Tag: Threat Analysis

Ahead of Black Friday, Rash of Malware Families Takes Aim at Holiday Shoppers

As the Black Friday post-Thanksgiving buying bonanza looms, many are opting to stay at home and take advantage of the same deals online. But they may get an unwanted extra with their purchase. Banking trojan malware families Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye are targeting online shoppers.

According to Kaspersky Lab, these and other banking trojans have spiked in detections lately, and are hunting for user credentials such as user names, passwords, payment-card numbers and phone numbers. At least 14 malware families have been found actively targeting a total of 67 consumer e-commerce sites between them, the firm said.

Read more about the findings of the Kaspersky Lab analysis on Threatpost.

Report Shows Increase in Email Attacks Using .com File Extensions

Anti-phishing firm Cofense has discovered an uptick in the use of .com file extensions in phishing emails. The .com file extension designated executable files in DOS and Windows 95, 98 and Me. It has been replaced by .exe in later versions of the OS. However, for backwards compatibility, Windows will still attempt to execute a file with the .com extension.

Throughout October, Cofense analyzed 132 unique phishing samples with the .com extension. To put this uptick in context, it found only 34 samples in the entire preceding nine months of 2018. The most popular subject line lures in the new campaign (or campaigns) are ‘payment’ and ‘purchase order’ themes.

Read more about the findings of the new Cofense report on SecurityWeek.
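A defender-side check for the attachment pattern the report describes, written as an added example that is not part of the original article or of Cofense’s tooling: it flags attachment names ending in the legacy .com extension (alongside the other extensions Windows still runs directly), catches document-looking double extensions such as invoice.pdf.com, and weights the ‘payment’ and ‘purchase order’ subject themes named above. The sample messages are constructed.

```python
import os
import re

# Extensions Windows still executes directly; .com is the legacy DOS/Win9x
# format the report describes, listed here beside .exe for the same reason.
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Subject themes the report names as the most common lures.
LURE_THEMES = ("payment", "purchase order")


def attachment_findings(filename):
    """Return the reasons a filename looks like an executable lure (empty list = clean)."""
    reasons = []
    # Collapse whitespace so padding cannot hide the real final extension.
    name = re.sub(r"\s+", "", filename.lower())
    base, ext = os.path.splitext(name)
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
        # remittance.pdf.com: a document-looking name that still ends in an executable extension
        inner_ext = os.path.splitext(base)[1]
        if inner_ext in DOC_EXTS:
            reasons.append(f"double extension {inner_ext}{ext}")
    # "invoice.pdf      .com": runs of spaces pushing the final extension out of view
    if re.search(r"\s{3,}\.\w+$", filename):
        reasons.append("whitespace padding before final extension")
    return reasons


def triage_message(subject, attachments):
    """Score one message: 2 per attachment finding, +1 when the subject uses a named lure theme."""
    findings = [f"{name}: {r}" for name in attachments for r in attachment_findings(name)]
    lure = any(theme in subject.lower() for theme in LURE_THEMES)
    return {"score": 2 * len(findings) + (1 if lure else 0),
            "lure_subject": lure, "findings": findings}


# Constructed sample messages (subject, attachment names); not taken from the report.
SAMPLE_MESSAGES = [
    ("Purchase Order #4471", ["PO_4471.com"]),
    ("Payment advice", ["remittance.pdf.com"]),
    ("Weekly report", ["report.xlsx"]),
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Triage every sample message; messages with score 0 can be passed through."""
    return [triage_message(subject, names) for subject, names in messages]


if __name__ == "__main__":
    for subject, result in zip((m[0] for m in SAMPLE_MESSAGES), triage_all()):
        print(f"{subject!r}: score={result['score']} findings={result['findings']}")
```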

Cinema Chain Sees Bad Movie Script Play Out As It Loses Millions In Email Scam

It was not a good week for the Pathé cinema chain. First, its UK branch’s Twitter account was hacked and used in a cryptocurrency scam, and then it became known that its Dutch branch had lost more than 19 million euros (US$21.5m) through a business email compromise (BEC) scam.

The scam began in March with an email to the company’s CFO, allegedly from Pathé’s French parent firm, which told him to transfer more than 800,000 euros as part of a “strictly confidential” acquisition, Dutch business site Quote reports. Though the CFO and the CEO did discuss among themselves that the request was rather strange, they dutifully obliged.

Read more about this elaborate and successful BEC scam on Forbes.

Seven Hacking Groups Operate Under “Magecart” Umbrella, Analysis Shows

At least seven different cybercrime groups referred to as “Magecart hackers” are placing digital credit card skimmers on compromised e-commerce sites, Flashpoint and RiskIQ reveal in a joint report. Active since at least 2015, the Magecart hackers steal credit card information by placing digital skimmers on the websites they compromise.

After conducting a thorough investigation into these attacks, Flashpoint and RiskIQ security researchers discovered that the Magecart umbrella isn’t representative of a single group of attackers, but of at least seven, each with their own skimmers, tactics, targets, and other unique elements. The list, however, is not comprehensive.

Read more about the new research on Magecart on SecurityWeek.

Internet Explorer scripting engine becomes North Korean APT’s favorite target in 2018

Internet Explorer’s scripting engine was the favorite target of a North Korean cyber-espionage group this year: the hackers deployed two zero-days and also crafted new exploits for two older vulnerabilities. The group is DarkHotel, a cyber-espionage group that McAfee and many other cyber-security firms have already linked to the Pyongyang regime.

The group has been active since 2007, but it was publicly exposed in 2014. Despite being outed in public reports, DarkHotel didn’t stop its attacks.

Read more about the recent activity of the DarkHotel APT on ZDNet.

WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies. WebCobra silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects.

The researchers believe this threat arrives via rogue PUP installers. They have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.

Read more about the WebCobra cryptojacking malware on McAfee.

If Terrorists Launch a Major Cyberattack, We Won’t See It Coming

“The FBI assesses the cyberterrorism threat to the U.S. to be rapidly expanding,” said one law-enforcement official, testifying before Congress. “Terrorist groups will either develop or hire hackers, particularly for the purpose of complementing large physical attacks with cyber attacks.”

That assessment was made nearly 15 years ago. In the meantime, a generation of tech-savvy jihadists has exploited the internet to attract recruits, share bomb-making expertise, and incite violence. Yet they haven’t managed to pull off the devastating cyberattacks that experts have long feared. With just days left before Americans go to the polls for midterm elections, it is worth considering: Why not?

Read how national-security experts view cyberterrorism on The Atlantic.

Destructive Cyberattacks Spiked in Q3

New data gathered from more than three dozen providers of incident response services reveals a disturbing increase in the past quarter of destructive cyberattacks targeting US organizations. It is not clear whether the attacks—many of them from countries like China, Russia, and North Korea—are a response to the current geopolitical climate, or demonstrate punitive attempts by attackers to hide their tracks after being discovered.

Either way, the implications of the trend are serious for enterprises, says Tom Kellermann, chief security officer at Carbon Black, the security vendor behind the report. Between the second and third quarters of this year, there was a three-fold increase in destructive attacks where adversaries deleted or encrypted data, destroyed logs and backups, and caused system outages in ways designed to paralyze victims.

Read more about the findings of the Carbon Black report on DarkReading.

SamSam ransomware group has hit 67 organizations in 2018, researchers say

The group behind the disruptive SamSam ransomware has attacked 67 different organizations in 2018, nearly a quarter of which were health care organizations, new research shows. SamSam, which is deployed in a more targeted way than other ransomware, hobbled Atlanta’s municipal agencies in March, and reportedly struck medical-testing giant LabCorp in July.

Cybersecurity company Symantec has released data showing that of the 67 organizations targeted by the SamSam group in the last 10 months, more than 80 percent are based in the United States. “SamSam continues to pose a grave threat to organizations in the U.S.,” a Symantec blog post states. “The group is skilled and resourceful, capable of using tactics and tools more commonly seen in espionage attacks.”

Read more about the SamSam ransomware campaigns on CyberScoop.

Kraken Resurfaces From the Deep Web

The Kraken Cryptor ransomware has been spotted in the Fallout Exploit Kit, resurfacing an old threat and hinting at the future of ransomware-as-a-service (RaaS).

Kraken has had a “notable development path” over the past few months, report experts from McAfee’s Advanced Threat Research team and Recorded Future’s Insikt group, who collaborated on this analysis. Kraken’s presence strengthened toward the end of September, when a security researcher found it bundled in the Fallout Exploit Kit, which is known for deploying Gandcrab ransomware.

Read more about Kraken’s recent ‘development path’ on DarkReading.