Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Banking malware stole 36 million euros

• The Zeus trojan was used as part of a sophisticated malware attack that was able to steal an estimated 36 million euros from over 30,000 customers based at 30 different banks in Germany, The Netherlands, Spain and Italy
• The trojan infected victims’ PCs and Mobile phones, and intercepted their attempts to interact with their banks
• Victims were tricked into infecting their Mobiles when the trojan on the PC claimed it ‘needed to upgrade your online banking software’, and asked for additional information, including the number of your mobile phone
• The mobile version of the trojan targeted both Blackberry and Android devices
• The mobile infection was the key to the success of the trojan, as it allowed the attackers to intercept SMS messages containing the ‘TAN’ (Transaction Authentication Number) that the banks would send, and would need to be entered to confirm any large transactions
• This allowed the attackers to transfer money out of the victims account without alerting the victim, and the banks saw the transactions passing the additional fraud verification steps (SMS TAN), so were not alerted to a problem
• The trojan would initiate transfers ranging from 500 to 250,000 euros to various accounts around europe, where the funds would then be withdrawn by mules
• The Zeus trojan is also known for modifying the pages returned by online banking, to show the expected account balance and transactions. It would hide the transfers, and adjust the displayed balance to be correct, even after additional valid transactions. (See previous episode on man-in-the-browser attacks)
• The attack consisted of a number of steps:
• Victim accidentally visits malicious site, or is tricked into clicking a link by a phishing email or social media attack
• The victim visit their bank’s site and log in to their account to make a transaction
• The trojan modifies the code of the bank page, prompting the user to enter their mobile phone number and operating system
• The collected information is sent back to the attacker’s C&C server
• The attacker then sends a text message to the victim device, prompting the user to download the Zitmo (Zeus in the mobile) trojan, disguised as an ‘upgrade to the security of the online banking system’
• Each time the victim logs into their online banking, the trojan initiates transfer of money out of the victim’s account using their real credentials
• The banks recognize this as a large, high risk transaction, and as such, delay the transaction and request the user complete 2 factor authentication, the bank sends a TAN number to the user’s mobile
• The TAN SMS is intercepted by the trojan on the victim’s mobile device and delivered to the attacker’s C&C server, the victim never knows they received the text message
• Javascript injected into the online banking page via the PC trojan receives the TAN from the C&C server and authorizes the transfer
• The Eurograbber attack is now complete and the attackers transfer money out of a victim’s account
• This attack highlights the need for better phishing prevention by financial institutions
• All financial institutions should be using SPF and cryptographically signing all legitimate emails with DKIM. Then some type of DNS whitelist, that says ‘any domain on this list, will ALWAYS have a DKIM signature, if it does not, this email should be rejected’, similar to the recent HSTS standard for HTTPS
• Threatpost Coverage

---

Researcher developes 0day exploit against Samsung SmartTVs

• Luigi Auriemma, a researcher for Malta based security firm ReVuln, has developed a number of 0day exploits against Samsung SmartTVs
• He has apparently found some signature that allows him to scan networks to find the IP addresses of any connected SmartTV devices
• The exploit allows him to remotely image all storage devices connected to the TV, including the internal storage, but also any USB devices that happened to be attached
• The exploit could also allow an attacker to install custom firmware, malicious applications, operate any microphones or cameras connected to the TV, steal credentials stored on the device, overwrite the root certificate store to allow spoofing of HTTPS sites (allowing a successful man-in-the-middle attack), or keep a log of all content played on the TV
• The exploit can also be used to remotely control the device, using a feature allowing the TV to be controlled from a smartphone. This allows the attacker to have the same control over the device they would have if they were in the room, further allowing them to exploit the device
• Technical details were not disclosed, ReVuln is currently selling the vulnerability
• If your TV is connected to the internet behind a NAT router or firewall, such that it cannot be connected to directly from the internet, it is less vulnerable. However you still have to consider the case of an attacker cracking your WiFi and being able to access the device via the LAN, or SmartTV devices connected to office networks, as well as those devices in bars, cafes, hotels and the like.
• Luigi has previously disclosed other flaws in the Samsung SmartTVs

---

Researchers develop attacks that could cripple GPS receivers

• Using $2500 worth of gear, researchers from Carnegie Mellon were able to disrupt both customer and professional grade GPS receivers
• “A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks ”
• Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700, whereas Trimble was working with researchers to push out a patch for its affected products
• These new attacks are quite different than existing GPS spoofing attacks, the new research covers a much larger attack vector “by viewing GPS as a computer system”. This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems
• The attacks include messing with the time, since GPS is used as a source of clock synchronization, allowing the attackers to trigger the UNIX epoch rollover or otherwise tamper with devices
• Full research paper

---

Feedback:

• URGENT VPS Question
• Few questions about Nginx
• Win8 Password Exploit?
• RSA encryption Video

Happy 18th Birthday to Chris Eadle from Jupiter Broadcasting, and his lovely lady friend Angela.

Round-UP:

• BBC News – The hum that helps to fight crime
• Intel announces new ATOM based SoC servers. Dual-core w/ HT and density in excess of 1000 cores per rack
• GhostShell hackers release 1.6 million NASA, FBI, ESA accounts
• Researcher from last week’s MySQL vulns posts more, faster online password cracking
• Eric Schmidt says that Google Fiber ‘is a real business’ and plans to expand it
• FreeBSD Could Miss Year End Funding Target By Nearly 50%
• FreeBSD foundation gets 650 new donations in the last three days raising $43196
  
• Ho, ho, Bing: NORAD Tracks Santa switching from Google to Microsoft

The post 2-Factor Trojan | TechSNAP 88 first appeared on Jupiter Broadcasting.

]]>