Posts Tagged ‘attackers’
Monday, November 10, 2014 @ 08:11 AM gHale
Attackers are adopting a new technique that allows them to fool even more users into believing they are entering their information into a legitimate web form.
Instead of replicating a legitimate website such as an e-commerce store, the attackers need only set up a phishing domain fronted by a proxy program that relays traffic to the legitimate site, and create a few fake pages for the points where users enter personal and financial information, said researchers at Trend Micro.
“So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user,” said Trend Micro Senior Threat Researcher Noriaki Hayashi in a blog post.
“It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response,” Hayashi said.
In the attack spotted, users reached the malicious site by clicking on a search result returned for a product’s name; the attackers used a number of blackhat SEO techniques to get their URL into the results. Spam emails and messages would lure potential victims just as well.
The actual attack begins when the user clicks the “Add to Basket” button on the proxied copy of the legitimate site. The attacker has rewritten that function so the user is redirected to a spoofed shopping-cart page, which leads to more fake pages simulating the checkout process.
The first page asks victims to enter personal information (name, address, phone number) along with an email address and password. The second requests credit card details, including the card’s security code. The third asks for additional information sometimes required to authorize a transaction.
Once victims have submitted all this information, a fake purchase confirmation arrives at the email address they supplied, and the attacker has everything needed.
“So far, we have only identified this attack targeting one specific online store in Japan. However, if this attack becomes more prominent, it could become a very worrying development: This makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites,” Hayashi said.
This approach makes phishing sites easier to set up and very difficult for the owners of the legitimate sites to detect.
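One server-side way for the legitimate site’s operator to spot such a relay, as an added example (not Trend Micro’s code): because the proxy forwards the victim’s browser requests, pages that are only ever linked from inside the site arrive carrying a Referer header that names the phishing host rather than the real one. The access-log lines, the shop hostname, the phishing hostname and the IP addresses below are constructed for illustration; the assumption that the relay leaves Referer untouched is labelled in the code.

```python
"""Server-side heuristic for spotting a reverse-proxy phishing relay.

Added example, not Trend Micro's code. Assumption: the relay rewrites the Host
header toward the legitimate origin but forwards the victim's Referer as sent,
so requests for pages linked only from inside the site arrive with a Referer
naming the phishing host. A careful relay rewrites Referer too, so hits are
leads to investigate, not proof.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Lower-cased hostname of a Referer value, or None when absent ("-" or empty)."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def find_relay_suspects(lines, own_host, internal_prefixes):
    """Return (client_ip, referer_host, path) for requests to in-site-only paths
    whose Referer points at a host other than own_host or one of its subdomains."""
    own_host = own_host.lower()
    suspects = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(tuple(internal_prefixes)):
            continue
        host = referer_host(m["referer"])
        if host is None or host == own_host or host.endswith("." + own_host):
            continue
        suspects.append((m["ip"], host, m["path"]))
    return suspects


def rank_relay_hosts(suspects):
    """Count hits per foreign Referer host; a relay tends to dominate this list."""
    return Counter(host for _, host, _ in suspects)


# Constructed access-log lines; hostnames and addresses are documentation values, not real.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Nov/2014:08:11:00 +0000] "GET /product/123 HTTP/1.1" 200 5120 "https://www.google.com/search?q=widget" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Nov/2014:08:11:09 +0000] "POST /cart/add HTTP/1.1" 302 0 "https://shop.example/product/123" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2014:08:12:01 +0000] "POST /cart/add HTTP/1.1" 302 0 "http://shop-example-sale.test/product/123" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2014:08:12:30 +0000] "GET /checkout HTTP/1.1" 200 8800 "http://shop-example-sale.test/cart" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Nov/2014:08:13:00 +0000] "GET /checkout HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_relay_suspects(SAMPLE_LOG, "shop.example", ("/cart", "/checkout"))
    for ip, host, path in hits:
        print(f"{ip} reached {path} via foreign referer {host}")
    print(rank_relay_hosts(hits).most_common())
```

Run against the sample, the two requests relayed through shop-example-sale.test are flagged, the request arriving from the search engine is not (product pages are legitimately reached from outside), and the request with no Referer is skipped rather than flagged. In practice the relay’s own IP address also shows up as the client for every relayed session, so grouping suspects by IP is a second useful pivot.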
Friday, January 10, 2014 @ 03:01 PM gHale
As more companies focus on mobility, it is no surprise that weak security on mobile devices remains low-hanging fruit for attackers.
That holds even in banking, which security experts routinely describe as one of the most secure industries.
But when it comes to mobile apps, is it?
IOActive researcher Ariel Sanchez analyzed 40 mobile banking applications for iOS devices, from 60 of the top banks worldwide, to see how secure they are.
Sanchez found 40 percent of the apps tested are vulnerable to Man-in-the-Middle (MitM) attacks because they don’t validate the authenticity of SSL certificates.
On top of that, 20 percent of them were built without Position Independent Executable (PIE) and Stack Smashing Protection, leaving them more exposed to memory corruption attacks, Sanchez said in a blog post.
Ninety percent of the apps have no jailbreak detection. The same percentage load a number of non-SSL links while the user navigates the app, allowing criminals to intercept that traffic and inject arbitrary code for phishing purposes.
When it comes to two-factor authentication, a strong defense against impersonation attacks, the researcher found 70 percent of the iOS banking apps do not offer it.
Meanwhile, 40 percent of the applications expose sensitive information through log files such as crash reports; data leaked this way can be used to develop Zero Day exploits.
Thirty percent of the tested programs contain hardcoded credentials in the code.
“By using hardcoded credentials, an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users,” Sanchez said.
In addition, 20 percent of the apps send activation codes, the ones used during the initial setup process, in plaintext over HTTP.
To add salt to the wounds, some apps store sensitive information, including bank account details and transaction history, in unencrypted databases on the device’s file system, Sanchez said.
From a defensive perspective, the following recommendations could mitigate the most common flaws:
• Ensure all connections use secure transport protocols
• Enforce SSL certificate checks by the client application
• Protect sensitive data stored on the client-side by encrypting it using the iOS data protection API
• Add checks to detect jailbroken devices
• Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
• Remove all debugging statements and symbols
• Remove all development information from the production application
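The certificate-validation finding above and the second recommendation in the list are the same point from two sides. The following added example (in Python, not IOActive’s code or any bank’s app; the iOS equivalents are the NSURLSession delegate and SecTrust calls) puts the weak pattern next to the hardened one and adds a fingerprint pin of the kind the recommendation implies. The host, port and fingerprint values are illustrative assumptions.

```python
"""Certificate validation: the weak pattern beside the hardened one, plus a leaf pin
check. Added example, not IOActive's code. Hosts and fingerprints are assumptions.
"""
import hashlib
import hmac
import socket
import ssl


def insecure_context():
    """What 'does not validate the certificate' amounts to: any certificate under any
    name is accepted, so a man in the middle presents their own and reads the session."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """Chain validation against the system trust store, hostname matching, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates(ctx):
    """True only when the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def leaf_fingerprint(der_cert):
    """Hex SHA-256 of the DER-encoded leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert, pinned_fingerprints):
    """Constant-time comparison against a set of pins. Ship a current pin and a backup
    pin so a certificate rotation does not lock every user out of the app."""
    fp = leaf_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pinned_fingerprints)


def connect_pinned(host, port, pinned_fingerprints):
    """Open a fully validated TLS session and additionally enforce the pin.
    Network call; the offline checks below exercise only the helpers."""
    ctx = secure_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_ok(der, pinned_fingerprints):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return tls.version()


if __name__ == "__main__":
    print("insecure context validates:", context_validates(insecure_context()))
    print("secure context validates:  ", context_validates(secure_context()))
    # Illustrative call (assumed host and pin; fails closed on any mismatch):
    # connect_pinned("mobile.bank.example", 443, ["<sha256 hex of the bank's leaf cert>"])
```

Pinning the whole leaf certificate, as here, is the simplest form and ties the app to one certificate; production apps more often pin the public key (SPKI) so the certificate can be reissued under the same key. Either way the pin must never replace chain and hostname validation, only add to it.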
Wednesday, August 21, 2013 @ 05:08 PM gHale
The use of the right-to-left override (RLO) character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or a registry key, is seeing a revival.
Malware writers have been using the RLO technique for years, as it is a simple and effective way to disguise the names of malicious files. Typically, attackers try to make their malware appear to be something benign, such as a music file or the setup file for a popular application, and the RLO technique helps them do it.
Malware authors give a malicious file a name close to a legitimate one and append an extension such as .exe. Hidden in the file name, however, is a Unicode control character that reverses the display order of the characters that follow it. So, for example, a file actually named “malwaregpj.exe” is displayed as “malwareexe.jpg” when the RLO character is placed right after the word “malware”; the real extension is still .exe.
Security researchers and malware analysts have known about this technique for quite a while, but it is beginning to surface once again.
Researchers at Microsoft have seen new malware samples attempting to impersonate the Google service that keeps software updated on users’ machines, and the malware is using the RLO technique in order to look like a legitimate registry key.
The malware is Sirefef, which is about a year old. It uses the RLO method to trick users into thinking the entries it puts into the infected machine’s registry are legitimate ones.
“The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation,” said Raymond Roberts of Microsoft.
When the Sirefef malware infects a new machine, it creates a registry entry that looks identical to the legitimate Google Update service. Even clicking on the entry to view its properties shows what appears to be a legitimate entry, aside from some odd-looking characters in the path of the executable. Viewed in a tool without Unicode rendering, however, the problem is obvious: the Sirefef entry shows up as “etadpug” (“gupdate” reversed) and the key contains a slew of random characters rather than the description of the legitimate Google Update service.
“This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not,” Roberts said. “It may make it difficult for someone doing a cursory check to determine if they are infected.”
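The two names in this story, the file that displays as “malwareexe.jpg” and the key that shows up as “etadpug” without Unicode rendering, fall out of one rule. The added example below (not Microsoft’s code) approximates what a bidi-aware display does with an RLO, shows what is actually stored, and flags names where the two disagree; the approximation of the bidirectional algorithm to “reverse everything after the override” is an assumption good enough for this trick, not a full implementation.

```python
"""Right-to-left override (U+202E) in file and registry names: what a Unicode-aware
display shows versus what the system stores. Added example, not Microsoft's code.
rendered() approximates the bidi algorithm for this one trick: every character after
an RLO, up to a Pop Directional Formatting (U+202C) or the end of the string, is
shown reversed. Real renderers differ in corner cases (punctuation, digits).
"""
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING
# Explicit bidi controls; none of them belongs in a file or registry name.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def find_bidi_controls(name):
    """(index, Unicode character name) for every bidi control in the string."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered(name):
    """Approximate what the user sees: text after an RLO is reversed, controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored(name):
    """The name with invisible controls removed: what the file system or registry really holds."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def _extension(s):
    return s.rsplit(".", 1)[-1].lower() if "." in s else ""


def real_extension(name):
    return _extension(stored(name))


def apparent_extension(name):
    return _extension(rendered(name))


def is_spoofed(name):
    """Flag names carrying bidi controls or whose displayed extension differs from the real one."""
    return bool(find_bidi_controls(name)) or real_extension(name) != apparent_extension(name)


if __name__ == "__main__":
    for sample in ("malware" + RLO + "gpj.exe", RLO + "etadpug", "setup.exe"):
        print(f"displayed={rendered(sample)!r:20} stored={stored(sample)!r:20} "
              f"spoofed={is_spoofed(sample)} controls={find_bidi_controls(sample)}")
```

For the file name, displayed is “malwareexe.jpg” while stored is “malwaregpj.exe” with a real extension of .exe; for the registry key, displayed is “gupdate” while stored is “etadpug”, which is exactly what a non-Unicode view of the registry prints. Rejecting or quarantining any name that contains one of these controls is the cheaper check; comparing displayed and real extensions catches the cases where a control slipped through.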
Monday, July 8, 2013 @ 03:07 PM gHale
Despite all the publicized incidents of hackers attacking organizations, it is apparent companies still do not treat cyber security as a strategic competency.
Corporations must develop a proactive strategy so they do not have to react when there is a threat or security breach, said a group of Iowa State University (ISU) researchers.
The cost to a corporation or its customers if hackers gain access to protected information is one factor to consider. With the growing demand for digitally shared data and information, companies can no longer treat security as merely a cost of doing business, said Anthony Townsend, an associate professor of supply chain and information systems in ISU’s College of Business.
“If you have an active and aggressive security team in the organization, you don’t have to get hacked,” Townsend said. “It’s like leaving your door unlocked. If a burglar comes to your house and can just walk through the door, well, that’s easy for him. But if he has to jimmy the lock and there’s good security, he’ll go someplace else.”
Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, said Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cyber security until there is a problem, it’s too late.
“On a more global perspective, there needs to be more IT expertise at the very top of corporations,” DeMarie said. “The way organizations use information technology is critical to the success of a company. If you’re not doing it well, it doesn’t matter how great your product or service is, that can be enough to shut down a business.”
Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, said Brian Mennecke, an associate professor of supply chain and information systems. He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.
“I think increasingly that’s what we’re going to see with organizations moving more of these sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves,” Mennecke said.
On an individual level, Mennecke compares outsourcing security to renting a bank lock box: a way to protect important documents you fear would not be safe at home.
“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke said.
Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement.
Making cyber security a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie said a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.
“A cyber attack could be devastating to some companies,” DeMarie said. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”
But DeMarie, Townsend and Mennecke see a strong cyber security system as a competitive edge to attract new clients and customers.
“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend said.
Security will become a greater priority for customers and clients as more business functions are handled online and digitally. Townsend said the organization with the stronger security presence will have the advantage.
Monday, June 17, 2013 @ 07:06 PM gHale
Security is largely a matter of vigilance: the longer it takes to recognize that a system is under attack, the harder it becomes to ward off the attackers.
That is why businesses unable to properly store or analyze the security data they collect are vulnerable to breaches, according to a new report from security firm McAfee.
The ability to detect data breaches within minutes is critical in preventing data loss, yet only 35 percent of firms said they have the ability to do this. In fact, 22 percent said they would need a day to identify a breach, and five percent said this process would take up to a week. On average, organizations said it takes 10 hours for a company to recognize a security breach.
“If you’re in a fight, you need to know that while it’s happening, not after the fact,” said Mike Fey, executive vice president and worldwide CTO at McAfee. “This study has shown what we’ve long suspected — that far too few organizations have real-time access to the simple question ‘am I being breached?’ Only by knowing this, can you stop it from happening.”
Nearly three quarters (73 percent) of respondents said they can assess their security status in real time, and they expressed similar confidence in their ability to identify, in real time, insider threats (74 percent), perimeter threats (78 percent), Zero Day malware (72 percent) and compliance controls (80 percent).
However, of the 58 percent of organizations that said they suffered a security breach in the last year, only 24 percent found it within minutes. When it came to actually finding the source of the breach, 14 percent could do so in minutes, while 33 percent said it took a day and 16 percent said a week.
This false confidence highlights a disconnect between the IT department and security professionals within organizations.
An analysis of 855 incidents showed it took security professionals weeks or months to find 63 percent of them, while in 46 percent of cases the stolen data was out the door within seconds or minutes.
On average, companies are storing 11-15 terabytes of security data a week, a figure that Gartner Group predicts will double annually through 2016. To put that in perspective, 10 terabytes is the equivalent of the printed collection of the Library of Congress.
Despite storing such large volumes of data, 58 percent of firms admitted to only holding on to it for less than three months.
Wednesday, June 12, 2013 @ 02:06 PM gHale
Users in Vietnam, India, China and Taiwan were targeted by an attack campaign that uses Microsoft Word documents rigged with exploits to install a backdoor program that lets attackers steal information, researchers said.
The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims, said researchers from security firm Rapid7. The goal of these documents was to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.
One of the malicious documents found by Rapid7 researchers is in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests the targets of attacks were part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday.
A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe this document targeted people working in the telecommunications industry in India or local government representatives.
When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010. Microsoft patched these vulnerabilities in 2012 as part of the MS12-027 and MS12-060 security bulletins.
Like a fine wine, these exploits have aged well: attackers keep using them, especially CVE-2012-0158, which also featured in the NetTraveler and Hangover cyber espionage campaigns.
The malicious documents install a backdoor program called KeyBoy, named after a text string found in one of the samples, said Rapid7 researchers. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic-Link Library) file called CREDRIVER.dll, the researchers said.
The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, Rapid7 researchers said.
In addition, the malware can open a Windows command shell on infected computers through which the attackers remotely execute Windows commands, they said.
The backdoor samples collected by the Rapid7 researchers were compiled on April 1, suggesting the attacks are recent; the domain names of the command-and-control servers the malware contacts were registered in April and May.
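A responder hunting for the persistence described above would check exported service definitions for the two indicators Rapid7 named. The added example below (not Rapid7’s code) does that and, as a generic heuristic of my own, also flags any svchost-hosted service whose ServiceDll sits outside %SystemRoot%\System32, where Windows’ own hosted services live. The service records are constructed sample data, and the path given for CREDRIVER.dll is part of that construction, not a location from the report.

```python
"""Hunting for KeyBoy persistence across exported Windows service definitions.

Added example, not Rapid7's code. Two checks: the indicators the researchers named
(service MdAdum, ServiceDll CREDRIVER.dll) and a generic heuristic: an svchost-hosted
service whose ServiceDll lives outside %SystemRoot%\\System32. Sample records and
paths are constructed; expanding %SystemRoot% to C:\\Windows is an assumption.
"""
import ntpath

KEYBOY_SERVICE = "mdadum"
KEYBOY_DLL = "credriver.dll"
SYSTEM32 = "c:\\windows\\system32\\"


def normalize_path(p):
    """Lower-case, strip quotes and whitespace, expand %SystemRoot%/%windir%."""
    p = (p or "").strip().strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def review_service(svc):
    """Return the reasons a service record deserves a closer look (empty list = clean).
    svc is a dict with keys name, image_path, service_dll (service_dll may be None)."""
    reasons = []
    if (svc.get("name") or "").lower() == KEYBOY_SERVICE:
        reasons.append("service name matches KeyBoy indicator MdAdum")
    dll = normalize_path(svc.get("service_dll"))
    if dll:
        if ntpath.basename(dll) == KEYBOY_DLL:
            reasons.append("ServiceDll matches KeyBoy indicator CREDRIVER.dll")
        hosted_by_svchost = "svchost.exe" in normalize_path(svc.get("image_path"))
        if hosted_by_svchost and not dll.startswith(SYSTEM32):
            reasons.append("svchost-hosted ServiceDll outside System32 (heuristic)")
    return reasons


def hunt(services):
    """(service name, reasons) for every record that review_service() flags."""
    hits = []
    for svc in services:
        reasons = review_service(svc)
        if reasons:
            hits.append((svc["name"], reasons))
    return hits


# Constructed sample records, as a registry export of
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (ImagePath, Parameters\ServiceDll) might yield.
SAMPLE_SERVICES = [
    {"name": "wuauserv",
     "image_path": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
     "service_dll": "%SystemRoot%\\system32\\wuaueng.dll"},
    {"name": "MdAdum",
     "image_path": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
     "service_dll": "%SystemRoot%\\System32\\CREDRIVER.dll"},
    {"name": "UpdHelper",
     "image_path": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
     "service_dll": "C:\\Users\\Public\\updhelper.dll"},
    {"name": "Spooler",
     "image_path": "%SystemRoot%\\System32\\spoolsv.exe",
     "service_dll": None},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SERVICES):
        print(name)
        for r in reasons:
            print("   -", r)
```

On the sample, the constructed MdAdum record fires on both named indicators even though its DLL path looks ordinary, UpdHelper fires only on the heuristic, and the two legitimate services are clean. The heuristic will also flag some third-party software that hosts its service DLL elsewhere, so treat it as a review queue rather than a verdict.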
These attackers are definitely targeting users in several different countries, Guarnieri said. Rapid7 found evidence users in Taiwan, members of minority populations in China and possibly Western diplomats are targets of this campaign, he said.
“The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple,” Guarnieri said. “However as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact the large majority of targeted attacks from and within the Asian region are generally very basic in complexity.”
Antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. “For some reason this group didn’t receive particular attention (at least not publicly) so we expect detection to improve in the next days.”