CyberCrime - W/E - 12/6/19
Customers' Payment Card Data Stolen from Hotels Around the World (12/02/2019)
More than 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks conducted by several threat entities, including RevengeHotels. The campaign, which has been active since 2015 but has increased its presence since January, includes different groups using traditional remote access Trojans (RATs) to infect businesses in the hospitality sector. Research from Kaspersky shows that at least two groups, RevengeHotels and ProCC, were identified to be part of the campaign; however, more cybercriminal groups are potentially involved. The main attack vector includes emails with crafted malicious documents attached. Some of them exploit a bug in Windows, loading the payload using VBS and PowerShell scripts. The payload then installs customized versions of various RATs and other custom malware, such as ProCC, on the victim's machine, which can later execute commands and set up remote access to the infected systems.
Elaborate Man-in-the-Middle Attack Involves Email Correspondence, Results in $1M Loss (12/05/2019)
Check Point Software uncovered an elaborate business email compromise scheme that involved an entity using highly sophisticated tactics - including email communications - to trick both parties and steal $1 million USD. The case involves two legitimate companies - a Chinese venture capital fund and an Israeli startup - and a wire transfer. After realizing the theft, the startup tapped Check Point for help. Upon analysis, Check Point determined that the attacker had spotted the correspondence between the two companies ahead of the anticipated wire transfer and set up two lookalike domains to resemble the legitimate companies. The attacker then began corresponding with both the venture capital fund and the startup, spoofing the email addresses of each company. Check Point's Matan Ben David said, "This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination."
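The scheme described above depends on the victims not noticing that replies are arriving from domains that merely resemble their counterparty's. The following script is an added example (not Check Point's tooling or anything from the incident) of the kind of inbound-mail check a defender can run: it folds common look-alike characters, measures edit distance against a list of trusted counterparty domains, and flags messages whose From or Reply-To domain is a near miss. The trusted domains, the confusables table and the sample messages are all constructed for the illustration.

```python
"""Defensive lookalike-domain check for inbound mail (added example, constructed data)."""
from email.utils import parseaddr

# Hypothetical counterparties this organisation expects payment correspondence from.
TRUSTED_DOMAINS = {"example-ventures.com", "example-startup.io"}

# Character swaps commonly used to make one domain read like another.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample messages; only the domain parts matter for the check.
SAMPLE_MESSAGES = [
    {"from": "Ana <ana@example-ventures.com>", "reply_to": None},
    {"from": "Ana <ana@examp1e-ventures.com>", "reply_to": None},          # digit 1 for letter l
    {"from": "Ben <ben@example-startup.io>", "reply_to": "ben@example-startup.co"},  # Reply-To moved off-domain
    {"from": "news@unrelated-bank.example", "reply_to": None},
]


def normalise(label: str) -> str:
    """Lower-case a label and fold visual confusables so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Reduce a host name to its last two labels (good enough for the sample domains)."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unrelated' for a sender domain."""
    d = registrable(domain)
    if d in trusted:
        return "trusted"
    for t in sorted(trusted):
        nd, nt = normalise(d), normalise(t)
        # Exact match after folding, a small edit distance, or the trusted name embedded
        # in a longer label ("example-ventures-llc") all count as lookalikes.
        if nd == nt or edit_distance(nd, nt) <= max_distance or nt.split(".")[0] in nd.split(".")[0]:
            return f"lookalike:{t}"
    return "unrelated"


def domain_of(address):
    """Extract the domain from a 'Name <user@host>' or bare address; None if absent."""
    if not address:
        return None
    return parseaddr(address)[1].rpartition("@")[2] or None


def review_messages(messages):
    """Return (message index, reason) findings for lookalike or diverted addresses."""
    findings = []
    for i, msg in enumerate(messages):
        sender = domain_of(msg["from"])
        reply = domain_of(msg.get("reply_to"))
        roles = [("From", sender)]
        if reply and reply != sender:
            roles.append(("Reply-To", reply))
        for role, dom in roles:
            verdict = classify_domain(dom)
            if verdict.startswith("lookalike:"):
                findings.append((i, f"{role} domain {dom} resembles {verdict.split(':', 1)[1]}"))
            elif role == "Reply-To" and classify_domain(sender) == "trusted":
                findings.append((i, f"Reply-To domain {dom} leaves trusted sender domain {sender}"))
    return findings


if __name__ == "__main__":
    for index, reason in review_messages(SAMPLE_MESSAGES):
        print(f"message {index}: {reason}")
```

Run against the constructed sample, the script flags message 1 (a digit substituted into the venture fund's domain) and message 2 (a reply address moved to a lookalike of the startup's domain) and passes the two others. In practice the trusted list would come from vendor-onboarding records, and a hit should pause any payment-instruction change for out-of-band confirmation rather than just log it.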
Europol Seizes Insidious IM-RAT that Took Complete Control of Machines (12/02/2019)
A hacking tool that was able to give full remote control of a victim's computer to cybercriminals has been taken down as a result of an international law enforcement operation targeting the sellers and users of the Imminent Monitor Remote Access Trojan (IM-RAT). The investigation, led by the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust, resulted in an operation involving numerous judicial and law enforcement agencies. The tool had been used across 124 countries and sold to over 14,000 buyers, but it can no longer be used by anyone who purchased it. The IM-RAT, once installed undetected, gave cybercriminals free rein over the victim's machine. It sold for as little as $25 USD.
Four Million Payment Cards from Breached Restaurants Selling in Hacker Marketplace (11/26/2019)
KrebsOnSecurity reported that four million payment cards gleaned from a breach of four restaurant chains are for sale on the Joker's Stash, a cybercriminal underground market. Two financial industry sources told researcher Brian Krebs that the payment cards had all been used at Krystal, Moe's, McAlister's Deli, and Schlotsky's. Krystal confirmed in October that it had been breached while the other restaurants are all part of the same parent company and announced breaches in August.
Magecart Splinter Group Uses Phishing and Skimming to Lift Payment Card Data (11/27/2019)
A group affiliated with the Magecart attacks has jumped from phishing to card skimming. The group, dubbed "Fullz House," sells packages of individuals' identifying information (known as "fullz") on its BlueMagicStore site. The group also uses skimming to sell payment card information on its carding store called CardHouse. Fullz House isn't new to the cybercriminal world but it ramped up its activities beginning in August-September. While the two parts of this group's operation are mainly split, there is a slight overlap in its attack infrastructure on domain-to-IP address resolution data. The sales platforms this group operates also have infrastructure overlap with the infrastructure tied to the group's operations that steal cards or payment credentials. RiskIQ has published its analysis of Fullz House. Magecart is not a specific entity but a bunch of splinter groups that all use the same tactics to compromise ecommerce sites and inject scripts to steal payment card data.
Magecart Threat Group Injects Skimmers onto Salesforce's Cloud Platform (12/05/2019)
Malwarebytes spotted a number of skimmers found on Heroku, a container-based, cloud Platform as a Service that is owned by Salesforce. Magecart threat actors are leveraging the service to host their skimmer infrastructure and collect stolen credit card data. Developers can use Heroku to build apps in a variety of languages and deploy them seamlessly at scale. The Magecart thieves were registering free accounts with Heroku to host their skimming business. After notifying Salesforce of the Magecart activity, the instances were removed.
NEC Concludes Agreement with INTERPOL (11/25/2019)
NEC has concluded a global cybersecurity agreement with the International Criminal Police Organization (INTERPOL). This partnership replaces an existing agreement by combining INTERPOL's international network with NEC cybersecurity technology to "assist the investigation and analysis of complex and sophisticated cybercrime" in addition to "strengthening security at an international level."
Operation ENDTRADE Improves Malware Features to Steal Classified Data (12/02/2019)
The TICK threat group (also known as BRONZE BUTLER and REDBALDKNIGHT) has increased its malware development and deployments since November 2018. TICK, which has been active since 2008, has been developing new malware families capable of detection evasion for initial intrusion, as well as escalation of administrative privileges for subsequent attacks and data collection. The group is using legitimate email accounts and credentials for the delivery of the malware, zeroing in on industries with highly classified information: defense, aerospace, chemical, and satellite companies with head offices in Japan and subsidiaries in China. Trend Micro is calling this campaign "Operation ENDTRADE." Further details are available from a white paper published by the vendor.
Scammers Posing as CISA Reps to Extort Money from Victims (12/02/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim's questionable behavior and attempts to extort money. CISA advises anyone who receives such a call not to pay any money and to contact a local FBI field office to file a report.