25th November, 2019 – Purple Post
- 1.2 Billion Records Exposed
- Top 5 Security Projects That Can Help You
- Are you 1-10-60 Compliant?
- Ginp Android Banking Trojan
- Insider Info on How to Avoid Shopping Scams
- Phoenix Key Logger Actively Avoids Detection
- Kazakhstan Hacking Operation
- Docker Vulnerability – Gives Control Over Host
- T-Mobile Prepaid Customers Hacked
- Fixed Android Bug Remains a Threat in Apps
- Russia’s Sandworm Hackers Target Android
- Multi-Platform Malware “ACBackdoor”
- Phishing Attack – ‘Microsoft Download’ installs Ransomware
- Serious gMail Bug Patched
- Android Cameras can be Hacked by Other Apps
- Louisiana State Ransomware Attack
- New RAT Malware
- Disney+ Hacks
- Comments Sought – IoT based DDoS Attacks
- Outlook for Android – Updates
- BIND Advisory
- NSA Advisory: Managing Risk from Transport Layer Security Inspection
This week’s insight from Purple Team
How Business Email Compromise works
Last week, we talked at length about how to identify a phishing attempt. This week, let us look at how a specific variety of phishing, Business Email Compromise (BEC), targets you. This is also called Whaling, CEO Fraud or Wire-Transfer Fraud.
Lest you underestimate it, please understand that we are talking about an attack that caused $26 Billion in losses last year! This type of attack is difficult to detect particularly because, like Jeeves, the attackers work on ‘the psychology of the individual’. This linked article gives a sample of such a scam.
Let us see how the scam works:
Barracuda has published a detailed report on the various means perpetrators employ to get you to click that link. Key tactics:
- Timing of the Attack
91% of BEC attacks originate during a work day to convince you that the email is indeed from the presumptive originator. They are smart enough to avoid popular holidays; this trips them up sometimes in cultures with which they are not conversant. Conversely, they also increase the frequency during busy holidays like Thanksgiving or Deepavali betting that you would not pay as close attention.
- Convincing Impersonation
Most BEC attacks are very convincing. They target, on average, only 6 people in an organization. This also enables the attackers to monitor the activities of the target better. While the ‘From’ address looks convincing enough, the ‘Reply-To’ address is a giveaway. And the mail provider of choice is Gmail.
The messages are imperative in tone & convey urgency very well. About half of BEC mails contain “Request” or “Urgent”. A significant portion contain “Follow-up” to imply that it is an ongoing conversation. Most first messages ask for help or check your availability. Once that is established, the rest follows. Again, remember, BEC mails typically do not have links; they get you to do the work for them! For example, you could get a message from your CEO saying:
“Have you got a minute? I need you to complete a task for me discreetly.
p.s. I am in a meeting now and can’t talk so just reply.”
CEO, Acme Corp, <acme url>
Sent from wireless”
There are variations in the ultimate aim of the BEC – it could target HR to change payroll account or dues, or it could impersonate a vendor or supplier with an appropriate story. The thing to remember is that it is extremely believable.
What should you do?
At a transaction level, you need to validate the transaction out-of-band via, for example, a direct phone call. As a process, you should ensure that anyone who does validate is never penalized or chastised for it, ever.
At a technical level, you can implement DMARC to authenticate your emails.
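The tactics listed above (a Reply-To that does not match the From address, a free webmail reply address, urgency wording in the first message) and the DMARC advice here translate directly into a triage check a mail team can run. The script below is an added example written for this post, not Purple Team's code or the Barracuda report's; the two messages it inspects are constructed samples modelled on the CEO-fraud text quoted above, the extra webmail domains and the `Authentication-Results` header values are assumptions, and the threshold of two signals is an illustrative choice.

```python
"""Heuristic BEC triage over raw RFC 822 messages (added example, not Purple Team's code).

The signals mirror the tactics described in the newsletter: a Reply-To domain that
differs from the From domain, a free webmail reply address, urgency wording in the
first message, and no DMARC pass recorded by the receiving mail server.
"""
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers seen as Reply-To addresses. Assumption: gmail.com is the
# one named in the post; the others are illustrative additions.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Phrases the post reports as common in first-contact BEC mails.
URGENCY_PHRASES = ("request", "urgent", "follow-up", "discreetly", "can't talk")


def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if absent or malformed)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Collect the plain-text body, walking multipart messages if needed."""
    if not msg.is_multipart():
        return msg.get_payload(decode=True).decode(errors="replace")
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts)


def bec_signals(raw_message):
    """Return the list of BEC indicators found in one raw message."""
    msg = message_from_string(raw_message)
    signals = []
    from_dom = domain_of(msg.get("From"))
    # A missing Reply-To means replies go back to the From address.
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    if reply_dom != from_dom:
        signals.append(f"reply-to domain '{reply_dom}' differs from from domain '{from_dom}'")
    if reply_dom in FREEMAIL:
        signals.append(f"reply address uses free webmail provider '{reply_dom}'")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        signals.append("urgency wording: " + ", ".join(hits))
    # Authentication-Results is stamped by the receiving MX (RFC 8601). Without a
    # DMARC pass the From domain has not been vouched for by SPF/DKIM alignment.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=pass" not in auth:
        signals.append("no DMARC pass recorded by the receiving server")
    return signals


def is_likely_bec(raw_message, threshold=2):
    """Flag a message for out-of-band verification when enough signals stack up."""
    return len(bec_signals(raw_message)) >= threshold


# Constructed sample modelled on the CEO-fraud message quoted in the post.
SUSPICIOUS = """\
From: "Jane Doe, CEO" <ceo@acme.example>
Reply-To: jane.doe.ceo@gmail.com
To: finance@acme.example
Subject: Urgent request
Authentication-Results: mx.acme.example; spf=softfail; dkim=none; dmarc=fail

Have you got a minute? I need you to complete a task for me discreetly.
p.s. I am in a meeting now and can't talk so just reply.
"""

# Constructed benign internal message for comparison.
BENIGN = """\
From: Jane Doe <ceo@acme.example>
To: finance@acme.example
Subject: Board deck
Authentication-Results: mx.acme.example; spf=pass; dkim=pass; dmarc=pass

The Q4 slides are on the shared drive when you have time.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, is_likely_bec(raw), bec_signals(raw))
```

Run it against a mailbox export and the suspicious sample trips all four signals while the benign one trips none; in practice the flagged messages are the ones to route to the phone-call verification step described above rather than to block outright, since a legitimate executive on a personal phone can look similar.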
Whatever you choose, please be wary – ’tis the season for scams too!
– Sridhar Parthasarathy, CEO, Purple Team (www.purpleteam.in)
Learning News this Week
Since phishing in general & BEC in particular are so rooted in the psychology of the individual, it is very illuminating to look into how a scammer works. The link above has some snippets of an actual romance scam. Please read it; it is worth your time.
Two aspects stood out for me – (1) how easy it is to script an interaction to scam someone and, (2) the extent to which a scammer can push a victim.
We each have this image of a scammer being a computer nerd (disheveled maybe, but a nerd!). Clearly that is not the case. Set scripts are available and all they need is a bit of seed capital.
What we need to understand is that it is not about how smart we are; a successful scam depends on how human you are.
The article linked above explains how ransomware bypasses security checks, even in organizations that seem to have implemented good security practices. We saw how psychology is at the core of BEC.
The article talks about a few techniques like “Code Signing” or “Privilege Escalation”, etc. These are merely the methods by which ransomware hijacks your systems and data. The core problem in ransomware attacks is also rooted in psychology.
The key attack vectors for ransomware are email links & malicious sites. All the techniques listed in the article are useless if nobody clicks those links. And getting you to click on those links is an exercise in applied psychology.
In my opinion, investment in employee education pays extremely high dividends in the security arena.
Data sleuth Bob Diachenko located an unsecured Elasticsearch server with 1.2 Billion records left over from two data aggregation companies – People Data Labs & OxyData.io.
Small and medium enterprises can leverage these open-source projects and gain a head start on their security initiatives for safeguarding their businesses. Another advantage of open-source projects is that companies can customise them based on their requirements and guard their information.
How long do you need to contain a breach in your organization? The recommendation is: 1 minute to detect, 10 minutes to triage, and 60 minutes to contain. The average company takes 162 hours to detect, triage, and contain a breach.
An Android malware, called Ginp, masquerades as other legitimate Android apps like Adobe Flash Player. Once downloaded, it seeks & gets permissions. That provides the springboard for further breaches. The current version targets your banking information.
There’s nothing quite like a major online sale to have us reaching for the credit cards in the hopes of nabbing a bargain (or ten), but with Black Friday and Cyber Monday fast approaching, the need for increased diligence around our online safety is at an all-time high.
The Phoenix Key Logger (it has now morphed into an info-stealer) has gained anti-AV & Anti-VM capabilities. It now actively avoids 80 different security products.