certain process. Instead of the expected transaction, the victim unwittingly installs a program that secretly mines digital currencies.

Using JavaScript on a website as described in the second method is commonly referred to as in-browser cryptojacking. There’s really no getting around it because as soon as you load a page, the mining code begins to run. No opt-ins are required, and no installations are needed.

While websites most often deploy in-browser cryptojacking to earn the money they can’t generate with just online advertising, hackers usually make use of both methods to maximize their earning potential.

Should you be worried about?

It’s worth noting that unlike other security threats, cryptojacking doesn’t cause any obvious and immediate damage to the host computer or to the data stored therein. Once cryptojacking scripts get to work however, they do affect the computer’s performance adversely by hijacking processing power.

Over time, the constant and intense mining can eventually take its toll on the victim’s device, not to mention driving up one’s electricity bill. According to a widely-cited website that tracks relevant cryptocurrency developments, the electricity used in a single Bitcoin transaction could power about 30 US households for a day. Other examples liken it to energy that could boil 36,000 water-filled kettles. Note that these comparisons are solely for Bitcoin transactions which are known to demand the most high-powered computing resources.

Falling victim to cryptojacking schemes is something that should be cause for concern. The degree to how much this affects the victim however, depends on the amount of processing power one actually contributes. For the average computer user, having a slower computer and a slightly higher electric bill, could be no more than a minor annoyance or even considered a fair trade for being able to access free content.

For an organization with numerous devices connected to their network, the collective illegal usage of company devices could add up to a significant amount of resource and power costs. The lowered productivity for employees who are bogged down by poorly-performing computers, and the added manpower costs for IT personnel who need to track down and troubleshoot the performance issues should also be considered. Of course, the primary concern is the unauthorized usage of your property and the potential for more malicious malware being installed.

If you’d like to learn about how our DNS Security Solutions can help identify and prevent cryptojacking, visit us at http://www.defintel.com

An Introduction to Rootkits

Rootkits are among the most dangerous tools in a malware developer’s toolbox. They can be easily added to malware in order to gain unauthorized, privileged access to a system as well as achieve stealth and persistence. While not all rootkits are used for malicious purposes, we’ll focus on those that are.

Origin of the term ‘rootkit’

The term rootkit can be broken down into two parts. The ‘root’ part can be traced to its origins in UNIX and UNIX-based operating systems. In these environments, the root refers to an account with administrative privileges. Anyone who has root-level access can do pretty much anything on the system.
Because the ability to have unrestricted privileges can be dangerous in the hands of a bad actor, or even a beginner, most modern-day UNIX-based operating systems like MacOS, Red Hat, and Ubuntu disable the root account by default and just issue regular user accounts. A regular user account will have a minimal amount of privileges.

As for the ‘kit’ in rootkit, it’s an abbreviation of the word ‘toolkit’. This particular toolkit, which is used by malware developers, typically consists of programs, scripts, and other pieces of code. So, a rootkit is a malicious toolkit used to gain privileged access and establish stealth and persistence.

Although the term rootkit has UNIX origins, it’s now commonly used in the Windows world. In fact, a large majority of the rootkits currently in circulation are Windows based.

How a rootkit works

In most cases, the rootkit itself doesn’t do any damage. Rather, its main function is to keep the malware (which is the one that does the damage) from being detected. It’s able to do this by hiding characteristics normally generated by programs when they’re installed or running on a system.

As soon as malware establishes residence on a system, its existence can often be given away by several indicators, such as:

The presence of accompanying files
The generation of certain processes (which, in Windows, can be seen in the Task Manager)
The creation of certain registry keys
CPU or disk space utilization
And many others

Most security tools designed to detect malware, like say an antivirus, will monitor the system for any irregularities involving these indicators. The job of the rootkit is to tamper with the parts of the system that show these indicators so that the malware will appear invisible. For example, the rootkit may hide the malware’s files, its processes, or even its registry keys (in the case of Windows-based rootkits).

Types of Rootkits

In the Windows environment, rootkits are often classified into two types:

User mode rootkits – These are rootkits operating in user space a.k.a. Ring 3, which is also where applications run.

Kernel mode rootkits – These are rootkits operating in kernel space a.k.a. Ring 0. Generally speaking, these types of rootkits are the more dangerous (and more difficult to develop), as they are able to acquire the highest level of privileges in the OS.

Common Actions

Rootkits employ several cloaking techniques. But one particular technique used by user mode rootkits to hide malicious software is IAT hooking. The IAT or Import Address Table is a table where applications look up the addresses of pertinent functions found in DLLs (Dynamic-Link Libraries).

A rootkit would typically alter (or ‘hook’) certain addresses so that those addresses would then point to the malware’s malicious code. So, when an application calls a hooked function, what would instead be executed would be the malicious code. Now, if that application were a virus scanner and the hooked function was supposed to support the malware detection process, the result of that scan would understandably be tainted. It would, for instance, omit the malware from the results.

Kernel mode rootkits also employ a similar API hooking technique. In this case, the API hooking technique is targeted at another lookup table known as the System Service Dispatch Table or SSDT. The SSDT runs in the kernel memory, where it stores addresses that point to system call functions.

Similar to what a user mode rootkit would do with an IAT, a kernel mode rootkit would tamper with the SSDT so that system calls would be diverted to the malware’s code. Again, if the original system call had something to do with malware detection, this SSDT hooking technique would remove the malware from the results.

Threat Level

Because rootkits are exceptionally good at hiding malware, they’re a serious threat to any system. Once they get installed, it can be very difficult to detect and, in turn, remove them. Some experts even suggest a total re installation of the operating system.

As with most things, the best way to counter rootkits is through prevention rather than detection and remediation. Rootkits are most commonly installed via social engineering techniques or through malware droppers, so defensive countermeasures should be aimed at these particular threat vectors.

What are Webinjects?

Webinjects have now taken the place of keyloggers and form grabbers in the financial malware arena as the primary means of stealing login credentials and other personal information through a web browser. Some webinjects are even capable of performing tasks that traditional malware modules can’t do, like carrying out automated fraudulent transactions.

In this post, we help you understand what webinjects are, explain their underlying mechanisms, and look into the different ways cybercriminals use them.

How Webinjects Work

Webinjects are modules or packages used in financial malware that typically inject HTML or JavaScript code into content before it’s rendered on a web browser. As a result, webinjects can alter what the user sees on his/her browser, as opposed to what’s actually sent by the server. For example, it can add or remove text, labels, text fields, and other GUI elements.

Figure 1 below shows a simplified illustration of a webinject inserting an additional field to a form sent by an online bank’s server. The purpose of those extra fields (presumably accompanied by supporting labels and instructions) is to dupe the user into entering certain confidential information (e.g. login credentials, credit card numbers, CVVs, PINs, tokens, etc.) even if that information was not being requested by the online bank in the original form.

Figure 1 – A webinject inserting an additional field

Webinjects can remove web page elements as well. One purpose of doing so is to prevent the user from seeing security alerts/warnings that might hamper the malware’s fraudulent activities.

Figure 2 – A webinject removing a warning

Because the extra fields appear in the course of a legitimate transaction after presumably a secure login, the unwitting victim wouldn’t suspect anything amiss and would promptly enter the requested information. Once the attackers get a hold of that information, they can then use the information to perform unauthorized logins and carry out fraudulent transactions.

Can’t we prevent these malicious content alterations by using HTTPS, i.e. so that data can be encrypted by SSL or TLS? Unfortunately not. While HTTPS does encrypt data from the online bank’s web server to the user’s computer, many of these webinjects (like those used by SpyEye and its derivatives, for example) operate between the HTTPS API functions and the browser’s rendering engine. At that point, the data would have already been decrypted and thus be vulnerable to tampering.

When HTTPS is used, the unaltered HTML and CSS source code (which dictate the appearance of the webpage) is transmitted from the web server to the user’s computer in encrypted form. Of course, that code has to be decrypted eventually. Otherwise, the browser rendering engine wouldn’t be able to parse the code, process the layout, paint the tree, and then ultimately display the text, buttons, fields, etc. for the user to see and interact with.

The decryption process takes place when the code reaches the network APIs (in the case of Windows, that would be in the Wininet.dll library). In other words, the code is decrypted before it’s forwarded to the browser’s rendering engine. This is where the attack is carried out and the webinject is called into play. Because the attack essentially happens in the browser, it’s usually considered as a Man-In-The-Browser (MITB) attack.

A man-in-the-browser attack is usually carried out by hooking the API functions responsible for sending and receiving the HTTP or HTTPS data. API hooking is basically a technique that enables a piece of software (in this case, the malware) to intercept function calls or messages exchanged between two other pieces of software and make unauthorized changes. In this case, the changes are able to alter the web content.

There are a number of ways to hook an API but the popular methods include inline hooking, IAT (Import Address Table) hooking, and export address table (EAT) hooking, to mention a few.

Configuration files

Most banking trojans target multiple financial institutions. Because the web pages and the corresponding content of these different institutions naturally vary from one another, the webinjects are designed so that they can easily adapt to whichever URL the user has visited (provided of course that URL is included in the target list). This is done with the help of a configuration file.

A webinject configuration file contains instructions that support the injection process, e.g. the target URL, what to inject, where (on the webpage) to inject, etc. In most cases, the malware polls it’s C&C (command and control) server and obtains its configuration file from there.

Having the malware retrieve its configuration file from a remote C&C provides a convenient way for the malware operators to update the details in the file if needed. This can come in handy if any of the target institutions decide to change the URLs or the web page content associated with those URLs.

A configuration file consists of configuration blocks, with each block consisting of a set of parameters specifying a target URL, the corresponding modifications to be made for that URL, and a couple of other instructions.

For example, if you happen to view the configuration files of Zeus and SpyEye, you’ll find that each block consists of the following parameters:

set_url – This is where the target URL is specified. In most cases, the ‘URL’ is written in the form of a regular expression in order to target a set of URLs that match a certain pattern. These URLs are accompanied by letters like G, P, and L that tell the malware what to do when the browser lands on that particular URL.

For example, G instructs the malware to act on all GET requests, P tells it to act on POST requests, and L instructs it to log certain data.

data_before – Defines existing content on that URL that, after injection, should be displayed right before the injected content.

data_after – Defines existing content on that URL that, after injection, should be displayed right after the injected content.

data_inject – This is where the content to be injected is specified, typically in the form of HTML or JavaScript code, and is basically the web inject itself. The main code can be either written inline or referenced as an external script.

Other Criminal Applications of Webinjects

Their ability to hijack a legitimate transaction on a trusted site (e.g. the user’s online bank) and then display content to dupe users into submitting confidential information or responding to some kind of call-to-action makes webinjects suitable for other criminal activities.

Attacking Facebook users

A couple of years ago, the Qadars banking trojan used webinjects to force an infected system’s browser to display deceptive content when the user was on Facebook. The content was designed to trick the victim into entering his/her phone number, performing a series of actions, and then ultimately downloading Android malware known as iBanking.

Corporate espionage

There have also been reports in the past of browsers getting infected with Zeus (a popular banking trojan) and then displaying pop-ups that asked for the user’s employer and phone number.

It was suspected that the Zeus operators may have combined this information with the user’s passwords (which the operators may have acquired through a separate form also displayed via webinjects) to gain access to that user’s corporate network.

Once attackers are able to gain initial access to a corporate network, they could apply privilege escalation techniques to gain a better foothold into the infrastructure and conduct corporate espionage. But how could attackers infiltrate a corporate network using information gained from a user’s banking transactions? Easy. By taking advantage of poor security practices.

Unless they belong to an organization that implements a strict password policy, a lot of end users tend to recycle passwords. Not only do they use the same passwords for all their corporate business applications, they also use those same passwords in their personal activities – including banking transactions. As you can see, malware operators can use webinjects to steal not only money but also intellectual property.

Webinject kits on the market

You’ve heard of exploit kits, right? Those bundles of exploits sold to malware operators in the dark corners of the Internet. Well, there are also webinject kits. Mainly consisting of webinject configuration files, webinject kits are specifically marketed to banking trojan operators. Some kits are simply designed to steal confidential data, while the more advanced kits are equipped with ATS (automatic transfer system), mechanisms for bypassing 2-factor authentication, and even mobile device components.

The presence of these webinject kits is now making it much easier for cybercriminals to launch their own banking trojan campaigns.

Do you have the capability to detect these types of malware before their operators defraud your employees or, worse, penetrate your network?

ExpensiveWall Affects Millions

ExpensiveWall Affects Millions Google has been battling malicious apps throughout the year, most recently malware was packed in an app called “Lovely Wallpaper”. This new strain of malware was titled “ExpensiveWall”, and hid in the wallpaper application while stealthily racking up premium SMS fees. It further propagates by sending out text messages on your behalf, inviting others to download the same compromised app.

The malware was compressed and encrypted within an SDK used by roughly 50 different apps without being detected by Google. It is still undetermined how much money was actually generated from this SMS scam.

How it Works

ExpensiveWall uses JavaScript along with the enhanced permissions on the infected device to orchestrate the attack. It creates an interactive interface between the app downloaded and a web interface called WebView. This action allows the malware to run in-app controls through this WebView interface including but not limited to sending SMS messages and registering the user devices to premium paid services without notice. The only way for this malware to work is if the user allows full SMS control and communication to its command and control server. This communication will send data about the infected device including IP address, MAC address and Geolocation data.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe. This app is clear cut proof to that effect. Below are some things that should throw up red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Accessing GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.

More Mac Malware Thus Far in 2017 Than Any Other Year

With more than 4 months to go before the year ends, this year has already seen more Mac specific malware than any other. Is this finally the end of Mac OS’s reputation as relatively virus-free?

Obviously, Macs have never been totally virus-free. Compared to Windows malware however, the amount of Mac targeted malware has always been minimal. This has largely been due to the substantially smaller market share of Mac OS X. With far fewer users to target compared to Windows, malware creators didn’t have enough incentive to develop as many viruses for Apple’s personal computing platform.

Interestingly, this year has been quite different in regards to Mac malware activity. According to Malwarebytes, not only was there a 230% year-on-year increase in Mac malware last July, the first half of 2017 has already seen more Mac malware than all of 2016 or indeed, any other year. While we’re accustomed to seeing more malware year after year, Mac focused malware is a bit different.

Could the significant uptick in Mac malware due to a corresponding increase in user base? Not really. In fact, OS X market share hasn’t changed significantly since last year.

Malware in the App Store

What makes this surge even more alarming is that a significant amount of malware has managed to invade even the App Store. Apple is known to be very thorough in screening the applications that make it to the Mac App Store.

They review each app for objectionable content, acceptability, app completeness, hardware compatibility, intellectual property, spam, ability to inflict harm, and a host of other criteria. Apple has even been quick to pull apps from the store if they’re later found to be problematic.

Apple touts the App Store as the safest place to download apps and many users believe that to be wholly accurate. This false sense of security leaves them more vulnerable to attacks as they are perhaps not as vigilant or discerning as they might be on another platform.

Proton RAT leads off 2017 surge

One of the biggest threats to emerge this year was a RAT (Remote Access Trojan) known as OSX.Proton.B or simply Proton. Being a RAT, Proton takes the form of a legitimate application accompanied by a back door that provides administrative control to a victim’s system.

During one campaign, Proton handlers were able to modify Handbrake, an app built to convert video files. Proton’s handlers infiltrated one of Handbrake’s download mirrors, enabling them to replace the app’s DMG file with a modified version infected with Proton code.

Once the compromised application is installed onto a victim’s device, the Proton RAT kicks in. Proton can carry out several malicious acts, including: recording keystrokes, stealing passwords, controlling the webcam, allowing remote access, and gaining access to the user’s iCloud account.

Proton can be installed surreptitiously because the malware uses genuine Apple code-signing signatures. This allows it to bypass Apple’s Gatekeeper, an OS X feature that blocks apps if they aren’t digitally signed using a valid Apple Developer ID.

Proton’s existence was uncovered when researchers from cyber security firm Sixgill chanced upon a post on a notorious Russian cybercrime message board. The post introduced Proton as the “Newest and only macOS RAT in the market.” Originally priced at approximately 100 BTC (bitcoin), which was equivalent to about $100,000 at the time, Proton was out of reach for most.

Findzip Ransomware

Another piece of Mac malware that emerged this year is Findzip. Ransomware has been gaining a lot of notoriety lately, so people in the Mac community were rightly alarmed upon learning that one of the the biggest malware threats in the world today is now right on their doorstep.

Findzip is usually disguised as a crack for either Adobe Premier Pro or Microsoft Office. Being a crack, it doesn’t go through the normal Mac application installation process. People who use cracks typically employ workarounds to bypass Apple’s security measures meant to prevent the installation of malicious programs. Of course, the use of these workarounds plays right into the hands of Findzip’s operators.

Unlike Proton, Findzip isn’t digitally signed using an Apple-issued certificate. As such, it will be considered as coming from an unidentified developer, marked with a ‘quarantine’ flag, and ultimately denied installation. Well and good, but that doesn’t stop Findzip from getting through.

Normally, apps that aren’t downloaded from the App Store, are downloaded through a Web browser. Some popular web browsers are designed to identify the quarantine flag as well as invalid signatures- so if a user attempts to open such a DMG file, the system will prevent the file from being opened.

Alas, people who want to install cracked applications and other pirated software don’t go down that route. Instead, they download files through alternative means, usually torrents. Torrent clients don’t set the quarantine flag when they download a file. Thus, when the user opens the DMG file, the system won’t be able to do anything about it.

It’s comforting to note however that 1) Findzip will not be able to affect users who download apps through legitimate means and 2) it’s now easy to find tools or methods for decrypting files encrypted by Findzip. In fact, if you google for ‘findzip ransomware’, the first search results actually point to removal/remediation solutions, and not just information about the malware itself.

Flashback to Flashback?

The last time there was a surge of Mac malware activity of this magnitude was in 2011-1012, when the Flashback Trojan struck. Flashback was said to have infected about 600,000 Macs then. That number amounted to more than 1% of the total number of Macs at that time.

Taken individually, none of the Mac malware detected this year appear to have infected as many devices as Flashback. The Flashback outbreak remains the largest Mac-based malware outbreak in history, but 2017 shows a disturbing trend that all Mac users should pay close attention to.

A Closer Look at Spyware Apps Distributed by Google

Phone apps and SDK’s

Software Developer kits (SDKs) are used to help developers quickly code their apps with advertising in mind. This way, they can receive advertising payments from their apps. Until recently, Google didn’t allow any changes to SDKs once they were checked into the play store. Enter Chinese SDK creator Lgexin.

Sneaky Lgexin SDK

Lgexin is responsible for more than 500 android apps in the Google Play store being corrupted. Previously they were not able to alter their SDK once it went to market, due to Google’s strict guidelines around SDK implementation. Their workaround for this was to get approval from the dev owner in order to make some small updates to the SDK package and re-submit it into the Google Play store. These small changes were masked and encrypted to try and hide the phone call tracing functionality that was being inserted.

What is the threat?

Lgexin could do whatever they like with the call data they would receive from users of their SDK applications. This call data could be sold to other companies for telemetry purposes or even to the government for global call tracking. Some of the apps include weather apps, teen related games, photo editors, radio and even some fitness apps. With over 100 million downloads of just one of these apps, Lgexin put a lot of people’s privacy and data at risk.

One of the most downloaded apps was called “Lucky Cash- Earn Free Money”, which would prompt the user with a fake google prompt to allow full access to the phone’s call functionality. Millions of users could have unknowingly granted this access. The plugin is called a “phonestatelistener” and can capture the time of the call, the state of the call and the calling number. The data is then sent encrypted to Lgexin’s API for purposes which remain unknown.

What can I do?

From a user perspective, whenever downloading an app from the app store, you should be prompted with any and all permissions that the application will need from your phone in order to operate. This is where common sense needs to come in. First, do you even need or want the app? Do the permissions requested seem reasonable for the app? i.e. does this calculator app really need access to your contact list or pictures? Once you download an app, you shouldn’t be prompted by the play store via pop up for additional permissions. Lastly, be sure to review your apps on occasion and uninstall any that you are no longer using.

Even following the suggestions above is no guarantee. Lgexin has put trusted downloads in a new light and serves as a reminder that you can no longer trust an app based primarily on the number of downloads it has.

How Trojans Withdraw Money From Your Account

How Trojans Withdraw Money From Your Account Gone are the days when malware were simply irritants that caused minor disruptions. Today, most of them are serious threats that can cause considerable financial loss. One class of malware can even steal money straight from your bank account. Known as banking trojans, these types of malware can empty your account once they’ve infected your system.

How banking trojans steal money

Banking trojans infect systems through the same methods used by most malware, including exploit kits, social engineering, phishing emails, droppers, and so on. We’ve already discussed these in many of our previous blog posts, so let’s skip infection methods for now. Instead, let’s focus on how banking trojans actually steal money from your bank account.

Generally speaking, there are two ways these types of malware can steal money from your bank account:

1. By stealing login credentials to your bank account, or
2. By diverting your funds during a legitimate transaction

Stealing login credentials to your bank account

In this method, the trojan acquires your account’s login credentials and then sends those credentials to the malware operators. Once the operators get ahold of your credentials, they can then use them to take over your account and transfer your funds to either their own accounts or to money mule accounts.

Money mules are accomplices who simply open bank accounts for receiving the stolen money before it’s ultimately transferred to the account of the malware operators themselves. Some of these money mules don’t even know they’re doing something illegal. All they know is that they’ve been hired (often through work-at-home schemes) to facilitate in the transfer of funds. Because a single heist can involve several money mules, it is difficult for authorities to trace the main perpetrators.

But how are these bank trojans able to acquire your credentials in the first place? In most cases, they use any or all of these techniques: keylogging, form grabbing, screen capture, video capture, or man-in-the-browser.

Keylogging

Keylogging is probably the oldest trick in the bank trojan’s book. It involves recording user key strokes and then transmitting them to the malware operators. Keyloggers, however, have two major problems: 1) they don’t work with virtual keyboards, auto-fill features, and copy-paste actions, and 2) they normally collect a large number of irrelevant keystrokes.

Cyber criminals are only interested in login credentials and other information that can help them steal from the user’s bank account. Because keyloggers don’t choose which keystrokes to record, malware operators usually have to spend considerable effort parsing the data they receive to find exactly what they want.

Form grabbing

Unlike keyloggers, which grab credentials as they’re being entered into a web form, form grabbers grab credentials straight from a web form before they’re transmitted to the bank’s web server. Specifically, form grabbers grab GET/POST requests. That means, they’re able to acquire credentials before the browser encrypts the data (in the case of an HTTPS session) and even if the user employs a virtual keyboard, an auto-fill tool, or a simple copy-paste.

Screen and video capture

Other trojans capture multiple screenshots or even entire videos and then send those captures to the malware operators. These techniques allow the operators to literally see actual footages of the screen when the user fills up the online bank’s web forms.

Thus, like form grabbing, screen and video captures are immune to the use of virtual keyboards, auto-fill tools, or copy-pastes. The downside of these techniques is that they typically slow down the computer’s performance or consume a significant amount of bandwidth, so they can easily raise red flags.

Man-in-the-browser

Arguably the most widely used technique for stealing credentials, the man-in-the-browser (MITB) can be found in the toolbox of almost all notorious banking trojans, including Bebloh, Carberp, Cridex, Gameover, Gozi, Silent Banker, Spyeye, and Zeus. Just like a man-in-the-middle attack, a MITB attack intercepts the interactions between a user and a legitimate entity, which, in this case, is the bank’s website.

Through a man-in-the-browser attack, the malware can not only steal credentials. It can also alter how a web page or form appears to the user. One common modification is to insert additional fields in order to request more information than is required.

The trojan can, for instance, ask the user to enter his/her PIN, credit card information (name, card number, expiration date, and CVV), cellphone number, additional authentication data, and many others. All this information can be used to gain greater control over the account. Some of this information can come in handy in case the banking site asks for more identification information along the way.

Diverting funds during a legitimate transaction

Also known as a webinject, the man-in-the-browser attack has other, more sophisticated capabilities. In addition to their basic functions like intercepting data and modifying the content of a web page, more advanced webinjects can also alter the values users enter into a web form.

Let’s say a user is in the process of transferring funds to a business partner. A webinject with Automatic Transfer System (ATS) capabilities can change the B2B transaction details and direct the transfer to a money mule account instead. It can even alter the transaction values (e.g. from $500 to $5,000).

The user won’t be able to notice any of these changes because these webinjects can also alter the content displayed to the user. So, even if $5,000 may have been deducted from the user’s account, the user will still see his current balance to be exactly what he/she expected, i.e., only $500 less.

All of this typically takes place after the user logs in, so webinjects can bypass the authentication process, thereby rendering even 2-factor authentication useless.

Stealth and persistence

Banking trojans are designed to spring into action only when certain conditions are met. For instance, when the user visits certain online banking sites or, in the case of ATS-capable trojans, when the user is about to make a transaction.

Because they need to stay undetected for long stretches of time before they can go to work, banking trojans require exceptional stealth and persistence capabilities. One of the stealth methods employed by these trojans is steganography. Steganography applications in malware take on different forms but the basic idea is to hide the malware (or crucial parts of the malware) in an image.

In the case of ZeusVM (a variant of Zeus), for example, this malware used steganography to hide its configuration files in an image of a beautiful sunset. Configuration files play a crucial role in the makeup of banking trojans, for they usually contain the domains of online banks a specific trojan is designed to attack.

Another method trojans use is obfuscation. Obfuscation enables the malware to circumvent heuristic analysis, a security countermeasure employed by antivirus solutions to detect malware whose signatures have not yet been added to their database.

Heuristic analysis involves running a suspicious program in a controlled environment (usually a virtual machine) and monitoring for malware-like behaviors like replication, establishing connection with a remote server, etc. The purpose of obfuscation is to make any binary or text in the malware difficult for the antivirus to decipher or understand.

Since most advanced anti-malware software perform heuristic analysis in virtual environments known as sandboxes, some trojans try to avoid sandboxes altogether. Basically, a trojan with sandbox evasion capabilities checks first if the environment it’s landed on is a sandbox. If there are indications the environment is indeed a sandbox, the malware doesn’t execute.

One particular banking trojan named Ursnif, for example, runs different checks to determine if it’s running in a sandbox. One of these checks involves finding out whether there are more than 50 tasks with a graphical interface on the system, a normal number in real systems. If there are less than 50, then it’s likely the system is actually a sandbox. There are many other sandbox evasion techniques but that’s for another blog post.

A threat to business

While it might initially appear only individuals can be victimized by this type of malware, several enterprises, particularly small and medium businesses, can also be affected. If a banking trojan manages to infect the system of whoever is in charge of carrying out online banking transactions, the malware will be able to initiate a corporate account takeover and facilitate fraudulent fund transfers.

Some of these fraudulent transfers might even be ACH (Automated Clearing House) transfers involving payroll payments. Once the cyber criminals have taken over the corporate account, they could, for instance, change the names in the payroll file to the names of their money mules.

Because most of these accounts aren’t reconciled on a daily basis, the fraudulent transaction can go unnoticed for days. By the time it’s discovered, the funds would have already been in the hands of the perpetrators.

To learn how to protect your corporate bank accounts from these types of threats, contact us.

How Malware Steals Credit Card Data from Your POS Systems

How Malware Steals Credit Card Data from Your POS Systems Some of the biggest data breaches involving credit card data, including those that hit Home Depot and Target, were perpetrated by POS malware – we’ll explain exactly how POS malware works.

A brief overview of the market behind POS malware

POS malware is a vital tool in the highly lucrative credit card data theft industry. At the end of the supply chain, there are people who use fake credit cards to purchase products and services. These people source these fraudulent cards from cyber gangs who produce the fake cards.

The gangs in turn source data that make up the cards from carding forums or stores (a.k.a. card malls or card shops) on the dark net or other online black markets. Sellers in these marketplaces typically offer thousands or even millions of pieces of credit card data. Lastly, the people who sell card data in those forums and stores purchase the data in bulk from hackers (yes, we know they’re supposed to be called crackers).

It’s these hackers who employ POS malware. Cyber criminals are drawn to where the money is. As long as there are people down the supply chain who will use fake credit cards, there will always be criminals who will steal the data to make those cards work. As a result, businesses will always be under the threat of data-stealing POS malware.

How a POS system gets infected

Before any POS malware can go about stealing credit card data, it first has to find its way into a POS system. Unfortunately for us, there are many ways for it to get there.

Because POS vendors sometimes need remote access to their products for troubleshooting, applying patches, or performing technical support, most POS devices are designed to directly or indirectly connect to the Internet. As part of PCI DSS compliance, some systems are also required to connect to the Internet in order to perform time-synchronization with NTP servers. Lastly, an Internet connection may also be needed to enable the system to export purchasing, inventory, or other business data to remote servers.

While needed for upkeep, maintenance, security, and other business functions of the device, the Internet also allows attackers to gain access. Here are the most common ways POS systems get infected with malware:

Phishing and social engineering

Not all of these systems are dedicated POS terminals. In fact, many of them are regular desktops that run on Windows. When a POS system is set up like this, it’s likely to be used for other functions like sending/receiving emails, web browsing, checking social media sites, instant messaging, and other online activities.

Unfortunately, these online activities are susceptible to phishing and other social engineering attacks. Once the user clicks a link or downloads an attachment in a phishing email or message, they could end up downloading either the malware itself or a trojan that subsequently downloads the malware.

Unpatched systems

As in most other systems, a POS terminal can also get infected when malware exploits vulnerabilities in the operating system, browser plugins, or the web browser itself. Known vulnerabilities are easily addressed through patches or software updates. Unfortunately, most people don’t patch properly, and many don’t patch at all.

Hacked administrative interface

As mentioned earlier, the main purpose of these Internet connections is for performing upgrades, tech support, and troubleshooting. To perform these tasks, the vendor has to connect through some form of administrative interface. Attackers sometimes brute force their way into these interfaces or take advantage of default settings. Once they’ve gained entry, they then install the malware.

Compromised third party credentials

It’s common for businesses to employ the services of various third parties. Some of these third party providers are given access to either the POS machine itself (e.g. for vendors of software installed on the same machine) or to another device running on the same network as the POS machine. This gives cybercriminals an avenue for attack.

Cybercriminals can steal login credentials assigned to these third parties in order to gain access into the POS system. This type of attack is difficult to trace because if you view the logs, the logins appear to be carried out by someone authorized to access the system.

Other compromised devices in the network

In the event that the POS device is connected to the office LAN but not to the Internet, cyber criminals can still access the device through an indirect attack. They would first attack a device connected to the Internet and use that as a jump off point to reach their main objective.

They can employ phishing, brute force, or an SQL injection on the corporate website. They can even simply hack into a network device whose factory default passwords have not been changed. Once they’ve gotten a foothold into the network, they usually try to acquire administrative-level credentials before finally seeking out the main target – the POS machine. Once they’ve breached to the POS machine, they install the malware.

RAM scraping

So what happens when malware gets installed on a POS system? It does what it’s programmed to do – steal credit card data. Theoretically, there are number of opportunities for malware to steal credit card data from a POS system. First, while the data is stored (a.k.a. data-at-rest). Second, while it traverses the network (a.k.a. data-in-transit). And third, while the credit card data is in memory.

Most POS systems encrypt data-at-rest and data-in-transit (e.g. via SSL/TLS or IPsec), so POS malware rarely strikes at these stages. Cyber criminals can extract the information they need only if the data is in plaintext (unencrypted) form. Usually, this only ever happens when the data is still in memory. This explains why most current malware (including the one used in the Target data breach) attack there.

The process of stealing information from RAM is known as RAM scraping. Depending on the type of RAM scraper, data is stolen either wholesale (i.e. everything is grabbed from memory) or according to a pattern match. RAM scrapers can typically collect the PAN or credit card number, name of cardholder, card expiration date, CVV code, and other information embedded in the cards magnetic stripe. After the data is scraped from RAM, it is temporarily stashed in a file somewhere in the system or in the network.

As more customers come in and have their credit card data swiped, more data is collected and accumulated into that same file. After a certain period, the malware connects to a remote C&C (Command and Control) server and commences with the exfiltration process.

Covert exfiltration and persistence

To avoid being detected, some POS malware encrypts the data before transmitting to the C&C. Some also use HTTP requests in transmitting the data to avoid suspicion. This will make it appear that the POS system is being used for harmless activities like web browsing, allowing the exfiltration process to bypass firewalls and most antivirus solutions.

Note that, when a RAM scraper grabs data from memory, it only manages to grab information from a single card, i.e. the card that was recently swiped. That’s why, as mentioned earlier, the data scraped from memory would still have to be accumulated into a sort of “staging” file. Because it can take some time before a substantial amount of data is collected, the malware has to persist in the system as long as possible for it to be effective.

To do that, POS malware usually employs privilege escalation techniques like tampering logs or disabling antiviruses and monitoring tools. Some types of malware also create backup copies of themselves, which are retrieved in the event their “production” selves are somehow deleted or incapacitated.

Mitigating the POS malware threat

Last year (2016), the rate of identity theft hit an all-time high, with some 15.4 million consumers getting victimized through some form of ID theft. This translated to about $16 billion worth of losses through fraud. Although not all of these incidents involved the use of POS malware, POS malware still remains one of the biggest threats to merchants who haven’t yet adopted EMV chip cards.

To mitigate this particular threat, businesses must adopt a number of security measures, including:

1. Dedicating a POS terminal solely to POS-related functions;
2. If budget does not permit #1, prohibiting employees from using a non-dedicated POS system for non work-related tasks (e.g. personal web browsing, email, or social media);
3. If #2 is still not possible, training employees to recognize and handle phishing emails/messages;
4. Updating all firmware and software;
5. Using reputable antivirus software;
6. Using firewalls and content filtering solutions that identify and block both suspicious inbound and outbound traffic;
7. Ensuring that in-house admins and third parties use strong passwords and 2-factor authentication; and
8. Adopting EMV-enabled cards, which theoretically eliminates credit card cloning.

For help to protect yourself from POS malware, feel free to contact us.

DNS Security Solutions and Your Brand

DNS Security Solutions And Your Brand How much do you trust a firm once you learn it was the victim of ransomware, data exposure, downtime from a DDoS attack, or some other network breach? If you are like millions of others, you just don’t believe in such firms or sites afterward. That is why you need to consider the longevity and strength of your brand in the face of modern security threats, and implement DNS security solutions that do their best to protect it.

What Can You Do?

We already mentioned DNS security solutions, so let us continue along that thread. In the world of online threats, it seems that DNS has become a popular target for exploits. This is partly due to the rise of IoT or the Internet of Things. These devices are often left unsecured, then infected with malware and turned into an army that floods DNS services and leave their global clients unavailable.

Of course, attacks can also source from within through such activities as torrent and file sharing, adult website visits and other (often prohibited) behaviours. Ideal DNS security solutions would address all of these things through proper monitoring and defence. For example, advanced malware protection, easy to use cloud security solutions, and advanced DNS protection could implement the following actions:

• Network policy enforcement – It may seem extreme to create pre-emptive blocks, but your brand’s reputation is worth far more than a few employees feeling annoyed that you cannot just trust them to follow policy. Optimized solutions are able to create effective blocks for tagged traffic patterns, preventing disasters from striking with a single click.

• Network protection – Real time protection is nearly impossible to overemphasize, and particularly where DNS security is concerned. When built in a layered design, it will allow you to know that any malicious activity or malware in the system will be identified before it can wreak havoc. A solid solution incorporates botnet, APT and malware or ransomware protections.

• Network management – Proper defence of the DNS and network is impossible without the clarity of network assessment and evaluation. Where are your vulnerabilities? Where is there wasted bandwidth? What is the nature of the traffic? It is only through clear data that you are able to make informed decisions about the nature of threats inside or outside of the network.

This is a system of defence that will only enhance your brand. While more and more threats appear, and more and more global names (think Airbnb, PayPal and Sony) are threatened by breaches and botnets, you can easily implement DNS security solutions when you turn to the qualified experts.