Showing posts with label EUA.

Monday, 29 January 2018

Phishing Scam: Hackers Steal $900,000 from County Office

By Wagas on 28/01/2018 at HackRead


Another day, another phishing scam. This time Harris County, Texas wired almost $900,000 after falling for a phishing email.
Cybercriminals normally exploit their victims' lack of awareness, but in this attack they sank to a new low by profiting from the devastation caused by hurricane Harvey.

Transfer $888,000 “She” Said

It all started on 21 September 2017, in the aftermath of hurricane Harvey, which had submerged an estimated 30 percent of Harris County, Texas. The county auditor's office received an email from a woman going by the name Fiona Chambers, who posed as an accountant for D&W Contractors, Inc.
D&W Contractors, Inc. is a legitimate company that was at the time working to repair the hurricane damage in the county. In the email, "Chambers" asked the office to transfer $888,000 to the contractor's new bank account as part of its contract.
“If we can get the form and voided check back to you today would it be updated in time for our payment?” the email read, according to the Houston Chronicle.
The county transferred $888,000 to the bank account provided by "Chambers" without verifying that the account actually belonged to D&W Contractors, Inc. The very next day it turned out that the county had fallen for a phishing scam: there was no one named Fiona Chambers at the company, nor did the contractor own the bank account.
The incident is now being investigated by the FBI (Federal Bureau of Investigation), whose prime suspect is a group known for targeting local governments worldwide. The county says it has learned its lesson and vows to strengthen its cybersecurity and to overhaul and learn from how it handled the situation.
“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you. I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money,” said Harris County Judge Ed Emmett.

Previous Scam Linked Back To China

In June last year a similar incident took place: state Supreme Court judge Lori Sattler, who was in the process of selling her apartment to buy another, received an email she believed came from a legitimate real estate lawyer.
In the email the supposed lawyer asked her to transfer $1 million to a bank account. Following the instruction, she transferred $1,057,500, but the money went to a bank in China, reportedly the Commerce Bank of China, rather than to the lawyer.
It is unclear whether the two cases are related, but what they have in common is that the attackers knew their victims' exact situation and business dealings. Phishing scams are becoming more sophisticated, and users need to remain vigilant: avoid downloading attachments from unknown senders, and always confirm the authenticity of an email before giving away personal information or wiring funds.
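Both cases above turned on a payment instruction that was never verified out of band. The following is an added example, not code from HackRead or from either county; it shows how an accounts-payable workflow can triage a vendor bank-account change request against the vendor master record and force a callback to the phone number already on file. The vendor domain, account identifiers, phone number and the look-alike sender address are constructed; the email body is the line quoted in the article. The look-alike and Reply-To checks are general BEC indicators, not details the article gives about this specific email.

```python
"""Triage rules for vendor bank-account change requests (constructed example)."""
from dataclasses import dataclass, field

# Constructed vendor master data: what accounts payable already has on file.
VENDOR_MASTER = {
    "D&W Contractors, Inc.": {
        "domain": "dwcontractors.example",   # assumption, not the real vendor domain
        "account": "US-0001-ON-FILE",        # constructed account identifier
        "callback_phone": "+1-555-0100",     # number on file, never taken from the email
    },
}

URGENCY_WORDS = ("today", "urgent", "immediately", "in time for our payment")


@dataclass
class ChangeRequest:
    vendor: str
    sender: str        # From: address
    reply_to: str      # Reply-To: address (may equal sender)
    new_account: str
    body: str


@dataclass
class TriageResult:
    hold: bool
    indicators: list = field(default_factory=list)
    action: str = ""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _normalise(domain: str) -> str:
    """Collapse common look-alike substitutions (rn->m, vv->w, 0->o, 1->l, 3->e)."""
    d = domain.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("013", "ole"))


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(req: ChangeRequest) -> TriageResult:
    """Hold any request that changes payment details or comes from a domain not on file."""
    rec = VENDOR_MASTER.get(req.vendor)
    res = TriageResult(hold=False)
    if rec is None:
        res.indicators.append("unknown vendor")
        res.hold = True
    else:
        if req.new_account != rec["account"]:
            res.indicators.append("bank account differs from vendor master")
            res.hold = True
        sd, on_file = _domain(req.sender), rec["domain"]
        if sd != on_file:
            if _normalise(sd) == _normalise(on_file) or _levenshtein(sd, on_file) <= 2:
                res.indicators.append(f"look-alike sender domain {sd!r} vs {on_file!r}")
            else:
                res.indicators.append(f"sender domain {sd!r} not on file")
            res.hold = True
    # Soft signals: recorded for the analyst but not sufficient on their own to hold.
    if _domain(req.reply_to) != _domain(req.sender):
        res.indicators.append("Reply-To domain differs from From domain")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        res.indicators.append("urgency language")
    if res.hold:
        phone = rec["callback_phone"] if rec else "(none on file: verify through procurement)"
        res.action = f"HOLD payment; confirm by phone with vendor at {phone}"
    else:
        res.action = "RELEASE (no instruction change detected)"
    return res


if __name__ == "__main__":
    suspicious = ChangeRequest(
        vendor="D&W Contractors, Inc.",
        sender="fiona.chambers@dwcontractor.example",   # constructed look-alike domain
        reply_to="fiona.chambers@webmail.example",
        new_account="US-9999-NEW",
        body="If we can get the form and voided check back to you today would it be "
             "updated in time for our payment?",
    )
    print(triage(suspicious))
```

The decisive rule is the first one: a changed account number is held regardless of how convincing the email looks, and the callback goes to the number on file rather than to any contact details the email supplies. The domain and Reply-To checks only enrich the analyst's view; they would not have fired on a perfectly spoofed sender, which is why the account-change rule does not depend on them.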

Friday, 15 December 2017

Sophisticated ‘MoneyTaker’ group stole millions from Russian & US banks

By Wagas on 12/12/2017 at HackRead

IT security researchers at Moscow-based cybercrime prevention firm Group-IB have identified a dangerous and sophisticated group of cybercriminals that has so far stolen more than $10 million from the banking and financial sector.
Dubbed MoneyTaker by the researchers, the group has conducted 20 successful attacks in Russia, the United Kingdom and the United States over the last 18 months. Its targets include card processing systems and interbank transfer systems such as AWS CBR (the Russian interbank system) and, reportedly, SWIFT (the international bank messaging service) in the United States.
On average, MoneyTaker took about $3 million per attack from the three Russian financial institutions it hit and about $500,000 per attack from banks in the United States. The group does not limit itself to banks: it has also targeted financial software vendors and law firms.
“Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US,” says the report compiled by Group-IB.
Researchers confirmed that MoneyTaker targeted 20 companies: 1 in the UK, 3 in Russia and 16 in the US. Most of those attacks went undetected and unreported, in part because the group relied on publicly available tools, which also complicates attribution.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide, and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” said Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence.
MoneyTaker first came to Group-IB's attention in 2016, when the researchers tracked the group's activity after it stole money from a US bank by gaining access to First Data's “STAR” network operator portal.
“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.”
“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”
Furthermore, researchers noted links between all 20 attacks the group conducted in 2016 and 2017, including the use of the same tools, similarly distributed infrastructure, one-time-use components in the attack toolkit, and spying on the target after a successful attack.
To evade detection, the group uses fileless malware and SSL certificates generated in the names of well-known institutions such as Microsoft, Yahoo, Bank of America and the Federal Reserve Bank. MoneyTaker also uses a distributed infrastructure and delivers payloads only to victims whose IP addresses are on its whitelist.
MoneyTaker uses both borrowed and self-written tools; for example, it developed an application with keylogging and screenshot capabilities that captures keystrokes and screenshots from a targeted device and exfiltrates the content.
To control the operation, MoneyTaker runs a pentest framework server on which it installs a legitimate penetration-testing tool, Metasploit. The group uses Metasploit for the following activities:
1. Network reconnaissance
2. search for vulnerable applications
3. exploit vulnerabilities
4. escalate systems privileges
5. collect information
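The certificates described above, generated in the names of Microsoft, Yahoo, Bank of America and the Federal Reserve Bank, are a cheap signal to hunt for in TLS telemetry. The following is an added example, not Group-IB's code or indicators: it runs a brand-impersonation heuristic over connection records shaped like a Zeek-style ssl/x509 log. The field names and the three sample records are constructed for this example, and the brand list is the one the article names.

```python
"""Flag TLS certificates that borrow a well-known institution's name (constructed example)."""
import ipaddress
import re
from typing import Dict, List

# Brand names taken from the article; matching is case-insensitive and ignores punctuation.
IMPERSONATED_BRANDS = ("microsoft", "yahoo", "bank of america", "federal reserve")


def _norm(s: str) -> str:
    return re.sub(r"[^a-z0-9 ]+", " ", s.lower()).strip()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _name_matches(host: str, sans: List[str]) -> bool:
    """Does the SNI host fall under any SAN entry (exact or single-label wildcard)?"""
    host = host.lower()
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            if host.endswith(san[1:]) and host.count(".") == san.count("."):
                return True
        elif host == san:
            return True
    return False


def inspect(record: dict) -> List[str]:
    """Return triage reasons for one connection record; an empty list means nothing to flag."""
    reasons: List[str] = []
    subject = _norm(record["subject_cn"])
    issuer = _norm(record["issuer_cn"])
    brand = next((b for b in IMPERSONATED_BRANDS if b in subject), None)
    if brand is None:
        return reasons  # no brand in the subject: out of scope for this heuristic
    if record.get("self_signed") or subject == issuer:
        reasons.append(f"self-signed certificate naming {brand!r}")
    host = record.get("server_name") or record["dst_ip"]
    if _is_ip(host):
        reasons.append(f"{brand!r} certificate served to bare IP {host} with no SNI")
    elif not _name_matches(host, record.get("san", [])):
        reasons.append(f"SNI {host!r} not covered by SAN {record.get('san')}")
    return reasons


def scan(records: List[dict]) -> Dict[str, List[str]]:
    """Map connection uid -> reasons, for records that warrant an analyst's look."""
    out: Dict[str, List[str]] = {}
    for r in records:
        reasons = inspect(r)
        if reasons:
            out[r["uid"]] = reasons
    return out


# Constructed records in a Zeek-like shape (assumed field names, not observed data).
SAMPLE_RECORDS = [
    {"uid": "C1", "dst_ip": "203.0.113.7", "server_name": "",
     "subject_cn": "Microsoft", "issuer_cn": "Microsoft", "self_signed": True, "san": []},
    {"uid": "C2", "dst_ip": "198.51.100.9", "server_name": "update.cdn.example",
     "subject_cn": "Bank of America", "issuer_cn": "Example Issuing CA",
     "self_signed": False, "san": ["bankofamerica.example"]},
    {"uid": "C3", "dst_ip": "192.0.2.4", "server_name": "login.microsoft.example",
     "subject_cn": "login.microsoft.example", "issuer_cn": "Example Issuing CA",
     "self_signed": False, "san": ["login.microsoft.example", "*.microsoft.example"]},
]

if __name__ == "__main__":
    for uid, reasons in scan(SAMPLE_RECORDS).items():
        print(uid, "->", "; ".join(reasons))
```

Record C3 carries a brand name but is not flagged, because the SNI is covered by the SAN and the certificate is not self-issued; C1 and C2 are flagged for a self-signed brand certificate on a bare IP and for a name mismatch respectively. The issuer string is attacker-controlled, so this is a triage signal only: the trust decision is chain validation against the host's trust store, which the heuristic does not replace.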
Another notable discovery by Group-IB researchers is that MoneyTaker uses privilege escalation tools based on code presented at the Russian security conference ZeroNights 2016. In some attacks the group used the Citadel and Kronos banking Trojans; in one case Kronos was used to deliver point-of-sale (POS) malware dubbed ScanPOS.
Recall that in August this year the FBI arrested WannaCry hero Marcus Hutchins for “creating and distributing the Kronos banking trojan.” Kronos stole banking credentials from around the world but primarily targeted the United Kingdom and North Ameri

Thursday, 23 November 2017

The end of net neutrality and its global impacts

Breno Pauli Medeiros on 23/11/2017 at CEIRI Newspaper


“Net neutrality” is the term used for the Internet regulation practices that guarantee that all users, providers and services get the same offerings of speed, openness and bandwidth. The rules prohibit blocking content or supplying services at differentiated prices to different groups of customers. Net neutrality has been widely defended by companies such as Google, Apple and Reddit; by organizations such as the American Civil Liberties Union (ACLU); and by journalists and public figures, among them Barack Obama.
FCC seal
Net neutrality is guaranteed by the Federal Communications Commission (FCC), a body that answers directly to the US Congress and requires Internet Service Providers (ISPs) to guarantee an equal Internet for all users, whether large companies or individuals.
ISPs are the companies that provide the network infrastructure and offer connections around the world. Although they are US companies, they have global reach, since their actions affect everyone from multinational corporations to individuals worldwide. Despite this global footprint, they are subject to the laws of their country of origin, which for most of them is the United States. In addition, many ISPs in other countries are owned by the large US ISPs.
The net neutrality rules are widely criticized by some members of the US Congress, both Republican and Democrat, by ISPs, and by the current FCC chairman, Ajit Pai, who has announced plans to repeal the net neutrality measures.
The arguments against ending net neutrality point to the favoring of corporations with greater economic power, which will be able to pay for faster service in “express lanes” of differentiated speed, to the detriment of companies that are just starting out and lack the means to buy differentiated service. Another argument is that some content, for example advertising, will be prioritized over other content.
Despite protests from thousands of Americans, Pai's proposal is scheduled for a vote by the FCC on 14 December 2017. The Internet Association, a group made up of the largest Internet companies and service providers, among them Facebook, Netflix, Amazon and Google, declared that Pai's proposal “represents the end of net neutrality as we know it and defies the will of millions of Americans. (…) This proposal undoes nearly two decades of bipartisan agreement on basic net neutrality principles that protect Americans' ability to access the entire internet.”
It is worth stressing, however, that since US ISPs sit at the top of a long chain of companies and service providers with global reach, a measure decided in the United States will have an impact on the cyberspace that spans many countries.
Image sources:
Image 1 “FCC Chairman Ajit Pai” (original source: U.S. Federal Communications Commission, https://transition.fcc.gov/commissioners/photos/ppavp.jpg, public domain)
Image 2 “FCC seal” (original source: U.S. Government)

Wednesday, 11 October 2017

U.S. Believes Russian Spies Used Kaspersky Antivirus to Steal NSA Secrets


The United States government has already banned federal agencies from using Kaspersky antivirus software over spying fears.


Though no solid evidence is yet available, an article published by The Wall Street Journal claims that Russian state-sponsored hackers stole highly classified NSA documents from a contractor in 2015 with the help of a security program made by the Russia-based security firm Kaspersky Lab.


Currently there is no way to independently confirm whether the Journal's claims about the popular security vendor are accurate, and the story does not prove Kaspersky's involvement.


"As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight," Kaspersky said in a statement.

The NSA contractor, whose identity has not been disclosed, reportedly downloaded a cache of highly classified information from government systems and moved it to a personal computer at home, a clear violation of known security procedures.

Citing anonymous sources, the Journal says the targeted computer was running Kaspersky antivirus, the same product the U.S. Department of Homeland Security (DHS) recently banned from all government computer systems over spying fears.


The classified documents the contractor took home contained details about how the NSA breaks into foreign computer networks for cyber-espionage operations, as well as how it defends its own systems against cyber attacks.


Although what role Kaspersky played in the breach is not entirely clear, US officials believe an antivirus scan performed by Kaspersky Lab's security software on the contractor's computer helped Russian hackers identify the files containing sensitive information.


In response to the WSJ story, Kaspersky CEO Eugene Kaspersky said his company "has not been provided with any evidence substantiating the company's involvement in the alleged incident. The only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."


Also, it is not clear exactly how the files were stolen, but it has been speculated that the antivirus's practice of uploading suspicious files (malware executables) to the company's servers, located in Russia, may have given the Russian government access to the data.

Another possibility is that Russian hackers stole the confidential data by exploiting vulnerabilities in the Kaspersky Lab software installed on the targeted system, according to a person who asked not to be identified.


"Now, if we assume that what is reported is true: that Russian hackers exploited a weakness in our products installed on the PC of one of our users, and the government agencies charged with protecting national security knew about that, why didn’t they report it to us?" Kaspersky said.

"We patch the most severe bugs in a matter of hours; so why not make the world a bit more secure by reporting the vulnerability to us? I cannot imagine an ethical justification for not doing so."

This breach of NSA classified files, which is being called "one of the most significant security breaches in recent years," occurred in 2015 but was detected in 2016.


However, it is not clear whether this security incident has any ties to the Shadow Brokers campaign, an ongoing public leak of NSA hacking tools that many officials and experts have linked to the Russian government.


It is another embarrassing breach for the NSA, which has long struggled with contractor security, from Edward Snowden to Harold Thomas Martin and Reality Winner.

Monday, 28 August 2017

Chinese hacker arrested on charges of attacking company networks in the US

25 August 2017


The US Department of Justice charged Chinese national Yu Pingan, 36, with conspiring with two other Chinese nationals to hack the networks of three US companies, whose names were not disclosed.

Yu is accused of using, among other hacking tools, malicious code that was later used in an attack on the computer network of the US Office of Personnel Management, which holds information on all federal employees and on tens of thousands of workers who apply for top-secret clearances. He is also alleged to have breached a number of companies, including Anthem, one of the largest health insurers in the US.

The case is the first formal charge against a Chinese national since President Barack Obama and Chinese President Xi Jinping reached an agreement in 2015 on exchanging information about the theft of industrial trade secrets. At the time, Obama warned Xi Jinping that the United States would punish offenders through conventional law enforcement and could resort to sanctions against the Asian country.

The complaint, filed on Tuesday, 22 August, in federal court in San Diego, California, did not name the companies hit by the cyberattack but said they were based in Los Angeles, San Diego and Massachusetts, according to The New York Times.

Yu is accused of using the malicious software known as Sakula, first discovered in December 2012. The FBI had already identified use of the malware in November 2012, suggesting that Yu belongs to a small group of hackers using this malicious code. Sakula was later detected in a series of other cyberattacks on US government computers. The same technique was used by Chinese hackers in the attacks on Anthem and other health insurers.

Yu was arrested on Monday, 21 August, at Los Angeles International Airport and made his first court appearance on Tuesday, 22 August, in federal court in San Diego. Yu, who lives in Shanghai, specializes in network security and computer programming. His lawyer said he was also a computer science teacher.