Search This Blog

Showing posts with label Bank Credentials. Show all posts

Why Must You Secure Your Bank Accounts With 2FA Verification?


Technological advancement and the internet have made a revolutionary transformation in helping users conveniently handle their personal finances. One can do anything sitting on a couch, as long as he has a phone or laptop handy. However, along with the positive aspects, bank accounts are the most vulnerable to cybercrimes, marking a major drawback of this change. 

Two-factor authentication (2FA) is one of the most robust solutions to this problem. While the finest smart home security systems are excellent for ensuring household security, 2FA (Two-Factor Authentication) is what you need for online security. 

Although many people are aware of 2FA, a considerable number of them are still oblivious to its utility. The few minutes required to set up this cyber shield are totally worth it. 

What is Two-Factor Authentication? 

2FA is a security tool that acts as an additional layer of verification, along with the username and password. You can consider it a more reliable login. Even though 2FA is more secure than a standard login, once it is set up, it does not take much longer. 

One can categorize 2FA verification into three main types - something you are, something you have, or something you know. 

A 2FA login might as well use a user’s fingerprint or retinal scan in order to verify him. An instance of the “something you have” 2FA would be a user receiving a code on his phone. To fulfill the "something you know" requirement of 2FA, you might be asked a few short security questions that you have already confirmed previously. All forms of 2FA increase the security of your login. 

Why must we use 2FA? 

The most legitimate and prominent reason to use 2FA on all your financial accounts is to protect your finances. Cybercrimes in modern days revolve around acquiring access to accounts via username and password information. A hacker gaining unauthorized access to your bank account is worse than someone stealing your credit or debit card since there are more techniques already in place for the stolen card. 

For the same reasons, most banks have now started offering 2FA or making it mandatory for users for any online banking procedures. Since not all banks possess 2FA, it is better if a user checks if their banks offer 2FA for logging in to their bank accounts. 

Keep Your Financial Accounts Secure 

The added security that 2FA creates is worth the short setup time and extra login step, for cybercrime is particularly likely to attack bank accounts. This security measure is a potent deterrent against intruders and must not be overlooked.  

Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data

 

Disneyland Team, a Russian-speaking financial hacking group was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites. 

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.  

But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. But this is where typosquatting plays an important role by designing phishing websites with domain names that are common misspellings of websites. 

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specs of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin. 

So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself. That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.

“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site, KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data

 

Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020. Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems. 

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list 
• Change the signal string for the getdents64 hook 
• Add a network filter (format p) 
• Remove a network filter 
• Set the current thread TTY to not to be filtered by the getdents64 hook 
• Set all TTYs to be filtered by the getdents64 hook \
• Displays the current configuration Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions. 

Caketap intercepts data on their way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. 

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks. 

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.

Dridex Banking Malware is Now Being Installed Using a Log4j Vulnerability

 

The Log4j vulnerability is presently being leveraged to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter, according to Cryptolaemus, a cybersecurity research firm. Dridex, also known as Bugat and Cridex, is a type of malware that specializes in obtaining bank credentials through a system that uses Microsoft Word macros. This malware targets Windows users who open an email attachment in Word or Excel, enabling macros to activate and download Dridex, infecting the computer and potentially exposing the victim to banking theft.

The major objective of this software is to steal banking information from users of infected PCs in order to conduct fraudulent transactions. Bank information is used by the software to install a keyboard listener and conduct injection attacks. The theft perpetrated by this software was estimated to be worth £20 million in the United Kingdom and $10 million in the United States in 2015. Dridex infections have been linked to ransomware assaults carried out by the Evil Corp hacker gang. 

Log4j, an open-source logging library widely used by apps and services on the internet, was revealed to have a vulnerability. Attackers can breach into systems, steal passwords and logins, extract data, and infect networks with harmful software if they are not fixed. Log4j is widely used in software applications and internet services around the world, and exploiting the vulnerability needs no technical knowledge. As a result, Log4shell may be the most serious computer vulnerability in years. 

Threat actors use the Log4j RMI (Remote Method Invocation) exploit version, according to Joseph Roosen, to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. When the Java class is launched, it will first attempt to download and launch an HTA file from several URLs, which will install the Dridex trojan, according to BleepingComputer. If the Windows instructions cannot be executed, the device will be assumed to be running Linux/Unix and a Python script to install Meterpreter will be downloaded and executed. 

On Windows, the Java class will download and open an HTA file, resulting in the creation of a VBS file in the C:ProgramData folder. This VBS program is the primary downloader for Dridex and has previously been spotted in Dridex email campaigns. When run, the VBS code will examine numerous environment variables to determine whether or not the user is a member of a Windows domain. If the user is a domain member, the VBS code will download and run the Dridex DLL with Rundll32.exe.

Android App Enacting as a Housekeeping Service Steal Malaysian Individuals Bank Credentials

 

A bogus Android software poses as a housekeeping service to obtain online banking passwords from clients of eight Malaysian banks. To market the fraudulent APK, 'Cleaning Service Malaysia,' the software is promoted through multiple false or duplicated websites and social media profiles. 

This software was discovered by MalwareHunterTeam last week and was then investigated by Cyble researchers, who provided thorough information on the app's dangerous activity. 

When customers install the app, they are asked to authorize at least 24 permissions, including the hazardous 'RECEIVE SMS,' that allows the program to observe and read any SMS texts received on the phone. 

This privilege is misused by intercepting SMS messages to collect one-time passwords and MFA codes for e-banking services, that are subsequently forwarded to the attacker's server. When the infected app is launched, it will display a form asking the user to schedule a house cleaning service. The user is asked to select a payment option after entering their cleaning service details (name, address, phone number) into the bogus app. 

This phase displays a list of Malaysian banks and internet banking alternatives, and if the victim clicks on one, they are directed to a phony login page designed to seem like the actual one. 

Every login page is hosted on the actor's server, however, the victim seems to have no means of knowing from within the app's interface. Any banking information entered in this phase is given straight to the attackers, who can use them in conjunction with an acquired SMS code to get access to the victim's e-banking account.

The low follower count and recent creation date of the social media profiles that promote these APKs are apparent indicators of fraud. 

An additional problem is a mismatch in the contact information provided. Because the majority of the decoy sites chose legitimate cleaning services to impersonate, variations in phone numbers or email addresses are a major red flag. The requested privileges also signal that something is wrong because a cleaning service software has no logical reason to request access to a device's texts. 

To reduce the possibility of falling prey to this type of phishing attempt, one must only download Android apps from the authorized Google Play Store. 

Moreover, one should always carefully evaluate the permissions asked and must not download an app that requests more permissions than it should for its functionality. 

Finally, keep the device up to date by installing the most recent security updates and employing a trusted vendor's mobile security solution.