Sunday, February 28, 2016

Google launches “Project Shield” to protect news websites from DDoS attacks

Google will now protect news websites from distributed denial-of-service (DDoS) attacks. On Thursday it launched “Project Shield”, a free service for news websites. The initiative itself is not new: it has existed since 2013, but until now only invited testers could use it. Google has now opened it to the public.

Google wants to protect news websites from DDoS and other cyber attacks, especially sites that report on oppressive regimes. At the same time, Google gets to test Project Shield against real attacks. Google said the service is still in a testing phase, so it is letting news websites large and small serve their content through Google’s infrastructure without paying anything. According to Google, the initiative is open to news websites worldwide.

Why is Google doing this?

According to Google, it supports free expression and access to information. Journalism is an important part of any country and must stay available, yet news websites are attacked precisely when they are needed most. Google is also considering Project Shield for election-monitoring and human-rights websites.

In a blog post on the Project Shield website, the company wrote that one reason for the launch is that it will learn how to protect websites from DDoS attacks better. The company also wrote that, although it has built dedicated infrastructure for the initiative, it offers no guarantee of how much protection it can provide. Because third-party sites can use it, a number of human-rights and election-monitoring websites are applying.

Conditions for qualifying websites

Admins and webmasters do not need to learn anything difficult; basic technical knowledge is enough to understand how Project Shield works. A site that uses the service routes its traffic through Google, which acts as a reverse proxy in front of the site’s own servers. This is necessary because the Project Shield team monitors the traffic to identify malicious activity: the service needs to see the requests and their logs in order to protect the site accurately.


Google said thousands of news websites are now eligible, including small individual sites that would otherwise be at risk of being knocked offline. A content delivery network (CDN) that absorbs and filters traffic in front of the origin server is an established way of withstanding DDoS attacks, so sites that do not already sit behind a CDN stand to benefit most from Project Shield.
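
As an added illustration (this is example code written for this page, not Google’s Project Shield code, and the log format, proxy address range and thresholds are assumptions), here is how an origin server sitting behind a DDoS-absorbing proxy can check two things from its own access log: which real clients are hammering it, which requires reading the client address the proxy appends in X-Forwarded-For rather than the proxy’s own address, and whether any request reached the origin without passing through the proxy at all, which would mean the attacker has found the origin’s address and the shield is being bypassed.

```python
"""Access-log triage for an origin fronted by a filtering reverse proxy.

Added example for this page, not Project Shield code. The log format, the
proxy's egress range and the thresholds are assumptions; the log lines are
constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed: the address range the proxy forwards traffic from.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed log format: <peer_ip> <x-forwarded-for|-> [<time>] "<request>" <status>
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})$')

# Constructed sample: one client sends 8 requests in 3 seconds through the
# proxy (one of them with a forged extra X-Forwarded-For entry), another
# client is quiet, and one request hits the origin directly.
SAMPLE_LOG = """\
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:01 +0000] "GET / HTTP/1.1" 200
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:01 +0000] "GET / HTTP/1.1" 200
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:02 +0000] "GET / HTTP/1.1" 200
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:02 +0000] "GET / HTTP/1.1" 200
203.0.113.7 10.0.0.9,198.51.100.23 [28/Feb/2016:10:00:02 +0000] "GET / HTTP/1.1" 200
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:03 +0000] "GET / HTTP/1.1" 200
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:03 +0000] "GET / HTTP/1.1" 200
203.0.113.7 198.51.100.23 [28/Feb/2016:10:00:03 +0000] "GET / HTTP/1.1" 200
192.0.2.50 - [28/Feb/2016:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200
203.0.113.7 198.51.100.77 [28/Feb/2016:10:00:05 +0000] "GET /news HTTP/1.1" 200
203.0.113.7 198.51.100.77 [28/Feb/2016:10:00:09 +0000] "GET /news HTTP/1.1" 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    peer, xff, ts, request, status = m.groups()
    # X-Forwarded-For is "client,hop1,hop2": only the right-most entry was
    # appended by our own proxy, so only that one is trusted. Anything further
    # left can be written by the client itself.
    client = peer if xff == "-" else xff.split(",")[-1].strip()
    return {
        "peer": peer,
        "client": client,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "request": request,
        "status": int(status),
    }


def is_from_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def analyse(log_text, window_seconds=10, max_requests=5):
    """Return (bypass_peers, abusive_clients).

    bypass_peers: addresses that reached the origin without going through the
    proxy. abusive_clients: {client: peak requests} for clients that exceeded
    max_requests within any window_seconds span, judged by the trusted address.
    """
    per_client = defaultdict(list)
    bypass = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_from_proxy(rec["peer"]):
            bypass.append(rec["peer"])
            continue  # forwarded header cannot be trusted here; it never passed the proxy
        per_client[rec["client"]].append(rec["time"])

    abusive = {}
    for client, times in per_client.items():
        window = deque()
        peak = 0
        for t in sorted(times):          # sliding window over this client's requests
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_requests:
            abusive[client] = peak
    return sorted(set(bypass)), abusive


if __name__ == "__main__":
    direct, heavy = analyse(SAMPLE_LOG)
    print("requests that bypassed the proxy from:", direct)
    print("clients exceeding the rate limit:", heavy)
```

Run as a script it prints both findings for the constructed sample. The two details worth keeping are that rate limiting is keyed on the address the trusted proxy appended, and that a request from outside the proxy’s range is treated as a bypass rather than rate-limited, because the only proper response is to firewall the origin so that it accepts traffic from the proxy alone.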

The encrypted email service ProtonMail suffered a major DDoS attack in November 2015, and the British Broadcasting Corporation’s (BBC) websites were taken offline on 31 December by a DDoS attack that reportedly peaked at around 600 Gbps.

Google’s effort, then, is aimed at protecting journalism in every country from cyber attacks and DDoS attacks.


Saturday, February 27, 2016

List of data breaches and cyber attacks in February 2016

It’s been a rather quiet month in terms of cyber attacks and data breaches. There have been very few cyber attacks at well-known organisations, and no large-scale thefts of payment card information.

Here are the details of the cyber attacks and data breaches in February 2016.

Cyber attack

Linux Mint hacked – lone attacker creates botnet

Lincolnshire Council forced to use pen and paper after ransomware attack

Major Hollywood hospital brought down by a ransomware attack demanding $3.6 million

Florists hit by targeted DDoS attacks in run-up to Valentine’s Day

Skype users hit by ads spreading malicious Angler exploit kit

Readers of celebrity gossip site TMZ hit by malvertising campaign

Former Smart Online IT manager sentenced to 30 months for sending damaging code to the firm’s servers

NZ health board hit with ransomware

Kashmir institute under attack said no to security, total data loss feared

DayZ And ArmA 3 Feedback Trackers Offline Due To Potential Security Breach

Flint water crisis hack by Anonymous created hassles for hospital patients

Data breach


Spoofed CEO email causes data breach at health care provider

Sensitive data swiped in Gyft data breach

St. Joseph Hospital employee information leaked in phishing scam

Unauthorized access leads to Neiman Marcus Group breach, 5,200 affected

Vilas County jail inmates had personal info disclosed online

Greenwich University hit by data breach

TaxSlayer suffers data breach affecting tax records of 8,800 customers

Researcher tells child tracking firm it has left its database wide open, and is accused of ‘hacking’

9000+ Department of Homeland Security staff have their details leaked by hacker

Site creates unauthorized searchable database of info of Jacksonville State University students, faculty

Stolen Shire laptop contained patients’ personal and medical info

Quotemehappy? No, I’m furious: Insurance site loses customer details

@ChileanCrew Hacks, Leaks Details for 300,000 Chilean Citizens Looking for State Benefits

Fighting cyber crime


Oregon man pleads guilty to “phishing” celebrity nude photos

Website selling stolen credit card numbers is shut down

British teenager arrested for ‘trying to hack into FBI computer networks’


Beware of LinkedIn frauds

In recent months I've started noticing something strange: too many connection requests from people I do not know. Since I work in the cybersecurity industry, I'm very careful about whom I add on LinkedIn. Most of these requests were what I would deem safe, but an alarming number of them originated from obviously fake profiles.

Most likely they are groundwork for phishing campaigns; fake profiles are among the most popular means of acquiring a target’s credentials and personal data. One report described a group of attackers believed to be operating out of Iran who created dozens of fake LinkedIn accounts posing as corporate headhunters in order to approach professionals in industries such as telecommunications, and even in government agencies. Once the approach succeeded, the targets were enticed into giving up information such as their business email addresses.

Business email addresses are the key asset, because they lead the attackers to the targets they are really after. Data stolen in one successful phishing campaign is used to run a more convincing campaign the next time; with access to job titles, reporting structures and email addresses, the attackers have what they need to assume the identity of senior management.

Using a compromised or spoofed company email address, an attacker can pose as a board member, the CEO, a senior executive or, most often, the CFO, and usually writes to an employee below the assumed position in the corporate hierarchy. There are plenty of cases in which an employee has been pressured into transferring money to the impersonator’s account at the behest of the fake executive.

Conversely, an attacker can assume the identity of a supplier, sending a vendor email that is easily mistaken for routine communication. Vendor accounts are either compromised or their domains are spoofed with subtle changes, an extra character here or a removed one there, so that the address looks legitimate. The scale of such an operation often only unravels when targeted employees try to verify a transaction.

Another way email is exploited is through malware-laced attachments that compromise the targeted computer. The most prominent example of financial malware is that used by the Carbanak gang, which is estimated to have stolen up to $1 billion from over 100 financial institutions around the world.

The payload is triggered when a bank employee opens the attachment in a phishing email. That campaign targeted the employees responsible for the institutions’ software and ATM operations. The malware then deploys a remote access tool (RAT) that captures screenshots of the infected computer and sends them back to the attackers; credentials visible on screen are used to siphon money from the bank’s accounts into the attackers’ accounts.

All of this becomes plausible once attackers and fraudsters have set up fake LinkedIn profiles.

Significantly, many of the fraudulent profiles share common themes and follow a specific pattern. They predictably use stock photos of attractive women; some instead use pictures of real professionals to seem more convincing.

The fraudulent accounts pose as recruiters at a non-existent firm, or alternatively describe themselves as ‘self-employed.’

Lazily, many fake profiles have their content copied from the profiles of real professionals. The profiles are stuffed with keywords so that they show up near the top of search results.

Many LinkedIn users are looking for better employment opportunities or, at the very least, hoping to catch a recruiter’s eye, so posing as a recruiter is the obvious choice for a fraudster.

The epidemic of fake profiles grew to such an extent that the BBC covered a report on it by the security firm Symantec.

Security researcher Dick O'Brien told the publication: "Most of these fake accounts have been quite successful in gaining a significant network; one had 500 contacts. Some even managed to get endorsements from others."

For its part, LinkedIn is usually quick to suspend accounts that clearly violate its rules, which include a prohibition on creating fake profiles.

Dell SecureWorks’ Counter Threat Unit identified at least 25 fake profiles which, worryingly, were connected to over 200 legitimate LinkedIn profiles.

Thursday, February 25, 2016

Security Tips To Protect Your Money From Online Fraud


This is the era of the internet, and almost everything is available online: books, clothes, daily necessities, even food. People prefer online shopping because it saves time, and they pay with their credit cards. That convenience has also invited cyber crime. Criminals steal users’ credentials with scripted attacks and other illegal methods, and online fraud suits them because it needs no physical presence, only social-engineering skill and some programming ability. From a sofa, a criminal can release malware, stand up fake websites and send phishing messages to steal anyone’s credit card details. Using your card credentials securely is your own responsibility.

1. Never share your internet banking login credentials. Your card’s CVV code and PIN are highly sensitive. Any email or message asking for your credit card details is a trap set by criminals; do not respond to it. This technique is called phishing. Criminals may also telephone you pretending to be a bank manager and ask for your PIN. Your bank will never do this: it already holds the account records it needs and has no reason to ask you for your PIN.

2. Do not let your browser save your banking passwords, because malware can steal saved credentials and session cookies. Always log out of financial accounts after using them. Avoid using financial services on public Wi-Fi, in cafes and similar places. Private browsing only stops the browser keeping history and cookies on that machine; it does not protect your traffic on an untrusted network, so if you must bank on the move, use mobile data or a VPN you trust.

3. Make sure the website where you are about to enter your card details is the genuine one. Use only trusted sites served over “https”, and check that the address bar shows the domain you expect. Criminals build fake websites that look like the originals on look-alike domains, for example with a doubled letter: www.bankofamerica.com is the real site, and a fake might be www.bankoffamerica.com.

4. Use a long, unique password for each online account, one that criminals cannot guess. Never reuse the same password across accounts. Enable two-step authentication wherever it is offered.

5. Use a reputable antivirus product and keep it updated; a well-maintained free product is worth more than a neglected paid one. Criminals use keyloggers to capture your credentials, and a good, current antivirus makes that considerably harder.

6. Use a separate card with a low balance or limit for online transactions, so that if the card is compromised your loss is limited.

7. If you use mobile banking on a smartphone, update the apps and the operating system promptly, because outdated software carries known vulnerabilities that malware exploits.

Protecting your money from online fraud is your responsibility, and awareness is essential, because the internet offers advantages to the ordinary user and the cyber criminal alike.

Wednesday, February 24, 2016

Stuxnet Is Only The Tip Of The Iceberg

Stuxnet, the world-famous computer worm that destroyed centrifuges at Iran’s Natanz uranium enrichment plant, was only one part of a much larger operation. The plan, known internally as Nitro Zeus, was to target Iran’s communications systems, key parts of its power grid and its air defences if talks between the Islamic Republic and the West failed and the United States was drawn into a military conflict with Iran.

Thousands of US intelligence and military personnel were involved in planning Nitro Zeus, and tens of millions of dollars were spent placing surveillance and sabotage implants in Iran’s infrastructure. The Fordo nuclear enrichment site, long considered the most impenetrable of Iran’s nuclear facilities, was also targeted as part of the plan.

Nitro Zeus came to light through the documentary Zero Days, which explores the growing conflict between Iran and the West and the tense collaboration between Israel and the US to stop Iran’s programme. The film, directed by Alex Gibney, was first shown at the Berlin Film Festival on Wednesday.

To uncover the covert operation, Gibney’s research team interviewed current and former participants in the programme, who revealed details of the efforts to penetrate Iran’s computer networks so that they could be disabled if the order came.

The programme was a trial by fire for the fledgling United States Cyber Command, which is still forming its cyber forces and deploying them around the globe. “This was an enormous, and enormously complex, program,” one participant who requested anonymity told the New York Times. “Before it was developed, the US had never assembled a combined cyber and kinetic attack plan on this scale.”

Tuesday, February 23, 2016

“Ratopak” malware attacked Russian banks

Employees of six Russian banks were targeted by a phishing campaign that delivered Ratopak, a spyware Trojan capable of taking control of the infected system. Security researchers at Symantec said the campaign ran in December 2015.

The attackers sent emails to bank employees from a domain chosen to resemble that of the Central Bank of Russia: they used “cbr.com.ru”, whereas the bank’s real domain is “cbr.ru”. The emails carried a malicious link, and when an employee clicked it the spyware was downloaded and installed on the employee’s computer.

Symantec’s researchers noticed several mistakes by the attackers. The “From” field was formatted unusually, and the sender name it showed did not match the name in the email signature. These inconsistencies were what gave the campaign away as phishing.
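
The domain trick used here, cbr.com.ru standing in for cbr.ru, belongs to the same family as the vendor domains with one character added or removed in the LinkedIn fraud post above and the bankoffamerica.com example in the online fraud tips. Below is an added example of how a mail gateway or a SOC script can catch all three mechanically. It is illustrative code written for this page, not Symantec’s detection logic; the short suffix table is a stand-in for the Public Suffix List, and the trusted-domain list would be whatever your organisation maintains.

```python
"""Look-alike sender-domain check.

Added example for this page, not code from any of the reports cited. It
classifies the domain behind a From: header as trusted, look-alike or
unrelated, catching a near-miss spelling (bankoffamerica.com), a trusted name
under another suffix (cbr.com.ru for cbr.ru) and a trusted name buried as a
subdomain of an attacker-controlled domain.
"""
from email.utils import parseaddr

# Assumption: a handful of multi-label public suffixes. A real deployment loads
# the full Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"com.ru", "co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """'mail.cbr.com.ru' -> 'cbr.com.ru', 'www.cbr.ru' -> 'cbr.ru'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def name_and_suffix(registrable):
    """'cbr.com.ru' -> ('cbr', 'com.ru')."""
    name, _, suffix = registrable.partition(".")
    return name, suffix


def levenshtein(a, b):
    """Edit distance between two strings; 1 or 2 means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, trusted, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for host against trusted domains."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    name, suffix = name_and_suffix(reg)
    subdomain_labels = host.split(".")[:-len(reg.split("."))]
    trusted_regs = {registrable_domain(t) for t in trusted}
    if reg in trusted_regs:
        return "trusted"
    for t_reg in trusted_regs:
        t_name, t_suffix = name_and_suffix(t_reg)
        if name == t_name and suffix != t_suffix:
            return "lookalike"      # cbr.com.ru vs cbr.ru
        if t_name in subdomain_labels:
            return "lookalike"      # bankofamerica.com.evil.example
        # A very short name (cbr) is within distance 2 of too many honest
        # domains, so the edit-distance rule only runs for names of 5+ characters.
        if len(t_name) >= 5 and levenshtein(name, t_name) <= max_distance:
            return "lookalike"      # bankoffamerica vs bankofamerica
    return "unrelated"


def classify_sender(from_header, trusted):
    """Classify the address in a raw From: value such as 'CBR <info@cbr.com.ru>'."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unrelated"
    return classify_domain(addr.rsplit("@", 1)[1], trusted)


if __name__ == "__main__":
    trusted = ["cbr.ru", "bankofamerica.com"]
    for sender in ["Bank of Russia <info@cbr.com.ru>",
                   "alerts@www.bankoffamerica.com",
                   "Press <press@cbr.ru>"]:
        print(sender, "->", classify_sender(sender, trusted))
```

The display name returned by parseaddr is deliberately ignored for the verdict: as the Symantec finding above shows, the name in the From field is whatever the attacker typed, and only the domain after the @ is worth checking against the list you trust.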
 

How did Ratopak infect bank employees’ systems?


Researchers describe Ratopak as a capable piece of malware. It works as a keylogger, recording the keystrokes employees type, takes screenshots of the infected system and can transfer files in both directions between the infected computer and its command-and-control (C&C) server.

Ratopak disguised itself behind a file extension of “buh”, an abbreviation of the Russian word for accountant, so that employees took it for an accounting process running on the system. Before these Russian banks, other financial firms had been targeted by the same malware.

The malware terminates during execution if it detects a system language other than Russian; its developers built this filter into the code, which shows both their skill and the deliberately narrow targeting of the campaign.

Russia hosts a number of cybercriminal groups that specialise in hacking banks to steal money. Anunak and Carbanak are the best-known names (widely believed to be two names for the same group), and the group is estimated to have stolen more than $1 billion from banks in Russia and many other countries.

It is not yet clear which group ran this campaign; it may be a new group altogether.

Source: softpedia

Saturday, February 20, 2016

Beware Android Users! “Xbot” Trojan is stealing Banking Credentials!

Security researchers at Palo Alto Networks have found a new Android Trojan, named Xbot, that can steal sensitive data from an infected device, including online banking login credentials. It is not yet widespread and so far targets devices in Russia and Australia. It also acts as ransomware, holding the device’s files hostage. The criminals behind it are spreading it actively to reach as many devices as possible.

The Trojan is the work of experienced programmers: its code is complex and hard to detect. After infecting a device it hides itself in the file system. Xbot steals banking credentials and other sensitive information using “activity hijacking”: when the user opens an app, Xbot launches its own activity on top of it at the same moment, and the user, who believes they are using the genuine app, notices nothing. The criminals control it through command-and-control (C&C) servers. The hijacking technique only works on devices running outdated versions of Android.

How does it work?

Xbot recognises financial apps. Whenever the user launches an app, the Trojan checks it; if it is a banking or other financial app, Xbot steps in and captures the sensitive information the user enters. Having identified the app, Xbot opens a channel to its control server and sends everything it has gathered. In short, it acts as an agent that harvests sensitive data on the device and passes it to the control server.


The authors use fake login interfaces that copy those of well-known banks in Australia and Russia. When a user enters a username, password and card details into the fake form, the data goes straight to the C&C server; the user believes the credentials are going to the bank, but they are not. Palo Alto researchers have identified six such fake interfaces.

Xbot is also ransomware. It displays a WebView-based ransom page that imitates the well-known CryptoLocker ransomware, encrypts files on the device and demands US$100 for the decryption key, which victims are told to pay through a spoofed PayPal page.



Source: CIO blog

Thursday, February 18, 2016

Hollywood hospital brought down by a ransomware attack


Image Source: Wikipedia

The Hollywood Presbyterian Medical Center was the victim of a ransomware attack last week: attackers encrypted its patient files and demanded a ransom to unlock them.

One of the patients, Melissa Garza, said, “I wasn’t feeling very well, went in for a check-up and they said their computers were down. I asked, what’s going on here and they said we were hacked.”

Ransom of 3.6 million US Dollars

Computer forensics expert Eric Robi said that the hackers demanded in the region of 9,000 bitcoins, which would bring the amount to over USD$3.6 million (£2.52 million), in exchange for unlocking the records. In most cases, Robi says, it is cheaper to pay the ransom than to try to fix the problem. The hospital has since stated that the ransom it actually paid was 40 bitcoins, about US$17,000, far below the figure first reported.

The hospital is simply another unfortunate victim of cyber crime. Investigators say there is no apparent motive for attacking this hospital in particular, but anyone familiar with cyber security knows that attackers go for the weakest link: organisations that are simply not secure enough.

While the hospital has declared an “internal emergency”, Kaspersky points out that there is absolutely no guarantee the attackers will keep their side of the ‘deal’ if the hospital chooses to pay the ransom; these are criminals, after all.

Read more at:  http://www.itgovernance.co.uk/blog/major-hollywood-hospital-brought-down-by-a-ransomware-attack/?utm_source=social&utm_medium=linkedinannc

Monday, February 15, 2016

Pakistani citizen hacked US PBX systems, admits laundering $19 million


Muhammad Sohail Qasmani, a 47-year-old Pakistani citizen, has been charged by the FBI with laundering $19 million obtained through a telecommunications fraud scheme built on hacking private branch exchange (PBX) systems. He was a member of a group that targeted US companies by breaking into their PBX systems, operating from both Pakistan and Bangkok. The operation was run from Karachi by Noor Aziz, another member of the group. The hackers used live phone extensions on the compromised PBXs that the companies had never assigned to any employee.

The hackers used those extensions to place calls to premium-rate numbers they controlled, running up charges against the victim companies. Losses from the scheme total about $50 million; $19 million of it passed through Qasmani, who moved the money over four years through some 600 bank accounts in different countries. Fraud investigators say the scheme was carefully planned. Qasmani used the accounts to collect the money generated by the fraudulent calls, kept his commission and passed the rest to the other members of the group.
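
As an added example of the defensive side (written for this page, not taken from the FBI case or any vendor product): the scheme leaves clear fingerprints in a PBX’s call detail records, namely calls placed from extensions nobody was assigned, calls to premium-rate destinations, and international calls made while the office is empty. The CDR format, the extension directory, the premium prefixes and the after-hours window below are assumptions, and the records are constructed.

```python
"""Toll-fraud triage over PBX call detail records (added example for this page)."""
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO

# Assumptions for the example: which extensions staff actually hold, which
# dialled prefixes are premium-rate (the real list comes from your carrier),
# the home country code and when the office is empty.
DIRECTORY = {"1001", "1002", "1003"}
PREMIUM_PREFIXES = ("+882", "+883", "+4490", "+4487")
HOME_COUNTRY_CODE = "+1"
AFTER_HOURS = (time(22, 0), time(6, 0))   # 22:00 to 06:00 local time

# Constructed records: two normal daytime calls, a burst of long night-time
# calls to a premium prefix from an extension that is not in the directory,
# one premium call from a real extension at 02:30, and one ordinary
# daytime international call that should not be flagged.
SAMPLE_CDR = """\
timestamp,extension,dialed,duration
2014-11-03T09:12:00,1001,+12015550100,120
2014-11-03T10:40:00,1002,+12015550123,45
2014-11-03T23:05:00,1047,+8829901234,1800
2014-11-03T23:08:00,1047,+8829901235,1790
2014-11-03T23:12:00,1047,+8829901236,1805
2014-11-04T02:30:00,1003,+4490123456,600
2014-11-04T11:00:00,1002,+442075551234,300
"""


def is_after_hours(ts):
    """True if ts falls inside AFTER_HOURS; the window wraps past midnight."""
    start, end = AFTER_HOURS
    t = ts.time()
    return t >= start or t < end


def is_premium(number):
    return number.startswith(PREMIUM_PREFIXES)


def is_international(number):
    return not number.startswith(HOME_COUNTRY_CODE)


def analyse_cdr(text):
    """Return one finding per suspicious call, in record order."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if row["extension"] not in DIRECTORY:
            reasons.append("unassigned extension")
        if is_premium(row["dialed"]):
            reasons.append("premium-rate destination")
        if is_international(row["dialed"]) and is_after_hours(ts):
            reasons.append("after-hours international call")
        if reasons:
            findings.append({
                "when": ts,
                "extension": row["extension"],
                "dialed": row["dialed"],
                "minutes": int(row["duration"]) // 60,
                "reasons": reasons,
            })
    return findings


def suspect_extensions(findings):
    """Extensions ranked by flagged call minutes: block or re-PIN the top ones first."""
    minutes = Counter()
    for f in findings:
        minutes[f["extension"]] += f["minutes"]
    return minutes.most_common()


if __name__ == "__main__":
    found = analyse_cdr(SAMPLE_CDR)
    for f in found:
        print(f"{f['when']:%Y-%m-%d %H:%M} ext {f['extension']} -> {f['dialed']} "
              f"({f['minutes']} min): {', '.join(f['reasons'])}")
    print("rank:", suspect_extensions(found))
```

The ranking by flagged minutes matters more than the raw count of findings, because premium-rate billing is per minute and the fraudsters keep each hijacked extension busy for as long as they can; running this nightly against the previous day’s CDRs, and disabling every extension not in the directory in the first place, removes most of the exposure.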

Qasmani has been in custody since December 2014 and has now admitted the charges. He faces up to 20 years in prison. Noor Aziz, the head of the operation, is on the FBI’s most wanted list.

Source: securityaffairs