It all started with a simple phishing attack, we’ll share the story about a small bank that had a major compromise, plus the Washington Post gets hacked…
A great batch of questions, our answers, and much much more!
— Show Notes: —
Attackers use DDoS attack on banks as cover to conduct APT attack on wire transfer switches, stealing millions of dollars
- Rather than the attacks we have previously discussed, where fraudsters targeted individuals and companies with malware and then drained their bank accounts, this newer series of attacks has targeted the banks and credit unions directly
- Many of these attacks have been against smaller banks and credit unions because of their more limited IT security infrastructure
- It is unclear exactly how the attackers infiltrated the banks’ networks, but fairly well executed spear phishing attacks, similar to those against The Washington Post and The Onion, are likely
- Once the computer of someone inside the bank has been compromised, it can be loaded up with keyloggers, remote administration trojans and other malware
- The attacker can then use the ‘trusted’ computer to escalate their privileges, either directly, or by impersonating the person whose PC has been compromised and sending more phishing emails internally
- Once a computer with access to the ‘wire transfer switch’ (usually an application) is compromised, the attacker can initiate a wire transfer from any account
- Individual bank accounts and bank employees often have limits on the amount they can transfer; however, with escalated privileges, the attackers were able to increase or remove these limits in some cases
- Some banks have instituted anti-fraud systems that require a second employee to authorize any large wire transfer, however attackers had managed to compromise multiple employee accounts inside the bank, and were able to provide the secondary approval of their fraudulent transfers
- “In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance”
- Then, to cover their tracks, the attackers launch a Distributed Denial of Service attack against the bank’s website and/or online banking portal. This disruption is designed to keep the IT staff at the bank busy and keep the attention of other bank employees away from the wire transfer system
- If successful, the DDoS attack distracts the bank long enough to prevent them from clawing back the wire transfer. The bank has a much better chance of getting the money back if it can report the transfer as fraudulent within the first few minutes
- “The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”
- Internet Crime Complaint Center (IC3) issues warning in Sept 2012
- Gartner Report
- Dell SecureWorks Report
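The attack chain above leaves a recognisable trail in a bank’s own audit logs: a transfer limit raised shortly before a large wire, a second approval coming from the same workstation as the initiator, and transfers timed to a DDoS. The following Python is an added example (not from the episode or the cited reports) that correlates those signals over a constructed audit trail; event names, users and workstation IDs are made up.

```python
"""Added example: flag wire transfers that match the pattern described in the
show notes. Every audit line below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed audit trail: (timestamp, event, acting user, workstation, details)
AUDIT = [
    ("2012-09-10 09:02:00", "login",        "jdoe",   "WS-114", {}),
    ("2012-09-10 09:05:10", "limit_change", "jdoe",   "WS-114",
     {"user": "jdoe", "old": 50000, "new": 2000000}),
    ("2012-09-10 09:20:00", "ddos_start",   "-",      "-", {"target": "online-banking"}),
    ("2012-09-10 09:24:30", "wire_init",    "jdoe",   "WS-114",
     {"id": "W1", "amount": 900000, "account": "ACCT-7"}),
    ("2012-09-10 09:25:05", "wire_approve", "msmith", "WS-114", {"id": "W1"}),
    ("2012-09-10 14:00:00", "wire_init",    "jdoe",   "WS-114",
     {"id": "W2", "amount": 12000, "account": "ACCT-3"}),
    ("2012-09-10 14:01:00", "wire_approve", "msmith", "WS-207", {"id": "W2"}),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def score_wires(audit, limit_window=timedelta(hours=1), ddos_window=timedelta(hours=2)):
    """Return {wire_id: [reasons]}; an empty list means nothing suspicious."""
    limit_changes, ddos_starts, inits, approvals = {}, [], {}, {}
    for ts, event, user, ws, d in audit:
        t = parse(ts)
        if event == "limit_change":
            limit_changes[d["user"]] = t           # last limit change per user
        elif event == "ddos_start":
            ddos_starts.append(t)
        elif event == "wire_init":
            inits[d["id"]] = (t, user, ws, d["amount"])
        elif event == "wire_approve":
            approvals[d["id"]] = (t, user, ws)
    findings = {}
    for wid, (t, user, ws, amount) in inits.items():
        reasons = []
        lc = limit_changes.get(user)
        if lc and t - limit_window <= lc <= t:
            reasons.append("limit raised shortly before transfer")
        if any(s <= t <= s + ddos_window for s in ddos_starts):
            reasons.append("initiated during DDoS window")
        ap = approvals.get(wid)
        if ap and ap[1] == user:
            reasons.append("self-approved")
        if ap and ap[2] == ws:
            reasons.append("approver used initiator's workstation")
        findings[wid] = reasons
    return findings

if __name__ == "__main__":
    for wid, reasons in score_wires(AUDIT).items():
        print(wid, reasons or "clean")
```

Any one signal alone is noisy; the value is in the combination, and a DDoS against the public site should raise the alerting threshold on the wire switch rather than pull staff away from it.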
Washington Post hacked by Syrian Electronic Army
- The attackers managed to modify specific pages of the Washington Post website to redirect traffic to the site of the attackers for about 30 minutes
- The Syrian Electronic Army (SEA) is a pro-Assad group known for hacking many Twitter accounts, as well as other newspapers including The Financial Post, The Onion and the Associated Press
- SEA originally hacked an employee’s Twitter account and used it to spread their message
- Some time after that, pages on the website started being redirected
- It is unclear if the employee’s credentials were used to execute the redirect attack
- The method of attack was exactly the same as that used against the Financial Post and The Onion: phishing emails appearing to come from other employees inside the same company, which redirected users to a fake email login page that captured their credentials. It is unclear if WP uses Gmail as the FP and The Onion did
- In a tweet, SEA claimed they had compromised ‘Outbrain’, a business partner of the newspaper that provides ‘content discovery’ mechanisms
- The tweet also claimed that this compromise gave them access to not only the WP, but also CNN and TIME Magazine
- The newspaper promptly disabled the Outbrain module and enacted other defensive measures
- Outbrain acknowledged the problem last Thursday. “We are aware that Outbrain was hacked earlier today. In an effort to protect our publishers and readers, we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it’s safe to turn it back on securely. We are working hard to prevent future attacks of this nature.”
- This type of attack is especially dangerous. If the SEA had redirected users to a site containing malware, rather than just their own site featuring a political message in Arabic, the results could have been much worse, and it could have gone on much longer before it was noticed
- This is the most dangerous type of attack; it is like a watering hole attack, except that it targets a mass audience instead of a small one
- Additional Coverage
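A publisher that embeds a third-party ‘content discovery’ module has little visibility into what that module serves. The Python below is an added example (not from the story or from Outbrain) of a simple content check a publisher could run against its own served pages: it flags redirect constructs and script sources from hosts outside an allowlist. The hostnames and HTML are constructed.

```python
"""Added example: crude integrity check for a publisher page that embeds a
third-party widget. Allowlist, hostnames and sample HTML are all constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts the page is expected to load scripts from
ALLOWED_SCRIPT_HOSTS = {"www.example-news.test", "widgets.example-partner.test"}

# Patterns that would send a visitor somewhere else
REDIRECT_PATTERNS = [
    (r'<meta[^>]+http-equiv=["\']refresh["\']', "meta refresh"),
    (r'(?:window\.|document\.)?location(?:\.href)?\s*=', "JavaScript location assignment"),
    (r'location\.replace\s*\(', "location.replace() call"),
]

def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings for one served page (empty means clean)."""
    findings = []
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.I):
        host = urlparse(src).hostname
        if host is None:
            continue                      # relative path, i.e. first-party
        if host not in allowed_hosts:
            findings.append(f"script from unexpected host: {host}")
    for pattern, label in REDIRECT_PATTERNS:
        if re.search(pattern, html, re.I):
            findings.append(f"redirect construct: {label}")
    return findings

# Constructed sample: a clean page and the same page with an injected redirect
CLEAN = (
    '<html><head><script src="https://www.example-news.test/app.js"></script></head>'
    '<body><div id="partner">'
    '<script src="https://widgets.example-partner.test/widget.js"></script>'
    '</div></body></html>'
)
INJECTED = CLEAN.replace(
    "</div>", '<script>window.location="http://attacker.test/";</script></div>'
)

if __name__ == "__main__":
    print("clean:", audit_page(CLEAN))
    print("injected:", audit_page(INJECTED))
```

Scanning the HTML you serve only catches redirects present in the markup; the body of the partner’s widget script fetched at the same time should be run through the same redirect patterns, and a change in its hash since the last check is itself worth an alert.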
Feedback:
- Switch: Netgear GS724T-300NAS
- Router: Soekris net6501
Send us a Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ
Round-Up:
- EFF wins court battle to release document showing FISC court ruled NSA Surveillance unconstitutional in 2011
- Poison Ivy RAT used in 3 new attacks
- Microsoft re-releases patch for vulnerability in Active Directory Federation Services after it caused many servers to stop working
- Twitter oauth token data leaked, attacker claims to have tokens for every twitter user, posts 15k tokens
- Microsoft pulls back patch for Exchange Server 2013, fixes Oracle bug that could allow a malicious .PDF to compromise the SERVER when viewed by a client with OWA
- Microsoft announces that in 6 months they will issue an update that will disable digital certificates with MD5 fingerprints. An optional version of the patch is available for testing before the patch goes live on all supported OSs. Certificates should use SHA1 or SHA256 hashes
- Jekyll transforming malware developed by Georgia Institute of Technology passed through Apple iOS Review process undetected. Apparently the app was only tested by Apple for 7 seconds. Malware is able to post tweets, take photos, send email and SMS, and even attack other apps – all without the user’s knowledge
- Bruce Schneier’s comments on the Cryptopocalypse
- Trading on NASDAQ halted by unknown technical glitch
- Programming via voice recognition – developing a custom spoken language to express programming concepts like curly braces
- Groklaw shuts down because it can no longer trust the security of email