Mobile, Token, Tokenless, Vulnerability

How the Eurograbber attack stole 36 million euros

Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and the Netherlands over the summer of 2012.
The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process.

The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan.

Under the guise of upgrading the online banking software, victims were duped into giving additional information, including their mobile phone number and the handset's operating system, which the attackers then used to push a Trojan to the mobile device. The mobile Trojan worked on both BlackBerry and Android devices, giving the attackers a wider reach.

With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.

The attack infected both corporate and private banking users, performing automatic transfers of between €500 and €250,000 each to accounts spread across Europe.

The attack involved 10 stages, starting with an initial infection by a modified version of Zeus:

  • Users’ PCs become infected by a modified Zeus trojan after visiting a compromised web page or following a link in a phishing email. This opens the door for the attack.
  • Users visit their bank’s webpage and log in to their account to make a transaction.
  • The modified Zeus trojan injects malicious code into the bank webpage, including a request for users to enter their mobile information, including its number and operating system.
  • This information is sent over the Internet to the attacker’s “drop zone” system, where it is stored.
  • The attacker’s server sends an SMS message to the user’s mobile device that includes a link to the mobile device-targeting trojan, a version of Zitmo (Zeus in the mobile).
  • Users are directed to click on the link in the SMS to ‘upgrade the security of the online banking system’. This installs the mobile Trojan on the mobile device and completes the setup.
  • Now, every time the user logs into their bank account, the Trojan initiates an automatic transaction to transfer money out of the victim’s account using their real credentials.
  • To complete the transaction, the bank sends an SMS message containing the TAN to the victim’s mobile device, and the mobile Trojan silently forwards the TAN to the attacker’s server.
  • The customized Zeus Trojan JavaScript running on the victim’s computer receives the TAN from the attacker’s server.
  • The Eurograbber attack is complete and the attackers transfer money out of the victim’s account.
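The ten stages above are easier to reason about as a protocol with four parties. The following is an added simulation written for this page, not code from Check Point or from the malware: the bank, the victim's PC (with the man-in-the-browser inject), the victim's phone (with or without the SMS-forwarding Trojan) and the attacker's drop zone are all in-memory objects, the "SMS channel" is a list, and the user names, balances, phone number and six-digit TAN format are assumptions made for the illustration. Running it with and without the mobile infection shows why the phone is the linchpin: the same PC-side inject that can start a transfer cannot finish one unless the TAN is relayed off the handset.

```python
import re
import secrets

# Constructed simulation of the two-channel flow. All names, balances and the
# TAN format are illustrative assumptions, not details from the report.


class DropZone:
    """Attacker's collection server: harvested data plus relayed TANs."""
    def __init__(self):
        self.credentials, self.phone_numbers, self.tans = {}, {}, []


class Bank:
    """Toy bank: password login, then one SMS TAN per transfer."""
    def __init__(self, phone_book):
        self.balances = {"victim": 10_000, "mule": 0}
        self.passwords = {"victim": "hunter2"}      # assumed toy credential
        self.phone_book = phone_book                # user -> registered number
        self.pending = {}                           # tan -> (src, dst, amount)
        self.sms_channel = []                       # (number, text) to deliver

    def login(self, user, password):
        return self.passwords.get(user) == password

    def request_transfer(self, user, dst, amount):
        tan = f"{secrets.randbelow(10**6):06d}"
        self.pending[tan] = (user, dst, amount)
        # The out-of-band message carries the details a human could verify.
        self.sms_channel.append(
            (self.phone_book[user], f"TAN {tan} for {amount} EUR to {dst}"))

    def confirm_transfer(self, tan):
        tx = self.pending.pop(tan, None)
        if tx is None or self.balances[tx[0]] < tx[2]:
            return False
        src, dst, amount = tx
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True


class Phone:
    """Victim's handset. With the mobile Trojan installed, TAN messages are
    hidden from the user and forwarded to the drop zone instead."""
    def __init__(self, number, dropzone):
        self.number, self.dropzone = number, dropzone
        self.infected = False
        self.inbox = []                             # what the user actually sees

    def receive(self, text):
        m = re.search(r"TAN (\d{6})", text)
        if self.infected and m:
            self.dropzone.tans.append(m.group(1))   # stage 8: TAN leaves the phone
            return                                  # and the user never sees it
        self.inbox.append(text)


def deliver_sms(bank, phones):
    for number, text in bank.sms_channel:
        phones[number].receive(text)
    bank.sms_channel.clear()


def run_attack(user_installs_mobile_trojan):
    """Play the ten stages; report whether the transfer completed, the final
    balances, and what the user's SMS inbox shows afterwards."""
    dz = DropZone()
    number = "+390000000000"                        # assumed victim number
    phone = Phone(number, dz)
    bank = Bank({"victim": number})
    phones = {number: phone}

    # Stages 1-4: infected PC, victim logs in, the web-inject harvests the
    # credentials and phone details and ships them to the drop zone.
    bank.login("victim", "hunter2")
    dz.credentials["victim"] = "hunter2"
    dz.phone_numbers["victim"] = number

    # Stages 5-6: the "security upgrade" SMS; the outcome depends on the user.
    phone.infected = user_installs_mobile_trojan

    # Stage 7: on the next login the inject silently starts a transfer.
    bank.login("victim", dz.credentials["victim"])
    bank.request_transfer("victim", "mule", 9_500)

    # Stages 8-9: the bank sends the TAN; the mobile Trojan relays it to the
    # drop zone, where the PC-side inject picks it up.
    deliver_sms(bank, phones)
    stolen_tan = dz.tans[-1] if dz.tans else None

    # Stage 10: the inject submits the TAN. Without the phone, there is none.
    completed = bank.confirm_transfer(stolen_tan) if stolen_tan else False
    return {"completed": completed,
            "balances": dict(bank.balances),
            "user_inbox": list(phone.inbox)}
```

With the Trojan installed, `run_attack(True)` completes the transfer and leaves the user's inbox empty; `run_attack(False)` stalls at stage 9 and leaves the user holding an SMS for a €9,500 transfer they never started, which is the one point in the flow where a human could still notice. That is the practical caveat: an SMS TAN is only a second factor while the handset is an independent channel, and the whole purpose of the mobile Trojan is to remove that independence.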
News, Token, Tokenless, Vulnerability

HSBC websites fell in DDoS attack last night, bank admits

Hacktivists blamed for online banking blackout

Updated: HSBC has blamed a denial of service attack for the downtime of many of its websites worldwide on Thursday night.

Various Reg readers told us they were unable to reach the HSBC UK and First Direct websites on Thursday, leaving them unable to carry out internet banking services. Problems kicked in just before 20.00 BST and lasted for around seven hours.

Unconfirmed reports suggest that HSBC was targeted by the Izz ad-Din al-Qassam Cyber Fighters as part of a current campaign (see Pastebin post*) to get the controversial Innocence of Muslims video removed from YouTube. The group also took credit for interrupting customer access to the websites of Capital One earlier this week, again without warning, WSJ reports. The same group staged a series of digital sit-in (denial of service) attacks against US banks including Bank of America and Chase last month.

Security researchers analysing the earlier attacks quickly came to the conclusion that they were largely powered by botnet networks of malware-infected PCs.

In a statement, HSBC said that attacks had affected customers worldwide, and reassured clients that sensitive account data was not exposed by the attack.

On 18 October 2012 HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world. This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.

We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running.

We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts.

We apologise for any inconvenience caused to our customers throughout the world.

An updated statement from HSBC says that by 03.00 BST, it had brought all its websites worldwide back into service.

Darren Anstee, EMEA solutions architect team lead at Arbor Networks, said: “Recent attacks have used what we call multi-vector attacks, attacks which utilise a combination of volumetric and application layer attack vectors. What we are seeing here are TCP, UDP and ICMP packet floods combined with HTTP, HTTPS and DNS application layer attacks. Attackers are doing this because they know it makes the attacks more difficult to deal with, but not impossible if we have the right services and solutions in place.” ®

* Has anyone solved for “Panetta” (US Defense Secretary) yet?
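The Arbor comment above is the technical core of this item: volumetric floods and application-layer request floods are caught by different measurements, so a defence that only watches one misses the other. As an added illustration (written for this page, not Arbor's or HSBC's code, and run over constructed flow records rather than any data from the incident), the following classifier judges TCP/UDP/ICMP floods on aggregate packets per second and HTTP/HTTPS/DNS floods on per-source request rate. The record layout and both thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Added example over constructed flow records, not data from the HSBC incident.
# A record is (second, proto, src_ip, dst_port, is_layer7_request); the
# thresholds below are illustrative assumptions, not tuned values.

VOLUMETRIC_PPS = 1_000      # packets per second per protocol, all sources
APP_RPS_PER_SRC = 50        # well-formed requests per second from one source
SERVICES = {80: "HTTP", 443: "HTTPS", 53: "DNS"}


def classify_vectors(records, app_layer=True):
    """Return the set of attack vectors seen in any one-second window.

    TCP/UDP/ICMP floods are judged on aggregate packet rate. HTTP/HTTPS/DNS
    request floods are judged on per-source request rate, because a few
    hundred well-formed requests never trip a packet-rate threshold."""
    pps = defaultdict(Counter)          # second -> proto -> packets
    rps = defaultdict(Counter)          # second -> (src, service) -> requests
    for sec, proto, src, dport, is_request in records:
        pps[sec][proto] += 1
        if is_request and dport in SERVICES:
            rps[sec][(src, SERVICES[dport])] += 1

    vectors = set()
    for per_proto in pps.values():
        for proto, n in per_proto.items():
            if n >= VOLUMETRIC_PPS:
                vectors.add(f"{proto} flood")
    if app_layer:
        for per_src in rps.values():
            for (src, service), n in per_src.items():
                if n >= APP_RPS_PER_SRC:
                    vectors.add(f"{service} request flood from {src}")
    return vectors


def sample_records():
    """Constructed traffic: a UDP flood second, an ICMP flood second, and an
    application-layer second whose packet count is far below VOLUMETRIC_PPS."""
    recs = []
    for i in range(1_200):                      # UDP flood, 1,200 pps, spoofed sources
        recs.append((0, "UDP", f"203.0.113.{i % 250}", 53, False))
    for _ in range(60):                         # one client, 60 HTTPS requests/s
        recs.append((1, "TCP", "198.51.100.7", 443, True))
    for u in range(20):                         # 20 ordinary users, one request each
        recs.append((1, "TCP", f"192.0.2.{u}", 443, True))
    for i in range(1_000):                      # ICMP flood, no port, 1,000 pps
        recs.append((2, "ICMP", f"203.0.113.{i % 250}", 0, False))
    return recs
```

`classify_vectors(sample_records())` reports the UDP flood, the ICMP flood and the HTTPS request flood; the same call with `app_layer=False` reports only the two packet floods, because second 1 carries just 80 packets in total. In practice the counters would come from NetFlow/sFlow exports and the web servers' access logs, and the thresholds need to be set against a baseline of normal traffic rather than the round numbers used here.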

News, Token, Tokenless, Vulnerability

They’ve only gone and HACKED the WEATHER

Hackers punch into NOAA, in ‘vengeance for Stuxnet’

Hackers have lifted potentially sensitive data from the US National Weather Service after exploiting a vulnerability in the weather.gov website.

A previously-unknown group called Kosova Hacker’s Security claimed credit for the hack in a lengthy post on pastebin, containing a stream of data lifted as a result of the hack. Leaked data includes a list of partial login credentials, something that might give other hacking crews a head start in attacking the website, as well as numerous system and network configuration files.

The leaked information appears to consist only of system files and the like rather than scientific data, something that strongly distinguishes the breach from the so-called ClimateGate hack against the Climatic Research Unit (CRU) at the University of East Anglia back in November 2009.

The hacking crew said it took advantage of a “local file inclusion vulnerability” that allowed it to ransack the weather.gov servers. Kosova Hacker’s Security said the hack was carried out in retaliation for American aggression against Muslim nations, including the Flame and Stuxnet malware attacks against the Iran nuclear program.
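The report does not show the weather.gov code, so the following is an added illustration of the bug class rather than the vulnerable site: a page-include handler of the kind behind a `?page=` parameter, in its unsafe form next to a hardened one. The handler, directory layout and file contents are all constructed; a `templates` directory stands in for the application's include path and `secret.conf` for any readable file outside it (a password file, a config file with database credentials, the system and network configuration files the attackers leaked).

```python
import os
import re
import tempfile

# Added illustration of local file inclusion, not the weather.gov code (which the
# report does not show). The handler, directory layout and file contents are
# constructed for the example.


def vulnerable_include(base_dir, page):
    """Unsafe: the request parameter is joined to the include directory and
    opened as-is. '../' walks out of base_dir, and an absolute path makes
    os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, page)) as fh:
        return fh.read()


def hardened_include(base_dir, page):
    """Safe: accept only a bare page name, add the extension ourselves, and
    (defence in depth) check that the fully resolved path is still under the
    include directory after symlinks and '..' are collapsed."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", page):
        raise ValueError("invalid page name")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, page + ".html"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes include directory")
    with open(path) as fh:
        return fh.read()


def demo():
    """Build a throwaway tree and run both handlers against traversal payloads."""
    tmp = tempfile.mkdtemp()
    tpl = os.path.join(tmp, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "home.html"), "w") as fh:
        fh.write("<h1>welcome</h1>")
    with open(os.path.join(tmp, "secret.conf"), "w") as fh:
        fh.write("db_password=constructed")        # stands in for any off-path file

    payloads = ["../secret.conf",                  # relative traversal
                os.path.join(tmp, "secret.conf")]  # absolute path
    leaked = [vulnerable_include(tpl, p) for p in payloads]
    blocked = []
    for p in payloads:
        try:
            hardened_include(tpl, p)
        except ValueError as exc:
            blocked.append(f"{p}: {exc}")
    return {"legit": hardened_include(tpl, "home"),
            "leaked_by_vulnerable": leaked,
            "blocked_by_hardened": blocked}
```

`demo()` shows the vulnerable handler returning the contents of `secret.conf` for both payloads while the hardened one serves `home` and rejects both. The allow-list on the name is what does the work; the `realpath`/`commonpath` check is there so that a later change to the naming rule cannot silently reopen the hole.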

“They hack our nuclear plants using STUXNET and FLAME like malwares, they are bombing us 27*7, we can’t sit silent – hack to payback them,” The Hacker News quotes the hackers as saying.

KHS’ supposed grievance makes weather.gov a bit of an odd target. However, the group threatened to carry out further attacks against US government systems.

The weather.gov website was back up and running at the time of writing on Friday afternoon.

A post on Sophos’s Naked Security blog reports that the local file inclusion vulnerability was quickly patched, but that at least one other vulnerability, a cross-site scripting hole, was subsequently discovered on the site. It’s unclear whether the XSS vulnerability, which is the sort of thing that’s most useful to those interested in running phishing attacks rather than punching through web servers to reach back-end databases, has been fixed as yet.

Weather.gov is run by the US National Weather Service, part of the National Oceanic and Atmospheric Administration (NOAA). NOAA is a unit of the US Department of Commerce in charge of providing “weather, water, and climate data, forecasts and warnings for the protection of life and property and enhancement of the national economy”. It’s also well known as custodian of one of the three main databases used to measure global warming: the other two belong to NASA and the British Met Office’s Hadley Centre. ®

News, Token, Tokenless, Vulnerability

CAPTCHA-busting service relies on CAPTCHA to block bots

Can you use to it to spam itself?

By John Leyden

Posted in Security, 16th October 2012 10:14 GMT

An automated CAPTCHA circumvention service has decided to use CAPTCHAs to restrict access to its own contact us services.

It’s unclear whether it’s possible to use bypasscaptcha.com to, err, bypass the CAPTCHA on bypasscaptcha.com’s “contact us” page. The automated CAPTCHA solving service is likely to be of interest primarily to those who want to sign up to online forums and set up webmail accounts in preparation for spam runs, or other similar malfeasance.

Asked directly whether it was in the pay of spammers (like most other CAPTCHA-busting services), bypasscaptcha.com quickly responded:

“Sorry that we can not tell you who our customers are.”

Bypasscaptcha.com’s front page explains that “we hire workers to work on our project not only to make money for ourselves, but also to make our workers live better with much better salary than other local workers without any special skills.”

Which is a nice way of saying we’re paying poor folk overseas a pittance to decipher the letters in jumbled up images hundreds of times a day in hi-tech sweat-shops … but it’s better than picking over rubbish dumps.

An advert for the service on ProgrammableWeb explains:

“The service operates through the Bypass CAPTCHA API which can be implemented in third-party software.”

It’s unclear who’s behind the service, which was brought to our attention by Reg reader Christopher P.

“They cannot be English, what with their absolute failure to understand irony,” Christopher notes. ®
