Friday, 12 September 2014

How to Protect Yourself From Big Bank-Card Hacks

With hackers stealing millions of credit and debit card numbers with seeming impunity from Target, Home Depot, and other retailers lately, it might seem as if there’s nothing the average consumer can do to protect themselves.
But you don’t have to rely on the security of Big Box retailers to shield you. With a couple of precautions, you can dramatically reduce the hassle and expense of a bank card breach if you are hit. Though you can’t guard against every scenario, a little op sec goes a long way.
Use Prepaid or Single-Use Cards for Ecommerce
There’s no liability for you when your bank card is ripped off and used fraudulently (as long as you report bogus transactions in a reasonable timeframe). But that doesn’t mean that having your card stolen is hassle-free. If you have automatic card payments set up for Netflix or your gym membership, you’ll have to cancel the card data for each account and update it when the bank issues you new digits.
Avoid the nuisance by using one card for recurring subscription charges, and a prepaid or one-time card number for shopping—especially around the holidays when the risk of a breach is much higher. Although it’s always possible that Netflix will get sprung as well, most high-profile card breaches have involved restaurants, retailers or card processors and the live transmission of unprotected data, as opposed to stored data that is, or should be, encrypted.
Single-use, or disposable, credit card numbers are tied to your real card number, but can prevent that number from being exposed if a site is hacked. Citibank, Bank of America and Discover all offer disposable card numbers. Prepaid cards, on the other hand, are independent of your real credit card account and allow you to feed money into an account at will, to maintain whatever balance you need to meet your shopping needs. If that number gets stolen, the card is easily replaced without affecting your main credit card account.
Never Use Debit Cards Except to Withdraw Funds at Bank ATM
With a credit card, you can always dispute fraudulent charges before you pay them. That’s not the case with a debit card, which is tied directly to your bank account. You can still get reimbursement for fraud on a debit card, but it will probably be well after the fact: hackers can drain your funds before you know the card number has been stolen.
So treat your debit card with extra security. Don’t use it at gas pumps or other spots prone to skimming. In fact, don’t use it for payments at all. Just treat it as an ATM card — and even then, watch out for covert PIN-capturing cameras or skimming devices affixed to a cash machine. Use debt cards only in bank ATM machines, not at in-store and in-casino ATMs where hackers and thieves can more easily tamper with the machines.

Google Responds to Gmail Password Dump

Only a small percentage of the roughly five million password and username combinations recently dumped online would have allowed someone to access Gmail accounts, according to Google. 
The statement comes after a massive collection of passwords were posted online to a Russian Bitcoin forum along with a list of Gmail addresses. The information was published by someone under the username 'Tvskit,' who claimed that approximately 60 percent of the credentials are legitimate and that the majority of accounts belong to English, Spanish and Russian speakers.
However, Google said that less than two percent of the email and password combos could actually be used to access Gmail accounts.

"One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the posting of lists of usernames and passwords on the web," according to a post on Google's security blog. "We’re always monitoring for these dumps so we can respond quickly to protect our users."

"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts," the blog continues. "We’ve protected the affected accounts and have required those users to reset their passwords."

There was no breach of Google's systems, the company stated. Most likely, the leaked usernames and passwords were obtained through a combination of other methods, according to Google.

"For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others," the company noted. "Or attackers can use malware or phishing schemes to capture login credentials."

Security specialist Peter Krause of the CSIS Security in Denmark tweeted that the credentials likely originated from a multitude of sources, and some were more than three years old.

"This is week is definitely a special one," said Dmitry Bestuzhev, head of the global research and analysis team in Latin America at Kaspersky Lab. "On Monday somebody published supposedly leaked passwords from a Yandex email service, next day they did the same but with email service, publishing millions of leaked accounts. In both cases it was about accounts stolen via classic cybercrime schemes - phishing and malware attacks targeting the end point or the victims but not the provider itself. One important thing is that most of accounts are old.

"Today we’re seeing a new leak from Gmail," he continued. "It looks like this is a planned action. Once again it’s likely that all passwords were stolen via classic attacks against the endpoint. One thing people can do to increase their access security is to enable two-factor authentication. So if the password is stolen, the account is not compromised."

Attack Steals Online Banking Credentials From SMBs

The "Peter Pan" phish employs Dridex malware, experts say.
A phishing campaign that appears to have hit UK small and midsized businesses hard in a ploy to pilfer their online banking credentials serves as yet another reminder that a company need not be the size of Target to be a cybercrime target.
The "Peter Pan" attack -- using emails purporting to contain tickets to a theatrical performance of the classic story -- has been blanketing SMBs in the UK. The "ticket" attachment contains a banking Trojan that gathers user credentials to specific websites (many of them online banking sites) and social media accounts. The malware also spreads to other devices on the infected machine's network, sending the stolen information to a server that appears to be located in Eastern Europe.
"It seems this was a deliberate attack targeting small businesses in the UK," says Paul Lipman, CEO at iSheriff, which has been analyzing the attack and the malware. "SMBs for a long time have viewed themselves as impervious. But the reality is cyber criminals know that these guys are not well protected" and thus make easy targets.
The attackers used a real theater performance and a real website to make the phish appear more realistic, Lipman says. The malware uses a Windows executable and appears to behave like a classic banking Trojan. "It looks quite similar to the Zeus banking Trojan… This isn't a new class of malware."
The security firm Comodo has identified the malware as Dridex (a.k.a. Cridex/Feodo/Bugat) and says a similar campaign hit German companies a couple of months ago. The Peter Pan attack looks for URLs for commercial banking. Egemen Tas, vice president of engineering at Comodo, says the targeted UK banking sites include Bank of Scotland, Barclays, HSBC, and Yorkshire Bank.
"These are not consumer bank websites… It looks specifically for banking websites" used by SMBs, Tas says. "The scene is changing," and SMBs are targets just as large organizations are.
But not everyone believes that the Peter Pan attacks were targeting SMBs. According to Sophos, the attack was more of a typical mass phishing spam campaign, and SMBs are among the casualties.
"I completely disagree" that the attack was targeting SMBs, says Chester Wisniewski, senior security adviser at Sophos. "This is another spam campaign just like we've seen" before. "There's nothing particularly unique about this."
Sophos first detected the attacks landing in its spam traps on Sunday evening, and there were Peter Pan emails going, not only to UK targets, but also to targets in Asia, Canada, and the US. "There's a preponderance of British addresses," Wisniewski says, but it's just another "spray and pay" phishing attack commonly used by cyber criminals.
SMBs are juicy targets mainly because many don't have email security tools in place to detect the attacks, and they rely mainly on endpoint antivirus. "No victim is too small," he says. "The bottom line is not every criminal has the skills to breach Home Depot and Target." Most would prefer casting a wider net and easily snaring the local hair salon or flower shop. And there's always the chance that a Target or other large company endpoint will end up in the net, as well.
Wisniewski says he and his team see cyber criminals regularly divvying up compromised machines by category, selling off consumer bundles while keeping the business victims for their own use. "They can sit there and wait, because the accounting machine at a small business is worth" a lot. The criminals await payroll processing and then siphon $50,000 or more from the SMBs' bank accounts.
Targeting SMBs specifically takes a lot of effort, he says, so any attackers that are willing to do that and have the skills to do so are more likely to go "upscale" and go after the big businesses.

Security lapse by Diamond Computing exposed Diatherix patients’ information on the Internet for 22 months

Diatherix Laboratories in Alabama  posted this notice on their site about a breach involving Diamond Computing Company:
On August 7, 2014, the Compliance Officer of Diatherix Laboratories, Inc. notified 7,016 individuals across the United States that their protected health information (PHI) may have been accessed in connection with a security lapse.
Background Information
Diatherix provides clinical laboratory testing services. Diatherix contracted with a software company, Diamond Computing Company, to provide billing-related services. On July 10, 2014, Diatherix discovered a security lapse by Diamond Computing Company that allowed one of its computer servers to be made accessible through the Internet. The server contained billing-related documents, such as health insurance claim forms and billing and payment-related letters. With assistance from an outside data security firm, Diatherix concluded that the server became unsecure on September 24, 2011 and was first accessed on October 16, 2011, but no PHI was viewed at this time. Diatherix’s investigation indicated that documents containing PHI were first viewed on March 7, 2014.
As soon as the lapse was discovered, Diatherix took immediate steps to secure the PHI. As requested by Diatherix, Diamond Computing Company terminated access to the server on July 10, 2014. Diatherix also began an investigation to determine how the incident occurred and to determine which data and individuals were involved, and engaged an outside data security firm to assist in this investigation.
Diatherix determined that the types of information in the documents that were accessible through the Internet included patient name, patient account number, address, date of test, insurance information, and guarantor/insured information. Some of the documents also included social security numbers, dates of birth, diagnosis codes and the type of test ordered for the patient. The documents did not include laboratory test results, banking information or credit card information.
In addition to conducting an investigation to determine how the incident occurred and which data and individuals were involved, Diatherix has implemented security measures in an effort to minimize risk of any similar incident in the future. These measures include:
  • Confirming that Diamond Computing Company has destroyed or secured all information of Diatherix patients that was stored on the server;
  • Contacting Google and other search engines known to have accessed documents containing PHI and requesting that all PHI be removed from their files; and
  • Initiating a security review of other, similar Diatherix vendors who have access to PHI to confirm their security procedures.
Diatherix noted that they are offering affected patients one year of credit monitoring through Experian.  You can access their full notification here (pdf).

5 Nigerian gangs dominate Craigslist buyer scams

Just five Nigerian criminal gangs are behind a widespread type of fraud targeting sellers on Craigslist.
The Lads from Lagos are going to considerable lengths of investing time and money in order to make their scams more plausible, according to a study by George Mason University researchers Damon McCoy and Jackie Jones.
The researchers discovered that Nigerian scammers have enlisted the help of US-based accomplices as well as getting their hands on professional cheque-creating kit.
The two researchers put up "honeypot" ads for laptops priced, on average, at a 10 per cent premium over similar kit on Amazon in a bid to discourage legitimate buyers. Only one legitimate purchaser tried to purchase the overpriced equipment.
Many less savoury buyers approached the researchers by email. In response, the researchers sent images of the products. Opening these images revealed info on the IP addresses of scammers. More than half came from Nigeria from what the researchers identified as just five groups of fraudsters.
The Craigslist scam kicks into effect when these "buyers" offer to pay for the advertised kit with a certified cheque. The scammers further claim that they couldn't pick up the goods in person and are using a US-based "mover agent". The "cheque" is higher than the purchase price and intended marks are asked to send the difference - minus their expenses for shipping the kit - via Western Union.
This overpayment scam works because banks are likely to initially accept the cheque and might even "float" funds from a cheque before it has cleared. Once the cheque is discovered to be fraudulent, banks attempt to claw funds back as well as imposing a surcharge, levying even more pain on defrauded sellers.
If successful, sellers will not only fail to receive any money for the goods that they were intending to sell, but will be even further out of pocket because of the money they have transferred under false pretence. In this way the scam is even more lucrative than listing frauds, which attempt to trick sellers into thinking they will be paid from an escrow account held by PayPal once they ship their computer kit.
Analysis of the return addresses on envelopes used to send out the fraudulent cheques as well as the signatures on the cheques were used to categorise the originators of frauds.
Overpayment scams have been around for years and are not particular to Craiglist. The listings site has a variety of defences against fraudulent sellers but bogus buyers remain a problem. Work by the two researchers show that these scams are getting more sophisticated.
"Some of the phoney checks were generated using VersaCheck software on legitimate check paper, with watermarks and other security features," IT World reports. "Most of the checks listed real businesses that were geographically close to the bank".
Bank routing numbers used in the scam are legitimate.
Victims may well not know that the "buyer" of the kit is actually located in Nigeria thanks, in part, to the use of a US-based middleman.
McCoy and Jones are due to present their research (PDF) at the IEEE-backed APWG Symposium on Electronic Crime Research in Birmingham, Alabama later this month (24 September). An abstract for their paper, entitled The Check is in the Mail: Monetization of Craigslist Buyer Scams, (PDF) explains that a better understanding of how the scam worked gives the potential for law enforcement on others to crack down on the scam, in particular by identifying and targeting US-based affiliates.
To grow our understanding of scammer methods and how they monetize these scams, we utilize a data collection system posting ”honeypot advertisements” on Craigslist offering products for sale and interact with scammers gathering information on their payment methods. We then conduct an analysis of 75 days worth of data to better understand the scammer’s patterns, supporting agents, geolocations, and methods used to perpetuate fraudulent payments. Our analysis shows that five groups are responsible for over 50 per cent of the scam payments received. These groups operate primarily out of Nigeria, but use the services of agents within the United States to facilitate the sending and receiving of payments and shipping of products to addresses both in Nigeria and the United States.
This small number of scammer organizations combined with the necessity of support agents within the United States indicate areas for potential targeting and disruption of the key scammer groups.
More comment on the ins and outs of the Craiglist scam and overpayment scams in general can be found in a blog post on Sophos's Naked Security blog here.

Hacker publishes tech support phone scammer slammer

Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers.
Weeks' day job is director at Root9b, but he's taken time to detail a zero-day flaw in Ammyy Admin he hopes will be used to fight back against tech support scammers.
This one is personal: Weeks says he became keen on a countermeasure after he "" ... discovered one of these groups had managed to scam my grandparents and leave their computer an infected mess for me to clean up. So I set out to find out if I could counter an attempted scam with a full fledged remote exploit, and turn the tables on the scammers."
Matthew Weeks
The resulting tool is explained in a detailed technical post in which Weeks explains "I put together a Metasploit module that will generate a plaintext transcript to send to the remote end via the injected DLL into a running Ammyy instance that will exploit the remote end trying to take over your computer."
"I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims ... hopefully, it will be a deterrent to those who would attempt to compromise and take advantage of innocent victims."
The hack works from the end-user, meaning victims can send scammers the hijacking exploit when they request access to their machines. Victims should provide scammers with their external IP addresses rather than their Ammyy identity numbers as the exploit was not yet built to run over the Ammyy cloud, according to the exploit readme.
Exploiting Ammyy Exploiting Ammyy. Matthew Weeks
Weeks wrote an executable to automate processes required to pull of the hack targeted at the latest version 3.5 and a module for the popular Metasploit security tool.
The Black Hat speaker, Metasploit developer and former US Air Force reverse engineer said he had not exploited a scammer with the hack since none have called lately.
Ammyy Admin is used by tens of millions of users. Neither Weeks nor Vulture South have consulted legal eagles over use of the exploit. It's likely that doing so, however comedic, would breach some form of broad computer crime laws.