One in Three Ex-employees Can Access Corporate Networks

Unauthorized access to corporate networks and resources by ex-employees is a documented issue,
but an emerging endemic insider threat problem is coming into focus: new research has revealed that
one out of three companies in the US and UK are neglecting to deploy vigilant post-termination
processes, allowing ex-employees continued access to systems and data after they have left their
The report from IS Decisions also showed that more than a third (36%) of desk-based workers in the UK
and US are aware of having continued access to a former employer's systems or data, with nearly one in
10 actually accessing it.
As for awareness of the access, the report shows that it differs wildly across age groups, with a much
larger 58% of 16- to 24-year-olds and 48% of 25- to 34-year-olds stating awareness of having had
continued access to a former employer's systems or data. This continues to decrease for older age groups,
averaging just 21% for those aged over 55, which could be attributed to younger age groups moving jobs
more frequently, but the results do suggest that the issue is a growing one.
Of the 36% that were aware of their continued access, 9% actually chose to use it. Once again, this tended
to be higher for younger age groups, averaging 13% for all those aged 16 to 34.
The worst industry sectors for allowing ex-employees continued access to systems are surprising, with
HR/recruitment and IT sharing double billing as the worst offenders. Arts and culture came in second, at
Also, the most likely job role for an ex-employee with continued systems or data access is marketing, with
a huge 68% of the study sample. The next highest is potentially even more worrying, with 56% of those
working in legal roles continuing to have access after leaving an employer, all the while potentially
handling sensitive company data.

"As the number of disparate systems and networks we use in our everyday working lives increases, it's
natural that access management is becoming a more difficult problem to address for organizations," said
François Amigorena, CEO of IS Decisions, in a statement. "Marketing departments apparently suffer from
this worst of all; between email, social media, CRM systems and everything else there is a lot to cover."
He added, "The fact is though, that an ex-employee is more likely to have incentive than anyone to put
this access to malicious use. Former employees are probably the greatest insider threat, yet they are the
easiest to address; just make changing passwords and deactivating accounts a part of the termination
process. Yet businesses are failing to do this, and worse still businesses in the industries you would most
expect this to be standard procedure, IT and HR, are failing even more than the rest."
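As an added illustration of the termination check Amigorena describes (this is example code, not anything from IS Decisions), the following Java program reconciles an HR termination export against a directory account export and lists accounts that are still enabled after their owner's leaving date, marking those that have been used since. The column layouts, the sample rows and the audit date are constructed assumptions.

```java
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not from the IS Decisions report): reconcile an HR
 * termination list against a directory export and flag accounts that should
 * have been disabled at termination. Both inputs are constructed sample data;
 * a real run would read an HRIS export and an AD/IdP export in these shapes.
 */
public class OffboardingAudit {

    /** One directory account as exported from AD/IdP (hypothetical columns). */
    record Account(String user, String employeeId, boolean enabled, LocalDate lastLogin) {}

    /** An account still enabled after its owner's termination. */
    record Finding(String user, LocalDate terminated, boolean usedAfterTermination) {}

    /** Parse "employeeId,terminationDate" lines from the HR system. */
    static Map<String, LocalDate> parseTerminations(List<String> lines) {
        Map<String, LocalDate> out = new HashMap<>();
        for (String line : lines) {
            String[] f = line.split(",");
            out.put(f[0].trim(), LocalDate.parse(f[1].trim()));
        }
        return out;
    }

    /** Parse "user,employeeId,enabled,lastLogin" lines; lastLogin is "-" when never logged in. */
    static List<Account> parseAccounts(List<String> lines) {
        List<Account> out = new ArrayList<>();
        for (String line : lines) {
            String[] f = line.split(",");
            LocalDate last = f[3].trim().equals("-") ? null : LocalDate.parse(f[3].trim());
            out.add(new Account(f[0].trim(), f[1].trim(), Boolean.parseBoolean(f[2].trim()), last));
        }
        return out;
    }

    /**
     * Core check: every enabled account whose employee id is on the termination
     * list with a date on or before the audit date is a finding. A last login
     * after the termination date is the worse case the report counts: the
     * ex-employee actually used the access. The join is on employee id, not
     * username, so secondary and service accounts owned by the leaver are caught.
     */
    static List<Finding> audit(Map<String, LocalDate> terminations, List<Account> accounts, LocalDate today) {
        List<Finding> findings = new ArrayList<>();
        for (Account a : accounts) {
            LocalDate term = terminations.get(a.employeeId());
            if (term == null || term.isAfter(today) || !a.enabled()) continue;
            boolean used = a.lastLogin() != null && a.lastLogin().isAfter(term);
            findings.add(new Finding(a.user(), term, used));
        }
        // Used-after-termination first, then alphabetical, so the incidents top the list.
        findings.sort(Comparator.comparing(Finding::usedAfterTermination, Comparator.reverseOrder())
                                .thenComparing(Finding::user));
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<String> hr = List.of(
            "E1001,2014-06-30",   // left; account still enabled and used afterwards
            "E1002,2014-07-15",   // left; account correctly disabled
            "E1003,2014-12-31");  // future-dated leaver; not yet a finding
        List<String> dir = List.of(
            "alice,E1001,true,2014-08-02",
            "bob,E1002,false,2014-07-14",
            "carol,E1003,true,2014-08-05",
            "dave,E1004,true,2014-08-05",   // current employee, no HR record
            "svc_crm,E1001,true,-");        // second account owned by the leaver, never logged in
        for (Finding f : audit(parseTerminations(hr), parseAccounts(dir), LocalDate.of(2014, 8, 6))) {
            System.out.printf("%s: still enabled, terminated %s, used after termination: %s%n",
                f.user(), f.terminated(), f.usedAfterTermination());
        }
    }
}
```

Run as a scheduled job against the real exports, the rows marked as used after termination are the incidents and the rest are the process failures the report counts. Shared and service accounts tied to a leaver (svc_crm above) are what a password-only checklist tends to miss, which is why the join is on employee id rather than on username.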


Chinese Hackers Use APTs to Target Gaming Companies

Researchers at Dell SecureWorks have uncovered what they believe to be a Chinese hacking group
specifically focused on stealing source code from video game companies, either in order to crack or cheat
at particular games or to use in competing products.
The firm's Counter Threat Unit said in a lengthy report that it believed Threat Group (TG) 3279 had
been in operation since 2009, judging by domain name registration, message board activity and other
It pointed to strong links between TG-3279 and two personas, Laurentiu Moon and Sincoder, as well as the
China Cracking Group.
"It appears that TG-3279 uses a port scanning tool named s and an RDP brute force tool named
rdp_crk, which may be used to scan and exploit targets," the report claimed.
"As of this publication, CTU researchers have not discovered packaged exploits used by TG-3279 and
believe that the threat actors rely on active hands-on-keyboard techniques to exploit targets."
These techniques include leveraging optionally loaded DLLs to establish persistence for the Conpee
plugin framework. Conpee is a plug-in based Remote Access Trojan (RAT).
Another method was to load legitimate DLL imports with malicious Conpee files.
The idea is to compromise the account credentials of targets with admin privileges working at video game
companies, in order to install these malicious tools, said Dell.
Once inside an organization, TG-3279 maintains a long-lived foothold, updating its malicious tools with
newer versions and even with versions that have been signed with valid certificates, in order to fly under
the radar of traditional defenses.
Although video game companies are common targets for the Chinese cracking community, the CTU report
is slightly unusual in highlighting a persistent targeted attack group from the Middle Kingdom which does
not appear to be state-sponsored or focused on stealing defense, energy or political secrets.

"Due to information gathered from targeted hosts, CTU researchers believe with medium confidence that
TG-3279 focuses on the collection of video game source code to crack those games for free use, to develop
tools to cheat at the games, or to use the source code for competing products," noted the report.
The best method for detecting TG-3279 activity is to look for modifications to system files, invalidly
signed executables, and repeated non-existent domain (NXDomain) DNS replies.
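The third indicator in the CTU's list, repeated NXDOMAIN replies, is easy to turn into a detection. The following Java class is an added example, not SecureWorks tooling: it reads resolver log lines in an assumed format, keeps a sliding window of NXDOMAIN replies per source host and raises an alert when a host collects five within five minutes. The log lines are constructed, the threshold is an assumption, and the names queried are reserved example domains.

```java
import java.time.Duration;
import java.time.LocalDateTime;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the SecureWorks CTU report): flag hosts that receive
 * repeated NXDOMAIN replies inside a short window, one of the three detection
 * hints the report gives. The log format, field names and threshold are
 * assumptions; the sample lines in main are constructed.
 */
public class NxDomainWatch {

    /** Assumed resolver log line: "<ISO time> src=<ip> qname=<name> rcode=<code>". */
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) src=(\\S+) qname=(\\S+) rcode=(\\S+)$");

    record Alert(String src, int nxCount, List<String> names) {}

    /**
     * Sliding window per source: keep the timestamps of NXDOMAIN replies seen
     * within {@code window} of the newest one; when the count reaches
     * {@code threshold}, raise one alert for that source and reset, so a long
     * burst yields one alert per threshold-sized group instead of one per line.
     */
    static List<Alert> scan(List<String> lines, int threshold, Duration window) {
        Map<String, Deque<LocalDateTime>> recent = new HashMap<>();
        Map<String, LinkedHashSet<String>> names = new HashMap<>();
        List<Alert> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line.trim());
            if (!m.matches() || !m.group(4).equals("NXDOMAIN")) continue;
            LocalDateTime ts = LocalDateTime.parse(m.group(1));
            String src = m.group(2);
            Deque<LocalDateTime> q = recent.computeIfAbsent(src, k -> new ArrayDeque<>());
            LinkedHashSet<String> seen = names.computeIfAbsent(src, k -> new LinkedHashSet<>());
            q.addLast(ts);
            seen.add(m.group(3));
            // Expire replies older than the window, measured from the newest reply.
            while (!q.isEmpty() && Duration.between(q.peekFirst(), ts).compareTo(window) > 0) {
                q.pollFirst();
            }
            if (q.size() >= threshold) {
                alerts.add(new Alert(src, q.size(), new ArrayList<>(seen)));
                q.clear();
                seen.clear();
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample: 10.0.0.12 keeps resolving names that no longer exist
        // (beaconing to dead infrastructure); 10.0.0.7 has a single typo and must not alert.
        List<String> log = List.of(
            "2014-07-28T03:14:05 src=10.0.0.12 qname=upd.c2.example.net rcode=NXDOMAIN",
            "2014-07-28T03:14:06 src=10.0.0.7 qname=wwww.example.com rcode=NXDOMAIN",
            "2014-07-28T03:14:35 src=10.0.0.12 qname=upd.c2.example.net rcode=NXDOMAIN",
            "2014-07-28T03:15:05 src=10.0.0.12 qname=cfg.c2.example.net rcode=NXDOMAIN",
            "2014-07-28T03:15:06 src=10.0.0.12 qname=www.example.com rcode=NOERROR",
            "2014-07-28T03:15:35 src=10.0.0.12 qname=upd.c2.example.net rcode=NXDOMAIN",
            "2014-07-28T03:16:05 src=10.0.0.12 qname=cfg.c2.example.net rcode=NXDOMAIN");
        for (Alert a : scan(log, 5, Duration.ofMinutes(5))) {
            System.out.printf("%s: %d NXDOMAIN replies in window for %s%n",
                a.src(), a.nxCount(), a.names());
        }
    }
}
```

Modified system files and invalidly signed executables, the other two indicators, are better covered by file-integrity monitoring and by checking Authenticode signatures on the host (signtool verify, or Get-AuthenticodeSignature in PowerShell); a DNS-side alert like this one is what points you at the host worth checking.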


US Fears a Second Snowden May be Leaking Secrets

US officials believe there is now another whistleblower leaking sensitive documents, following high
profile disclosures by former NSA contractor Edward Snowden, according to reports.
A federal government source confirmed the conclusion to CNN, after Glenn Greenwald's site The
Intercept published a new story on Tuesday based partly on freshly leaked national security
The article in question claims that 40% of people on a government terrorist watch list of 680,000
names actually have no recognized terrorist group affiliation, raising the question of why they are
still on the list.
It also reveals that a no-fly list preventing people in the US from travelling has now grown to
47,000 names, the highest number since the list was created 13 years ago.
Both lists are part of a bigger database, known as the Terrorist Identities Datamart Environment
(TIDE), which agencies including the CIA, NSA and FBI have access to and which includes biometric
data from over 700,000 suspects.
Unsurprisingly, the report refused to name the leaker but referred instead to a rather generic
"source in the intelligence community".
However, Greenwald has hinted recently that another Snowden exists in the intelligence
In response to a Tweet by Bruce Schneier on July 4 which read "I think there's a second [NSA] leaker
out there", he wrote "Seems clear at this point".
It's still unclear how many documents the new leaker, if there is one, has shared and what impact
they might have on the Obama administration and America's standing in the world.
It is only known that they are "Secret" and "NOFORN", i.e. not to be shared with foreign governments,
although this is actually one level down from the docs leaked by Snowden, according to CNN.
The US has paid a heavy price already for the revelations emanating from Snowden's leaks, not least
in its relationship with China.
in its relationship with China.

They were a shot in the arm for Beijing, so often on the back foot after countless US claims of cyber
espionage from its operatives, and have lent credibility to its oft-played argument that China is a
victim, not a perpetrator, of cyber attacks.
It seems even to have led to a clampdown on US-made technology products.
First Windows 8 government sales were banned, and then more recently it was claimed by the
People's Daily that Symantec and Kaspersky Lab products would not be allowed to be sold to
central government customers.


NSAs MonsterMind Defense System Could Launch Cyber Counterattacks Against Hackers
A new cyber defense system being developed by the NSA could automatically launch counter-strikes
against attackers who target the US, whistleblower Edward Snowden has claimed.
The MonsterMind project, still under development at the spy agency, features algorithms which
would automatically scan vast chunks of metadata with the aim of picking out malicious traffic.
With that intelligence the NSA system could then neutralize the threat and even theoretically launch
a retaliatory strike autonomously, Snowden told Wired.
However, such a capability could end up targeting innocent, compromised computers being used
by an attacker as a botnet to launch the initial threat, the whistleblower cautioned.
"These attacks can be spoofed," Snowden told the site.
"You could have someone sitting in China, for example, making it appear that one of these attacks is
originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?"
The second issue is that for the system to work effectively, the NSA would have to gain access to all
communications traffic coming into the US. Seizing private comms without a warrant and with no
suspicion of wrongdoing would violate the Fourth Amendment, Snowden added.
Sean Sullivan, security consultant at F-Secure, agreed that MonsterMind may end up counterattacking
botnets comprised of compromised computers belonging to US citizens or allies of the
"Counterattack options are only useful if the adversary has something to lose. Take North Korea as
an example," he continued.
"It might attempt to launch an attack from compromised resources. But even if it used its own servers to
attack US infrastructure, what besides those servers is there to counterattack? North Korea isn't
wired; it basically has nothing to lose."
Sullivan labelled it an overly complicated defense strategy.

"A fraction of the money used by MonsterMind could be spent on bug hunting and eliminating
vulnerabilities to achieve greater results," he told Infosecurity.


SSL Vulnerabilities Found in 68% of Most Popular Android Apps

Man-in-the-middle (MITM) attacks are wreaking havoc on Android users because over two-thirds
of the most popular apps on Google Play contain SSL vulnerabilities, according to new research from
After being notified by the security vendor, the developers of said apps have now addressed the
vulnerabilities, but the study nevertheless highlights the ongoing security problems with the Google
MITM attacks occur when an attacker intercepts data sent by an app to a server or vice versa, either to
read the data itself, to replace it with malicious data that is then injected into the app, or to redirect
traffic to a new destination controlled by the attacker.
FireEye mobile threat researchers Adrian Mettler, Vishwanath Raman and Yulong Zhang explained in
a blog post that they examined the 1,000 most downloaded free apps on Google Play only to find 674
(68%) had at least one of three particular SSL vulnerabilities.
Of the 614 apps that use SSL/TLS to communicate with a remote server, 73% didn't check server
certificates at all, exposing any data they exchange with those servers to potential theft.
In addition, around 8% of those 614 used their own hostname verifiers which don't check hostnames,
implying they are incapable of detecting redirection attacks where the attacker redirects the server
request to a malicious webserver controlled by the attacker.
Finally, 77% ignored SSL errors generated when they use WebKit to render server pages, which
means they could be missing MITM attacks that exploit vulnerabilities like JavaScript Binding Over
HTTP (JBOH), FireEye said.
The researchers carried out a similar study on a random sample of 10,000 free Android apps available
on Google Play and found 40% used trust managers that don't check server certs; 7% used hostname
verifiers that don't check hostnames; and 13% didn't check SSL errors when using WebKit.
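To make the three findings concrete, here are the patterns FireEye counted in Android (Java) form, each beside a version that actually verifies the server. This is an added example, not FireEye's code or code from any of the studied apps: the pin set passed to pinningTrustManager is a placeholder, and the WebViewClient subclasses need the Android SDK to compile.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example (not FireEye's or any app vendor's code): the three Android TLS
 * mistakes the study counted, each next to a form that verifies the server.
 * The pin values a caller passes in are placeholders, not a real server's key.
 */
public final class TlsExamples {

    // ---- 1. Trust manager that checks nothing (the "73% don't check certificates" finding) ----
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {} // accepts any chain, self-signed included
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /**
     * Hardened: delegate to the platform trust store first, then pin the leaf's
     * SubjectPublicKeyInfo hash. Never skip the delegation; a pin check alone does
     * not validate the chain, validity period or name constraints.
     */
    static X509TrustManager pinningTrustManager(Set<String> allowedSpkiSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform's default trust anchors
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager delegate = platform;
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                delegate.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                delegate.checkServerTrusted(c, a);                       // full chain validation first
                if (!allowedSpkiSha256.contains(spkiSha256(c[0])))
                    throw new CertificateException("server key does not match the pin set");
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }

    /** Base64(SHA-256(DER SubjectPublicKeyInfo)), the form used by HPKP-style pin sets. */
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // ---- 2. Hostname verifier that accepts every name (the "8% don't check hostnames" finding) ----
    static final HostnameVerifier ANY_HOST = (hostname, session) -> true; // a redirected server passes

    /** Hardened: keep the platform verifier, which matches the certificate's SANs against the host. */
    static final HostnameVerifier STRICT_HOST = HttpsURLConnection.getDefaultHostnameVerifier();

    // ---- 3. WebView that ignores SSL errors (the "77% ignore WebKit SSL errors" finding) ----
    static final class LeakyWebViewClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.proceed(); // renders the attacker's page over a broken TLS session
        }
    }

    /** Hardened: refuse to load, and log enough to debug genuine misconfigurations. */
    static final class StrictWebViewClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            android.util.Log.w("TlsExamples", "TLS error " + e.getPrimaryError() + " for " + e.getUrl());
            h.cancel();
        }
    }

    /** Wire the hardened pieces into an HttpsURLConnection (pins are a placeholder set). */
    static HttpsURLConnection openPinned(java.net.URL url, Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager(pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(STRICT_HOST);
        return conn;
    }
}
```

The fix for a trust manager that accepts everything is rarely a cleverer custom trust manager; it is to delete it and let the platform validate the chain, adding pinning on top only if the app can ship pin rotations. On Android 7.0 and later both the trust anchors and pins can be declared in a Network Security Configuration file instead of code, which also removes the temptation to "temporarily" disable checks during development.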
Among the apps found wanting were Camera360 Ultimate, which has 250 million downloads
"Besides inheriting SSL vulnerabilities from the ad libraries used by the application, none of the
application's trust managers check server certificates," FireEye noted.
"In another proof-of-concept for an MITM attack that exploits these vulnerabilities, we intercepted
all HTTPS traffic between the application and the remote servers it used, allowing us to potentially:
steal or inject photos/albums at random; steal the user's local login key to the Camera360 cloud, and
many other local device/user specifications; and intercept user credentials or inject fake login
pages/malicious JavaScript to steal any account credentials."
According to Trend Micro, malicious Android apps hit the two million milestone in March this year
just six months after passing the one million mark.


Sony PlayStation Back Online After DDoS Attack

A distributed denial of service (DDoS) attack by the nebulous hacking collective known as Lizard
Squad knocked out the Sony PlayStation Network (PSN) on Sunday, stranding many gamers with
useless Sony PS devices for a few hours. The network is back online, but the perpetrators say that
Xbox Live will be the next target.
The group, which appears to support ISIS, also sent a tweet to American Airlines this
weekend claiming that there was a bomb on board a flight carrying Sony Online Entertainment president
John Smedley. The flight, which had 179 passengers, was on its way to San Diego, but made an unplanned
landing in Phoenix after the tweet went out. After being checked and cleared by bomb dogs, the flight got
back on its way.
Sony confirmed the DDoS attack on Monday and said that there is no evidence of any personal data
having been accessed, unlike in the case of the 2011 DDoS attack-and-hack that lasted for 24 days and
resulted in millions of records of individual users being breached, including credit card information.
That incident affected 77 million PlayStation users with accounts on PlayStation Network, the Qriocity
service and Sony Online Entertainment. The breach prompted a class-action suit brought by victims
seeking financial recompense for what they alleged was Sony's negligence in data security, firewall
readiness and data encryption, although it was dismissed after a US District judge found that the named
plaintiffs in the suit were getting PSN services without a subscription, "and thus received the PSN services
free of cost."
"This time, the networks were taken offline due to a distributed denial of service attack. We have seen no
evidence of any intrusion to the network and no evidence of any unauthorized access to users' personal
information," Sony said. "The PlayStation Network and Sony Entertainment Network are back online and
people can now enjoy the services on their PlayStation devices."
Meanwhile, Lizard Squad has been making a lot of noise via Twitter, including making some bold claims
against other organizations (example: "Just took Vatican City offline, all kuffar shall die. #ISIS #Jihad #ISIL
#IS."). It also said in a series of taunting tweets that it's working to bring down Xbox Live as its next target,
though so far no service interruptions have been noted. One example: "Sup XBL Login, just performing
Whether the threat is real or simply saber-rattling remains to be seen, but it's clear that DDoS gambits are
increasing in traffic volume and frequency.
"DDoS attacks have become the weapon of choice for the modern hacker," said Marc Gaffan, co-founder
and chief business officer at Incapsula, in an emailed comment. "Our own research supports this, finding
that DDoS attacks just like the one that recently hit the PlayStation Network are up 240% in 2014. Attacks
like this will continue to plague big name companies, thanks to the greater availability of resources for
While this event was relatively short in duration, that may not be the case for the next big targeting effort.
"Persistent DDoS attacks can sometimes last for weeks," Gaffan said. "And in a time when anyone can
Google up a 'botnet for hire' and use it to execute a 20-40Gbps attack, from several thousands of sources,
organizations across the world need to re-evaluate their DDoS protection, or risk the consequences."


Apple CEO: iCloud Nude Photo Hack Wasn't Our Fault

With the celebrity nude photo leak still making waves, Apple CEO Tim Cook has announced that the
company will extend two-factor authentication to mobile logins for the iCloud service, when iOS 8.0
comes out later this month. And, it will start sending push notifications to users when changes are
made to iCloud accounts.
He also downplayed any security oversight on Apples part for the leak.
While 2FA has been available from the web, users will soon be able to enable it from iPhones and
iPads as well, a notable hole in the security option menu until now, given the near-ubiquity of Apple
devices in some markets, like the United States. So, in addition to an Apple ID and password, users
will have the option of requiring a PIN code sent to the device through SMS or a key generated at the
time of sign-up.
Also, in about two weeks, Apple will begin alerting users via email and push notifications when a new
device tries to log into an iCloud account for the first time, or anyone attempts to restore iCloud
data to a new endpoint. It will also send a push notification when a password change is attempted or
Apple has been the subject of negative publicity in the wake of the photo leak. The theft, which
affected about 100 unsuspecting celebs, was originally thought to be a brute-force attack that used a
set of 500 or so common-ish passwords to randomly attempt to break into accounts. The implication
is that Apple had set no limit on the number of times that account credentials could be tried before
locking the user out.
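The control whose absence that theory implies is per-account throttling of failed guesses. The Java class below is an added example, not Apple's implementation: it keeps a sliding window of failures per account, imposes an exponentially growing lockout, and exposes a check that runs before the password is compared. The thresholds and the 500-guess simulation in main are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Apple's code: per-account throttling of failed login
 * attempts, the control whose absence the brute-force theory assumes.
 * Thresholds are assumptions; the simulation in main is constructed.
 */
public class LoginThrottle {

    enum Decision { ALLOW, LOCKED }

    private final int maxFailures;     // failures tolerated inside the window
    private final long windowMs;       // sliding window over which failures are counted
    private final long baseLockoutMs;  // first lockout length; doubles on each repeat
    private final Map<String, Deque<Long>> failures = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();
    private final Map<String, Integer> lockoutCount = new HashMap<>();

    LoginThrottle(int maxFailures, long windowMs, long baseLockoutMs) {
        this.maxFailures = maxFailures;
        this.windowMs = windowMs;
        this.baseLockoutMs = baseLockoutMs;
    }

    /** Consult this before comparing the password, so a locked account does no credential work at all. */
    synchronized Decision check(String account, long nowMs) {
        Long until = lockedUntil.get(account);
        return (until != null && nowMs < until) ? Decision.LOCKED : Decision.ALLOW;
    }

    /** Record a wrong password; returns true if this failure started a lockout. */
    synchronized boolean recordFailure(String account, long nowMs) {
        Deque<Long> q = failures.computeIfAbsent(account, k -> new ArrayDeque<>());
        q.addLast(nowMs);
        while (!q.isEmpty() && nowMs - q.peekFirst() > windowMs) q.pollFirst(); // drop stale failures
        if (q.size() < maxFailures) return false;
        int n = lockoutCount.merge(account, 1, Integer::sum);
        long lock = baseLockoutMs << Math.min(n - 1, 10);   // 1x, 2x, 4x ... capped at 1024x
        lockedUntil.put(account, nowMs + lock);
        q.clear();
        return true;
    }

    /** A correct password clears the failure window; the repeat counter stays so the next lockout is longer. */
    synchronized void recordSuccess(String account) {
        failures.remove(account);
        lockedUntil.remove(account);
    }

    /** Remaining lockout in ms, for a Retry-After header (0 when not locked). */
    synchronized long lockedForMs(String account, long nowMs) {
        Long until = lockedUntil.get(account);
        return (until == null || nowMs >= until) ? 0 : until - nowMs;
    }

    public static void main(String[] args) {
        // 5 failures within 15 minutes locks the account for 1 minute, then 2, 4, ...
        LoginThrottle t = new LoginThrottle(5, 15 * 60_000L, 60_000L);
        String acct = "victim@example.com";
        int evaluated = 0, refused = 0;
        long now = 0;
        // Constructed run: a 500-word password list fired at one account, one guess every 100 ms.
        for (int i = 0; i < 500; i++, now += 100) {
            if (t.check(acct, now) == Decision.LOCKED) { refused++; continue; }
            evaluated++;
            t.recordFailure(acct, now);   // every guess in the list is wrong
        }
        System.out.printf("guesses evaluated: %d, refused by throttle: %d, locked for %d ms more%n",
            evaluated, refused, t.lockedForMs(acct, now));
    }
}
```

Per-account lockout stops the list-against-one-account attack in the story but not password spraying (one common password against many accounts), so production systems also throttle per source address and per device, and answer a locked account with the same message and timing as a wrong password so the lockout itself does not confirm that the account exists.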
However, speaking to the Wall Street Journal, Cook said that celebrities fell victim to hacking of their
iCloud accounts because the perpetrators were able to successfully phish the credentials, or were
able to answer security questions correctly, thus placing the blame squarely back on the shoulders
of the celebrities themselves.
"When I step back from this terrible scenario that happened and say what more could we have done,
I think about the awareness piece," he said. "I think we have a responsibility to ratchet that up. That's
not really an engineering thing."

The Apple IDs and passwords were not, he stressed, leaked or lifted from the company's servers.
And he pointed out the company's pioneering position with biometrics, with the Touch ID fingerprint
sensor in its iPhone 5S.


Five Million Gmail Credentials Leaked to Russian Forum

As many as five million Gmail user IDs and password combos have reportedly been leaked and
posted to a Russian Bitcoin forum. The story is still developing, and Google has yet to make an
official statement on the report.
According to Freedom Hacker, a .txt file of Gmail usernames, primarily from Russian users, has been
made public on the Bitcoin Security Forum (the link is now not working), and the netsec subreddit
on Reddit is now the home of a link that shows the lifted email names and passwords. While much
of the Reddit information appears to be old, at least 60% of the compromised accounts are said to be
active, according to reports.
The event is illustrative of follow-on dangers as well. Scenting an obvious opportunity, several
malicious phishing sites have appeared, offering to check whether someone's email is secure. This is
believed to be, of course, a ploy to pick up additional username/password credentials. Users should
instead simply change their passwords (including for other services where the same credentials are
used), and enable two-factor authentication.
No one knows yet who's behind this, how big the leak actually is or whether Google's servers were
compromised. It's entirely possible that the information was phished or gleaned from third-party
websites, and it could even be recycled information from previous leaks.
"Catalogues of previously leaked credentials serve as a database for password crackers," explained
Yiannis Chrysanthou, security researcher in KPMG's cybersecurity team, in an emailed comment.
"This then makes future hacks even easier and quicker, with many passwords cracked in zero time.
Password cracking research is moving towards intelligent, efficient and content-aware attack
techniques designed to crack the bulk of passwords fast. Every large scale credential leak makes
cracking passwords easier for the next one, and organizations adding password complexity to their
policies only slightly delays this process instead of stopping it."
He also stressed the multifactor aspect. "The alternative is to use multi factor authentication, as it
improves security by combining multiple forms of identification data," he said. "Passwords on their
own are just one authentication factor because they rely on something the user knows. By adding
an additional factor such as a smartcard (something a user has) or a fingerprint (something the user
is), credential theft and impersonation becomes harder. Multi-factor authentication will block
traditional attacks relying on guessing or stealing a user's password because the password itself will
no longer be sufficient. Of course this extra security comes with increased investment but the
improved customer protection makes it viable and valuable."


Move Over, Apple Pay: Samsung Gains Steam on Biometric M-Commerce

As the future of payments becomes increasingly mobile and digital, moving away from simple, static
password-based authentication and towards more advanced methods that will improve security, as
well as enable frictionless commerce, has become a stretch goal for the commerce sector. Samsung
and Alipay, the largest third-party online payment provider in China, are gearing up to do their part
with the launch of the first Fast IDentification Online (FIDO)-Ready authentication ecosystem in the Far
Alipay offers payment and escrow services for transactions on Alibaba Group's marketplaces as well
as to third parties in China. It plans to enable secure online payments via the fingerprint sensor
(FPS)/biometric technology on the Samsung Galaxy S5 smartphone. The end result is that customers
who make purchases and transfers in Alipay's mobile application, Alipay Wallet, no longer need to
enter a password.
Samsung had announced back in April that it would use the S3 Authentication Suite from Nok Nok
Labs to make the Galaxy S5 smartphone FIDO-enabled. The FIDO set of specifications will support a
full range of authentication technologies, including biometrics such as fingerprint, eye and iris
scanners, voice and facial recognition, as well as further enabling existing solutions and
communications standards, such as trusted platform modules (TPM), USB security tokens, embedded
secure elements (eSE), smart cards, Bluetooth low energy (BLE) and near field communication (NFC).
The open specifications are being designed to be extensible and to accommodate future innovation,
as well as protect existing investments.
Alipay will use the technology from Nok Nok, a founding member of the FIDO Alliance, to support the
secure mobile shopping experience with an authentication infrastructure that communicates
securely with the client present on the Galaxy S5.
The Nok Nok solution was delivered in partnership with Lenovo Group, another founding member of
the FIDO Alliance.
"Working with Alipay, a major player in global online commerce, to provide an easy, secure
experience for their customers is tremendous validation for the FIDO movement," said Phillip
Dunkelberger, president and CEO at Nok Nok Labs, in a statement. "As a global leader in delivering
internet-scale services to their customers, they needed a solution that can scale to meet future
authentication requirements, while ensuring that consumers get a secure, yet easy-to-use solution
PayPal also recently announced that it too would deploy FIDO standards using Nok Nok and support
for the Galaxy S5 in the mobile payments market.
Its expected that other device manufacturers will embrace FIDO standards as well, although
fragmentation is already happening: Apple last week announced its own strong authentication
gambit, Apple Pay, which will be proprietary to the iPhone.


Apples New iPhone 6 TouchID Hacked, as Usual

Apple fans expecting their new iPhone 6 to be secured from the kind of vulnerabilities which,
theoretically, could let a stranger access their device, were left disappointed this week as researchers
claimed the smartphone giant had done little to remove a security blind spot.
Marc Rogers, a security researcher from mobile security vendor Lookout, claimed in a blog post that
he was able to use exactly the same technique that cracked the iPhone 5s TouchID fingerprint sensor a
year ago to access the iPhone 6.
"Sadly there has been little in the way of measurable improvement in the sensor between these two
devices," he said. "Fake fingerprints created using my previous technique were able to readily fool
both devices."
It must be said that carrying out such a hack requires a convoluted process whereby the
attacker must use a laser-printed image of the enrolled fingerprint, create a mould of the fingerprint
using pink latex milk or white wood glue, and then apply it to the sensor.
Such a long, drawn-out affair will probably deter most cash-hungry cyber-criminals.
However, Lookout's Rogers said he was disappointed that no attempt had been made to improve
TouchID security, including the ability to set a timeout for TouchID after which a passcode must be
"In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive,
which is made possible by a higher resolution scanning part," he added.
"How do I know this? Well, during my testing I noticed that I got far fewer false negatives with the
iPhone 6 (false negatives are where the device rejects your legitimate fingerprint). However, it's
likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your
fingerprint to improve reliability."
Rogers admitted that to subvert TouchID would require skill, patience, and a really good copy of
someone's fingerprint.
However, he expressed disappointment that the Cupertino giant hadnt taken this chance to improve
TouchID security given the increasingly expansive uses of the smartphone.
"Especially when you consider their clear intention to widen its usage beyond simply unlocking your
phone into the realm of payments," Rogers said. "Convenient authentication for transactions is a
great thing that could both improve user experience and security."



CA: Using Machine Learning to Combat Card Fraud

When it comes to retail payments, point-of-sale data breaches have been grabbing all the headlines.
But good old-fashioned credit card fraud is still alive and well, and is increasingly requiring new
approaches to authentication. To that end, CA Technologies has released a set of self-learning
authentication technologies to help reduce friction for consumers during online checkout and boost
security for card issuers.
Whenever credit card information is exchanged over the internet, phone or by mail, it is considered a
card-not-present (CNP) transaction. Unsurprisingly, CNP situations tend to be where the majority of
fraudulent activity occurs. That's why things like the card verification code, billing address and other
data points are required in many transactions. The problem of course is that these are indeed data
points, and vulnerable to thieves just like the card number itself.
The latest version of CA Risk Analytics incorporates patent-pending behavioral neural network
authentication models for assessing risk of online CNP transactions. These are powered by
machine-learning techniques that capture data about individual user actions, to better understand and
distinguish legitimate behavior from fraudulent activity.
Card issuers can instantly change score thresholds and policies at their discretion, to adapt to market
conditions, better handle staff fluctuations or deal with current events that may demand examining a
higher or lower volume of transactions while still ranking the most risky first.
"There is an increase in market demand for a more advanced CNP fraud detection strategy that goes
beyond just comparing the current transaction to established fraud indicators," said Revathi
Subramanian, senior vice president of data science, CA Technologies, in a statement. "CA Risk
Analytics considers both fraud patterns and legitimate transaction behavior and tracks the pivotal
players in a transaction: card or device, for example. It estimates the risk of fraud using advanced
machine learning techniques to understand normal behavior for these pivotal players as well as the
fraud risk related to deviation from past behaviors. This results in a more accurate assessment of
which transaction to authenticate and helps stop fraud in CNP transactions."
In card-present scenarios, chip-and-PIN technology is standard in much of the world, and is rolling
out in the United States more rapidly in the wake of breaches like those at Home Depot and eBay.
Such cards have an embedded microprocessor chip that contains the information needed to use the card
for payment, protected by various security features, so they're more difficult to counterfeit
and are a more secure alternative to traditional magnetic stripe payment cards. But perversely, that
greater in-store security means that criminals will look for easier routes for fraud, like e-commerce.
"History shows that the continued global rollout of the EMV standard and the increasing distribution
of chip and PIN cards will result in an increase of CNP fraud attempts," said Doc Vaidhyanathan, vice
president of product management at CA Technologies.
At the same time, retailers don't want to add friction to the checkout process and challenge the
consumer with additional authentication to prove their identity; it's a proven deterrent to legitimate

CA thinks it may have the answer in neural networking. "Card issuers and merchants want a solution
that improves fraud detection without increasing cardholder friction," Vaidhyanathan said. "CA Risk
Analytics and its behavioral neural network models will result in zero touch authentication that will
instill a level of confidence and streamline the online checkout process."
The technology potentially has implications for in-store buying as well, by enabling secure, easy-to-use
cardless transactions, such as those made via mobile wallets.


Malware Attack on Global ATMs Has Stolen Millions

A two-stage financial attack has been discovered that targets multiple ATMs around the world,
including Latin America, Europe and Asia, allowing attackers to remove money via direct
manipulation and steal millions of dollars.
According to Kaspersky Lab, the criminals work in two stages. First, they gain physical access to the
ATMs and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the
infected ATM is now under their control and the malware runs in an infinite loop waiting for a
"Over the last few years, we have observed a major upswing in ATM attacks using skimming devices
and malicious software," said Vicente Diaz, principal security researcher at Kaspersky Lab. "Now we
are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting
financial institutions directly."
This is done by infecting ATMs themselves or launching direct APT-style attacks against banks.
In an analysis, the firm found that the adversaries have made the scam harder to spot by only
accepting commands at specific times on Sunday and Monday nights. During those hours, the
attackers are able to steal money from the infected machine. And, the cyber-criminals only infected
ATMs that had no security alarm installed.
But the perps didn't count on a classic security strategy: video surveillance. Footage obtained from
security cameras of the infected ATMs clearly shows the methodology used to access the cash from
the machines.
From the footage, Kaspersky was able to uncover that a unique digit combination based on random
numbers is newly generated for every session. This ensures that no person outside the gang could
accidentally profit from the fraud. Then, the malicious operator receives instructions by phone from
another member of the gang who knows the algorithm and is able to generate a session key based
on the number shown.
"This ensures that the mules collecting the cash do not try to go it alone," Kaspersky explained.

When the key is entered correctly, the ATM displays details of how much money is available in each
cash cassette, inviting the operator to choose which cassette to rob. The ATM then dispenses 40
banknotes at a time from the chosen cassette.
The firm noted that the malware has evolved over time as well: the first infections were seen in
March. In its latest variant (version .d), the malware implements anti-debug and anti-emulation
techniques, and also disables McAfee Solidcore on the infected system.
INTERPOL has alerted the affected member countries and is assisting ongoing investigations, and
warns that the public should be careful when using public ATMs.
"Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and
it is essential that we keep law enforcement in our member countries involved and informed about
current trends and modus operandi," said Sanjay Virmani, director of the INTERPOL Digital Crime
Kaspersky Lab recommends that banks first review the physical security of their ATMs and network
infrastructure, replace all locks and master keys on the upper hood of the ATMs, and change the
default BIOS password.


The Russian Epicenter of Cybercrime Ramps Up the Sophistication

The Russian high-tech crime market for 2014 is showing ever-increasing sophistication, with criminals
creating shadow worlds of illegal activity, exploiting new financial theft techniques and incorporating
mobile attacks more often.
Group-IB's computer forensics lab and its CERT-GIB unit, in its annual report on the Russian
cybercrime scene, noted that a top trend to stand out is the fact that the Russian market for stolen
credit card information (arguably the epicenter of the data breach trend) has become much more
structured in the last year, complete with wholesalers and online trading platforms. Revenue is
increasing accordingly; the company estimates the carding market to be at about $680 million.
"Criminals can easily browse and purchase stolen credit-card information as if they were shopping on
any mainstream e-commerce site," the company said. A study of the online card market site
SWIPED found that the most active card supplier is a criminal individual called Rescator, who
uploaded details of over 5 million cards to the online marketplace.
In investigating a test sample, Group-IB found that all sampled cards were originally stolen from the
retail chain Target, which famously suffered a security breach in the past year.
Group-IB also found that 80% of payments on SWIPED are made using Bitcoin, with other
cryptocurrencies also playing a role as convenient tools for illegal transactions.
"Shadow Internet shops selling goods such as stolen information, weapons and drugs have switched
to using cryptocurrencies as their primary payment methods," the report explained. "The use
of malware-based botnets to mine Bitcoins has also become so developed that botnet renting through
services like SkyShare has become a reality. Stealing from cryptocurrency wallets using trojans has
also become more sophisticated and common."
Speaking of trojans, on the banking front, mobile banking threats experienced strong growth.
"This year, five criminal groups emerged that specialize in mobile banking theft using trojans," Group-IB
noted. These groups infect Android phones and steal information via SMS banking and the use of
phishing sites. The scale of these thefts is limited only by the manual nature of the activity.
Mobile espionage has also become a thing, where malware allows criminals to read texts, listen to
phone conversations and even pinpoint a victim's location with the GPS on their phone.
More classic targeted attacks on financial institutions are continuing too: Groups targeting financial
institutions have stolen about $40 million during the report period, using techniques including
trojans, phishing sites and even assistance from personnel inside the banks. Criminals are also using
sophisticated processes to evade policies barring bank workers from opening executable files, hiding
malware inside of harmless-looking document files.
Russian hackers are also becoming more adept at reprogramming ATM machines to hand out the big
bills: Either by physical access or infection of local networks, hackers are able to introduce malicious
scripts to ATM software.
"In some cases the purpose is to record any ATM card numbers and PINs used on the compromised
machines and to make cash withdrawals from those accounts," the firm said. "Other scripts can
reprogram an ATM to pay out larger-value notes than they should, for example issuing 5,000-ruble
notes when 100-ruble notes ought to be issued. The total amount stolen from one group via this
method exceeded 50 million rubles."
In a lone bright spot, online banking fraud is down: Of eight criminal groups active in Russian online
banking theft last year, two have switched to foreign targets, and one was broken up following the
2014 arrest of one of its leaders. This has resulted in a decrease in the total online banking fraud
market, Group-IB said, from an estimated $615 million in 2012 to $425 million in 2013-2014.


Google Improves Log-In Security with 2FA USB Key

Google has announced support for a new standards-based USB log-in key designed to improve access
security via two-factor authentication and guard against phishing threats.
The Security Key improves on existing 2-Step Verification for Google accounts, which uses a
smartphone plus a one-time passcode, because it requires no signal or batteries and can be carried
easily on a keychain, the web giant said.

"It also provides better protection against phishing because it only works after verifying the login site
is truly a Google website, not a fake site pretending to be Google," product manager Nishit Shah said
in a blog post.
"Rather than typing a code, just insert Security Key into your computer's USB port and tap it when
prompted in Chrome," he added. "When you sign into your Google Account using Chrome and
Security Key, you can be sure that the cryptographic signature cannot be phished."
Security Key and Chrome support the open Universal 2nd Factor (U2F) protocol from the FIDO
Alliance, so other websites can theoretically use it to authenticate users, although it's only
compatible with the most recent version (38) of the Google browser.
"It's our hope that other browsers will add FIDO U2F support, too," said Shah.
"As more sites and browsers come on board, security-sensitive users can carry a single Security Key
that works everywhere FIDO U2F is supported."
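Why the signature Shah describes cannot be phished, as an added example that is not Google's or the FIDO Alliance's code: a stand-alone Go model of one U2F authentication round. The origins, challenge strings and the plain appID equality check inside the key are constructed stand-ins (a real key wraps that binding into its key handle, and a real site also checks the counter), but the signature input and the origin binding follow the U2F format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the USB key: one P-256 key pair, bound at registration
// to the SHA-256 hash of the application ID (the registering site's origin).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	appID   [32]byte
	counter uint32
}
func appIDHash(origin string) [32]byte { return sha256.Sum256([]byte(origin)) }

// signedMessage is the U2F authentication signature input:
// appIDHash || userPresence(1) || counter(4, big-endian) || SHA-256(clientData).
func signedMessage(appID [32]byte, counter uint32, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	msg := append(append([]byte{}, appID[:]...), 0x01) // 0x01: the user tapped the key
	msg = binary.BigEndian.AppendUint32(msg, counter)
	sum := sha256.Sum256(append(msg, cd[:]...))
	return sum[:]
}

// Register mints a key pair for one site; the site keeps only the public key.
func Register(siteOrigin string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, appID: appIDHash(siteOrigin)}, &priv.PublicKey, nil
}

// Sign refuses unless the requested appID is the one the key was registered for,
// so a key registered for Google's origin is useless to a look-alike origin.
func (a *Authenticator) Sign(appID [32]byte, clientData []byte) (uint32, []byte, error) {
	if a.appID != appID {
		return 0, nil, errors.New("key not registered for this application ID")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(appID, a.counter, clientData))
	return a.counter, sig, err
}

// Verify is the site's check: matching challenge, browser-recorded origin equal to
// the site's own, and a signature that verifies over the site's own appID hash.
func Verify(siteOrigin string, pub *ecdsa.PublicKey, challenge string, clientData []byte, counter uint32, sig []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	if cd["challenge"] != challenge || cd["origin"] != siteOrigin {
		return errors.New("client data challenge/origin mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(appIDHash(siteOrigin), counter, clientData), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login is the browser step followed by the site's check. Chrome derives both the
// appID and clientData.origin from the page's true origin, which the page cannot forge.
func Login(siteOrigin string, pub *ecdsa.PublicKey, a *Authenticator, pageOrigin, challenge string) error {
	cd, _ := json.Marshal(map[string]string{
		"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": pageOrigin})
	ctr, sig, err := a.Sign(appIDHash(pageOrigin), cd)
	if err != nil {
		return err
	}
	return Verify(siteOrigin, pub, challenge, cd, ctr, sig)
}

func main() {
	site := "https://accounts.google.com"
	a, pub, _ := Register(site)
	fmt.Println(Login(site, pub, a, site, "c1"), "|", Login(site, pub, a, "https://accounts-google.example", "c2"))
}
```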
Chrome users wanting to access their Google accounts using the USB will have to buy it first. They are
currently on sale on Amazon ranging from $5.99 to $60.
Two-factor authentication is gaining momentum, especially after high profile incidents such as the
recent celebrity iCloud hacks which experts say could have been prevented by using the secure log-in
Rob Lay, solutions architect for enterprise and cyber security at Fujitsu UK & Ireland, argued that
while the announcement is a step in the right direction, enterprises can't afford to be complacent.
"It is crucial that they keep working to ensure that their company is adequately prepared to manage
threats," he added. "Furthermore, employees should also be educated so everyone understands
their individual responsibility in keeping the business secure."


Facebook Embraces Tor with an Onion Addy

Tor, the onion router, is a method of preserving privacy by allowing users to surf the web
anonymously. But by its very raison d'être it has never played well with social networks, which like to
know who their users are. Facebook is breaking new ground by implementing a Tor address that
privacy hounds can use to update their statuses, share cat videos and do everything else that
Facebookers enjoy doing.
Facebook's security infrastructure has "sometimes led to unnecessary hurdles for people who
connect to Facebook using Tor," the company said, so it set out to make their experience "more
consistent with our goals of accessibility and security."
"Tor challenges some assumptions of Facebook's security mechanisms; for example, its design
means that from the perspective of our systems, a person who appears to be connecting from
Australia at one moment may the next appear to be in Sweden or Canada," explained Alec Muffett, a
software engineer for security infrastructure at Facebook London, in a post. In other contexts, such
behavior might suggest that a hacked account is being accessed through a botnet, but for Tor this is
Tor-enabled browsers can now connect to the social network using Facebook's onion address, which
provides a way to access Facebook through Tor without losing the cryptographic protections
provided by the Tor cloud.
"The idea is that the Facebook onion address connects you to Facebook's Core WWW
infrastructure," Muffett said. "It provides end-to-end communication from your browser directly into
a Facebook data center."
The company used SSL in making the Tor support happen, and provides an SSL certificate.
"The certificate cites our onion address; this mechanism removes the Tor Browser's SSL Certificate
Warning for that onion address and increases confidence that this service really is run by Facebook,"
Muffett noted. Issuing an SSL certificate for a Tor implementation is in the Tor world a novel
solution to attribute ownership of an onion address; other solutions for attribution are ripe for
consideration, but we believe that this one provides an appropriate starting point for such
Facebook is planning to continue to scale and deploy services via the Facebook onion address;
Muffett said that a medium-term goal will be to support Facebook's mobile-friendly website via an
onion address.


Playing for Keeps: How Cyber-Criminals are Following the Money to Video Games
The global video game market just topped $100bn in value, and cyber-criminals want a piece of it.
Danny Bradbury finds out how they operate
The video game has come a long way since the home hobbyist days of the BBC Micro and the ZX
Spectrum. Eight-bit follies developed in the bedroom have given way to 32-bit masterpieces, and
the games themselves aren't the only thing to have evolved. Criminal activity in the video game
market has grown, and changed.
What was a cottage industry is now a global one. Gartner puts the size of the global video game
market at $101.6bn in 2014, up from $79bn in 2012. By 2015, it will top $111bn, the analyst firm
says. But where revenues are high, cybercrime will surely follow.
Pirates Drop Anchor
Piracy is often mentioned by those exploring cybercrime in the games industry, because it has been a
traditional problem. In the early days of computing, video games were almost entirely distributed on
magnetic or optical media that was then cracked by pirate groups.

These cracker teams evolved from pre-internet BBS hobby groups, who would disassemble game
code to remove software copy protection, before uploading it to elite back-room sections of piracy
BBSs and web chat rooms, or distributing it physically.
One of the earliest cracker groups was Razor 1911, which is still cracking games today. These days,
cracked games are distributed mostly via peer-to-peer networks.
Game piracy is still a healthy criminal industry online, although less so than some industry groups
would have us believe, according to researchers at MIT. They surveyed networks using the BitTorrent
protocol, and found that 12.6 million unique networked peers from 250 geographical areas were
sharing games.
There is a heavy concentration of titles and geography. Just over 40% of piracy focused on ten titles,
and three quarters of piracy came from just 20 countries.
This game code often gets stolen from the source, rather than cracked after release. In July
2014, Dell SecureWorks identified TG3279, a Chinese group that it said has been infiltrating
videogame development companies since 2009.
TG3279 used traditionally well-understood penetration techniques, including the use of network
scanning to profile its targets, and the installation of remote access tools (RATs) to gain access to
specific machines. SecureWorks said that the group could be stealing the source code for several
reasons, including piracy, or in order to use the source code in competing products.
A Changing Industry
In spite of these traditional thefts, the industry is changing, according to Greg Boyd, partner and
chairman of the Interactive Entertainment Group at legal firm Frankfurt Kurnit. Boyd has spent over
ten years advising companies about the licensing and distribution of video games.
"Tomorrow's industry won't look like today's," he says.
It used to be the case that bricks-and-mortar stores were the way to go, but that's a dying business,
Boyd argues, suggesting that these retailers are chasing fading revenues, much as their counterparts
did in the music business.
There are still billions to be made from the end of the boxed goods market, but as digital
distribution grows, as mobile devices become more powerful, the box stores become less
Instead, he notes something that the MIT research paper also identified: game distribution is already
shifting to direct online downloads. Companies such as Valve have emerged, with a business model
of games that can be purchased or rented online and downloaded to a PC.
Boyd predicts the disappearance of disks altogether by the time the next generation of consoles
emerges. That iteration is just a decade away.
Different Data Theft

Consequently, the goals for attackers have shifted. Increasingly, attackers are going after other kinds
of data.
"The biggest threat now is to consumer information," Boyd says. "The personal information threat is
the largest, particularly when related to cross-border issues."
The most notable attack was the Sony PlayStation Network hack of April 2011, in which the
unencrypted personal details of 77 million customers were compromised, including names,
passwords, addresses, and birth dates.
In November that year, Valve announced that its Steam network had been hacked, and that credit
card information may have been compromised.
Follow the Money
In many cases, online networks can be used as tools by cyber-criminals, rather than exploited directly
for data. In June 2013, the United Nations Office on Drugs and Crime (UNODC), issued a report
reviewing cyber-criminals methods for money laundering.
The report identified online gaming as a key avenue for online money laundering, thanks to the rise
of virtual economies in video gaming sites. Multi-player games use in-game currencies such as World
of Warcraft gold that can be exchanged for real money.
Typically, a criminal will establish several accounts on various online games to move money around.
These virtual players are used to obfuscate real identities. Money can be exchanged between them,
and then cashed out, often in different countries, without the collusion or knowledge of the
company running the game.
"Criminals can become invisible on these sites," warns Raj Samani, CTO EMEA at McAfee.
"It's due to the vast amount of traffic that they have, but also that it's outside the purview of law
enforcement," he says.
This is also a problem for online gambling sites, he argues. Money launderers can send each other
money through gambling sites that unwittingly play host to the exchange of illegal funds. The money
can be sent in various ways, either directly between accounts, or as winnings.
The online gambling market alone is expected to reach €28.2bn ($37.6bn) by 2015, according to
research from Odobo/H2 Gambling Capital. But the unlicensed sector of the market is far greater.
"As of November 2013 there were approximately 104 international jurisdictions that regulated a total
of 2,734 internet gambling sites," Samani told Infosecurity, which he calls "a drop in the ocean."
Those unlicensed sites are unlikely to report their transactions to the authorities, and will often take
deposits through alternative channels to traditional financial institutions, or in crypto-currency
payments such as Bitcoin.
Online gambling sites themselves can also be attacked for their own money.

Michael Hadjuk, an entrepreneur from Calgary, Canada, had to take his video poker site Infiniti Poker
offline after an attack. Players had siphoned funds from his system using multiple accounts and
player collusion.
One of the dangers lies in sites that offer no-deposit credit to attract new players. Typically, they'll
put a few dollars in a new player's account, on the condition that they must accrue a certain amount
of winnings to withdraw it.
"If you have 20 people and they each take out the no-deposit credit account, and then they all go to
the table together, they can do what's called chip dumping," he explains.
The players would collude, all deliberately losing to one person, who then cashes out their winnings
including the free credit that other players had lost to them. "Multi-accounting works the same
way," he says. In this scenario, no collusion is needed. A single attacker creates several fake accounts,
and loses their no-deposit credit to a single account.
Online sites are supposed to block that, but his software failed. "The biggest problem is that admin
tools didn't block people quickly enough," Hadjuk complains. He is now re-crafting his back-end
system for a relaunch in Q4 2014.
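One way a site can catch the chip-dumping and multi-accounting patterns Hadjuk describes before the beneficiary cashes out, as an added example that is not Infiniti Poker's code: a Go check over a constructed hand history and account table. Player names, IPs, chip counts and the thresholds are all constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Account: Deposited is false for players living only on the no-deposit welcome
// credit; SignupIP is the address seen at registration.
type Account struct {
	Deposited bool
	SignupIP  string
}

// Transfer is one hand's net result: Loser lost Chips to Winner.
type Transfer struct {
	Loser, Winner string
	Chips         int
}

// Constructed sample data (not Infiniti Poker's): four free-credit accounts all
// losing to whale01, three of them registered from whale01's own IP, plus normal play.
var accounts = map[string]Account{
	"whale01": {false, "203.0.113.5"}, "free01": {false, "203.0.113.5"}, "free02": {false, "203.0.113.5"},
	"free03": {false, "198.51.100.9"}, "free04": {false, "203.0.113.5"},
	"alice": {true, "192.0.2.10"}, "bob": {true, "192.0.2.11"},
}
var hands = []Transfer{
	{"free01", "whale01", 10}, {"free02", "whale01", 10}, {"free03", "whale01", 10},
	{"free04", "whale01", 10}, {"free01", "whale01", 5},
	{"alice", "bob", 40}, {"bob", "alice", 25}, {"alice", "free03", 3},
}

// Finding: a beneficiary, the free-credit accounts feeding it, the chips collected,
// and signup IPs that recur among beneficiary and feeders (the multi-accounting tell).
type Finding struct {
	Beneficiary        string
	Feeders, SharedIPs []string
	Chips              int
}

// DetectChipDumping flags a winner collecting from at least minFeeders distinct
// no-deposit accounts, each of which sent at least minShare of all it lost to that
// same winner. It runs on play history, so a site can hold the withdrawal before cash-out.
func DetectChipDumping(acct map[string]Account, hands []Transfer, minFeeders int, minShare float64) []Finding {
	lostTo, lostTotal := map[[2]string]int{}, map[string]int{} // {loser, winner} -> chips; loser -> chips
	for _, h := range hands {
		lostTo[[2]string{h.Loser, h.Winner}] += h.Chips
		lostTotal[h.Loser] += h.Chips
	}
	feeders, gain := map[string][]string{}, map[string]int{}
	for lw, chips := range lostTo {
		loser, winner := lw[0], lw[1]
		if !acct[loser].Deposited && float64(chips)/float64(lostTotal[loser]) >= minShare {
			feeders[winner] = append(feeders[winner], loser) // only free-credit accounts count as feeders
			gain[winner] += chips
		}
	}
	var out []Finding
	for winner, fs := range feeders {
		if len(fs) < minFeeders {
			continue
		}
		sort.Strings(fs)
		seen, shared := map[string]int{acct[winner].SignupIP: 1}, []string{}
		for _, f := range fs {
			seen[acct[f].SignupIP]++
			if seen[acct[f].SignupIP] == 2 { // record each repeated IP once
				shared = append(shared, acct[f].SignupIP)
			}
		}
		sort.Strings(shared)
		out = append(out, Finding{winner, fs, shared, gain[winner]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Beneficiary < out[j].Beneficiary })
	return out
}

func main() {
	for _, f := range DetectChipDumping(accounts, hands, 3, 0.9) {
		fmt.Printf("%s took %d chips from %v; repeated signup IPs: %v\n", f.Beneficiary, f.Chips, f.Feeders, f.SharedIPs)
	}
}
```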
DDoS Chaos
Multi-account and collusion attacks aren't the only ways to attack an online gambling site.
Distributed denial of service attacks are similarly damaging, say experts. Rod Soto is a senior security
researcher at PLXsert, a response team operated by Akamai company Prolexic. He gathers
intelligence on DDoS attacks around the world.
"One case is where you see extortion. So the criminals force the site to pay them or they take them
down," he says.
He alleges that some DDoS attacks on gambling sites may be carried out by competitors. "There have
also been cases where online gambling activity is forbidden by the law, where there might be signs of
participation by governments," he says.
Sometimes the attack sources, along with the quality of the tools used, suggest more capable
attackers. "To get those types of tools you need a level of skill that is either financed by organized
crime or behind a state actor," says Soto's colleague, Robert Morton. "But with all of these cases,
attribution is almost impossible."
DDoS attacks using online video game sites are also common, and can be launched for various
reasons, explains Soto. In the simplest cases, rival gamers will seek to take each other offline to gain
the upper hand in a gaming scenario. These DDoS attacks target other players' IP addresses directly,
uncovered using network analysis tools such as Wireshark or Cain and Abel.
The DDoS attacks can be run from an attacker's own computer, or can be accessed as services
running on third-party servers.
Alternate attacks using reflection DDoS attacks are often targeted at other, non-gaming institutions,
but use the online gaming servers as attack sources.

"These attacks use services that aggregate IP addresses for online game servers. The lists are swept
for vulnerable servers," explains a report on the attack from Prolexic. Vulnerable servers are then
used to reflect traffic from gamer clients to the attacker's target, overwhelming it with packets.
The range of attacks is as broad as the reasons for the attacks and the evolution of cybercrime
online will only continue. With mobile gaming already constituting 16% of the global market, we can
expect to see an increase in malware-ridden games that steal personal data or control the phone
platform directly.
Innovation has driven amazing advances in the video gaming world, fuelling quantum leaps in
graphics and gameplay. But there is a dark side to innovation, too. Whenever there is a new
development in online entertainment, there will always be someone willing to exploit it.


Proxy-Using Phishers Make Attacks Harder to Spot

Security researchers have discovered a new type of phishing attack using proxy programs to make
the malicious site harder to detect.
Trend Micro senior threat researcher Noriaki Hayashi warned in a blog post last week that the new
techniques observed here may significantly change the threat landscape for phishing sites.

He explained:
This technique we found allows for the creation of nearly perfect copies because the attacker no longer
needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which
acts as a relay to the legitimate site. Only when any information theft needs to be carried out are any
pages modified. The owners of the legitimate site would find it very difficult to detect these attacks against
their customers.

The attack works on any device and with any browser, as the hacker proxies all parts of the victim's
HTTP request and all parts of the legitimate server's response, Hayashi added.
Dubbed Operation Huyao ("Monstrous Fox" in Chinese), the attacks are thought to have emanated from
China and have been observed thus far targeting a Japanese shopping site.
Blackhat SEO techniques are initially used to get victims to click on the malicious site.
Only when the victim is about to buy a product does it display different information crafted by the
attacker. This apparently starts with new "Add to Basket" functionality, after which all the pages have
been purpose-built to carry out information theft.
"They even include a bogus 3D Secure verification page designed so that the phishers can circumvent
this in future with the stolen credentials," Trend Micro claimed.
Although it has only been observed so far targeting one site in Japan, the implications of this new
method of phishing are potentially serious, Hayashi argued.

"If this attack becomes more prominent, it could become a very worrying development: this makes
phishing harder to detect by end users, as the phishing sites will be nearly identical to the original
sites," he concluded.
In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites.
They will only have to duplicate the payment pages, which is an easier task.
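Since the genuine site still serves every relayed request, its own access log is where a relay of this kind leaves traces, even though the pages themselves look untouched. As an added example (not Trend Micro's or the shop's code), a Go check over a constructed log; the hostnames, IPs, user agents and log layout are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed access log (not data from the Trend Micro report): client IP, request
// line, status, Referer, User-Agent, session cookie. The shop's own host is
// shop.example.jp; shop-example.xyz stands in for a look-alike that relays to it.
const sampleLog = `203.0.113.10 "GET /item/4411 HTTP/1.1" 200 "https://search.example/q?shop" "Mozilla/5.0 (Windows NT 6.1) Chrome/38" "sid=a1"
203.0.113.10 "GET /cart HTTP/1.1" 200 "https://shop.example.jp/item/4411" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0) Safari" "sid=b2"
203.0.113.10 "POST /checkout HTTP/1.1" 200 "https://shop-example.xyz/cart" "Mozilla/5.0 (Macintosh) Firefox/33" "sid=c3"
203.0.113.10 "GET /item/9001 HTTP/1.1" 200 "https://shop-example.xyz/" "Mozilla/5.0 (Android 4.4) Chrome/38 Mobile" "sid=d4"
198.51.100.7 "GET /item/4411 HTTP/1.1" 200 "https://www.google.co.jp/" "Mozilla/5.0 (Windows NT 6.3) Chrome/38" "sid=e5"
198.51.100.7 "POST /checkout HTTP/1.1" 200 "https://shop.example.jp/cart" "Mozilla/5.0 (Windows NT 6.3) Chrome/38" "sid=e5"`

type Entry struct{ IP, Method, Path, Referer, UA, Session string }
var lineRe = regexp.MustCompile(`^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)" "([^"]*)"$`)

// ParseLog reads the layout above; lines that do not match are skipped.
func ParseLog(raw string) []Entry {
	var out []Entry
	for _, ln := range strings.Split(strings.TrimSpace(raw), "\n") {
		if m := lineRe.FindStringSubmatch(ln); m != nil {
			out = append(out, Entry{IP: m[1], Method: m[2], Path: m[3], Referer: m[5], UA: m[6], Session: m[7]})
		}
	}
	return out
}

type Finding struct {
	IP      string
	Reasons []string
}

// Suspects scores client IPs on two tells a relaying proxy leaves in the genuine site's
// logs: many distinct browsers and sessions funnelled through one address, and cart or
// checkout requests whose Referer names another host. A NAT can produce the first alone.
func Suspects(entries []Entry, ownHost string, minFanOut int) []Finding {
	type stats struct{ uas, sessions, foreign map[string]bool }
	byIP := map[string]*stats{}
	for _, e := range entries {
		s := byIP[e.IP]
		if s == nil {
			s = &stats{map[string]bool{}, map[string]bool{}, map[string]bool{}}
			byIP[e.IP] = s
		}
		s.uas[e.UA], s.sessions[e.Session] = true, true
		inFlow := strings.HasPrefix(e.Path, "/cart") || strings.HasPrefix(e.Path, "/checkout")
		if u, err := url.Parse(e.Referer); err == nil && inFlow && u.Hostname() != "" && strings.ToLower(u.Hostname()) != ownHost {
			s.foreign[strings.ToLower(u.Hostname())] = true
		}
	}
	var out []Finding
	for ip, s := range byIP {
		var reasons []string
		if len(s.uas) >= minFanOut && len(s.sessions) >= minFanOut {
			reasons = append(reasons, fmt.Sprintf("%d user agents over %d sessions from one IP", len(s.uas), len(s.sessions)))
		}
		if len(s.foreign) > 0 {
			hosts := make([]string, 0, len(s.foreign))
			for h := range s.foreign {
				hosts = append(hosts, h)
			}
			sort.Strings(hosts)
			reasons = append(reasons, "cart/checkout Referer from foreign host: "+strings.Join(hosts, ", "))
		}
		if len(reasons) > 0 {
			out = append(out, Finding{IP: ip, Reasons: reasons})
		}
	}
	sort.Slice(out, func(i, j int) bool { return len(out[i].Reasons) > len(out[j].Reasons) })
	return out
}

func main() {
	for _, f := range Suspects(ParseLog(sampleLog), "shop.example.jp", 3) {
		fmt.Println(f.IP, "->", strings.Join(f.Reasons, "; "))
	}
}
```

A relay that rewrites Referer removes the second tell, which is why the fan-out of browsers and sessions per address is reported alongside it.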


Amazon phishing attacks pick up for holiday shopping season

Hackers are gearing up for the big holiday shipping season with a new collection of emails that are just
too good not to click on.
"We see an uptake in things posing as Amazon and eBay receipts -- and airline flight confirmations,
based around the fact that people are traveling more and are expecting these confirmations to come
in," said Troy Gill, senior security analyst at AppRiver, a Florida-based email service provider.
Some users refuse to believe that the emails are malicious, Gill told CSO Online.
"They'll actually try to go into quarantine and try to release the email," he said.
"Even to me, as a trained professional, seeing these all the time, some look identical to the ones you
get from the actual vendor. However, I don't think any common transactions from Amazon would
ever have attachments at all. As a customer, I've never seen it, and I make purchases from them all
the time."
Gill recommended that companies warn their employees not to open attachments from major
shopping or travel sites.
"If you get an email with a Word attachment, don't open it, just go to the site, log into your account,
and all the transaction history is right there readily available," he said. "It's always a good idea to go
right to the horse's mouth."
So far this month, AppRiver has quarantined more than 600,000 email messages with the subject
line "Your Amazon Order Has Dispatched (#3digits-7digits-7digits)" and a return address of
The attached Word document has a macro that installs a Trojan dropper that creates a process
named "SUVCKSGZTGK.exe" and the dropper then installs a keylogger that harvests banking
information, email logins, and social media accounts.
"Hopefully, by default, macros are disabled in Word but many people do have them enabled," Gill

Another email campaign, with nearly 160,000 messages quarantined over the past few days, has the
subject "Your order on" and a return address of "" and a very realistic look,
with actual Amazon graphics.
This campaign attempts to get users to click on links that go to compromised WordPress sites that
download a file named "invoice1104.pdf[dot]scr" which is also a Trojan dropper.
"As we commonly see with these types of campaigns, the payload can be changed out by the
malware distributors so this dropper could pull down some other form of malware in the future,"
said Gill.
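A quarantine rule built from the tells Gill describes, as an added example that is not AppRiver's code: a Go triage of two constructed messages using the standard net/mail parser. The sender domain, recipient and order number are placeholders, since the campaign's real return address is not reproduced above, and the header From is checked only as a heuristic (a forged From is caught by SPF/DKIM, not by this).

```go
package main

import (
	"fmt"
	"net/mail"
	"path"
	"regexp"
	"strings"
)

// Constructed messages, not AppRiver samples. The sender domain is a placeholder
// because the campaign's real return address is not given in the article; the
// subject follows the template quoted there and the attachment mimics the Word lure.
const campaignMail = "From: \"Amazon.com\" <order-update@amazon-shipping.example>\r\n" +
	"To: staff@corp.example\r\n" +
	"Subject: Your Amazon Order Has Dispatched (#203-4418823-0017743)\r\n" +
	"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n" +
	"--b1\r\nContent-Type: text/plain\r\n\r\nYour order details are attached.\r\n" +
	"--b1\r\nContent-Type: application/msword; name=\"Order_203-4418823.doc\"\r\n" +
	"Content-Disposition: attachment; filename=\"Order_203-4418823.doc\"\r\n\r\n0M8R4KGx\r\n--b1--\r\n"

// A plausible real receipt for contrast: brand domain, no attachment, link only.
const genuineMail = "From: \"Amazon.com\" <ship-confirm@amazon.com>\r\n" +
	"To: staff@corp.example\r\nSubject: Your Amazon.com order has shipped\r\n" +
	"Content-Type: text/plain\r\n\r\nTrack your package at https://www.amazon.com/your-orders\r\n"

var (
	subjectRe  = regexp.MustCompile(`^Your Amazon Order Has Dispatched \(#\d{3}-\d{7}-\d{7}\)$`)
	filenameRe = regexp.MustCompile(`(?i)filename="?([^";\r\n]+)"?`)
	macroExts  = map[string]bool{".doc": true, ".docm": true, ".xls": true, ".xlsm": true, ".rtf": true}
	execExts   = map[string]bool{".scr": true, ".exe": true, ".pif": true, ".com": true, ".bat": true, ".js": true}
	docExts    = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".txt": true, ".jpg": true}
)

// HasDoubleExtension reports names like invoice1104.pdf.scr: a document-looking
// extension sitting in front of an executable one.
func HasDoubleExtension(name string) bool {
	n := strings.ToLower(name)
	last := path.Ext(n)
	return execExts[last] && docExts[path.Ext(strings.TrimSuffix(n, last))]
}

// Triage returns the reasons a "receipt" should be held for review, built from the
// tells in the article: the campaign's subject template, a sender that names Amazon
// but comes from another domain, any attachment on a transactional receipt, and an
// Office or double-extension payload. Header From alone is forgeable, so this is a
// quarantine heuristic, not a substitute for SPF/DKIM checks.
func Triage(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var reasons []string
	if subjectRe.MatchString(msg.Header.Get("Subject")) {
		reasons = append(reasons, "subject matches the dispatched-order campaign template")
	}
	if from, err := mail.ParseAddress(msg.Header.Get("From")); err == nil {
		domain := strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
		if strings.Contains(strings.ToLower(from.Name), "amazon") &&
			domain != "amazon.com" && !strings.HasSuffix(domain, ".amazon.com") {
			reasons = append(reasons, "sender displays Amazon but domain is "+domain)
		}
	}
	for _, m := range filenameRe.FindAllStringSubmatch(raw, -1) {
		name := m[1]
		reasons = append(reasons, "transactional receipt carries an attachment: "+name)
		if macroExts[strings.ToLower(path.Ext(name))] {
			reasons = append(reasons, "Office attachment can carry a macro dropper")
		}
		if HasDoubleExtension(name) {
			reasons = append(reasons, "double extension disguises an executable")
		}
	}
	return reasons, nil
}

func main() {
	for _, raw := range []string{campaignMail, genuineMail} {
		reasons, err := Triage(raw)
		fmt.Println(len(reasons), "reasons", reasons, err)
	}
}
```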
Gill also recommended that companies train employees to immediately report suspicious emails.
"I feel that a lot of people are just, 'out of sight out of mind'," he said. "If they don't see any
immediate impact from it, it's really not a concern, or maybe they don't want to mention to their
employer that they actually opened an attachment. That kind of mentality, I think, is far too common."
This is a particular problem because, according to a recent security report by Google, about 20
percent of hijacked accounts are accessed within 30 minutes of a hacker getting the login info.
After getting in, the hackers often change the password to lock out the legitimate user, search for
information about other accounts they can hijack, and use their access to send personalized phishing
emails to the victim's friends and colleagues, said Elie Bursztein, Google's Anti-Abuse Research Lead,
in the report.
"I've seen malware spread that way on numerous occasions," said AppRiver's Gill. "Of course I'll be
more likely to open an email from my friend Scott rather than some random made-up name."