Saturday, 21 March 2015

Bank of America phishing attack hits customers

Phishers are once again targeting Bank of America customers, warns Malwarebytes' Chris Boyd.

He doesn't say it, but it's likely that the potential victims are directed to the phishing site via spam email impersonating the bank and telling them their online banking option has been deactivated due to suspicious activity.

The link leads to a page containing instructions on how to verify account information:

More knowledgeable users might find it suspicious that the page's URL has nothing to do with BoA, but many will surely download and open the offered verification file.

When they do, they will be taken to the actual phishing site (at Alertfb(dot)pw/site/IrregularActivityFile(dot)html), where they will be asked to fill out a few forms with personal information (name, date of birth, address, phone number, Social Security number, mother's maiden name, driver's license number), email account credentials (email address, password), and payment card information (number, expire [sic] date, CVV). The phishers also ask for the answers to the three security questions the users set up during their initial registration with the bank.

Once again, the URL has nothing to do with BoA, and some of the images on the site are broken, but unfortunately there are always some users who will not notice things like that and believe the request to be legitimate.

If you fall for a scheme like this, contact your bank as soon as possible and inform them of the matter, so that they can block any unauthorized transactions, change the information that can be changed (security questions), and issue you a new payment card.

You should also immediately change your email password (and enable 2-step verification, if available), and be aware that, with all that personal information the phishers managed to get out of you, you can easily become a victim of identity theft in the future, or be targeted by skillful scammers.

British Judo in deep shido after cyber attack

Hack possibly bared members’ credit card details

The British Judo Association has temporarily shut down its online membership application system after an illegal intrusion snagged some members' details.
The association is grappling with an information breach that has possibly tossed members' credit card info right into the clutches of online criminals.
The BJA has warned its members to "remain vigilant and to monitor your credit cards, account statements and similar reports. Please report any unauthorised or suspicious activity and contact your credit or debit card supplier with any inquiries."
Talking to El Reg, a spokesperson declined to specify how many members may be affected.
"It's a small number. British Judo has approximately thirty thousand members, but only our online membership application and renewal system has been compromised, not our main database."
In a statement emailed to members and posted on the website, British Judo told martial artists: "Although we are still investigating the breach, we are aware that an unauthorised person has illegally gained access to a small and limited number of British Judo members’ personal details, despite the system being PCI compliant."
The intrusion was discovered on Wednesday.
The body immediately contacted the police and shut down its online membership and renewal system, and has hired a forensic investigator to assist in the analysis of the breach.

Rocket Kittens target defence and IT bods from Europe & Israel

Hacker cats scratch folk gazing hungrily at Iran

A seemingly state-sponsored hacking crew has compromised systems in several organisations in Israel and Europe, according to new research by Trend Micro.
The so-called Rocket Kitten group has targeted defence and IT industries, government entities and academic institutions.
Victims include civilian and academic organisations in Israel, German-speaking government organisations and a European company, among others.
Rocket Kitten has launched two campaigns so far: "Operation Woollen-GoldFish" and “GHOLE”.
The earlier GHOLE campaign relied on macros embedded in Microsoft Office files that victims were tricked into opening; infection required user interaction, as Trend explains.
"Once the file is opened, it asks the user to allow macros to see the content. If the user does so, he is shown a decoy file while his computer is silently being infected by the GHOLE malware, allowing the attackers to have a remote access to that machine and bounce inside the corporate network of the target entity," Trend said.
The same group recently launched a more sophisticated attack. Woollen-GoldFish combines social engineering techniques and abuse of Microsoft OneDrive cloud storage.
The spear phishing content itself has improved. We have seen this group usurp the identities of high-profile personalities from Israel and use exclusive content made by one of these profiles as a decoy file.
The infection scheme has also changed: the spear-phishing email contains a link to a file stored on a free online storage service. The stored file is an archive file containing an executable file pretending to be a PowerPoint document.
Once clicked, this binary infects the target with a brand new malware, TSPY_WOOLERG.A, developed by one of the threat group members known as wool3n.h4t, who was already active in the first campaign.
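Both Rocket Kitten lures described above come down to a file whose content does not match what its name promises: an Office document that carries a VBA project (GHOLE), or an archive whose "PowerPoint document" is really a Windows executable (Woollen-GoldFish). The following is an added example, written for this page and not code from Trend Micro or from the campaign write-up, of how a mail gateway or triage script can check archive members by content rather than by name. The PE and macro checks are simple heuristics (the `MZ`/`PE\0\0` header chain, a `_VBA_PROJECT` stream name in legacy OLE2 files, a `vbaProject.bin` part in OOXML containers); the samples it scans are constructed in the script and are not real campaign artifacts.

```python
import io
import struct
import zipfile

# Extensions an attacker would borrow to make a binary look like a document.
DOCUMENT_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm",
                       "ppt", "pptx", "pptm", "pps", "ppsx", "pdf", "rtf"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office (CFB) container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.pptx/...) container


def is_pe(data: bytes) -> bool:
    """True if the bytes are a Windows PE image: 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_vba_project(data: bytes) -> bool:
    """Heuristic: does this Office document carry a VBA project (i.e. macros)?"""
    if data.startswith(OLE2_MAGIC):
        # CFB directory entry names are stored UTF-16LE; a VBA project always has a '_VBA_PROJECT' stream.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def classify(name: str, data: bytes) -> list:
    """Findings for one archive member, judged on content rather than on its file name."""
    findings = []
    if is_pe(data):
        # 'Talk.pptx.exe' and a PE simply named 'Talk.pptx' both land in this branch.
        parts = name.lower().split(".")
        if any(p in DOCUMENT_EXTENSIONS for p in parts[1:]):
            findings.append("executable disguised as document")
        else:
            findings.append("executable in archive")
    if has_vba_project(data):
        findings.append("office document with VBA macros")
    return findings


def scan_archive(archive: bytes) -> dict:
    """Map every member of a zip archive to its findings."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: classify(info.filename, zf.read(info))
                for info in zf.infolist() if not info.is_dir()}


# --- constructed samples (fabricated for this example, not real Rocket Kitten artifacts) ---

def fake_pe() -> bytes:
    header = bytearray(0x100)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew -> PE signature at offset 0x80
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)


def fake_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_macros:
            zf.writestr("ppt/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def fake_ole2_with_macros() -> bytes:
    return OLE2_MAGIC + b"\x00" * 0x200 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 0x40


def sample_archive() -> bytes:
    """The kind of lure described above: an archive whose 'PowerPoint' is really a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Briefing.pptx.exe", fake_pe())           # executable wearing a document name
        zf.writestr("Briefing.pptx", fake_ooxml(False))       # genuine macro-free deck
        zf.writestr("Notes.pptm", fake_ooxml(True))           # OOXML deck with vbaProject.bin
        zf.writestr("Agenda.doc", fake_ole2_with_macros())    # legacy doc with a VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(sample_archive()).items():
        print(f"{member:20s} {', '.join(findings) or 'clean'}")
```

The point of judging on magic bytes is that the file name, the icon and the archive wrapper are all under the attacker's control; the PE header and the macro storage are not. A production gateway would go further (OLE2 directory parsing instead of a substring match, nested archives, the `.scr`/`.pif`/`.com` family), but the structure stays the same: identify what the bytes are, then compare that with what the name claims.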
"This campaign, like the previous one from the group, shows that the targeted entities do have a particular interest for the Islamic Republic of Iran," Cedric Pernet, a threat researcher at Trend Micro, concludes.
A blog post featuring a graphic to illustrate the Woollen-GoldFish campaign can be found here.
A more detailed white paper by Trend Micro on Rocket Kitten can be found here (PDF).