Friday, June 27, 2014

Banking malware 'Luuuk' might have stolen $682K in one week

A European bank may have lost as much as $682,000 in a week earlier this year, according to Kaspersky Lab, which analyzed data on a server used in attacks against online banking users in Italy and Turkey.

In a blog post Wednesday, the Russian security company didn't identify the bank or say why it chose to reveal the possible theft six months later. The financial institution has been notified of the discovery, and Kaspersky said it is in contact with law enforcement.

On Jan. 20, Kaspersky analysts discovered a command-and-control server for a piece of malware that executed so-called man-in-the-browser attacks on victims' computers. In that type of attack, malware intervenes during an online banking session and can manipulate or steal data.

Two days later, the fraudsters removed all of the "sensitive components" from the server, Kaspersky wrote. That indicates the cyber criminals may have known someone else was looking at it.

The fraud campaign was nicknamed "Luuuk" by Kaspersky after that name appeared in a file path of the server's administrator control panel. It appears the server managed the theft of funds from victims' accounts, automatically transferring the money to the accounts of "mules," or people who agree to receive the funds for a cut and transfer the bulk of the funds onward.

Server logs indicated that as much as $682,000 may have been transferred in a single week, wrote Kaspersky's Global Research and Analysis Team. The data indicated around 190 victims. Analysts also found on the server descriptions of fraudulent transfers and the IBANs (international bank account numbers) of victims and money mules.

Kaspersky hasn't seen a sample of the actual malware that was on victims' computers. But data on the server indicated it is similar in functionality to the infamous Zeus banking malware.

The Luuuk malware collected the logins and passwords of victims and one-time passcodes. Since one-time passcodes typically expire in a few minutes, this type of banking malware will use the code to quickly log into the victim's account.

The attackers checked the victim's balance and then conducted several fraudulent transactions automatically, likely "in the background of a legitimate banking session," the company wrote.

There are other indicators that the group is still very active, Kaspersky wrote, although it did not give further details.


Friday, June 13, 2014

Chinese smart phone Xiaomi can steal bank card data using NFC

The Nanjing-based Chinese newspaper Yangtse Evening News reports that smartphones produced by the Chinese manufacturer Xiaomi are able to steal bank card data over a wireless connection. A woman from Nanjing reportedly told the newspaper that her new Xiaomi smartphone picked up private account details from a bank card stored very close to it.

The woman was surprised to see the data displayed directly on her device's screen: the information sent to the smartphone included the number of the card held in close range and the account's last 10 transactions with their amounts and locations.

“Feng, who said she had not accessed her bank account on her phone or entered her password, initially thought it may have been the work of spyware, though she soon realized it was an automatic function because her bank card could still be read even after she closed all running applications,” states the China Times.

“Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity. The standard describes a radio technology that allows two devices to communicate at a short distance, no more than a few centimeters, allowing the exchange of information quickly and safely,” I wrote in a previous post on NFC standards.

The disconcerting discovery made by the experts working for the Yangtse Evening News is that Feng's phone could automatically retrieve details from a microchip bank card within two seconds at a range of about 10 centimeters.

This means that an attacker passing very close to your wallet in a crowded place could read personal information from your bank cards without your knowledge.

Feng said she was shocked by the behavior of the Xiaomi smartphone and believed the company should have warned its customers about this potentially serious security flaw, which could expose them to the theft of personal information from their bank cards.

“She said when she called customer support she was told that she could simply switch off the NFC function if she had concerns.”

This is really worrying; let's hope Xiaomi and other manufacturers will take NFC security issues seriously.


Wednesday, June 11, 2014

Hackers are not satisfied with payment data

Last year, security company Trustwave saw a 33% increase in the theft of sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various customer records. In all, 45% of thefts involved non-payment data, according to the “2014 Trustwave Global Security Report.”

Payment card data remains the main target of data compromises, but thieves are increasingly going after other types of personal and sensitive data, according to a new report from security firm Trustwave.

Trustwave based the findings in the 123-page report on an analysis of 691 data-breach investigations conducted last year (a 54% increase from 2012), along with threat intelligence from its global security operations, telemetry from security technologies and research.

Without strong defenses in place almost universally, data thieves will continue to thrive, Trustwave contends.

“A global, thriving underground provides for quick monetization of stolen data no matter where the victim or attacker resides,” the company said in the report. “As long as criminals can make money by stealing data and selling that sensitive information on the black market, we don’t expect data compromises to subside.”

Weak passwords contributed to 31 percent of compromises Trustwave investigated. More than half (59 percent) of compromised victims resided in the U.S., 14 percent in the United Kingdom and 11 percent in Australia.

In 2013, eCommerce accounted for 54% of assets targeted by hackers, and point-of-sale breaches accounted for 33 percent of Trustwave’s investigations.

Retail was the top industry compromised, accounting for 35 percent of the attacks investigated. Food and beverage ranked second at 18 percent, hospitality ranked third at 11 percent, and finance ranked fourth at 9 percent.

The median number of days from initial intrusion to detection was 87. Some 71% of all compromised victims did not know they were compromised. Self-detection, Trustwave noted in its report, shortens the timeline from detection to containment to one day, compared with 14 days when the breach is detected by a third party. The median number of days from detection to containment was seven.

“Victims that identify a breach on their own detect it sooner and reduce clean-up time by two weeks,” Trustwave said. “A plan will help make your organization aware of a compromise sooner, limit its repercussions and shorten its duration.”

Among the exploits detected, 85% involved third-party plug-ins, including Java applets, Adobe Flash and Adobe Acrobat/Reader. “78% of exploits we detected took advantage of Java vulnerabilities,” Trustwave said in its report.

At 49%, Blackhole topped the list of most prevalent exploit kits. “However, the arrest of its creator and a lack of updates to the kit spurred a 15% decline in Blackhole’s prevalence,” Trustwave said. “We expect the second-most prevalent kit, Magnitude at 31%, to fill the gap.”

Moreover, 96% of the applications, and 100% of the mobile applications, that Trustwave scanned harbored one or more serious security vulnerabilities. Based on attack-source IP addresses, the top three malware-hosting countries last year were the U.S. at 42%, Russia at 13% and Germany at 9%.

“This may be a result of foreign attackers adapting to businesses blocking connections from foreign IP addresses by compromising other assets within the target country and using them as “jump servers” to launch attacks against primary targets,” Trustwave said.

In the report, Trustwave suggested a few ways to counter breach attacks, including educating staff and employees on the best security practices, enforcing strong authentication policies and practices, assessing data protections across all assets, testing system resilience to attacks, and developing and rehearsing incident response plans.

“Secure all of your data, and don’t lull yourself into a false sense of security just because you think your payment card data is protected,” Trustwave advised. “Assess your entire set of assets from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data.”

Many of the multi-site breaches centered on franchise business models. As such, the information technology used must be strong, Trustwave advised. “Franchisees are often required to deploy information technology defined by the franchisor for efficiency purposes and to simplify management of those environments,” the company noted. “While a well-designed technology template can help to improve security, a poor design can result in a vulnerability present across potentially thousands of locations. If an attacker discovers and takes advantage of a flaw at one franchise, they can replicate the exploit at other locations.”



Monday, June 9, 2014

Windows XP can get updates till today!

Microsoft officially ended support for Windows XP on April 8, 2014. This prompted a large number of users to switch to the latest version of Windows, but many users are still running Microsoft's oldest and most widely used operating system, XP, despite no longer receiving security updates from Microsoft.

But some companies and organizations that were unable to migrate their systems running Windows XP to another operating system before support ended are still receiving updates by paying Microsoft for security patches. Now a relatively simple trick has emerged that makes it possible for XP users to receive Windows XP security updates for the next five years, i.e. until April 2019.

It makes use of updates for Windows Embedded POSReady 2009, which is based on Windows XP Service Pack 3: the security updates released for POSReady 2009 are the same updates Microsoft would have rolled out for Windows XP if it were still supporting that operating system.

Windows Embedded POSReady 2009 is the operating system installed in point-of-sale (POS) systems such as restaurant terminals, ticket machines and other customized Windows Embedded systems. These POS machines are essentially running XP and therefore receive the same updates that Microsoft would otherwise deliver for the officially unsupported Windows XP.

You are not allowed to install these Windows updates directly on your OS. In order to download new security updates for your Windows XP, you just need to make a simple change to the Windows registry.

FOLLOW THESE STEPS:
1. Open Notepad and create a new file.
2. Add the code given below to it:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

3. Save the file with a .reg extension (e.g. test.reg) and run it by double-clicking it.
4. Once it has run, you will find lots of pending updates in your Windows Action Center.
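For anyone administering a fleet of XP machines, the same registry value is also the thing to look for when you want to know which boxes have had this trick applied. The script below is an added audit example, not part of the original post: it queries the PosReady key from the steps above with reg.exe and compares it against the ProductName value of the install. The file name poscheck.cmd and the assumption that a genuine POSReady 2009 install carries "POSReady" in its ProductName are mine, not something the post states.

```batch
@echo off
rem Added audit script (not from the original post): reports whether this
rem machine carries the PosReady registry flag described above and, if it
rem does, whether the install identifies itself as POSReady or as plain
rem Windows XP. Meant to be run from cmd.exe on XP / POSReady 2009, where
rem reg.exe and findstr.exe are available by default.
setlocal

set "POSKEY=HKLM\SYSTEM\WPA\PosReady"
set "VERKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
set "FLAG=absent"
set "PRODUCT=unknown"

rem 1. Is the Installed value present and set to 1 (shown by reg.exe as 0x1)?
reg query "%POSKEY%" /v Installed 2>nul | findstr /i /r /c:"Installed.*REG_DWORD.*0x1$" >nul
if not errorlevel 1 set "FLAG=set"

rem 2. Read the product name; tokens=2* skips the value-name and type columns
for /f "tokens=2*" %%A in ('reg query "%VERKEY%" /v ProductName 2^>nul ^| findstr /i "ProductName"') do set "PRODUCT=%%B"

echo PosReady\Installed : %FLAG%
echo ProductName        : %PRODUCT%

rem 3. Assumption: a genuine POSReady 2009 install names itself "POSReady" in
rem    ProductName, so the flag together with an XP product name points to a
rem    Windows XP machine using the trick. Exit code 2 lets an inventory job
rem    single such machines out; exit code 0 means nothing suspicious was found.
if "%FLAG%"=="set" (
    echo %PRODUCT% | findstr /i "POSReady" >nul
    if errorlevel 1 (
        echo RESULT: Windows XP presenting itself as POSReady 2009 - trick applied
        exit /b 2
    )
)
echo RESULT: no POSReady spoofing detected
exit /b 0
```

Save it as poscheck.cmd and run it from an elevated command prompt; a logon script or inventory tool can collect the exit code to build a list of machines that are taking the embedded updates rather than an upgrade.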

Because extended support for Windows Embedded POSReady 2009 runs for five more years, Microsoft will continue to deliver new security updates and patches for this version of its embedded operating system until April 9, 2019, so users can use this trick to get Windows XP security updates for another five years.

Despite receiving security updates for Windows XP by using such tricks, it is not possible to secure the complete system appropriately. So all of you should upgrade your operating system to the latest versions, i.e. Windows 7 or 8 or any Linux OS.