More than 1,000 people have been tricked into installing a Trojan after clicking on a new Facebook scam that promises naked videos of their friends. According to Bitdefender Labs, the countries with the most detected infections are Romania, the UK, Italy, France and Germany.
The scam has just started to make rounds on the social network and can multiply itself and tag users’ friends extremely quickly. Over 6,000 .tk websites have been registered for malicious purposes. To avoid detection, cyber-criminals vary the scam messages from “user’s name private video” to “user’s name naked video” or “XXX private video”. Malware writers can also redirect users to fake surveys or toolbar, video and converter downloads.
When clicking the link that promises videos of their friends naked, users are redirected to a fake YouTube website where a “FlashPlayer.exe” file deploys a Trojan. The malware installs a browser extension capable of posting the scam on users’ behalf and stealing their Facebook pictures.
“Adobe Flash Player has crashed, please update to the latest version,” the fraudulent web page reads.
To increase the infection rate, the malware has multiple installation possibilities. Besides the automated and quick drop on the computer or mobile device, it also multiplies itself when users click the fake Adobe Flash Player update.
To make the scam more credible, cyber-criminals faked the number of views of the adult video. Over 2 million users have allegedly clicked on the infected “YouTube” link. To add another touch of realism, the malware creators also added a message that the video is “age-restricted” based on “Community Guidelines.”
Scammers also fake the date they uploaded the malicious video by making it current. Bogus Flash Player installers have been infecting users on Facebook and Twitter for a couple of years.
The malware is detected by antivirus software provider Bitdefender as Trojan.FakeFlash.A (Trojan.GenericKD.1571215), while the fake YouTube link is marked as a fraudulent attempt. For maximum protection, the Bitdefender free application Safego also alerts users about the naked video scam circulating on the social network.
How long would it take for an attacker to break into a business? Get on the corporate network as an authenticated user? If you think it would take a few days or even a few hours, you are way, way off.
Try 20 minutes.
It took David Jacoby, a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, three minutes to sneak into the building, four minutes to get network access, five minutes to get authenticated access to the network, and ten minutes to install a backdoor onto the corporate network. He was able to download and walk away with “gigabytes of data” from the company, he told attendees at last week’s Kaspersky Lab Security Analyst Summit.
Jacoby was invited by a company to come in and test its defenses. As it turned out, he didn’t need any fancy hacks or zero-days to get through. It was all social engineering.
“They spent so much money [on security], and I still got in,” Jacoby said.
Being Nice to Tailgaters
The company required employees to use a badge to enter and leave the building. Jacoby waited for other employees to go inside, and just hurried in after them. Most people want to be polite and will hold the door open if someone is going in at the same time—something most tailgaters take advantage of. Jacoby went a step further, in case the employee thought to ask to see the badge. He dressed up a bit to look a little managerial and held a cell phone up to his ear as if he was having a conversation with someone. As he was going through the door, he said, “I am right in the lobby. I will be up in a minute.”
No one will interrupt a phone call, and if you convey the impression that you are someone important heading off to meet someone important, most people won’t stop to question you, Jacoby said.
There’s Always a Hub
Surely, getting on the network had to be a little more difficult, right? It turned out Jacoby didn’t bother trying to get on the corporate wireless. Instead, he went straight to the printer room, where there is invariably a network hub for the printer. He plugged his laptop into the hub and as easy as that, he was on the network.
Getting on the network as a valid user took more talking than hacking. Jacoby found an employee sitting next door to the printer room and explained he was having trouble with the network. He asked if he could borrow the employee’s computer. When he sat down, the employee was still logged in, which meant he could do whatever he wanted on the network.
At this point, he installed a backdoor on the network, giving him full control. He no longer needed the employee’s computer or credentials.
Every Step Matters
It’s really hard to defend against social engineering because it’s human nature to want to be nice and helpful. We want to give people the benefit of the doubt and not assume everyone is out to cause harm, but it’s exactly this human instinct that makes us fail at security. While it’s important to remind users repeatedly that they should log out before letting someone else use the computer, and to have signs asking employees not to let people tailgate into the office, people will default to being nice and helpful.
It’s also important to remember that small businesses aren’t immune. In fact, they may be even more susceptible to these attacks, if the employee thinks the person is an IT contractor or electrician.
This is why it’s so important to use technology to secure the network. Instead of letting just any device plugged into the hub get on the network, administrators can enable MAC Address Restrictions, so that only known devices get a valid IP address. After getting access to the network, Jacoby found that the network was segmented incorrectly, so sensitive systems were easily accessible. He found outdated and vulnerable software. He also found 300 user accounts with passwords set to never expire. All these things made his job, as an attacker, much easier.
Think like an attacker. You will be surprised at just how vulnerable your organization may be.
Nationwide beauty products chain Sally Beauty appears to be the latest victim of a breach targeting their payment systems in stores, according to both sources in the banking industry and new raw data from underground cybercrime shops that traffic in stolen credit and debit cards.
On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store. Three different banks contacted by KrebsOnSecurity made targeted purchases from this store, buying back cards they had previously issued to customers.
The card shop Rescator advertising a new batch of cards. All 15 cards that banks purchased from this batch were found to have been recently used at Sally Beauty stores.
The banks each then sought to determine whether all of the cards they bought had been used at the same merchant over the same time period. This test, known as “common point of purchase” or CPP, is the core means by which financial institutions determine the source of a card breach.
Each bank independently reported that all of the cards (15 in total) had been used within the last ten days at Sally Beauty locations across the United States. Denton, Texas-based Sally Beauty maintains some 2,600 stores, and the company has stores in every U.S. state.
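The common-point-of-purchase test described above, worked through in code as an added example (not from the article or from any bank's tooling). The authorization records, card ids and merchant names are constructed, and the control-group comparison, which keeps a merchant that everyone shops at from being mistaken for the breach source, goes beyond what the text describes:

```python
from collections import defaultdict
from datetime import date

# Constructed sample of issuer-side authorization records: (card_id, merchant, date).
# Cards c1..c3 stand in for the cards the bank bought back from the card shop;
# c4 and c5 are ordinary cards from the same portfolio used as a control group.
TRANSACTIONS = [
    ("c1", "Sally Beauty #101", date(2014, 2, 25)),
    ("c1", "Grocer #7",         date(2014, 2, 26)),
    ("c2", "Sally Beauty #202", date(2014, 2, 27)),
    ("c2", "Grocer #7",         date(2014, 2, 20)),
    ("c3", "Sally Beauty #303", date(2014, 3, 1)),
    ("c3", "Gas Station #4",    date(2014, 2, 28)),
    ("c4", "Grocer #7",         date(2014, 2, 22)),
    ("c5", "Sally Beauty #101", date(2014, 1, 10)),   # before the window: ignored
]

def chain_name(merchant):
    """Collapse a store-level descriptor ("Sally Beauty #101") to its chain ("Sally Beauty")."""
    return merchant.split("#")[0].strip()

def common_point_of_purchase(transactions, compromised, start, end):
    """Rank chains by the share of compromised cards that used them in [start, end].

    Each result is (chain, share of compromised cards, share of control cards);
    a chain is ranked by how much more the compromised cards used it than the controls did.
    """
    comp_by_chain = defaultdict(set)
    ctrl_by_chain = defaultdict(set)
    control_cards = set()
    for card, merchant, when in transactions:
        if not (start <= when <= end):
            continue                      # outside the suspected breach window
        chain = chain_name(merchant)
        if card in compromised:
            comp_by_chain[chain].add(card)
        else:
            control_cards.add(card)
            ctrl_by_chain[chain].add(card)
    results = []
    for chain, cards in comp_by_chain.items():
        comp_share = len(cards) / len(compromised)
        ctrl_share = len(ctrl_by_chain[chain]) / len(control_cards) if control_cards else 0.0
        results.append((chain, comp_share, ctrl_share))
    results.sort(key=lambda r: (r[1] - r[2], r[1]), reverse=True)
    return results

def likely_source(results, min_share=0.9):
    """Return the top-ranked chain if (nearly) every compromised card touched it, else None."""
    if results and results[0][1] >= min_share:
        return results[0][0]
    return None

if __name__ == "__main__":
    stolen = {"c1", "c2", "c3"}
    ranked = common_point_of_purchase(TRANSACTIONS, stolen, date(2014, 2, 20), date(2014, 3, 2))
    for chain, comp, ctrl in ranked:
        print(f"{chain:15s} compromised={comp:.0%} control={ctrl:.0%}")
    print("likely source:", likely_source(ranked))
```

With the sample data every stolen card hits Sally Beauty inside the window while the grocer, which the control card also used, drops to the bottom of the ranking.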
Asked about the banks’ findings, Sally Beauty spokeswoman Karen Fugate said the company recently detected an intrusion into its network, but that neither the company’s information technology experts nor an outside forensics firm could find evidence that customer card data had been stolen from the company’s systems.
Fugate said Sally Beauty uses an intrusion detection product called Tripwire, and that a couple of weeks ago — around Feb. 24 — Tripwire detected activity. Unlike other products that try to detect intrusions based on odd or anomalous network traffic, Tripwire fires off alerts if it detects that certain key system files have been modified.
In response to the Tripwire alert, Fugate said, the company’s information technology department “shut down all external communications” and began an investigation. That included bringing in Verizon Enterprise Solutions, a company often hired to help businesses respond to cyber intrusions.
“Since [Verizon's] involvement, which has included a deconstruction of the methods used, an examination of network traffic, all our logs and all potentially accessed servers, we found no evidence that any data got out of our stores,” Fugate said. “But our investigation continues, of course with their assistance.”
In any case, the stolen cards mapping back to Sally Beauty appear to have been pilfered quite recently, roughly matching the intrusion timeline noted by Sally Beauty: All of the banks reported fraud occurring on cards shortly after they were used at Sally Beauty, in the final week of February and early March.
The advertisement produced by the criminals who are selling these cards also holds some clues about the timing of the breach. Stolen cards fetch quite high prices when they are first put on the market, but those prices tend to fall as a greater percentage of the batch come back as declined or canceled by the issuing banks. Thus, the “valid rate” advertised by the fraudsters selling these cards acts as an indicator of the recency of the breach, because as more banks begin noticing fraud associated with a particular merchant, many will begin proactively canceling any cards used at the suspected breached merchant.
In this batch of cards apparently associated with the Sally Beauty breach, for example, the thieves are advertising the cards as “98 percent valid,” meaning that if a buyer were to purchase 100 cards from the store, he could expect that all but two would still be valid.
Cards stolen in the Target breach have become much cheaper as more of them come back declined or cancelled by issuing banks.
In the weeks prior to December 18 — the day that the world learned Target had been breached in a similar card compromise — the thieves running this very same card shop had been advertising several huge batches of cards at 100 percent valid. In the days following Target’s admission that malicious software planted by cyberthieves at its store cash registers had siphoned 40 million credit and debit card numbers, the “valid rates” advertised for those stolen cards began falling precipitously (along with the prices of the stolen cards themselves).
The items for sale are not cards, per se, but instead data copied from the magnetic strip on the backs of credit cards. Armed with this information, thieves can simply re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
Interestingly, this batch of stolen card data was put up for sale three days ago by an archipelago of fraud shops that is closely affiliated with the Target breach. In my previous sleuthing, I reported that a miscreant using the nickname Rescator (and an online card shop by the same name) was among the first — if not the first — to openly sell cards stolen in the Target breach. Further tying the Target breach to Rescator, forensic investigators also found the text string “Rescator” buried in the guts of the malware that was found on Target’s systems. According to additional reporting by this author, Rescator may be affiliated with an individual in Odessa, Ukraine.
The new report details a world in which the means to launch attacks are cheaper and easier to get hold of than ever before, while the criminals themselves increasingly hide their activities from prying eyes on the deep Web.
Any of the attack products and services favoured by Chinese gangs and listed by Trend Micro will be familiar to security watchers.
These include premium service abuser apps which sign the victim up to expensive, unwanted services. The outlay for a premium service number alone can apparently cost the cyber criminal as much as 220,000 yuan (£21,400).
Also mentioned in the report are “SMS Forwarder” Trojans, which intercept 2FA passcodes sent by banks or online service providers, to help the attacker crack online accounts; and SMS spam.
To launch mobile spam campaigns, Chinese criminals can either invest in a GSM modem, or for greater volumes an “internet short message gateway” or SMS server.
The latter apparently sends out a high-power signal which forces all mobiles in the area to disconnect from their legitimate base station and connect to it – after which it pushes out large volumes of spam.
Apple users in China are also at risk from attack, with iMessage spammers able to “buy” 1,000-message spam services for as little as 100 yuan (£9.70).
Another necessary tool is software to scan multiple sets of phone numbers and thereby ensure they’re linked to an Apple ID and are still working. This will set you back 30,000 yuan (£2,900).
Aside from phone scanning services, which are an essential first step on the road to a successful spam campaign, the Chinese underground is also awash with app rank-boosting services for sale, said Trend Micro.
These are important if a malware writer wants their malicious apps to be disseminated as far and wide as possible.
The report explained:
Cyber criminals usually boost an app’s ranking by creating several dummy accounts to download and write good user reviews for it. This is especially true for Android apps in third-party app stores in China. Doing so is, however, costly.
To get an iPhone app in the top five of Apple’s China App Store will set you back a cool 60,000 yuan (£5,800).
In Android third party stores – where most Chinese users shop as Google Play is very limited there – cyber criminals can pay according to the number of downloads they want.
This starts at just 40 yuan (£3.90) for 10,000 downloads.
Via TheRegister
Educating employees about the dangers of a social-engineering attack is important, and companies should provide active awareness training. “Simply having staff sign a social-media policy or code of conduct doesn’t mitigate the risks or create adequate awareness,” said Nejolla Korris, CEO of InterVeritas International, which specializes in social-engineering awareness and lie-detection training.
What should employee training impart? For starters, awareness of what phishing, elicitation and impersonation look like and how they’re used.
It’s important for employees to understand how a social-engineering attack is tied to psychology and human nature. “The ability to discover what individuals’ sensitive spots are and target them by tapping into the good nature of human beings makes the work of social engineers much more effective,” Korris said.
Another aspect of employee training is learning how to mitigate problems when they occur, according to Social-Engineer’s Hadnagy. Many companies still lack a person or department to route any suspicious email or phone calls to.
“It’s critical to have a place to report these events, before it turns into a mess,” said Hadnagy. “It’s also important to remove the fear of being fired. When employees feel good about reporting incidents, companies can mitigate the effects of social engineering much faster.”
Social-engineering pen tests can also reveal surprising vulnerabilities as well as provide awareness on a more personal level.
“The biggest portion of any social-engineering pen test we do is information gathering; more than 50% of our time goes into it. And we gather everything,” said Hadnagy. “Social media makes it easy. We go to LinkedIn, Myspace, Facebook, Twitter or the hundreds of other social-media sites to see what they’ve put out on the Web publicly.”
LinkedIn is “a dream tool for social engineers, because many people post their entire professional histories and rarely use any privacy settings,” said Korris. “It has very few filters, and unless you’ve made a conscious effort to hide it, your information is there for anyone to see.”
What, specifically, are social engineers looking for? “How people use their corporate email addresses, how they spread the message about their likes, dislikes, favorite restaurants, kids, all those things,” explained Hadnagy. “A malicious attacker will search for weaknesses, which generally involve something you like or enjoy because you’re more prone to click a link or allow a person access to you if it’s something you’re in tune with.”
One bank manager had a Facebook profile with 796 photos of herself with a drink in her hand, and another 398 photos of herself in a bikini. That’s a “weakness” that can be easily exploited, according to Korris. “This bank manager also posted her birthdate, photos of her Escalade, and her driver’s license,” she said. “For someone required to maintain the privacy of her clients, she showed no discretion on Facebook.” And it gets worse: The bank’s corporate logo appears next to her Facebook profile, along with photos of the bank staff, all tagged of course.
Information that may seem benign can literally open the door to social engineers. “We were able to infiltrate a company because we called up and someone told us who their waste disposal vendor was,” said Hadnagy. “A few days later, after we had a couple of hats and shirts made with that vendor’s name, they let us right in,” he added. “All from one simple piece of information given out over the phone — no verification that we were who we said we were.”
Hadnagy and his colleagues use their audit findings to help educate companies. “Having a third party come in and ‘go to town’ on your people and network to see where the vulnerabilities exist is a huge benefit,” he said. “At the end of our pen tests, we’ll show you the spear-phishing emails and the phone calls we used, as well as the impersonations. We teach what worked and why, what failed and, especially, what to do when they fail.”
Not everyone agrees about the extent to which training can help fight social engineering, because at some levels you’re dealing with highly motivated pros. “At the corporate level, user awareness and training about social engineering won’t have the same impact,” said RSA’s Cohen. “Pro attackers use incredible strategic detail, and attack statistics reveal that many companies only discover they’ve been attacked after a third party warns them they’re seeing odd things.”
While phishing has traditionally plagued the financial sector because it’s easy to commercialize and sell financial credentials, attackers are now branching out to target mobile and gaming platforms, as well as airlines’ frequent flier mile programs.
Perhaps most disturbing of all, healthcare is emerging as a target because the value of medical data is slowly increasing on the underground market. “The vast majority of attacks, however, still target financial institutions,” Cohen said.
One factor behind the expansion of phishing attacks is that, thanks to underground sites on the dark Web, fraudsters from all over the globe have a way to connect and collaborate anonymously. They frequently solicit partners with social-engineering skills, as shown in the figure below, to help fill in the missing pieces of identities, which they can then turn around and either use or sell.
Social engineer wanted: screenshot of an underground “help wanted ad” offering a social engineer $500 to call a French Canadian victim and get him to reveal the answer to his security question about “street of birth.”