Wednesday, 21 August 2013

Android Apps That Track Your Every Move

GPS-enabled phones have revolutionized how we travel, how we buy things, and how we stay connected to the people we care about. But location aware devices also made where you are at any given moment potentially accessible to other people.
This week, we look at four apps that all can access your location information. For all but one, it makes sense for the app to know where you are, but the way they handle that information isn't fantastic. Unfortunately, Android permissions don't have the fine-grain approach of iOS for location data—it's all or nothing. So consider what you want shared (and how) before downloading an app that knows where you are.
Not quite a dating app, Tinder says that it will pair you people nearby with (allegedly) similar interests. The location is a key aspect of the app, since you can only see (and can only be seen) by people who are nearby. The idea is that physical distance will give you some level of anonymity, but apparently it can be circumvented.
Appthority told SecurityWatch that other Tinder users can see the last time you updated your location and an "approximate" distance between you any other Tinder users viewing your profile. You'd think that this approximation is handled on Tinder's servers, but when you look at someone's Tinder profile the exact distance between you and them is sent to your phone and then obfuscated.
"For a technically savvy Tinder user, they can view this information and use a geolocation tracking technique to determine the exact geolocation with just the exact distance away number," said Appthority. "This involves spoofing their current geolocation, looking again to see how far away the target Tinder user is, then repeatedly spoofing their geolocation until they get closer to the target and the target Tinder user shows 0.0 miles away." Note that this spoofing technique also allows users to view any profile they like, by pretending to be in different locations.
Beyond your location data, Appthority says that Tinder also shares your birthday; which in itself is not too scary but could be combined with other information to steal your identity. Tinder also shares your Facebook ID, which someone could use to pull down more information from Facebook.
Similar to Tinder, Skout is designed to connect you with people nearby. Unfortunately, Appthority says that it has many of the same privacy issues as Tinder.
As with Tinder, with Skout you can see the last time a user updated their location, but you can also see their exact distance from your current position without having to dig around in the app. Using the same spoofing method described above, you could potentially figure out the exact location for any Skout user.
Also troubling is that geolocation information for images (including profile pictures) is also transmitted by Skout, giving you even more information about a Skout user and their movements.
Most troubling is that Skout sends users' exact geolocation information to not one, but several ad networks. According to Appthority, this information is transmitted unencrypted. While ad networks make it possible for developers to give away apps for free, the amount of information transmitted can be unsettling to say the least.
As for Skout and Tinder, Flirt (or Cheeky Lovers, another app which is effectively identical to Flirt) lets you see people nearby and, well, flirt with them. Flirt, however, seems even more cavalier with your information.
Appthority reports that Flirt is tied to "aggressive spamware" and transmits private information from your phone to several ad networks. It also harvests information like exact geolocation and email address from your device and transmits it via an unencrypted connection.
While Skout and Tinder required complex tricks to figure out a user's exact location, Flirt doesn't bother. Appthority says that the Flirt "shares the specific latitudinal and longitudinal geolocation of all users with public profile seen by potential matches."
Kids Memory Game
A bonus app this week from Bitdefender, Kids Memory Game is a cheaply thrown-together tile-matching game featuring the (no doubt illegal) visage of Woody Woodpecker. It's included here because even though it's not a dating app, it can see your location while the app is running. Unfortunately, it's not the only app targeted at kids we've seen with these kinds of risky behaviors.
It can also access your browser history and connect to the Internet, which is especially odd since the app has no online functions.

Brits want Google taken to task over privacy breaches

An angry man shouting at a laptop
Google executives need to be taught that they are not above British privacy laws, according to riled V3 readers.
Earlier this week, the search giant claimed it does not need to abide by UK privacy laws, after law firm Olswang brought a High Court case accusing Google of bypassing the Apple iPhone's built-in security settings to monitor and collect users' personal information through the Safari browser.

But V3 readers responded angrily to Google's claims, and called on the UK government to take action against the firm to ensure it follows national privacy law.
One reader said he found the comments slightly racist, showing Google to view Brits as second-class citizens. "[Google is] far too big for its boots in my opinion and needs taking down to reality. First, if it affects a British citizen then you can be tried in a court of law, American or not. Second, as a British citizen I find Google's remark offensive and racially slurring. It should be prosecuted for that alone," he wrote.
The sentiment was mirrored by V3 reader Archie Lukas, who called for a boycott of Google's services in protest. "As a British citizen, I too am offended by Google's racist attitude and disregard of basic human rights to privacy," he wrote. "I opt out of every Google privacy option, I encourage all others to do the same. Starve the buggers."
Outside of a boycott of Google's services, a multitude of readers reiterated law firm Olswang's argument that fines alone are not sufficient punishment for privacy breaches. Another reader went so far as to say that Google executives should be held personally accountable for privacy breaches.
"Fines do not work. What is needed is a form of criminal probation of the senior management of the company after the company has been fined a few times, which will put them on probation for five years. If the company breaches the law again then they should go to jail for up to three years depending on the gravity of the breach of law," he commented.
"A minimum jail sentence of six months would be adequate to focus their attention on observing values, ethics and standards common around the world."
Fellow commenter Ian Moyse added that punishment alone will not fully solve the problem, arguing that the scenario proves the need for more non-US based competition. "The giant vendors will consider themselves above the law and that customers won't have much choice, but where there is choice customers may choose to quickly switch to alternative providers and in a cloud world this is easier than we have seen before," he said.
"Many USA firms only host in the USA and do not even make this visible to clients unless they push to ask. Cloud needs more openness, more understanding of customers' concerns and vendors to be more appreciative of the choice customers have."
Google's claim that British laws do not apply to it is one of many controversial statements to come from the search giant in recent weeks. Google also claimed last week that Gmail users should not expect privacy in a US court case.

Microsoft re-releases critical Exchange Server 2013 security fix

Microsoft logo
Microsoft has released a fixed version of the Microsoft Exchange Server 2013 security update, which originally arrived last week during patch Tuesday and was then swiftly pulled.
The company released the fixed version of the patch recommending that businesses update their systems to run it as soon as possible. "Microsoft re-released this bulletin to announce the reoffering of the 2843638 update for Active Directory Federation Services 2.0 on Windows Server 2008 and Windows Server 2008 R2," read the update.
"For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service."
The update was originally released last week as a part of Microsoft's regular Patch Tuesday. But Microsoft pulled the update days later, following reports it was blocking users from searching their email inboxes. The pull was doubly complex as many companies had already installed the patch, but Microsoft said the new patch will still work for those who installed the original.
"Customers who already installed the original updates will be reoffered the 2843638 update and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates," said the Microsoft update.
The pull had caused concern within the security community that criminals may use the downtime to exploit the server vulnerability. Independent security expert Graham Cluley has said it is unlikely that criminals will have had time to target the vulnerability.
"As the vulnerability it was attempting to fix had only been privately reported, and was not believed to be being exploited in the wild, it's possible that the fix had actually turned into a bigger problem than the one it was attempting to solve – on Windows Server 2008 systems at least. The good news is that Microsoft has now reissued MS13-066 and appears to be confident that it has done a better job this time," he said.
Cluley added that the patch is not the first dodgy one released by Microsoft, calling for the firm to be more careful when releasing security fixes.
"This isn't the first time that Microsoft has been forced to re-release a security patch after problems were found in the original version, and it surely won't be the last. I'm sure the company is hopeful, however, that it can keep such incidents to a minimum because of the disruption and downtime that buggy security patches can cause its customers," he said.
For a look at all the security fixes in the Microsoft latest Patch Tuesday, read V3's roundup here.

Apple App Store vulnerable to hidden malware that can bypass iPhone and iPad security

Apple logo
Researchers have revealed a way to sneak malware past the Apple App Store's security features, highlighting a theoretical weakness in Apple's walled garden approach.
The Georgia Institute of Technology researchers announced the claim when presenting their Jekyll on iOS: When Benign Apps Become Evil [PDF] paper at the Usenix Conference. The exploit works by loading malicious code into a seemingly innocent app and activating it after the app has cleared Apple's securing vetting.
"Apple adopts the mandatory app review and code-signing mechanisms to ensure that only approved apps can run on iOS devices. We present a novel attack method that fundamentally defeats both mechanisms. Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process," read the paper.
"Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple's approval."
The researchers claim they have already successfully tested the exploit, proving it is possible to sneak a variety of malware onto Apple's iOS platform.
"We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll apps can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities," read the report.
Whether Apple is aware of the claims is currently unclear, and at the time of publishing the iPhone maker had not responded to V3's request for comment on the white paper.
Apple has so far managed to keep its iOS operating system malware free by maintaining it as a closed ecosystem. This means developers can only sell their wares on Apple's official App Store, which scans and vets all applications before allowing them into the marketplace. Earlier this year F-Secure security expert Mikko Hypponen praised Apple for its robust security, listing the App Store as one of the security community's greatest achievements.
F-Secure analyst Sean Sullivan told V3 that Apple security is still maintained despite the findings from the Georgia Institute of Technology, noting that the research has limited real-world implications.

“It’s interesting in theory, but not a big deal practically speaking. Apple’s App Store is a monopoly. And that makes it more secure – not because of technology – but because of economics,” he said.

“Anybody that is actually able to get their app ranked (or even noticed) and downloaded in any kind of significant numbers will not waste their time producing a Jekyll app. At least not for financial gain. If you can get noticed in the App Store, you can make much more money selling a legit app than you can a malware scheme. In theory, maybe you’d try a Jekyll app if you had some kind of political agenda.”

Amazon outage: US and Canada service fail takes down 82 domains

Amazon's US and Canadian sites were knocked offline for nearly half an hour last night, leaving millions of web users unable to access their accounts.
The outage was first flagged by the Reddit community. Visitors attempting to access the US and Candian sites were greeted with "Oops! We're very sorry", alongside a "500 Service Unavailable Error" report. The reason for the outage remains unknown, and at the time of publishing Amazon had not responded to V3's request for comment.
The incident is the second major disruption suffered by Amazon in the past 12 months. The company admitted suffering an outage that temporarily took down some of its Web Services platforms in October 2012. The outage last year had a knock-on effect, taking down scores of popular websites, including Reddit and Instagram, with it.

Compuware director of Application Performance Management, Michael Allen, said the firm's web analytics show the outage overnight had a similar impact.
"When you consider that the site makes thousands of pounds a second, this outage will clearly have had an impact on Amazon's revenues. However, it's not just Amazon that will have been affected. If you look at the Outage Analyzer service, at least 82 other domains were impacted; although the actual number is likely to be much higher," he said.
Amazon is one of many big-name tech companies to suffer unexplained service outages over the last week. Google suffered a similar outage where key services including Search, Gmail, Drive, Calendar and Talk went dark for five minutes. Despite the short duration of the outage, internet analytics firm GoSquared reported detecting a massive 40 percent dip in global web traffic.

Greenwald v. the UK: Anonymous strikes back

Anonymous hackers behind the @OpLastResort twitter account have hacked UK and Chinese government websites in response to the nine-hour detention of Brazilian national David Miranda, partner of Guardian journalist Glenn Greenwald, at London’s Heathrow Airport.
Miranda was held by British authorities under a counterterrorism law after visiting documentary filmmaker Laura Poitras in Berlin. Poitras and Greenwald are both involved with publishing classified information leaked by former NSA contractor Edward Snowden.
The hackers gained access, a site used by the local government district in Surrey, a county in southeastern England.
In an effort to satirize Miranda's detention under counterterrorism law, the Anons described the "d0x," or leaked personal information, of US military and diplomatic personnel they then posted as containing “vital, anti-terror surveillance information.” Declaring their outrage over the targeting of Greenwald’s loved ones, the hackers also posted what appears to be personal information belonging to the officials’ family members.
After several hours, the hacked domain was taken down, presumably by the system’s administrators. The d0x was then reposted to, the top-level domain for mainland China. The .cn domain is managed through a branch of the Chinese Ministry of Information Industry.
The @OpLastResort Twitter account wrote:
“…site down, now rehosted at because the chinese govt are [sic] more cool on sharing things from their sites.”
The @OpLastResort account had remained dormant for several months before the publishing of classified information leaked by Edward Snowden. OpLastResort is responsible for a number of high-profile hacks against the US government, the Federal Reserve and financial institutions that took place earlier this year.
“We expect there to be many pointed questions asked in the coming days, both domestically and internationally as to how and why an already ridiculously broad and draconian act of law was ripped of its last remaining shred of legitimacy in what cannot be described as anything other than an act of pure spite and intimidation, an act intended to exert a chilling effect on a stream of high-quality journalistic reporting whose historic importance cannot possibly be overstated,” read a message posted to the domain by OpLastResort Anons.
“We encourage anyone who is interested in preventing terror attacks to fully investigate these spouses and siblings and mothers and fathers and son and daughters, before they too are embroidered [sic] in terrible terror plots of the most heinous variety,” read the message.
The personal information includes addresses, dates of birth and email addresses hosted at various US government domains including and The information also includes work and personal phone numbers and ZIP codes of spouses, siblings and children.
Before Miranda was released on Monday, UK authorities seized a number of his personal effects, including his laptop, cellphone, various video game consoles, DVDs and portable USB drives.
“This was obviously designed to send a message of intimidation to those of us working journalistically on reporting on the NSA and its British counterpart, the GCHQ,” wroteGreenwald following Miranda’s detention.
“But the last thing it will do is intimidate or deter us in any way from doing our job as journalists. Quite the contrary: it will only embolden us more to continue to report aggressively."

ZMap: Fast Internet-wide Scanning and Its Security Applications

Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow.
Introducing ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet.
We present the scanner architecture, experimentally characterize its performance and accuracy, and explore the security implications of high speed Internet-scale network surveys, both offensive and defensive.
We also discuss best practices for good Internet citizenship when performing Internet-wide surveys, informed by our own experiences conducting a long-term research survey over the past year.
Read Paper in PDF

Mauritania Attacker Hijacked credentials for every Twitter account.Leaked Data

Mauritania Attacker leaked thousand of twitter Accounts credentials today, which was hijacked from twitter.
The Account leaked are up for download on file sharing service of Zippyshare. all the account leaks are in plain text format.
The leaked data contains twitter id, twitter nick name, oauth_token, oauth_token secret codes. which can be used to login into the victims account. Hacker also added how to use oauth_token to login into the Account -which can be done easily with the use of tamper data.
As of now Mauritania Attacker have leaked about 15167 account details. but in a conversation with Techworm he confirmed that he have access to entire database of users on twitter and no account is safe from him, may be he will leak unlimited accounts credentials in the coming future.
Now the big question that arises to every twitter account holder is that are they safe on twitter any more, i guess they aren't not any more.
Download link to leaked data

Google and Amazon Drop Offline in the Same Week

In life, there are many things that we all take for granted. These are everyday things that always just seem to be there and are only conspicuous when they are absent. In the last week two of these items have shown that they are not as enduring as many might have thought.
Google and Amazon have both had major outages to their services that impacted internet traffic. These two mysterious outages have caused some concern about the reliability of both companies as well as the possibility of a larger issue (perhaps a potential attack). However, neither Google nor Amazon are coming clean about these incidents making many even more nervous.
The rash of outages kicked off on Saturday the 17th at about 4:47PM (Pacific Time) with Google Apps disappearing from the internet. Although the entire outage did not last more than about 5 minutes the effects were pretty staggering. At the height of the incident worldwide internet traffic dropped by an estimated 40%. Yes you read that right almost half of the global internet traffic was affected by a five minute outage at Google.
This number seems pretty large (and it is) however, we have a feeling that the majority of that traffic was spam heading to Gmail. Many companies that rely on Google were at a standstill for the unusual outage with many companies at a loss for what to do or even who to report it to. I know that I have already been contacted about contingency plans for cloud service outages as a result of this brief, unplanned down time for Google.
Now, while Google’s outage was shocking and left many stunned and confused; Amazon’s outage appeared to be more “business as usual” even though it was highly annoying to many Amazon users. Here the outage was just the latest in a string of them over the last 12 months. Amazon’s hiccup lasted a little longer than Google’s with the total outage time around one hour (11:50 am to 12:44PM PST).
During the time of the outage the Amazon Web Services was unavailable and even Amazon’s own site was offline (trace routes dropped off en-route to their datacenter). Twitter was abuzz with comments and complaints about the problem, but nothing ever showed up on the AWS dashboard. There was no attempt to identify what percentage of internet traffic the Amazon outage impacted which is interesting considering how many were eager to see how much of an impact Google had. Our guess it that Amazon has these issues far too often to be really big news anymore.
Internet and service outages are nothing new and will continue, but when you look at the impact they can have (as in the case of Google’s outage) it is not hard to see just what a target companies like Google, Amazon and Microsoft are. We are not talking about from the average hacker or even Anonymous; we are talking about the much larger concern of state sponsored attacks.
How many companies would be dead in the water if they could no longer reach Google, Amazon, Microsoft or any number of cloud services? Sure a 5 minute outage out of an entire year is very small (about 0.00095%), but it shows that even Google’s services are not invulnerable.
As for Amazon, well there are still a large number of companies that rely on their services that continue to be impacted by their frequent outages, but many of these do not have the resources to bring all of their systems back in house without an even larger impact to their business. It makes me wonder just what these businesses were told to get them to sign up in the first place.

Concerns Over Cyber Security Risks Outweigh Traditional Risks

Cyber security risks have become more worrisome to large organizations than traditional natural catastrophe risks, according to a new study.
The study, titled “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” and conducted by Experian Data Breach Resolution and the Ponemon Institute, reported that 41 percent of large businesses (those with 500-plus employees) believe cyber security risks are greater than other insurable business risks such as natural disasters, business interruption and fires. Another 35 percent of respondents in the survey reported that cyber security risks are equal to other insurable business risks.
Despite growing concerns over cyber security, the study also found that less than one-third of respondents (31 percent) have purchased cyber insurance coverage.
However, those firms that do not currently have insurance coverage – more than half of all survey respondents (57 percent) – indicated they plan to purchase cyber security coverage in the near future.
The survey predicts 50 percent growth in policies purchased in the next year, with more than 100 percent growth within the next two years.
“We are reaching a tipping point where the majority of companies we surveyed now rank cyber security risks as high as other major insurable business risks,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “We anticipate that demand for cyber security insurance is likely to increase in response to evolving breach response policies.”
Potential Cost of Breach
The cost potential of a future data breach is a primary driver when it comes to purchasing cyber insurance, according to the survey. Many companies realize that security incidents create significant financial risks that must be managed like other major business risks.
Among those companies that had an incident in the past 24 months, 70 percent of respondents said the experience increased their interest in these policies.
Of the 56 percent of respondents that had breaches, the average cost of these incidents was reported at $9.4 million in the last 24 months.
However, those costs are only a fraction of the average maximum financial exposure that the companies surveyed (breached or not) believe they could suffer because of cyber incidents. Respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages.
Thirty percent noted they do not plan on purchasing cyber insurance. For those firms that chose to go without coverage, 43 percent indicated that it is because of the cost and too many exclusions, restrictions and uninsurable risks.
Of those with the insurance, 62 percent believe the premiums are fair given the nature of the risk.
Coverage Satisfaction
The study also found that those organizations with cyber insurance felt largely satisfied by the protection the coverage provides. They also indicated satisfaction with the added benefits that come with securing the coverage.
“Going through the process of evaluating cyber insurance for their company, 62 percent of the people said that they felt like their company was in a better state of readiness because of going through the process of evaluating cyber insurance, which means that just the preparation and awareness help to improve their level of capability for an incident response for a data breach,” Bruemmer told Insurance Journal.
Of those with a policy, 30 percent have experienced an exploit or a data breach and submitted a claim. Nearly all were happy with their providers’ responses to the claim (95 percent good to excellent).
Access to other resources that often are provided by the cyber insurer (forensics, notification, etc.) helped manage the overall security risk, the respondents said.
Most policies provide benefits for forensics and investigative costs (64 percent), notification costs to data breach victims (86 percent) and legal defense costs (73 percent).
The interest and adoption of cyber insurance policies as a means to mitigate cyber security risk will grow, researchers say.
“Companies worry about the financial impact following a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“Cyber insurance could be an important part of a risk management strategy to protect against potentially severe financial losses.”
To access the full report, “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age”, visit

al-Qassam DDoS Attack hit three US Banks

JPMorgan Chase (JPM) and Citigroup (C) both said they suffered system issues on Thursday as a group of cyber criminals was said to launch a new round of attacks against U.S. banks.
JP Morgan Chase's consumer website was hit with intermittent accessibility issues on Thursday that stopped some customers from accessing the page.
A JP Morgan spokesperson said "experienced some issues" on Thursday morning. He said the biggest U.S. bank by assets believed the problems were resolved by noon. However, tests by FOX Business Network on multiple networks timed out on several occasions after that, and yielded an error message saying "504 Gateway Time-out: The web server is not responding."
The spokesperson declined to comment on what caused the issue.
Meanwhile, Citibank tweeted on its verified account at 1:25 p.m. ET that it is "aware of system issues" and working to resolve them. A tweet at 3:09 p.m. told customers "most online access issues have been resolved."
A Citi official told FOX Business the problem that caused some of the bank’s sites to go down “for a short time” was an "internal issue." The official declined to elaborate on the glitch except to say it has since been corrected and the sites have been restored.
This latest round of online troubles comes as the Cyber Fighters of Izz ad-Din al-Qassam have threatened to hit U.S. banks with cyber attacks. Radware, a company that specializes in thwarting such attacks, told FOX Business Thursday the threats appear to be coming to fruition.
Radware, through its spokesperson, said the attacks were “sophisticated” and contain “multiple complicated attack vectors.” However, the company wouldn't comment on specifically which websites were getting hit, or whether these attacks directly impacted Chase or Citigroup.
The Citi official said the No. 3 U.S. bank by assets is aware of the threats, but hasn't seen any impact from them.
Many of the largest American banks were hit in a string of so-called distributed denial-of-service attacks last year by al-Qassam that snarled access to their websites. The impact of those attacks had until recently subsided.
In an apparently separate incident, the Washington Post said it was the victim of a cyber attack Thursday by the Syrian Electronic Army.

Emergency 112 number hit by DDoS Attack, warns EU cyber agency

Millions of people across Europe have faced disrupted communications in dozens of major outages, with many incidents affecting access to the 112 emergency phone service, the EU's cyber security agency has warned.
ENISA, the European Union Agency for Network and Information Security, said countries had reported 79 major outage incidents during 2012, almost 40 per cent of which had affected the possibility of dialling 112.
The incidents, which featured in the agency's annual report, were caused by a range of factors, including Distributed Denial of Service (DDoS) cyber attacks, faulty upgrades, cable theft, and faulty software.
A range of telecommunications were affected by the outages, but mobile phones and mobile internet faced the most significant impact.
Professor Udo Helmbrecht, executive director of ENISA said: "The EU collaboration behind this report is key to improving the security and resilience of electronic communications networks in the EU, as well as for security in other critical sectors.
"Reporting major incidents helps us understand what went wrong, why, and how to prevent similar incidents from happening again."

DDoS diverts attention during Payment Switch takeover

DDoS attacks are an increasingly popular method for criminals to divert bank security staff attention while defrauding bank systems.
Until recently, most illegal money transfers were accomplished via account takeover of either customer or employee accounts when the fraudsters moved money from customer accounts to their mules and eventually their own accounts.
A new much more ominous attack type has emerged over the past few months – and uses DDoS as its cover. Once the DDoS is underway, this attack involves takeover of the payment switch (e.g. wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.
Considerable financial damage has resulted from these attacks. One rule that banks should institute is to slow down the money transfer system while under a DDoS attack.
More generally, a layered fraud prevention and security approach is warranted. See our research on the Seven Dimensions of Context Aware Security and the Five Layers of Fraud Prevention.