NACHA Attacks Rising Again

Symantec reports an unprecedented jump in spam volumes containing “polymorphic malware,” malicious software that constantly changes to evade anti-virus software.  One of the most successful lures used in these attacks is spoofed NACHA email.  NACHA is a not-for-profit group that develops operating rules for organizations that handle electronic payments.

Victims of these scams soon find new “employees”, money mules, added to their payroll to move the stolen funds out.  The thieves use the victim’s online banking credentials to push unauthorized payroll payments to the mules, who are instructed to withdraw the cash, keep a cut for themselves, and wire the rest overseas.

  • In September, attackers stole about $120,000 from Oncology Services of North Alabama.  The organization’s accounting firm was the apparent source of the compromise, indicating that other clients of the firm may also have been victimized.  The bank was able to block some of the fraudulent transfers, but it remains unclear how much the thieves got away with.
  • Thieves also robbed the North Putnam Community School Corporation, serving 6 northern townships in Indiana.  They made off with about $100,000, sending the money to several people who had no prior business with the school district.  Luckily, all of the fraudulent transfers were returned shortly after the attack.
  • Hackers also struck the City of Oakdale, Calif., stealing $118,000 from a city bank account.  Oakdale city officials are confident that its insurance carrier will reimburse the loss, minus a $2,500 deductible.  Officials from Oak Valley Community Bank wrongly laid blame for the incident on a lack of technology and security.

Blocking these attacks has little to do with bleeding edge systems or scanning files with anti-virus.  It’s not clear what malware family was used in any of these attacks, although the first involved a gang that uses the ZeuS Trojan.  Most victims of modern malware will actually have anti-virus software installed.  What they won’t have is a definition file that detects the specific characteristics of the malware that is attacking them.  Anti-virus firms and users are constantly playing catch up.  Someone has to suspect a file as malicious and send a copy in for analysis before a signature can be developed and pushed out to users.

Preventing theft of your online banking credentials is a critical first step in dealing with this threat.  Consumers and small and mid-sized businesses should use a dedicated computer for online banking.  Access bank accounts only from a PC that is locked down, regularly updated, and used for no other purpose than online banking; that means no email and no general web browsing on it, since a spoofed NACHA message in the inbox is exactly how these infections start.  It’s a few hundred dollars, compared to your entire business and reputation.

T&T Supermarkets Breached – 58k Records Exposed

CTV is reporting that the website of Canada’s largest Asian supermarket chain has been hacked.  BC-based T&T Supermarket Inc., with three locations in Toronto, has advised the public in a press release of “unauthorized and illegal intrusions” on its website.  The breaches occurred June 6, 7, 11, and from June 14 to 17.  The personal information of up to 58,000 customers in its database may have been compromised, and the personal computers of some customers could have been exposed to malware.

The compromised data includes usernames, passwords, first and last names, ages, genders, email and street addresses, and cell and other phone/fax numbers.  Information submitted to T&T by job applicants may also have been accessed.  Those who visited the site between June 6 and 17 to place product orders for in-store pick-up or to apply for jobs may have been redirected to a non-T&T website hosting Fake A-V, which instructed them to click a button on the screen to start a malware “scan”; clicking could have triggered a malware download.

T&T has 20 stores in British Columbia, Alberta and Ontario.  Loblaw Companies Ltd. bought the chain for $225 million in July 2009.  T&T is urging anyone who receives communications purporting to be from T&T not to provide any personal information under any circumstances.  T&T will be contacting customers that may have been affected, but will NOT request personal data, especially sensitive information like credit card numbers.  The company has temporarily suspended its website, retained security experts to conduct a complete investigation, and expects to improve its information security based on their recommendations.

If you believe that you may have been affected, run a reliable commercial anti-virus product on all of your systems, and change the password on any other account where you used the same username or password as on the T&T site; reused passwords are what make a stolen password list valuable.  All customers are also encouraged to have a heightened awareness of email, telephone and postal scams where personal information is being requested.  Affected individuals can email or call 1-855-926-2342 for assistance.

-=[BUSTED]=- Two Scareware Rings Taken Down

InformationWeek reports that the FBI has disrupted two scareware (fake anti-virus) crime rings, as part of “Operation Trident Tribunal.”  The FBI obtained warrants to seize 22 PCs and servers located across the United States that were used to support the scammers’ operations.  They also worked with law enforcement agencies in France, Germany, Latvia, Lithuania, Netherlands, Sweden, and the United Kingdom to seize an additional 25 PCs and servers.  It would appear the seizure of several servers hosted by DigitalOne in data center space it leased in Reston, Va. may have impacted some unrelated sites.

The first group bagged at least $72 million over a three-year period by tricking one million people into buying the scareware for up to $129 per copy.  The second criminal operation resulted in the arrest of 2 people in Latvia, each charged with two counts of wire fraud, one count of conspiracy to commit wire fraud, and computer fraud.  The pair were apparently running a “malvertising” scam: they created a phony advertising agency and purchased advertising space on the Minneapolis Star Tribune website.  Newspaper staff vetted the digital advertisement before posting it to the site.

The defendants then altered the advertisement code to infect website visitors with malware that launched scareware applications on their PCs.  The scareware froze PCs until the user paid for the fake AV software.  Those that didn’t pay found that all information, data, and files stored on the computer became inaccessible.  As part of this scam, the two Latvians allegedly netted $2 million.

These scams may sound lucrative, but it is good to hear that arrests are being made.  Watch for an increase in arrests as the FBI and other Law Enforcement Organizations get a handle on the scope and scale of this type of activity and trace it back to the nest.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, MasterCard, PCI, policy, or some other established standard on the subset of systems that directly touch the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized and popping up like mushrooms, and where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of success, you need a solid, enterprise-encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years: least privilege, current patches, and monitoring that someone actually reads.  So what are you doing about these recent attacks?

Protect Your Banking Session

If you use your computer for online banking, you should seriously consider grabbing the free Rapport product from Trusteer.  Trusteer has partnered with close to 100 financial institutions, as well as PayPal and eBay, to bring you a specialized tool that aims to keep your transactions confidential and correct.  Rapport is a security product for Windows and Mac that targets financial malware.  It is not a “conventional” anti-virus product; it works alongside your A/V, securing the communications between the user and Rapport-protected web sites and defeating keyloggers and other common banking malware.

If you haven’t received an invitation from your bank to download and install Rapport, expect one soon.  Ensure that you download it only from your bank’s real web site or from Trusteer’s own site; a “download our security tool” link in an unsolicited email is exactly the lure the Fake AV gangs use.  Also, it’s a good idea to install it on a clean computer.  I would back up my data files and install my operating system, patches, and security tools fresh if I wanted to be certain that my system was protected from malware.  Several Canadian banks have already adopted Rapport, and links to the end-user installs are present on their web sites.  Fraud costs banks A LOT of money, and those costs are passed to their customers, in part through fees and service charges.  If your bank doesn’t have this or a similar product in place, you might want to ask them why.

The secure browsing software works in the background and doesn’t require changes in user behavior.  Online banking and use of the internet can continue as usual.  Rapport only pops up to provide alerts when potential threats are detected, and is otherwise transparent.  Rapport combats malware with 2 layers of defense.  The first layer attempts to prevent banking malware from infecting the computer.  It works outside of the browser and looks for typical malware installer behavior.  Since many of these banking malware agents are built from a small number of kits, they exhibit common characteristics, code base, and behaviors.  It is not impossible to bypass this layer of protection, so the second layer backs it up.

The second layer of defense assumes that the system IS already infected, and protects the communications between the user and the bank from the malware’s interception and manipulation attempts inside the browser.  It blocks the behaviors typical of financial malware, for example by feeding junk characters to a keylogger, interfering with screen captures, and preventing password capture.  All data in the Rapport-monitored session is encrypted, from the keyboard to the bank.  Rapport also checks that the address of the bank is correct, to protect against spoofing and phishing attacks.  If you type your bank username into a site other than your bank’s site, you will be warned.

I have had Rapport installed on several systems, have never had a problem with it, and I have used it with a variety of operating systems, browsers, and security products.  No conflicts, no errors, no problems.  This is a FREE product (that your bank is subsidizing).  Get it, use it, love it, forget it.  Until it saves your butt!

Participating Canadian Banks:

A complete list of banks worldwide using this technology is available here:

IMF Network Breached

The New York Times reports that the International Monetary Fund (IMF) has been hit with “a large and sophisticated cyberattack whose dimensions are still unknown.”  The IMF manages financial crises around the world, and is a repository of highly confidential information about the fiscal condition of many nations.  Its staff and board of directors were advised about the attack on Wednesday, but it did not make a public announcement.

Several senior officials said it was both sophisticated and “a very major breach”.  The compromise appears to have occurred several months ago.  Because the fund has been at the center of economic bailout programs for Portugal, Greece and Ireland, and possesses sensitive data on other countries on the brink of crisis, its database contains potentially market-changing information.  It also includes communications with national leaders as they negotiate behind the scenes.  It remains unclear precisely what information was accessed.   The World Bank, an international agency focused on economic development, cut the computer link that allows the two institutions to share information.  The drastic containment step was taken out of “an abundance of caution” until the severity and nature of the attack is understood.  The World Bank has since resumed its normal operations and says it has seen no evidence of any attacks.

No information is available regarding the origins of the attack, a delicate subject because most nations are members of the fund.  The attack may have been enabled through “spear phishing,” where specific people are researched and targeted through emails and social engineering, and fooled into clicking on a malicious link or running a program that provides access to the network.  It is also possible that the attack was less specific: an intruder testing the system to see what could be attacked, or an opportunistic malware infection that happened to land inside the IMF.

Beware “MS-Update” Fake AV

Sophos is reporting that Fake AV distributors are ramping up efforts to deploy their malicious wares by closely imitating the Microsoft Update site, in a bid to take advantage of the monthly patch cycle.  Be very wary of any alerts that pop up in your web browser.  Microsoft does not push update prompts into whatever page you happen to be browsing; you should only trust an update prompt if you initiated the check with Microsoft, Adobe, Sophos or the other vendor yourself, through that vendor’s own update mechanism.

In this particular attack, victims are being told to install the fake updates urgently, with attackers claiming that “This installation is essential for the normal work of your system. Critical update is needed.”  Here is a message enticing users to download the Fake AV and infect their machine, errors and all:

“After the download, this tool is run only once checking your whole system for infection. It removes any infection found, any specific, prevalent malicious programs such as Blaster, Sasser and Mydoom. When an infection is found this tool displays a status report with the next computer start. This tool is necessary for you computer to make your system being protected from hi-jacking and its download is crucial if you value your personal data and your privacy.”

Victims tricked into downloading this Fake AV will end up infecting their computers with a potential array of malicious programs.

Citi Bank Breach Affects 200k Customers

A little late, but the interviews have kept me busy.  Citigroup has acknowledged that a computer breach may have given hackers access to hundreds of thousands of bank card customers’ data.  The US bank revealed details on Wednesday of a breach discovered in early May through routine monitoring.  The breach occurred at Citi Account Online, used by its customers to manage their cards, compromising the names, account numbers and contact information of some 200,000 customers.

The bank did not reveal how the intrusion occurred, but says that it “has implemented enhanced procedures to prevent a recurrence of this type of event”, has contacted law enforcement and tightened its fraud detection procedures.  It remains unclear whether any customers reported suspicious transactions.  Citi Bank is reaching out to customers, warning them about the possibility of being targeted with spear phishing emails and downloading banking Trojans and other malware.

As a result of this and other recent breaches, major US banks are coming under increasing pressure from regulators to improve the security of customer accounts.  While Citigroup insisted the breach had been limited, many are calling it the largest direct attack on a major US financial institution, and say that it could prompt an overhaul of the banking industry’s data security measures.

The Federal Deposit Insurance Corp., one of the primary US banking regulators, is preparing new measures on data security.  Its chairman, Sheila Bair, said on Thursday she may ask “some banks to strengthen their authentication when a customer logs onto online accounts.”


Spoofed LinkedIn Invite = Malware

According to M86 Labs, malware scammers are targeting LinkedIn users with legitimate-looking messages that appear to come from the social networking site:

The scammers have used the actual LinkedIn email template and modified it to suit their needs, changing the link behind the confirmation button.  Simply hovering the mouse over the button reveals that the destination URL is not on LinkedIn, but on the (not to be confused with the legitimate domain).

For those unfortunate users who follow the link, the “BlackHole” exploit kit at the destination server tries a number of exploits in order to load malware.  Most of the successful infections appear to come through Java and PDF reader vulnerabilities.

Lessons learned from this attack campaign: don’t click that link, even if it looks familiar.  Instead, open your own browser window and visit the site yourself; legitimate invites will be waiting in your LinkedIn inbox.  Also, keep your software up to date, Java and your PDF reader included.  One vulnerability is all that the bad guys need, and once you have been had, it is difficult to undo the damage.

Beware: NACHA Spam Scam

NACHA manages the development, administration, and governance of the ACH (Automated Clearing House) Network, the backbone for the electronic movement of money and data.  The ACH Network provides direct consumer, business, and government payments, facilitating billions of payments annually, such as Direct Deposit and Direct Payment.  As a not-for-profit association, NACHA represents nearly 11,000 financial institutions via 17 regional payments associations and direct membership.

NACHA continues to be spoofed in sustained and evolving phishing attacks in which consumers and businesses are receiving emails that appear to come from NACHA.  The attacks are occurring with greater frequency and increasing sophistication.  Perpetrators may also be exploiting email addresses recently stolen from Epsilon.  Remain vigilant, and do not fall prey to these scammers.

The email that I received appears in the following form:

These fraudulent emails typically make reference to an ACH transfer, payment, or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the email recipient.  The contents of these fraudulent emails vary, with more recent examples including a counterfeit NACHA logo (the above sample shows a logo placeholder) and the citation of NACHA’s physical mailing address and telephone number.  The link in my sample was obfuscated using a URL shortening service to hide its actual destination.
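The two tells described on this page, a confirmation button whose real destination is off the sender’s domain (the spoofed LinkedIn invite above) and a link hidden behind a URL shortener (the NACHA sample here), can be checked mechanically before anyone hovers a mouse over them.  The following Python script is an added example written for this page, not code from NACHA, LinkedIn or the original post.  The sample message bodies are constructed, the shortener list is an assumed starting point, and the domain-reduction helper is deliberately crude (it does not consult the public suffix list).

```python
"""Flag phishing-style links in an HTML email body (added example).

Checks: (1) the link's real destination is not under the domain the mail
claims to come from, (2) the destination is a URL-shortening service that
hides the real host, (3) the link text displays one host while the href
points at another.  Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed starting list of shortener hosts; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd", "ow.ly"}


def registrable_domain(host):
    """Reduce 'www.mail.example.com' to 'example.com'.

    Assumption: the last two labels are the registrable domain.  Production
    code should use the public suffix list so that 'bank.co.uk' is not
    reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkExtractor(HTMLParser):
    """Collect [href, visible text] for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of [href, text]
        self._current = None  # index into self.links while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._current = len(self.links) - 1

    def handle_data(self, data):
        if self._current is not None:
            self.links[self._current][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def _host_of(url):
    """Hostname of a URL, tolerating 'www.example.com' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def suspicious_links(html_body, sender_domain):
    """Return [(href, reason)] for every link that should not be clicked.

    sender_domain is the registrable domain the mail claims to be from,
    e.g. 'linkedin.com' for a LinkedIn invitation.
    """
    parser = _LinkExtractor()
    parser.feed(html_body)
    sender_domain = sender_domain.lower()
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue  # mailto:, #anchors, relative links: nothing to judge
        if host in SHORTENERS:
            findings.append((href, "url-shortener hides the destination"))
        elif registrable_domain(host) != sender_domain:
            findings.append((href, "destination host %s is not under %s" % (host, sender_domain)))
        else:
            # Link text that reads like a URL for some other site: the
            # "display URL" trick, where what you see is not where you go.
            shown = text.strip()
            if "." in shown and " " not in shown:
                shown_host = _host_of(shown)
                if shown_host and registrable_domain(shown_host) != registrable_domain(host):
                    findings.append((href, "link text shows %s but points to %s" % (shown_host, host)))
    return findings


# Constructed sample bodies (not real mail).  The first mimics a copied
# LinkedIn invitation template whose confirmation button was re-pointed;
# the second mimics a NACHA-style notice hiding its link behind a shortener.
SPOOFED_LINKEDIN = """
<p>Join my network on LinkedIn</p>
<a href="http://www.linkedin.com/home">Your LinkedIn inbox</a>
<a href="http://linkedin.invite-confirm.example/inv?id=27">Confirm that you know Jane</a>
"""
SPOOFED_NACHA = """
<p>The ACH transaction, recently initiated from your bank account, was rejected.</p>
<a href="http://bit.ly/example-ach">View transaction report</a>
"""

if __name__ == "__main__":
    for sender, body in (("linkedin.com", SPOOFED_LINKEDIN), ("nacha.org", SPOOFED_NACHA)):
        for href, reason in suspicious_links(body, sender):
            print("DO NOT CLICK %s: %s" % (href, reason))
```

The first sample trips only on the re-pointed button; the legitimate inbox link on linkedin.com passes.  The second trips on the shortener before its destination is even considered, which is the point: a shortened link in a transaction notice is reason enough to stop.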

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.

Do not open attachments or follow web links in these or other unsolicited emails from unknown parties, from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.  Forward suspected fraudulent emails appearing to come from NACHA to the reporting address NACHA publishes for that purpose, to aid in their efforts with security experts and law enforcement officials to pursue the perpetrators.

If you clicked on the link or opened an attachment from a similar email, or malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove the malicious code, or re-install a clean image of the computer system.  To protect yourself, always use anti-virus software and ensure that the virus signatures are updated automatically and frequently.  Ensure that operating system and common application security patches are installed and current.