Thousands of Users Impacted in Revolut Data Breach


Financial technology firm Revolut has suffered a massive data breach that may have allowed hackers to access the private details of over 50,000 users. 

The fintech giant, which has a banking license in Lithuania, described the assault as “highly targeted” and stated the hacker only had access to 0.16% of customers’ data for a “short period” of time. 

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut spokesperson Michael Bodansky explained. “To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”

However, according to Revolut’s breach disclosure to the authorities in Lithuania, the firm says nearly 50,150 global customers, including 20,687 in the European Economic Area (EEA) and 379 Lithuanian citizens, may have been impacted by the data breach. The leaked data includes names, postal and email addresses, telephone numbers, partial card details, and bank account information.  

Soon after the attack, multiple Revolut users complained regarding obscene texts received via the application’s chat feature. Some customers also reported getting text messages directed to a Revolut phishing website. It’s unclear if these events are related to the breach. 

In its data breach notification to affected users, Revolut warned impacted users to be on high alert for follow-on phishing and fraud scams using leaked details. 

“Cyber-criminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation,” the company warned users. 

“Malicious persons and fraudsters may try, using the publicized information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.” 

According to Forbes, London-based Revolut is the UK’s most valuable fintech startup, currently valued at $33 billion. It has over 20 million customers in 200 nations but is most popular in Europe and the UK. The app-based bank was established in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.

Cybercriminals Employ Malicious Shopping Apps to Exfiltrate Banking Data of Malaysian Users


Cybercriminals have been distributing malicious applications disguised as legitimate shopping apps to steal the financial data of customers of eight Malaysian banks. Earlier this week, on Wednesday, researchers at Slovak security firm ESET published new research describing three separate apps targeting Malaysian customers.

First discovered in November 2021, the malicious campaign began by distributing a fraudulent app posing as Maid4u, a legitimate cleaning service brand. The cybercriminals responsible set up a website with a near-identical name -- a technique known as typosquatting -- and attempted to trick users into downloading the malicious Maid4u app. To make the website appear legitimate, the attackers even paid for Facebook ads.

Earlier this year, in January, MalwareHunterTeam found three other malicious websites employing the same technique, and the campaign is still ongoing. ESET has since spotted another four malicious websites that mimic legitimate cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, YourMaid, Maideasy and MaidACall, as well as a pet store named PetsMore, all of which are aimed at users in Malaysia.

The malicious websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons redirects users to rogue servers under the attackers’ control. To succeed, this malicious campaign requires the intended victims to enable the non-default “Install unknown apps” option on their devices.

Subsequently, the victims are presented with payment options, such as credit cards or transferring the required amount from their bank accounts. After choosing the direct transfer option, victims are presented with a fake FPX payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. 

When users submit their bank credentials, they are sent to the attacker's command-and-control (C2) server. The victim is then shown an error message. "To make sure the threat actors can get into their victims' bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank," the ESET researcher Lukáš Štefanko explained. 

"While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on," Štefanko added. "At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future."

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data


Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

This group of adversaries has lately been seen targeting telecom businesses with tailored implants, and in 2020 it was observed hacking managed service providers and victimising their clients. Researchers present more proof of LightBasin activity in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris.

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list
• Change the signal string for the getdents64 hook
• Add a network filter (format p)
• Remove a network filter
• Set the current thread TTY to not be filtered by the getdents64 hook
• Set all TTYs to be filtered by the getdents64 hook
• Display the current configuration

Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions.

Caketap intercepts data on its way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips.

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 
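Because the implant answers or swallows verification messages on the switch host while the HSM keeps its own audit trail of what it actually processed, the two records can be reconciled. The following is an added example (not from Mandiant's report or Caketap itself) that runs such a reconciliation over constructed sample log lines; the log formats and field names are assumptions.

```python
"""Reconcile an ATM switch's card-verification log with the HSM's own audit log.

A rootkit that drops or answers verification requests on the switch leaves a gap:
the switch records a result for a transaction the HSM never saw, or records a
result that disagrees with the verdict the HSM produced. Log formats are assumed.
"""

# Constructed switch-side log: txn id, masked PAN, and the result the switch recorded.
SWITCH_LOG = """\
txn=1001 pan=411111******1111 result=APPROVED
txn=1002 pan=522222******2222 result=APPROVED
txn=1003 pan=411111******3333 result=DECLINED
txn=1004 pan=522222******4444 result=APPROVED
"""

# Constructed HSM-side audit log: txn id and the verdict the HSM itself produced.
# txn 1002 is absent (never reached the HSM); txn 1004 was failed by the HSM.
HSM_LOG = """\
txn=1001 verdict=OK
txn=1003 verdict=FAIL
txn=1004 verdict=FAIL
"""

# How an HSM verdict should appear in the switch's result column.
VERDICT_TO_RESULT = {"OK": "APPROVED", "FAIL": "DECLINED"}


def parse_kv_lines(text):
    """Turn 'key=value key=value' lines into a dict of records keyed by txn id."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records[fields["txn"]] = fields
    return records


def find_unverified(switch_text, hsm_text):
    """Return (missing, mismatched): txn ids the switch answered without any HSM
    record, and txn ids whose switch result contradicts the HSM verdict."""
    switch = parse_kv_lines(switch_text)
    hsm = parse_kv_lines(hsm_text)
    missing = sorted(t for t in switch if t not in hsm)
    mismatched = sorted(
        t for t in switch
        if t in hsm and VERDICT_TO_RESULT[hsm[t]["verdict"]] != switch[t]["result"]
    )
    return missing, mismatched


if __name__ == "__main__":
    print(find_unverified(SWITCH_LOG, HSM_LOG))  # (['1002'], ['1004'])
```

Either list being non-empty is worth an alert: a switch should never hold a result for a verification the HSM has no record of.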

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and Mignogcleaner are further tools linked to the actor in prior attacks, all of which Mandiant confirmed are still used in LightBasin operations.

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.

Mekotio Banking Trojan Resurfaces with Tweaked Code


On November 3, Check Point Research (CPR) released research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and it's now back with new techniques for evading detection. 

In October, 16 people were arrested across Spain in connection with the Mekotio and Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojans, which were then used to steal banking and financial information. According to local media sources, 276,470 euros were stolen, while transfer attempts worth 3,500,000 euros were made but fortunately blocked.

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests simply delayed the transmission of the malware across Spain, and the malware is still spreading since the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly rehashed their malware with new characteristics aimed to prevent detection after the arrests were revealed by the Spanish Civil Guard. 

Mekotio's infection vector has remained the same: phishing emails that either link to the malicious code or carry the payload in an attached ZIP archive. However, an examination of more than 100 recent attacks revealed the use of a simple obfuscation approach and a substitution cipher to evade detection by antivirus software.

In addition, the developers have included a redesigned batch file with multiple layers of obfuscation, a new PowerShell script that runs in memory to carry out the malicious actions, and the use of Themida, a legitimate software-protection tool intended to prevent cracking and reverse engineering, to shield the final Trojan payload.

Mekotio attempts to exfiltrate login credentials for banks and financial services once it has been installed on a vulnerable machine and will send them to a command-and-control (C2) server controlled by its operators. 

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."