Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Financial Data. Show all posts

Microsoft Copilot for Finance: Transforming Financial Workflows with AI Precision

 

In a groundbreaking move, Microsoft has unveiled the public preview for Microsoft Copilot for Finance, a specialized AI assistant catering to the unique needs of finance professionals. This revolutionary AI-powered tool not only automates tedious data tasks but also assists finance teams in navigating the ever-expanding pool of financial data efficiently. 

Microsoft’s Corporate Vice President of Business Applications Marketing, highlighted the significance of Copilot for Finance, emphasizing that despite the popularity of Enterprise Resource Planning (ERP) systems, Excel remains the go-to platform for many finance professionals. Copilot for Finance is strategically designed to leverage the Excel calculation engine and ERP data, streamlining tasks and enhancing efficiency for finance teams. 

Building upon the foundation laid by Microsoft's Copilot technology released last year, Copilot for Finance takes a leap forward by integrating seamlessly with Microsoft 365 apps like Excel and Outlook. This powerful AI assistant focuses on three critical finance scenarios: audits, collections, and variance analysis. Charles Lamanna, Microsoft’s Corporate Vice President of Business Applications & Platforms, explained that Copilot for Finance represents a paradigm shift in the development of AI assistants. 

Unlike its predecessor, Copilot for Finance is finely tuned to understand the nuances of finance roles, offering targeted recommendations within the Excel environment. The specialization of Copilot for Finance sets it apart from the general Copilot assistant, as it caters specifically to the needs of finance professionals. This focused approach allows the AI assistant to pull data from financial systems, analyze variances, automate collections workflows, and assist with audits—all without requiring users to leave the Excel application. 

Microsoft's strategic move towards role-based AI reflects a broader initiative to gain a competitive edge over rivals. Copilot for Finance has the potential to accelerate impact and reduce financial operation costs for finance professionals across organizations of all sizes. By enabling interoperability between Microsoft 365 and existing data sources, Microsoft aims to provide customers with seamless access to business data in their everyday applications. 

Despite promising significant efficiency gains, the introduction of AI-driven systems like Copilot for Finance raises valid concerns around data privacy, security, and compliance. Microsoft assures users that they have implemented measures to address these concerns, such as leveraging data access permissions and avoiding direct training of models on customer data. 

As Copilot for Finance moves into general availability later this year, Microsoft faces the challenge of maintaining data governance measures while expanding the AI assistant's capabilities. The summer launch target for general availability, as suggested by members of the Copilot for Finance launch team, underscores the urgency and anticipation surrounding this transformative AI tool. 

With over 100,000 organizations already benefiting from Copilot, the rapid adoption of Copilot for Finance could usher in a new era of AI in the enterprise. Microsoft's commitment to refining data governance and addressing user feedback will be pivotal in ensuring the success and competitiveness of Copilot for Finance in the dynamic landscape of AI-powered financial assistance.

RBI Issues Warning Against Scam Via KYC trick

 

On February 2, 2024, the Reserve Bank of India (RBI) reiterated its prior warning to the public, offering further suggestions in response to a rising tide of scams involving Know Your Customer (KYC) updates. RBI amplified the cautionary tips issued earlier to the public on September 13, 2021, citing continuing incidents/reports of consumers falling victim to scams being perpetrated in the name of KYC updation. 

Modus operandi 

Customers typically receive unsolicited calls, texts, or emails requesting personal information, account or login credentials, or the installation of unapproved apps via links in the message. 

Frequently, the messages intentionally instil a false feeling of urgency by threatening to freeze or close the customer's account if they don't cooperate. Customers provide fraudsters unauthorised access to their accounts and enable them to commit fraudulent operations when they divulge critical private details or login credentials. 

Quick reporting 

The Reserve Bank of India (RBI) advised victims of financial cyber fraud to report the incident right away on the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) or by calling the cybercrime hotline in 1930. 

Preventive measures 

To prevent people from becoming victims of KYC fraud, the RBI published a list of dos and don'ts. Critical data such as card details, PINs, passwords, OTPs, and account login credentials should never be shared with third parties, the RBI cautions the public. 

Individuals are also advised not to click on dubious or unverified links they receive via email or mobile devices, nor share KYC documents with unrecognised or unknown parties. "Do not share any sensitive information through unverified/unauthorised websites or applications," the central bank advised.

For confirmation and help, get in touch with the bank or financial institution immediately when you get a request for KYC updates. Get phone numbers for customer service or contact information exclusively from the official website or other sources. Report any incidents of cyber fraud to the bank right away. Ask the bank about the possible ways to update your KYC information.

Hackers Threaten to Leak South Africa’s Private Financial Data, Demand R1.1 Billion Ransom


In a recent cyber threat, hackers have threatened to release all of South Africa’s private financial data unless TransUnion and Experian, the two biggest consumer credit reporting companies in the country, agree to pay ransom of R1.1 billion.  

The companies – TransUnion and Experian – were the ones that were hit by the cybercrime attack. 

According to Times Live, the hackers, the Brazil-based N4ughtySecTU Group, who had previously breached TransUnion's security and firewalls, claimed to have successfully evaded the safeguards of the company once again, following which they stole the data.  

Apparently, the hackers have demanded $30m [about R565m] from TransUnion and $30m from Experian.

The hackers, in a message sent to the managers and directors of the impacted companies, stated: “Ensure your response teams contact us on Session [a private communication platform] for payment instructions.”

While acknowledging the demands, TransUnion and Experian refuted the group's allegations of an ongoing hack on their systems.

“Following recent media coverage, TransUnion South Africa confirms it is aware of a financial demand from a threat actor asserting they have accessed TransUnion South Africa’s data. We have found no evidence that our systems have been inappropriately accessed or that any data has been exfiltrated,” TransUnion said.

“We’ve likewise seen no change to our operations and systems in South Africa related in any way to this claim. We are continuing to monitor closely. We treat matters regarding our information security seriously, and data security remains our top priority,” they continued. 

Not the First Attempt to Hack

Previously, in March 2022, N4ughtysecTU claimed responsibility for targeting TransUnion in their ransomware campaign. 

TransUnion South Africa later confirmed the hack, confirming that at least 3 million individuals were affected.  

Apparently, the threat actors gained access to the personal data of over 54 million people, which included information about their dates of birth, ID numbers, gender, marital status, and other sensitive facts. 

Experian also suffered a data breach in August 2020, reported by the South African Banking Risk Centre (SABRIC). The data breach compromised the personal information of around 24 million individuals and several business entities to a fraudster. 

Karabo Phungula, an Experian data fraudster, was given a 15-year prison sentence in March by the Specialized Commercial Crimes Court for obtaining the dataset under false pretence.   

Australia's Cyber Strategy: No Ransomware Payment Ban

Australia has recently unveiled its new Cyber Security Strategy for 2023-2030, and amidst the comprehensive plan, one notable aspect stands out – the absence of a ban on ransomware payments. In a world grappling with increasing cyber threats, this decision has sparked discussions about the efficacy of such a strategy and its potential implications.

The strategy, detailed by the Australian government, outlines a sweeping resilience plan aimed at bolstering the nation's defenses against cyber threats. However, the decision not to ban ransomware payments raises eyebrows and prompts a closer examination of the government's rationale.

According to reports, the Australian government aims to adopt a pragmatic approach to ransomware, acknowledging the complex nature of these attacks. Instead of an outright ban, the strategy focuses on improving cybersecurity, enhancing incident response capabilities, and fostering collaboration between government agencies, businesses, and the wider community.

Critics argue that allowing ransom payments may incentivize cybercriminals, fueling a vicious cycle of attacks. The concern is that paying ransoms may encourage hackers to continue their activities, targeting organizations with the expectation of financial gain. In contrast, proponents of the strategy contend that banning payments may leave victims with limited options, especially in cases where critical data is at stake.

Australia's decision aligns with a growing trend in some parts of the world where governments are grappling with finding a balance between protecting national security and providing victims with avenues for recovery. The approach reflects an understanding that rigid and one-size-fits-all policies may not be effective in the ever-evolving landscape of cyber threats.

The new Cyber Security Strategy also emphasizes the importance of international cooperation to combat cyber threats. Australia aims to actively engage with international partners to share threat intelligence, collaborate on investigations, and collectively strengthen global cybersecurity.

Australia's experiment with a more nuanced approach to ransomware payments is being watched by the whole world, and the results will probably have an impact on how other countries formulate their cybersecurity laws. The continuous fight against cyber dangers will depend on finding the ideal balance between deterring illegal activity and helping victims.

In contrast to other nations that have taken more restrictive measures, Australia has decided not to outlaw ransomware payments in its new Cyber Security Strategy. In light of the always-changing cybersecurity landscapes, it underscores the significance of a comprehensive, cooperative, and flexible approach and demonstrates a practical recognition of the difficulties presented by cyber attacks. The future course of international cybersecurity regulations will surely be influenced by this strategy's success.

Ransomware Shakes ICBC: Global Financial Markets on High Alert

In a startling turn of events, Wall Street was rocked by a devastating ransomware attack that affected China's Industrial and Commercial Bank of China (ICBC), the country's biggest lender. The attack disrupted trade and brought attention to the growing threat of cybercrime in the financial sector.

The attack, which targeted ICBC, was not only a significant blow to the bank but also had far-reaching implications on the global financial landscape. Wall Street, closely intertwined with international markets, experienced a temporary halt in trade as the news of the cyber assault reverberated across financial news outlets.

The ransomware attack on ICBC serves as a stark reminder of the vulnerability of even the most robust financial institutions to sophisticated cyber threats. The attackers, exploiting weaknesses in ICBC's cybersecurity infrastructure, managed to compromise critical systems, causing widespread disruptions and raising concerns about the broader implications for the global financial ecosystem.

As information about the attack unfolded, reports indicated that ICBC struggled to contain the breach promptly. The incident prompted regulatory bodies and financial institutions worldwide to reevaluate their cybersecurity measures, recognizing the urgent need for robust defenses against evolving cyber threats.

The consequences of such attacks extend beyond financial disruptions. They underscore the importance of collaborative efforts among nations and private enterprises to strengthen global cybersecurity frameworks. The interconnected nature of the modern financial system demands a united front against cyber threats, with a focus on information sharing, technological innovation, and proactive defense strategies.

In the aftermath of the ICBC attack, financial markets witnessed increased scrutiny from regulators, urging institutions to fortify their cybersecurity postures. This incident serves as a wake-up call for the industry, emphasizing the need for continuous investment in cybersecurity measures, employee training, and the adoption of cutting-edge technologies to stay ahead of evolving threats.

The broader implications of the ICBC ransomware attack are not limited to the financial sector alone. They underscore the need for a collective and proactive approach to cybersecurity across industries, as cyber threats continue to grow in scale and sophistication. As nations and businesses grapple with the aftermath of this attack, it becomes increasingly evident that cybersecurity is a shared responsibility that transcends borders and industries.

Taking Measures to Prevent Card Skimming and Shimming

Protecting your financial information is crucial in the digital era we live in today. Credit card skimming and shimming have grown to be serious risks to customers all around the world with the emergence of sophisticated cybercrime techniques. Maintaining your financial stability depends on your ability to recognize and resist these approaches.

Credit card skimmers, according to PCMag, are deceptive gadgets installed on legal card readers, such as ATMs or petrol pumps, with the purpose of capturing and storing your card information. Cybercriminals have adapted by utilizing shimmers, which are extremely thin devices inserted into the card reader slot, according to KrebsOnSecurity, which cautions that even with the switch to chip-based cards, they have done so. These shimmers allow them to intercept the data from the chip.

The Royal Canadian Mounted Police (RCMP) provides valuable insights into how criminals install skimmers. They often work quickly and discreetly, making it hard for victims to notice. They may place a fake card reader on top of the legitimate one or install a small camera nearby to capture PIN numbers.

To protect yourself, it's important to be vigilant. MakeUseOf suggests a few key steps:

  • Inspect the Card Reader: Before using an ATM or a card reader at a gas pump, take a moment to examine the card slot. Look for any unusual devices or loose parts.
  • Cover Your PIN: Use your hand or body to shield the keypad as you enter your PIN. This simple step can prevent criminals from capturing this crucial piece of information.
  • Monitor Your Accounts: Regularly review your bank and credit card statements for any unauthorized transactions. Report any suspicious activity to your bank immediately.
  • Choose ATMs Wisely: Whenever possible, use ATMs located in well-lit, high-traffic areas. Avoid standalone ATMs in secluded or poorly monitored locations.
  • Stay Informed: Keep up-to-date with the latest scams and techniques used by cybercriminals. Knowledge is your best defense.
Remaining vigilant and well-informed is your primary defense against credit card skimmers and shimmers. By adopting these practices and staying aware of your surroundings, you can significantly reduce the risk of falling victim to these insidious forms of cybercrime. Remember, your financial security is well worth the extra effort.


McLaren Health Data Breach

McLaren Health Care, a major healthcare provider, was hit by a ransomware attack. This type of cyberattack encrypts a victim's data and demands a ransom to decrypt it. The hackers stole sensitive patient data and threatened to release it if McLaren didn't pay them. This incident highlights the need for strong cybersecurity measures in the healthcare industry.

Residents received messages from McLaren Health Care on October 6, 2023, alerting them to the cyber threat that had put patient data confidentiality at risk. This incident serves as a sobering reminder of the growing cyber threats facing healthcare organizations around the world.

Ransomware attacks involve cybercriminals encrypting an organization's data and demanding a ransom for its release. In this case, McLaren Health Care's patient data is at stake. The attackers aim to exploit the highly sensitive nature of healthcare information, which includes medical histories, personal identification details, and potentially even financial data.

The implications of this breach are far-reaching. Patient trust, a cornerstone of healthcare, is at risk. Individuals rely on healthcare providers to safeguard their private information, and breaches like this erode that trust. Furthermore, the exposure of personal medical records can have severe consequences for individuals, leading to identity theft, insurance fraud, and emotional distress.

This incident emphasizes the urgency for healthcare organizations to invest in state-of-the-art cybersecurity measures. Robust firewalls, up-to-date antivirus software, regular security audits, and employee training are just a few of the essential components of a comprehensive cybersecurity strategy.

Additionally, there should be a renewed emphasis on data encryption and secure communication channels within the healthcare industry. This not only protects patient information but also ensures that in the event of a breach, the data remains unintelligible to unauthorized parties.

Regulatory bodies and governments must also play a role in strengthening cybersecurity in the healthcare sector. Strict compliance standards and hefty penalties for negligence can serve as powerful deterrents against lax security practices.

As McLaren Health Care grapples with the aftermath of this attack, it serves as a powerful warning to all healthcare providers. The threat of cyberattacks is real and pervasive, and the consequences of a breach can be devastating. It is imperative that the industry acts collectively to fortify its defenses and safeguard the trust of patients worldwide. The time to prioritize cybersecurity in healthcare is now.


Key Group Ransomware: Free Decryptor Released

A free decryptor to tackle the infamous Key Group ransomware has been launched, making a huge contribution to the fight against cybercrime. This finding represents a win for cybersecurity professionals and victims alike, offering some hope to those who have been affected by this harmful program.

The ransomware known as Key Group has been making news for all the wrong reasons by encrypting data and demanding large ransom payments from victims. However, a recent development has provided some solace. Organizations and security professionals have teamed up to create a decryptor that can free users from the grip of this digital threat.

The Key Group ransomware, like many others of its kind, infiltrates computer systems, encrypts data, and demands a ransom for the decryption key. These attacks have wreaked havoc on individuals and organizations, causing data loss and financial distress. Victims were left with two grim choices: pay the ransom and hope for a decryption key, or suffer the loss of valuable data.

The release of this free decryptor is a game-changer in the battle against cybercriminals. It allows victims to regain access to their data without succumbing to the demands of the attackers. This development underscores the importance of collaboration within the cybersecurity community. Researchers, analysts, and organizations came together to reverse-engineer the ransomware and develop a tool capable of undoing its malicious work.

Notably, this free decryptor is a testament to the relentless efforts of cybersecurity professionals who work tirelessly to protect individuals and businesses from the perils of the digital world. Their commitment to innovation and the pursuit of solutions to emerging threats is commendable.

While the release of a free decryptor is undoubtedly a significant step forward, it should also serve as a reminder of the importance of proactive cybersecurity measures. Prevention is often the best defense against ransomware attacks. Regularly updating software, implementing robust security protocols, and educating users about phishing and malware are crucial steps in reducing the risk of falling victim to such attacks.


Carding: What is it and how can you Safeguard Yourself ?

 

Carding has attracted a lot of attention recently, but not everyone understands what it includes. Carding is a type of credit card fraud that occurs when a stolen bank card is used to make purchases. It is a criminal act that affects both consumers and merchants. So, what exactly is carding, how do cybercriminals do it, and what are the risks? 

Carding is the illegal acquisition of goods or services through the use of another person's credit card information. This can be accomplished by stealing someone's credit card information or purchasing stolen financial data on the internet. Cybercriminals target online stores because they can purchase goods like electronics and other high-value items anonymously.

In some cases, criminals may sell or exchange stolen credit card information with others in underground forums. However apart from that, since such transactions are difficult to track, many cybercriminals buy gift cards or other types of prepaid cards. 

Many malicious hackers buy items with stolen cards and then sell them for a lower price for cash, earning money illegally. The main danger of carding is identity theft, as criminals can use stolen credit card information to buy items with someone else's money. If a credit card is used fraudulently and the user is unaware, financial losses or even criminal charges may result. 

Carding is carried out in a variety of ways by lawbreakers. They can use a variety of software tools to scan and find vulnerable websites, as well as brute-force password, cracking. Here are some other popular methods of carding used by cybercriminals:

  • Phishing: One of the most common methods is "phishing," in which criminals send emails or messages posing as legitimate companies and requesting credit card information.
  • Skimming: Skimmers, which are devices attached to ATMs and card readers, can also be used by criminals. Without the user's knowledge, the device collects credit card information.
  • PoS Malware: PoS malware is a type of malicious software that is designed to steal credit card information from retail stores and restaurants. This is a more advanced method of carding because it necessitates specialised knowledge and resources.
  • Zero-day vulnerabilities: Some criminals also use zero-day vulnerabilities, which are security flaws in software applications and operating systems that vendors have not yet discovered. To gain access to private data stored in databases, zero-day vulnerabilities can be exploited.
What is the process of carding?

Carding is usually implemented in the following steps.

Step 1: Card information has been stolen.
The first step in carding is to obtain credit card information. This can be accomplished through one of the aforementioned methods, such as phishing, skimming, and so on.

Step 2: Card information is validated.
Once the credit card information has been obtained, it must be verified to ensure that it is valid. Criminals typically carry out this step by making a small purchase on one or more websites and then watching to see if it is successful. It could be as little as $1, for example.

Step 3: Card information is used for purchases.
Criminals are now using substantiated card details to buy products or services from various websites. This enables them to profit by reselling the purchased items for cash (or they might just enjoy the products themselves).

Step 4: The transfer of funds
Finally, criminals transfer their illegally obtained cash using money laundering methods. They might also sell stolen credit card information on underground forums and dark web markets.

How to guard against carding attacks?

The best way to avoid carding is to take preventive measures and be cautious when using or sharing your credit card information.

The most obvious piece of advice is to be cautious with your information. Don't give out your credit card information to anyone, and be especially cautious when providing it online, as criminals may use phishing techniques to gain access to your information. Check your credit card statements on a regular basis to ensure that all transactions are legitimate. If you notice any suspicious activity, contact your bank right away. Use strong passwords for all of your online accounts. This will prevent criminals from accessing your financial information.

How to Prevent Online Credit Card Frauds ?

 

Approximately 80% of Americans shop online. That's more than 263 million people, and the number is expected to grow by 31.2 million by 2025. (via Statista). E-commerce is popular because it is convenient, but the unforeseen result is cybercrime. 

According to a 2020 report by the FBI's Internet Crime Complaint Center (IC3), US citizens lost more than $1.8 billion to online skimming and related crimes that year. Shady characters continue to devise inventive methods to steal money from connected accounts by lifting or scraping unsuspecting victims' credit card information. Credit card fraud schemes vary — sometimes fraudsters create spoof websites and phish credit card information from the checkout page, and you will, of course, not receive the items you paid for.

Other times, they may send you text messages or emails claiming you are eligible for a refund for an item or service you never purchased, then demand your credit card information to "credit" you.
According to The Ascent research, approximately 35% of American consumers have been victims of credit card fraudsters. Because the likelihood of falling for these schemes increases with age, we'll share a few tips to help you avoid becoming a statistic. But first, let's go over the fundamentals.

Online credit card skimming:

Skimming is not a recent concept. Physical card skimming began with physical card skimming, which you may have viewed in movies: a scammers attaches a small device known as a skimmer to a card reader at a gas station, ATM, or other point of sale terminal. The skimmer steals unsuspecting customers' credit card information, which the fraudster then recovers and uses to make online purchases.

However, online skimming is not the same. Magecart attacks are a combination of Magento — the Adobe-owned e-commerce platform that was the original target of fraudsters — and cart. This is how it works: Instead of using physical hardware, hackers place malicious Javascript code called sniffers on websites, and those sniffers lift payment card numbers.

Malicious actors could also insert malicious fields into payment forms or create redirect links to steal customers' credit card information. Magecart skimmers typically sell the information they collect on the dark web for as little as $5. (via PCMag).

Magecart malware is difficult to detect on websites. Everything works and looks the same for the most part. However, being cautious can help you detect when something is amiss, such as being redirected to a website that does not appear secure. There are several ways to determine this.

To begin, click on the lock in the address bar to ensure the security of the website. If the lock is not closed, the connection is not secure, and the site may not be genuine. You could also look at the website's copyright date at the bottom. 

To protect visitors from compromise, secure websites frequently update the interface and protocols, ensuring that the copyright is always up-to-date or at least recent. If a website's copyright is out of date, this is a red flag (via Norton). Finally, avoid clicking on links or downloading attachments from text messages or emails. Unfortunately, being cautious will not completely protect you from skimming.

Magecart attackers steal the payment application infrastructure, which is typically provided to e-commerce merchants by third-party service providers, so even completely secure websites may contain skimming malware (via SISA). However, there is a better line of defence.  

As the number of skimming attacks grows, banks and other financial institutions are taking steps to safeguard their customers from fraud, and virtual cards are one of those solutions. They are linked to your credit card, but they can generate one-time use account numbers, security codes, expiration dates, and CVV codes for online transactions while protecting your actual credit card information.

It's also a good idea to use only one credit card for online shopping so that you can keep track of it easily. Also, contact your bank and request that international purchases on your credit card be disabled. The majority of skimming scams are card-not-present (CNP) transactions, which means that the fraudsters will use a compromised card to make a purchase in a location other than the card owner's. The victim could be in Milwaukee and receive strange debit alerts for purchases made in Miami.  

Countering Financial Data Leak in the Era of Digital Payments

 

Over the past five years, there has been a huge surge in the usage of financial services technologies and with that, the risk of a financial data breach has also increased. Multiple financial services technologies use screen scraping to access the private banking data of consumers.

 Screen scraping is a technology by which a customer provides its banking app login credentials to a third-party provider (TTP). The TTP then sends a software robot to the bank’s app or website to log in on behalf of the user and access data.

“The way consumers traditionally connect to their bank accounts is facilitated through screen scraping, where providers require internet banking login information,” explained Joe Pettersson, Chief Technology Officer at Banked. 

One safer alternative to screen scraping is APIs, which let two systems work together. Here are the three benefits of using API: 

Easier for developers 

APIs come with inbuilt documentation, which helps developers code between two systems with a common language. So, they don’t have to learn the details of a full fraud prevention engine’s code, they only need to look at the documentation to understand exactly how quickly they can access certain functions. Once again, this saves time and effort for the whole IT team and helps in making the fraud system more cost-effective. 

Good for Scaling

 Regardless of how efficient a person is, there’s simply no way to review all the user data manually. This is where APIs play an important role by offering fast queries and responses for hundreds of thousands of user logins, transactions, or signups. 

Automates everything 

Because APIs are linked to web apps, there’s no need to regularly tweak them or wait for IT updates. All the fixes and improvements are made from the server side, so individuals can focus on their business instead. It’s not only cheaper in terms of IT resources, but also much more efficient and faster.

Conclusion 

To mitigate fraud risk, propagating knowledge and awareness of new payment technologies, channels, and products, and the risks involved — to both customers and employees — is a crucial part of a fraud prevention strategy. Embedding the fraud management process into overall customer engagement and experience should be the first step forward.

10K Victims Infested via Google Play 2FA App Loaded with Banking Trojan

 

The Vultur trojan obtains bank credentials but then requests authorization to inflict even more damage later. 

A fraudulent two-factor authentication (2FA) software has been deleted from Google Play after being available for more than two weeks — but not before it was downloaded more than 10,000 times. The Vultur stealer malware, which targets and swoops down on financial information, is put into the app, which is completely functioning as a 2FA authenticator. 

Researchers at Pradeo warn users who have the malicious app, just named "2FA Authenticator," to delete it straight away since they are still at risk — both from banking-login theft and other assaults made possible by the app's broad over permissions. 

Using open-source Aegis authentication code combined with malicious add-ons, the threat actors constructed an operable and convincing app to mask the malware dropper. According to a Pradeo analysis issued, this enabled it to proliferate unnoticed via Google Play. 

“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added. 

The Vultur banking trojan is installed once the software is downloaded, and it harvests financial and banking data from the affected smartphone, among other things. The Vultur remote access trojan (RAT) malware, initially discovered by ThreatFabric investigators in March, was the first of its type to employ keylogging and screen recording as its main approach for stealing banking data, allowing the organisation to systematize and expand the process of stealing credentials. 

“The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” ThreatFabric said at the time. 

According to the Pradeo team, the fake 2FA authenticator also requests device rights that aren't shown in the Google Play profile. The attackers can use those tricksy, enhanced privileges to do things like access user location data so attacks can be aimed at specific regions, disable device lock and password security, download third-party apps, and take control of the device even if the app is shut down, according to the report. 

Once the device is fully hacked, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information,” the report said. 

Pradeo discovered another sneaky tactic used by the malicious 2FA by acquiring the SYSTEM ALERT WINDOW permission, which allows the application to modify the interfaces of other mobile apps. 

"Very few apps should use this permission; these windows are intended for system-level interaction with the OS," Google stated. 

Despite the fact that the researchers reported their disclosure to Google Play, the malicious 2FA Authenticator app loaded with the banking malware remained accessible for 15 days, according to the Pradeo team.

The GootLoader Hackers are After Law Firms and Accounting Firms

 

GootLoader is a piece of initial access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. The GootLoader hacking organization has been primarily targeting personnel at law and accounting firms in recent weeks, with the most recent attack occurring on January 6. So far, eSentire claims to have intercepted three such assaults. Potential victims are directed to hacked genuine websites that include hundreds of pages of business-related content, including free document samples for download, but they are instead infected with GootLoader. 

GootLoader is distributed using Drive-By-Download programmes, which are driven by SEO, specifically through Google. The hackers are enticing business professionals to authentic but compromised websites that they have packed with hundreds of pages of content, including multiple connections to business agreements, including legal and financial agreements, in these recent attacks.
 
The content claims to provide free downloads of these documents. eSentire's Threat Response Unit (TRU) discovered that the GootLoader hackers set up over 100,000 malicious webpages marketing various forms of commercial deals during an intensive GootLoader campaign that began last December. 

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Tragically, it is just too simple. Hundreds of legitimate websites employing WordPress as the content management system have been detected by the GootLoader gang. WordPress, like many other content management systems, has several vulnerabilities, which hackers may simply exploit to load websites with as many harmful pages as all without the knowledge of the website owner. These websites, according to the TRU team, encompass a wide spectrum of industries, including hotel, high-end retail, education, healthcare, music, and visual arts. 

"The abundance of content that threat actors have pushed onto the web, when professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead. 

Three law businesses and an accounting firm were targeted by the cybersecurity services provider, which said it intercepted and demolished the attacks and the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the content downloaded matches the content intended for download.

Cyber Attacks Are A Threat To The Energy Sector

 

According to a senior industry source, concern over cyber-attacks on power plants and electricity grids is "off the scale" in the UK energy sector. It just takes one component to fail for the entire chain to be disrupted, resulting in a cascade effect that affects our daily life. 

As winter approaches, the supply chain that serves the UK's crucial demand for gas and power is experiencing a broad energy crisis. The global gas crisis, the UK's electricity system, has already forced numerous elderly nuclear power facilities to take unplanned maintenance outages, while persistent energy shortages are expected to force further industry shutdowns. 

"The United Kingdom stands out in terms of cyber threats. Our energy system's cyber threats are over the charts," Steve Holliday stated. The UK parliament is reeling from a "sustained and aggressive" cyber-attack that has rendered MPs' email inaccessible.

So, why is the energy sector a target for cyber-attacks and why is it vulnerable? 

Any effect on the energy sector can have far-reaching consequences for entire towns and even countries. An attack on a power plant or a pipeline can result in widespread blackouts, disrupting transportation, heating, and other important economic functions. According to Mohammed AlMohtadi, the chief information security officer at Abu Dhabi's Injazat, the risk in the energy business derives from the usage of old industrial control systems that haven't been modernized in years and aren't properly linked across systems. 

So, how can big energy and utility businesses fall victim to cyber-attacks? 

Typically, ransomware attacks are used to steal commercial secrets, confidential data, and intellectual property. "The energy sector is classified as vital infrastructure. The nation's financial and physical infrastructure might be crippled if it is infiltrated," warned Avinash Advani, founder, and CEO of CyberKnight, a Dubai-based cybersecurity firm. Potential targets include oil and gas infrastructure, nuclear power plants, electricity grids, water corporations, and utility companies that provide power, water, and sewage treatment to the population. 

The Covid-19 epidemic has revealed the dark side of the energy sector. As more people work from home to stop the spread of the coronavirus, they unknowingly expose a company to cyber-attacks. The energy business should not underestimate groups who target facilities, given the devastating consequences of cyber attacks, they should focus on reinforcing their cybersecurity technology to guarantee that their firewall is safe and that any outdated, archaic computer systems and software they are employing are adequately protected.

Anubis Trojan Targeted 400 Banks’ Customers

 

A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware - a version of banking trojan Anubis – collects the user's personal data and uses it to mislead them. And it's not just huge bank customers that are at risk, according to the researchers: Crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk,'” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by fr.orange.serviceapp, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

Watch out for Christmas 2021 Credential Stuffing Attacks!

 

As per Arkose Labs' research, there were over two billion credential stuffing attacks (2,831,028,247) in the last 12 months, with the number increasing exponentially between October 2020 to September 2021. 

This form of online fraud has increased by 98 percent over the previous year, and it is projected to spike during the Christmas shopping season. Credential stuffing attacks in 2021 accounted for 5% of all web traffic in the first half of 2021. 

Credential stuffing is the most recent cyber-attack technique used by online criminals to obtain unauthorized access to users' financial and personal accounts. Cybercriminals take control of real user accounts and monetize them in a variety of ways. These include draining money from compromised accounts, collecting and reselling personal information, selling databases of the known verified username and password combinations, and exploiting compromised accounts to launder money obtained from other illegal sources. People who reuse the same username/password combination across various sites are frequently targeted by cybercriminals. 

The anti-fraud community has highlighted credential stuffing as an increasing problem in recent years. However, due to the jump in internet activity in the pandemic and the growth of online purchasing, it has risen in recent months. Credential stuffing increased 56 percent during the Christmas and New Year shopping season last year, according to research analysts, with forecasts that the same period in 2021 will witness up to eight million attacks on consumers every day. 

The Arkose Labs network detected and blocked 285 million credential stuffing assaults in the first half of 2021, with spikes of up to 80 million in a single week. In just one week, one intensively targeted social media organization experienced 1.5 million credential stuffing attacks. 

Kevin Gosschalk, CEO at Arkose Labs stated, “The global e-commerce landscape is more connected than ever before and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well-known attack tactics, such as ransomware, as THE cyber attack to watch out for.” 

“Fraudsters are compelled to this type of cybercrime as the low barrier to entry makes it easy to deploy and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.” 

Other key information 

According to the research team's newest findings, 
  • The top attacked industries by sector include gaming, digital and social media, and financial services. 
  • Credential stuffing assaults accounted for over half of all attacks aimed at the gaming industry. 
  • The United Kingdom was also named as one of the top three regions that carried out the most credential stuffing attacks against the rest of the world. 
  • Alongside, Asia and North America, both demonstrated massive amounts of fraudulent activity emanating from their respective regions.
  • During the first half of 2021, mobile-based attacks accounted for approximately one-quarter of all attacks.

Diebold Nixdorf ATM Bugs Allowed Attackers to Alter Firmware & Steal Cash

 

Security researchers at Positive Technologies have disclosed information on several vulnerabilities in Diebold Nixdorf ATMs that could have permitted an intruder to change the system's firmware and take cash. 

The vulnerabilities, known as CVE-2018-9099 and CVE-2018-9100, were discovered in the Wincor Cineo ATMs' CMD-V5 and RM3/CRS dispensers – one in each device – and were patched a few years ago. In 2016, Diebold acquired Wincor Nixdorf, and the two firms eventually merged. 

During research approved by the vendor, Positive Technologies found that, while the ATMs had a range of security mechanisms in place to combat blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually easy to get past them.

The researchers found out the command encryption between the ATM computer and the cash dispenser, bypassed it, swapped the ATM firmware with an older version, and abused the flaws to direct the device to distribute cash. 

While encryption is utilized to protect against blackbox attacks, the researchers observed that an attacker might steal the encryption keys and then spoof their own firmware to load on the compromised ATM. The researchers were able to determine the elements involved in the check process in the code responsible for confirming the firmware signature and in the firmware, particularly the public key and the signed data itself. 

Positive Technologies explained, “As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length.” 

An attacker requires to discover a means to transmit orders to the dispenser and define the amount of money in each cassette before withdrawing money from the ATM. Diebold Nixdorf, which published fixes for these vulnerabilities in 2019, suggests activating physical authentication when an operator conducts firmware installation to further prevent unauthorised access. The firm warned earlier this year that jackpotting assaults against RM3-based Cineo systems in Europe were on the surge.

Mekotio Banking Trojan Resurfaces with Tweaked Code

 

On November 3, Check Point Research (CPR) released research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and it's now back with new techniques for evading detection. 

In October, 16 people were arrested across Spain in connection with Mekotio and the Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojan, which was then used to steal banking and financial information. As per local media sources, 276,470 euros were stolen, but 3,500,000 euros worth of transfer attempts were made, which were luckily blocked. 

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests simply delayed the transmission of the malware across Spain, and the malware is still spreading since the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly rehashed their malware with new characteristics aimed to prevent detection after the arrests were revealed by the Spanish Civil Guard. 

The infection vector of Mekotio has remained the same, including phishing emails containing either links to or malicious code. The payload is contained in a ZIP archive attached. However, an examination of more than 100 recent attacks indicated the use of a simple obfuscation approach and a substitution cypher to avoid detection by antivirus software. 

In addition, the developers have included a redesigned batch file with numerous levels of obfuscation, a new PowerShell script that runs in memory to conduct malicious actions, and the use of Themida to safeguard the final Trojan payload — a legitimate application that prevents cracking or reverse engineering. 

Mekotio attempts to exfiltrate login credentials for banks and financial services once it has been installed on a vulnerable machine and will send them to a command-and-control (C2) server controlled by its operators. 

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."

CDSL Suffered a Data Breach, Exposing the Details of 43.9 Million Investors

 

According to cyber security consultancy company CyberX9, a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL), exposed personal and financial data of over 4 crore Indian investors twice in ten days. CDSL Ventures Ltd is a KYC registering agency independently registered with the Securities and Exchange Board of India (SEBI), and Central Depository Services (India) Limited (CDSL) is a SEBI registered depository. 

CVL has taken swift action, according to CDSL, and the vulnerability has now been mitigated. According to CyberX9, the vulnerability was disclosed to CDSL on October 19, and the securities depository took roughly 7 days to address it, despite the fact that it could have been fixed instantly.

The vulnerability, according to CyberX9, a Chandigarh-based consultancy firm, was not very difficult, and it was detected for the second time by the firm. “CDSL was exposing extremely sensitive personal and financial data of about 43.9 million ( about 4.39 crore) investors in India. The data being exposed belonged to those who did their market securities KYC. In India, you have to go through a KYC process for investing in securities like stocks, mutual funds, bonds,” it said.

The information exposed by CDSL, according to the Chandigarh-based cyber security start-up, could be a virtual gold mine for phishers and scammers engaged in the so-called business of e-mail compromise, who frequently impersonate brokers, banks, and businesses in an attempt to dupe individuals and businesses into transferring funds to fraudsters. 

“We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. CERT-In and NCIIPC also accepted our vulnerability report,” CyberX9 said on its blog. According to CyberX9, the exposed data includes the investor's name, phone number, email address, PAN, salary range, father's name, and date of birth.

Phishers and scammers would have an unending supply of compelling scamming templates for calls and emails if they had access to CDSL KYC data. According to CyberX9, a database like this would provide fraudsters with a constant stream of new investors undergoing KYC, allowing them to target them. Financial fraud, identity theft, and exposing people to things like extortion, targeted assaults on people, and so on can all result from sensitive personal and financial data being exposed to large groups of people.

Ransomware Ranzy Locker Infected at Least 30 US Organizations

 

The FBI announced on Monday that the Ranzy Locker ransomware has infected at least 30 US firms across a variety of industries this year. “Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” reads the flash alert. 

The flash alert was issued in collaboration with CISA and is intended to provide information to security professionals to aid in the detection and prevention of ransomware attacks. The majority of Ranzy Locker victims who reported intrusions told the FBI that the attackers broke into their networks by brute-forcing RDP credentials. 

Others have recently revealed that the attackers utilized credentials acquired in phishing operations or targeted insecure Microsoft Exchange servers.

Ranzy Locker operators will steal unencrypted documents while within a victim's network before encrypting systems on their victims' corporate networks, a method utilized by most other ransomware gangs. These exfiltrated files, which contain sensitive information such as customer information, personally identifiable information (PII) data, and financial records, are used as leverage to force victims to pay a ransom in order to regain access to their files and prevent the data from being leaked online. 

In several cases, the gang used a double model of extortion, threatening victims with leaking stolen data if they did not pay the ransom. Indicators of compromise (IOCs) connected with Ranzy Locker operations and Yara rules to identify the threat are also included in the flash warning. 

Victims will get a 'Locked by Ranzy Locker' notice and a live chat screen to negotiate with the threat actors when they visit the group's Tor payment site. The ransomware operators also offer their victims to decrypt three files for free as part of this "service" to demonstrate that the decryptor can restore their files. 

Implement regular backups of all data to be stored as air-gapped, password-protected copies offline, implement network segmentation so that no machine on your network is accessible from any other machine, install and regularly update antivirus software on all hosts, and enable real-time detection, and install updates/patches to operating systems, software, and firmware as soon as updates/patches become available, are some of the recommended mitigations that were included in the alert.