Aunt Sally Returns to Finovate Tomorrow!
For those of you who have wondered what has happened to our favorite fraud victim, fictional Aunt Sally, I am happy to say that she will be making an appearance tomorrow at the Finovate Spring 2012 conference. If you’ve missed hearing about how the criminals have targeted Aunt Sally, tomorrow is your chance to hear about the newest threat that is live in the wild: malware that performs parameter injection.
It’s guaranteed to be fascinating to see the latest way the criminals are targeting banking users. If you’re going to be at Finovate, it would be great to get together, so please come find me!
Microsoft: Takedown of 153 CnCs Out of 156 is a Great Start
In an article yesterday, FireEye talks about how the recent Zeus takedown by Microsoft resulted in only 153 command-and-control domains being disabled instead of the full 156 domains. While it would be great to have all domains shut down, I applaud Microsoft and the other collaborators who put the effort into getting these domains shut down.
That effort and the one by Kaspersky to shut down the Kelihos system are remarkable in that they mark the first time we have seen real impact on large botnets. Of course the first few attempts at this aren’t going to be perfect. But at least people are taking a step in the right direction!
Android Malware Poses as Second Factor App
McAfee has identified a new Android app that is actually malware posing as a second-factor authentication app for financial institutions. The app supposedly generates a one-time password token on your phone that you can use on the banking website. The tokens that are generated, though, are merely random numbers with no shared secret behind them, so the bank could never have validated them. The app takes several malicious actions. First, it gathers information about the phone and sends that to the criminal. Second, it obtains the online password for the victim’s bank account and sends that to the criminal. Finally, it steals the contact list (names and phone numbers) from the phone.
I find the stealing of the contact list especially devious. It seems likely the criminals will use this to send SMSs or other messages to the phones of the people in the contact list in an attempt to get them to install the malware as well. It’s similar to someone accessing your Facebook account and sending an infected link to all of your friends. Given that functionality, this malware can very possibly “go viral.”
Anonymous: A Modern Day Robin Hood?
According to SC Magazine’s Dan Raywood, the “hacktivist group Anonymous has announced its intention to steal from banks and ‘bring happiness and gratitude to families around the globe’ with a new campaign called ‘DestructiveSec.’”
This is a classic Robin Hood scenario – stealing from the rich and giving to the poor – but the fact that this campaign is being called ‘DestructiveSec’ is a clear indication that this isn’t a heroic action by any means. As we’ve seen from the data breaches in 2011, it’s apparent that attacks will become more prevalent as time goes on and organizations need a better way to protect themselves and their counterparts. Various hacking groups around the world are infiltrating computer networks and web properties to expose data, which is ultimately a sign of poor security compliance. This is quite scary and even unacceptable for any institution, particularly as many attacks have not been all that sophisticated – they were easily preventable.
Hacking and malware are now acknowledged as the most prominent types of data security attack, and web-based attacks are no longer confined to sign-on and transactions. Instead, we’re seeing attacks against almost every website function. The only way to limit the impact of cyber criminals is to know immediately that abnormal behavior is occurring, and web session intelligence is key to doing just that.
The actions that are carried out via the web server are defined as the Navigation Layer of a website. Visibility into the Navigation Layer enables organizations to determine whether or not they need to report a potential risk or attack, and ideally limit the exposure to the attack. As the availability of data and functionality continue to be moved to web servers (whether for traditional web browser use or mobile application use) it is critical to monitor this portion of the infrastructure to determine if events are occurring and where appropriate, alert as close to the first occurrence of the event as possible. Using the Navigation Layer to garner true web intelligence is the surest way to ensure you are monitoring and protecting this critical layer of your infrastructure.
Cybercrime is a growing problem that will continue to increase if organizations don’t begin to take necessary security precautions and this concept is a critical component to corporate security strategy.
Mobile Platform Risk on the Rise in 2012
Each year, Cisco releases a security report about some of the biggest trends of the year, and one of the key findings that most aligns with what we’ve found at Silver Tail Systems is that cybercrimes seem to be much more targeted than in years past. Cybercriminals aren’t producing mass spam nearly as much as they used to and unfortunately it’s the targeted attacks that are even more worrisome because they are much harder for traditional security solutions to detect.
One of the threat areas we (and Cisco) are seeing on the rise is mobile, and this will likely continue in 2012 – particularly as we see commerce and business soar across mobile platforms. According to another recent report, more than $1 million was stolen from Android users in 2011, the annual likelihood of an Android user encountering malware today has increased to 4% from 1% in early 2011, and Android users now have a 36% chance of clicking on an unsafe link – up 6% since July.
Last March we discussed security issues across the Android platform, and as it remains the most popular mobile operating system, it will likely continue to be the most heavily targeted by cybercriminals moving forward. As we know, bad actors are looking for the most return with the least effort, and the mobile platform presents them with a large opportunity as it simply widens the playing field. I know the industry is working toward better mobile security for 2012, and my hope is that the reports that come out a year from now reflect the efforts that so many of us are making.
Screen Injection Webinar – All Your Users’ Credentials Belong to Zeus
Update: the link below was going to the wrong place for a while. It has been updated and should be correct now.
For those of you who have followed the press coverage of the Zeus malware, you might be wondering about the various functions available within Zeus. In this webinar we’ll get into the details about one particular function: screen injection (aka parameter injection).
The webinar will be February 23 at 10am Pacific time. If you want to participate, you can register here. Unfortunately, because of the sensitive nature of some of the things we’re going to show in the webinar, we’re restricting participants to people who work for brands targeted by Zeus and law enforcement. If your webinar registration is denied and you believe you fall into one of these groups, please let me know.
Abstract:
The financial services industry has responded to the inadequate security provided by username/password authentication with widespread deployment of two-factor authentication. However, criminals behind the leading banking Trojans have been innovating as well. Their latest advance – screen injection – has been successfully integrated into the Zeus, Clampi and URLZone data theft Trojans. According to the FBI, this new ability to defeat multi-factor authentication has led to more than $40 million in online banking theft from the US alone. Understanding screen injection is critical for everyone concerned with online security.
In this webinar, Laura Mather, Ph.D, Founder of Silver Tail Systems, will give a detailed explanation of screen injection. She’ll provide a quick overview into the general nature of the “Man in the Browser” data theft banking Trojans and then dive into the operational details of screen injection as it has been weaponized in the Zeus malware.
We will conclude with live demonstrations of screen injection from the victim’s perspective. Using first a clean computer and then an infected computer, you will see screen injection at work on many US banking sites stealing ATM PINs, social security numbers and answers to secret questions. The challenges of detecting this devious attack and possible solutions will be discussed.
If you are concerned about the latest criminal innovations, this webinar will give you an in-depth understanding of one of the key criminal techniques. Find out before your organization becomes a victim.
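The two detection ideas above, watching the Navigation Layer for abnormal session behavior (the Anonymous post) and spotting the extra fields a screen-injecting Trojan adds to a bank’s forms (this webinar), both run over the same data: the requests the web server actually receives. The following is an added example, not Silver Tail’s product or any code from the original posts, that applies both checks to a handful of constructed log lines. The log format, the site’s paths, the expected field names per form, and the one-second bot threshold are all assumptions for illustration. One caveat: injected fields are only visible here when the infected browser submits them to the bank along with the legitimate form; if the malware strips them out before forwarding the request, the server sees nothing and detection has to rely on the navigation and timing signals instead.

```python
"""Navigation Layer checks over web-server requests (added example).

Check 1: a POST carrying field names the form never defines (parameter injection).
Check 2: page-to-page transitions never seen in normal sessions, or faster than a human.
Log format, paths, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Fields each form legitimately submits (assumed site layout).
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf"},
    "/transfer/submit": {"from_acct", "to_acct", "amount", "csrf"},
}

# Constructed sample log lines: "<session> <iso-timestamp> <method> <path> <body|->".
LOG_LINES = [
    # s1: a normal human session, used as the baseline
    "s1 2012-05-07T10:00:00 GET /login -",
    "s1 2012-05-07T10:00:09 POST /login username=alice&password=x&csrf=t1",
    "s1 2012-05-07T10:00:10 GET /accounts -",
    "s1 2012-05-07T10:00:25 GET /transfer -",
    "s1 2012-05-07T10:00:51 POST /transfer/submit from_acct=1&to_acct=2&amount=50&csrf=t2",
    "s1 2012-05-07T10:00:52 GET /transfer/confirm -",
    # s2: infected browser; screen-injected fields ride along with the login POST
    "s2 2012-05-07T11:00:00 GET /login -",
    "s2 2012-05-07T11:00:31 POST /login username=bob&password=y&csrf=t3&atm_pin=1234&ssn=000-00-0000",
    "s2 2012-05-07T11:00:32 GET /accounts -",
    # s3: scripted session; skips the account and transfer pages and moves instantly
    "s3 2012-05-07T12:00:00 POST /login username=carol&password=z&csrf=t4",
    "s3 2012-05-07T12:00:00 POST /transfer/submit from_acct=3&to_acct=9&amount=900&csrf=t5",
]


def parse(line: str) -> dict:
    """Split one log line into its fields; the body is parsed as a form-encoded query."""
    session, ts, method, path, body = line.split(" ", 4)
    params = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return {"session": session, "ts": datetime.fromisoformat(ts),
            "method": method, "path": path, "params": params}


def unexpected_fields(req: dict) -> set:
    """Field names submitted to a known form that the form does not define."""
    expected = EXPECTED_FIELDS.get(req["path"])
    if req["method"] != "POST" or expected is None:
        return set()
    return set(req["params"]) - expected


def transitions(reqs: list) -> set:
    """The (from, to) page steps a session took, as (method, path) pairs."""
    steps = [(r["method"], r["path"]) for r in reqs]
    return set(zip(steps, steps[1:]))


def navigation_findings(reqs: list, baseline: set, min_gap_s: float = 1.0) -> list:
    """Flag steps never seen in the baseline and steps made faster than a human would."""
    findings = []
    for prev, cur in zip(reqs, reqs[1:]):
        step = ((prev["method"], prev["path"]), (cur["method"], cur["path"]))
        if step not in baseline:
            findings.append(f"unseen transition {prev['path']} -> {cur['path']}")
        if (cur["ts"] - prev["ts"]).total_seconds() < min_gap_s:
            findings.append(f"{prev['path']} -> {cur['path']} in under {min_gap_s}s")
    return findings


def analyze(lines: list, normal_session_ids: set) -> dict:
    """Group requests by session, learn transitions from the normal sessions,
    then report parameter-injection and navigation findings per session."""
    by_session = defaultdict(list)
    for req in map(parse, lines):
        by_session[req["session"]].append(req)
    baseline = set()
    for sid in normal_session_ids:
        baseline |= transitions(by_session[sid])
    report = {}
    for sid, reqs in by_session.items():
        findings = [f"unexpected fields on {r['path']}: {sorted(extra)}"
                    for r in reqs if (extra := unexpected_fields(r))]
        findings += navigation_findings(reqs, baseline)
        report[sid] = findings
    return report


if __name__ == "__main__":
    for sid, findings in analyze(LOG_LINES, {"s1"}).items():
        print(sid, findings or "clean")
```

On this input the baseline session is clean, s2 is flagged for the `atm_pin` and `ssn` fields that no login form on the site defines, and s3 is flagged twice: for a login-to-transfer jump the baseline never saw and for making it in zero seconds. In production the baseline would be learned from a large volume of traffic rather than one session, and the per-form field list would come from the application’s own templates, but the two signals are the same ones described above.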
Blogging Highlights from RSA
The RSA conference 2009 picked up with some great keynotes on Wednesday and stellar sessions on Thursday. It is done, at least for me.
I thought Melissa Hathaway delivered a solid keynote, but everyone wanted more details, especially on the 60-day cyber-security assessment due from the White House next week. That let some folks down, but she still delivered with examples, priorities and even some humor. Good to hear the Obama administration considers cyber-security a top priority.
Dave DeWalt from McAfee started off suspect – I thought the weather analogy would get cheeky, but he held true to it and it played well, inserting some gruesome stats and trends. My favorite (or scariest): “…more malware attacks in 2008 than in the previous 5 years combined”. And by the way, what is this malware doing? Abusing business logic, hijacking sessions, and in general driving malicious behavior on web sites – good timing for Silver Tail, in my opinion. The more complex the malware and the attacks, the more important behavior analysis, anomaly detection and real-time disruption will become.
The last keynote, James Bamford, was an eye-opener. One would think the NSA could do anything, but it’s amazing what it missed – both in terms of trends and specific attacks. Another favorite (or scariest again): After 9/11, President Bush ordered the NSA to eavesdrop domestically, violating the FISA act. Attorney General Ashcroft had to sign an “it’s ok to eavesdrop” form every 90 days. Eventually Ashcroft was convinced it was a bad idea to keep signing this and the entire leadership of the Justice Department nearly resigned over the issue.
I must highlight the Fighting Russian Cybercrime Mobsters session with Dmitri Alperovitch, from McAfee and Keith Mularski from the FBI. They did a fantastic job outlining the history and current threat of Russian organized crime in online fraud, including a summary of the DarkMarket campaign the FBI and 8 other countries ran to arrest many cyber-criminals. Very informative and entertaining. Favorite quote (not so scary): “Q: Are the bad guys far ahead?” Mularski’s Answer, “No, I really don’t think so.” So you’re saying there’s a chance…!
Another highlight – Pat Peterson from Cisco diving into the details of bots and botnets. Fascinating research and data. Essentially, “there is no online criminal activity without bots involved.” The money is pretty staggering.
Trey Ford put together an entertaining session on business logic flaws – always a favorite for me since highlighting the abuse of the business process (e.g. business logic abuse) demonstrates the ROI Silver Tail can bring if you can detect new threats and disrupt them in real time. “The code is not broken, it’s the business process!”
Good news is I’m done with the RSA conference – it’s been great, good seeing old friends, fellow bloggers & tweeters and meeting new contacts. We are back in SF next week for FinovateStartup09.
Continue to follow Silver Tail through our blog and now Laura Mather @STSgirl and I @smurdoff are on Twitter.