How open banking can drive innovation and growth in a post-COVID world | #employeefraud | #recruitment | #corporatesecurity | #businesssecurity | #

By Billel Ridelle, CEO at Sweep. Times are pretty tough for businesses right now. For SMBs in particular, a global financial and health crisis of the sort we’re currently witnessing […] View full post on National Cyber Security

#cybersecurity | #hackerspace | BlackBerry Cylance vs. IcedID Banking Trojan

Source: National Cyber Security – Produced By Gregory Evans

BlackBerry Cylance vs. IcedID Banking Trojan

IcedID, originally known as BokBot, is a banking Trojan featuring modular malicious code and infostealing capabilities. It was first identified in the wild in September 2017 by IBM X-Force researchers.[1]

IcedID gathers financial information and credentials from infected hosts through sophisticated web injection and redirection attacks. The infostealer targets banking portals, webmail clients, payment card providers, mobile services providers, payroll portals, and online retail websites.

IcedID may be connected to past activity by the threat actor Neverquest. Neverquest was a Russian Cybercrime-as-a-Service group which disbanded in 2017 following the arrest of one of its members, Stanislav Lisov.[2],[3]

Technical Analysis

IcedID was initially delivered by another Trojan – Emotet.[4] Developed as a banking Trojan, Emotet has been repurposed to become one of the most successful threat distributors via its established botnet.[5] Emotet is generally delivered through spam carrying infected Microsoft Word document attachments. The Word document is often password-protected with the password appearing in the email body.[6]

The Word documents contain malicious macros which, if enabled by the user, invoke PowerShell to download the Emotet payload. Once successfully installed, Emotet downloads IcedID. IcedID uses Emotet’s geotargeting capabilities to focus its attacks primarily on North America and the UK. Variants of IcedID were observed being distributed by Ursnif/Dreambot,[7] another Trojan similar to Emotet, early in 2018.

Threat actors traditionally work in competition with each other, often removing existing infections before installing their own malicious binaries on systems. There appears to be a recent shift towards threat actors using a more collaborative approach.

Analysts at Flashpoint identified host machines infected with both IcedID and Trickbot[8] and highlighted a potential partnership between the two. IcedID’s Command and Control (C&C) servers were observed sending commands instructing victim systems to download Trickbot and vice versa. Also, modifications to updated IcedID variants show indications they may have been influenced by Trickbot’s modules.

Static analysis of this specific IcedID sample file shows a compile date of April 3rd, 2016 – over a year before IcedID was discovered in the wild. The binary contains a section named .ndata with a raw data size of 0 bytes. This indicates the executable was created with Nullsoft Scriptable Install System (NSIS). Extracting the Nullsoft archive reveals it contains several benign files and a malicious DLL file – aerometers.dll, SHA256:


Figure 1: Extract from [NSIS].nsi file

A distinguishing feature of the IcedID infostealer is how it executes its process injection. It implements an alternative method that does not require the target process to be started in a suspended state. This approach has not been previously observed being used by malware authors.

When executed, the sample first launches a copy of itself. The sub process then starts the legitimate Windows process svchost.exe, where its malicious code is injected:

Figure 2: Spawned processes

Multiple instances of svchost.exe running on a system are not suspicious in themselves, because the process is used to load services run from Dynamic Link Libraries (SvcHost DLLs). Injecting IcedID’s main payload into an svchost.exe process is an attempt by the attackers to conceal their activities on the victim machine.

The following functions allow IcedID to avoid starting the svchost.exe in a suspended state:

  • kernel32!CreateProcessA
  • ntdll!ZwProtectVirtualMemory
  • ntdll!ZwAllocateVirtualMemory
  • ntdll!ZwWriteVirtualMemory

The function ntdll!ZwCreateUserProcess is hooked within the memory space of the IcedID sample process. The kernel32!CreateProcessA function is then called to launch svchost.exe. Although svchost.exe has launched, its main thread has not been executed. The call to kernel32!CreateProcessA then hits the hook on ntdll!ZwCreateUserProcess which initiates a function call to ZwCreateUserProcess.

Next, ntdll!ZwCreateUserProcess returns the process handle for svchost.exe. With this process handle the ntdll!NtAllocateVirtualMemory and ntdll!ZwWriteVirtualMemory functions can write malicious code into the memory space of svchost.exe.

Calling svchost.exe without any arguments means it has no service to run and will result in the process terminating. Before svchost.exe shuts down the function ntdll!RtlExitUserProcess is called. The malware authors exploit this call to ntdll!RtlExitUserProcess by inserting a jump to the malicious code. The main thread of svchost.exe is then run and the original executable is terminated.

This minimalist approach to process injection is significant as the execution of malicious code is less likely to be detected by process hollowing countermeasures. It succeeds without creating the svchost.exe process in a suspended state or creating new threads in svchost.exe.

The IcedID sample dropped the malicious aerometers.dll file into the user Temp folder. The original IcedID executable is modified slightly before being copied (with a unique generated name) to the %ProgramData% directory, e.g. C:\ProgramData\{5D189AD3-A8D3-4093-881B-7E03AAE7B040}\pdkdkdkqg.exe. Each infection of this copied file has a unique hash.

IcedID requires a system reboot to complete its infection. The reboot requirement represents an effort to hinder sandbox analysis:

Figure 3: Files dropped to the system during dynamic analysis

Figure 4: Additional benign associated artifacts found in the user’s Temp directory

A Windows scheduled task is created to launch the copied IcedID file located under the %ProgramData% directory (e.g. pdkdkdkqg.exe) for every user logon. This allows IcedID to achieve persistence and ensures the infostealer will continue to run following system reboots:

Figure 5: Windows Scheduled Task to launch IcedID with log on

IcedID gathers basic information about the host system to provide to the C&C server. This information is useful for identifying the specific infection bot. All communication between a victim and the C&C server is sent over HTTPS using POST and GET requests. Responses from the C&C are encrypted using RC4 and occasionally compressed using LZMAT.

IcedID includes a network spreading module that facilitates infecting other endpoints within an organization. The malware queries the Lightweight Directory Access Protocol (LDAP) to find other users and then attempts to brute-force passwords with a dictionary attack.

IcedID uses web injection to steal login information for targeted banking portals and online retailers. The infostealer downloads a configuration file from its C&C that includes a list of targets for the web injection attacks. It sets up a local proxy, listening on port 49157, to redirect the victim’s Internet activity. This acts as a man-in-the-middle (MITM) style attack which can monitor all outbound traffic:

Figure 6: Process listening on localhost, port 49157

When the user attempts to navigate to a targeted URL, the web injection attack presents fake content over the legitimate page. To an unsuspecting user, nothing will immediately appear out of the ordinary: the bank’s genuine URL and SSL certificate still appear in the address bar. The local proxy intercepts the user’s traffic and the login credentials are exfiltrated to the C&C server. All communications to the C&C server are encrypted and sent over SSL to avoid alerting Intrusion Detection Systems.

IcedID targets webmail accounts and payment card websites with redirection attacks. The local proxy redirects users to fake, nearly identical websites hosted by the attacker’s server. The website will look legitimate by displaying the authentic URL and SSL certificate. Credentials submitted to the fake website are redirected to the attacker’s server.

BlackBerry Cylance Prevents IcedID

BlackBerry® Cylance®, which offers a predictive advantage over zero-day threats, is also effective against malware like IcedID. BlackBerry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.

BlackBerry Cylance prevents IcedID and its variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture effective against unknown, emerging, and polymorphic threats as well as traditional threats.

Indicators of Compromise (IOCs)

  • SHA256 F476342981C639D55CE2F5471C3E9962FD2D5162890E55D2B4E45DDC641F207F delivered to the system by Emotet
  • Aerometers.dll, SHA256 19591882B072D3DA133E1C6106FDC0A4413DFB86CA5605F94ACBC4EB6968B693
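As an added example (not code from the BlackBerry Cylance post), the Python script below runs the host-side checks a responder would derive from the analysis above over constructed sample telemetry: a bare svchost.exe launched by something other than services.exe (Figure 2), a logon scheduled task whose action lives under %ProgramData%\{GUID}\ (Figure 5), a listener on the local proxy port 49157 (Figure 6), and file hashes matching the two SHA256 values in the IOC list. The process records, task names, PIDs, netstat lines and file paths are constructed for illustration; only the port number and the hashes come from the post.

```python
"""Hunt for the IcedID host artifacts described in the post.  All sample
records below are constructed; only PROXY_PORT and IOC_SHA256 come from
the post's own analysis and IOC list."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA256 values copied from the post's Indicators of Compromise list.
IOC_SHA256 = {
    "F476342981C639D55CE2F5471C3E9962FD2D5162890E55D2B4E45DDC641F207F": "IcedID executable delivered by Emotet",
    "19591882B072D3DA133E1C6106FDC0A4413DFB86CA5605F94ACBC4EB6968B693": "aerometers.dll",
}
PROXY_PORT = 49157  # local MITM proxy port reported in the post (Figure 6)

# %ProgramData%\{GUID}\<name>.exe, the drop location described in the post
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\programdata\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# "netstat -ano" style TCP line: proto, local addr:port, remote, state, pid
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Process:
    pid: int
    ppid: int
    image: str          # image basename, e.g. "svchost.exe"
    cmdline: str
    parent_image: str   # basename of the parent's image


@dataclass
class ScheduledTask:
    name: str
    action: str         # command the task runs
    trigger: str        # e.g. "logon", "daily"


def check_process(p: Process) -> Optional[str]:
    """A genuine svchost.exe is started by services.exe with a '-k <group>'
    argument; IcedID launches it bare from its own copy (Figure 2)."""
    if p.image.lower() != "svchost.exe":
        return None
    has_args = len(p.cmdline.split()) > 1
    if has_args or p.parent_image.lower() == "services.exe":
        return None
    return f"pid {p.pid}: svchost.exe started without a service argument by {p.parent_image} (pid {p.ppid})"


def check_task(t: ScheduledTask) -> Optional[str]:
    """Logon-triggered task whose action lives in %ProgramData%\\{GUID}\\ (Figure 5)."""
    if t.trigger.lower() != "logon":
        return None
    exe = t.action.strip().strip('"')
    if GUID_EXE_RE.match(exe):
        return f"task {t.name!r}: logon trigger runs {exe}"
    return None


def check_netstat(line: str) -> Optional[str]:
    """Listener on the local proxy port used for web injection (Figure 6)."""
    m = NETSTAT_RE.match(line)
    if not m:
        return None
    addr, port, state, pid = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    if port == PROXY_PORT and state.upper() == "LISTENING":
        return f"pid {pid}: listening on {addr}:{port}"
    return None


def check_hashes(file_hashes: Dict[str, str]) -> List[str]:
    """Match file hashes against the IOC list (case-insensitive)."""
    hits = []
    for path, digest in file_hashes.items():
        label = IOC_SHA256.get(digest.upper())
        if label:
            hits.append(f"{path}: SHA256 matches IOC ({label})")
    return hits


def triage(procs, tasks, netstat_lines, file_hashes) -> List[str]:
    """Run every check and return the list of findings (empty if clean)."""
    findings = [f for f in map(check_process, procs) if f]
    findings += [f for f in map(check_task, tasks) if f]
    findings += [f for f in map(check_netstat, netstat_lines) if f]
    findings += check_hashes(file_hashes)
    return findings


# Constructed sample data (not real telemetry): one benign and one suspicious entry per source.
SAMPLE_PROCS = [
    Process(880, 640, "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs", "services.exe"),
    Process(4120, 3988, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "pdkdkdkqg.exe"),
]
SAMPLE_TASKS = [
    ScheduledTask("Updater", "C:\\Program Files\\Vendor\\update.exe /silent", "daily"),
    ScheduledTask("pdkdkdkqg", "C:\\ProgramData\\{5D189AD3-A8D3-4093-881B-7E03AAE7B040}\\pdkdkdkqg.exe", "logon"),
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
    "  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       4120",
    "  TCP    192.168.1.20:49800     203.0.113.10:443       ESTABLISHED     4120",
]
SAMPLE_HASHES = {
    "C:\\Users\\victim\\AppData\\Local\\Temp\\aerometers.dll":
        "19591882b072d3da133e1c6106fdc0a4413dfb86ca5605f94acbc4eb6968b693",
    "C:\\Windows\\System32\\svchost.exe": "0" * 64,  # placeholder digest, not a real hash
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCS, SAMPLE_TASKS, SAMPLE_NETSTAT, SAMPLE_HASHES):
        print(finding)
```

On a real host the inputs would come from a process listing with parent information, an export of the task scheduler, `netstat -ano` output and a file-hash inventory; the parent/argument check on svchost.exe is the one most worth keeping in a detection rule, since the injection technique described above deliberately avoids the suspended-process and remote-thread artifacts that process-hollowing detections look for.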

File Information

  • Classification: Malware, Infostealer
  • File size: 157,816 bytes
  • Compile timestamp: 2016-04-03 21:20:55
  • ITW names: IcedID, BokBot


The post #cybersecurity | #hackerspace | BlackBerry Cylance vs. IcedID Banking Trojan appeared first on National Cyber Security.


Weekly Threat Briefing: New Banking Trojan Infects Victims via McDonald’s Malvertising

The intelligence in this week’s iteration discusses the following threats: Backdoors, Cryptocurrency, Data breaches, Malware, and Trojans. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1: IOC Summary Charts. These […] View full post on

#cyberfraud | #cybercriminals | NATCOM calls for tough laws to regulate mobile banking in Sierra Leone


By Mabinty M. Kamara

Officials of the National Telecommunication Commission (NATCOM) have called on the Bank of Sierra Leone to bring out a stronger legislative framework on mobile money service to complement the rapid growth of these services and curb cybercrime.

Abdul Ben Foday, Director of Corporate Affairs, acknowledged the growing recognition of the importance of mobile phones and mobile money by telecommunication companies, which he said have brought unprecedented benefits by improving livelihoods and becoming a tool to mobilize and encourage savings for the unbanked populace in Sierra Leone, but added that they have also occasioned issues that need attention.

“The financial services activities of telcos are beyond the purview of NATCOM, but fall within the mandate of the Bank of Sierra Leone. We are looking forward to imploring the Bank of Sierra Leone to come up with a stronger legislative framework than what it currently has,” he said.

He added that the role of the Bank of Sierra Leone is pivotal in ensuring that mobile money services are regulated and supervised for the smooth operation of the financial sector.

“In view of this, our vigilance has increased, consumer awareness and consumer public dialogue is on an upward trajectory. The rapid growth of mobile money transactions should [warrant] the urgency for an effective and robust regulatory and legislative framework.” 

The spokesman for the Bank of Sierra Leone, Berestford Taylor, did not respond to Politico when contacted via calls and a text message.

NATCOM, as a regulatory body, is responsible for monitoring media and telecommunication technical capacity and functions in Sierra Leone. Its role includes granting licenses for the operation of communications systems and services, ensuring fair competition among operators, and establishing and monitoring quality of service indicators for operators and service providers.

Dr. Abdul Kamara, Manager of Information Cyber Security, noted that cyber security issues are borderless due to the borderless nature of the cyber space itself. He said they have been working with Police to tackle emerging threats.

“In the recent past, we have been able to make some gains in the fight against cybercrimes and fraud in partnership and collaboration with the Sierra Leone Police in the termination of Sim Box fraud,” he stated.

Sim Box Fraud is one of the most sophisticated cybercrimes in the country. However, simpler cybercrimes like scams involving people luring others to send them mobile money by impersonation, have been on the increase.

Mustapha Sesay is a victim of mobile money fraud. He said he recently lost Le5 million to a scammer who claimed he was the Secretary to the President of Sierra Leone.

Sesay believes mobile companies are not doing enough to tackle the problem.

“I think the mobile companies are in connivance with these rogues, otherwise there is no way the same number would be used to scam other people even when the first incident was reported to the Police. The same number that was used to scam me was also used to scam another Le8 million (from someone else). This could not have happened if these mobile companies were serious about curbing the criminal activities of these criminals,” he said.

Police already have a cybercrime unit which they have used in the past to conduct raids and arrest cyber criminals.

Assistant Superintendent of Police, Kabba Lavalie, explained in a Police press briefing this week that they currently have people in custody who impersonated a government minister, so they could carry out a scam.

© 2019 Politico Online


#cyberfraud | #cybercriminals | Banking scams becoming more sophisticated


Falling prey to online scammers is easier than you might think, with scams becoming increasingly more sophisticated and less blatant than the now well-known “Nigerian prince” emails that clog our spam folders.

According to the SA Banking Risk Information Centre (Sabric), reported incidents of digital banking crimes increased by 75 percent between 2017 and 2018, amounting to a total of R262.8 million lost in digital, mobile and app banking crimes last year alone.

Cyber criminals are becoming smarter in their attempts to steal and will use technology in conjunction with social engineering to try to defraud people. Here are just some of the many scams you need to be aware of, so you can start protecting yourself and your information online.

Phishing is one of the most common forms of online scam and uses email as its platform. Phishing is designed to trick you into clicking on malicious links that can result in malware being installed on your computer or device, or to manipulate you into divulging login details for email, social media and bank accounts. This often takes the form of an email that looks like a legitimate and professional communication from a trustworthy source, except for a few small and easy-to-miss details that tell you it’s fake.

Vishing, or “voice phishing attacks”, occurs when fraudsters pose as bank officials or service providers in order to trick people into disclosing personal and sensitive information over the phone, giving criminals access to your bank card details, mobile banking apps and online banking profiles. Your bank will never call you and ask you to share information such as your account details, user name or passwords over the phone.


#cyberfraud | #cybercriminals | Firms to combat cyberattacks and fraud in UAE banking sector


The event in progress in Abu Dhabi on Monday.

Business Bureau, Gulf Today

In a collective effort to promote a secure and stable financial landscape in the UAE, UAE Banks Federation (UBF), in partnership with SWIFT, the leading provider of secure financial messaging services, on Monday hosted the ‘SWIFT Customer Security Programme (CSP)’ conference. The CSP conference, which took place in Abu Dhabi, brought industry experts together to discuss how the widespread implementation of SWIFT CSP can support banks in combating all types of cyberattack threat by equipping them with the information and tools needed to mitigate electronic financial fraud.

SWIFT CSP is an initiative aimed at reinforcing the overall security of the global banking system by improving information sharing throughout the community, enhancing SWIFT-related tools for customers, sharing best practices for fraud detection and enhancing support by third party providers. Through the programme, SWIFT has also recently launched the Customer Security Control Framework (CSCF), which outlines a series of compulsory and advisory security controls for customers, which can help them strengthen and improve cyber security standards across the UAE.

Commenting on the occasion,  AbdulAziz Ghurair, Chairman of UBF, said: “On the back of accelerated technological innovation, the threat of cybercrime has significantly increased over the years, and the localised instances of payment fraud have reiterated the necessity for greater and more extensive partnerships to solve these issues. In line with our commitment to foster a safer and more protected banking environment across the UAE, we are delighted to collaborate with SWIFT to encourage the industry-wide adoption of the SWIFT CSP. Cybercriminals are becoming quickly smarter, and we are developing more sophisticated technologies that are becoming fundamental for banks to implement innovative platforms that promote improved transaction processes and provide relief and security for customers.”

Onur Ozan, Head of the Middle East, North Africa & Turkey, SWIFT, said: “With the Customer Security Programme, SWIFT is reinforcing the security of the entire global banking system. Worldwide, financial institutions are adopting SWIFT’s CSP as attackers prove increasingly determined and cunning. The CSP is delivering tangible results, supporting institutions in stepping up to this growing threat.”

The conference included several discussions focusing on the SWIFT CSP and CSCF initiatives and the profound impact they could have on the finance and banking environment, emphasising the evolution of the payment landscape as a primary reason to adopt stronger security measures.

Meanwhile, a meeting between members of the CEOs Advisory Council of the UAE Banks Federation (UBF) was held in Dubai to discuss recent developments, issues and advancements in the finance and banking sector in the UAE, with a particular focus on Emiratisation.

Directed by AbdulAziz Al Ghurair, Chairman of UBF, the meeting focused on a wide range of topics, including progress on existing UBF programs and initiatives, advances on Emiratisation efforts, findings and results from UBF’s latest Trust Index Survey, and the upcoming Middle East Banking Forum (MEBF) in November 2019.

Speaking on the occasion, AbdulAziz Al Ghurair said: “The astounding amount of change and transformation in the UAE banking industry means it is increasingly necessary for us to regularly hold these meetings, so that we may analyse key strengths, opportunities, and challenges in the sector. For this specific meeting we identified our priorities based on the current happenings in the financial and banking industry, as well as the overall larger economy. The recent announcement of the creation of more than 20,000 jobs for Emiratis in top-tier sectors, including banking, has driven us to focus on Emiratisation efforts within banks, and evaluate ways of working together to enhance the skills and expertise of UAE nationals. Additionally, we are confident that the banking sector will continue progressing and evolving in lieu of the highly positive results from the recently announced Trust Index Survey 2018.”

Distinctively positioned at the centre of the banking industry, which underpins the economy, UBF has a responsibility to support the UAE’s progressive vision to empower society at all levels. Whether it’s addressing the ever-changing challenges in the market, or developing the skills of UAE nationals to increase their recruitment to vital positions in the industry, UBF is continuously working towards a sustainable and diversified economy.

Current plans and initiatives in the banking sector focus on innovation and digitisation, and aim to provide easy access to multiple government and non-government services. From next month, banks will start adopting UAE Pass, a new mobile app which acts as a digital identity and digital signature solution, enabling individuals to conduct financial transactions, upload documents, validate documents and share data. The Emirates Digital Wallet, a tool aimed at promoting financial inclusion and driving a cashless society, is also being developed and will be launched soon.


Importance of #Banking Relationships In #Age of #Hacking


The banking industry is walking a narrow line between providing advanced digital solutions and, at the same time, building a level of personal relationship that doesn’t expose an organization to increased cybersecurity threats.

Recent ransomware attacks demonstrate the global and indiscriminate reach cyber attackers have. So, it is not surprising to see renewed calls for banks to reduce their reliance on technology, and even take certain services offline. That’s the opposite of what your strategy should be.

Yes, there are security and compliance concerns to address, and the digitization of the industry chips away at the personal touch of relationship banking. However, a retreat to manual processes and systems will stunt your efforts to differentiate your products and services. Instead, it is best to leverage technologies that facilitate online one-on-one collaboration with a consumer, while maintaining the same level of security and privacy that a meeting in your office to review confidential documents provides.

In the HuffPost editorial “Mass Hacking: Time To Go Off-Line,” Robert Kuttner, editor of The American Prospect and professor at Brandeis University’s Heller School, makes several arguments for moving banking offline. One is that because vital systems appear unable to withstand the cyber attacks, the best solution is to disconnect them from the internet.


Open #banking holds #promise but #cybersecurity fears loom for #Canadian #banks


As banks work to fortify their cybersecurity defences amidst a growing number of data breaches, they are also exploring the promise of so-called “open banking,” a concept that could finally disrupt the staid financial services industry.

Customers have increasingly moved away from physical branches towards online and mobile apps, but banking has yet to reach its “Uberization” moment, one that breaks down traditional models to usher in new innovations, as Uber has done for the taxi industry.

Open banking — granting third-parties like financial technology startups access to bank data to develop innovative apps — could be such a “game changer,” according to Toronto Dominion Bank’s chief information officer, Jeff Henderson.

All but one of 100 payment executives at major banks globally said they were planning major investments in open banking by 2020, according to an online survey by consulting firm Accenture released last month.

But even as Canadian financial institutions toy with the idea, they’re concerned about the looming risk to consumers’ personal information amid the growing threat of cyberattacks.

The Accenture survey also showed that 50 per cent of respondents said that implementing the emerging concept increases risk.

“There’s no question this is a trend,” TD’s Henderson said.

“(But) I want to make sure that any time we exchange information externally, that is done so in a very controlled and understood manner.”

In these early days, the exact nature of the innovation in the open banking landscape is unclear, said Bob Vokes, managing director of financial services at Accenture in Canada.

“What we’re trying to do in open banking is to create new sets of services off of the banking data, or alternatively, allow you to manipulate your banking information in a different way,” he said.

Open banking allows consumers to share their banking data, which proponents say will spur the creation of new apps and platforms that will make financial transactions easier or develop new use cases.

For example, a consumer could log into one app and see all their financial accounts, from various banks, to get a full picture of their net worth and move funds in real time. Or, geolocation data could be layered over payment data, allowing a consumer to analyze exactly where their money is being spent, while also allowing merchants to offer them location-based rewards.

The buzz around open banking is building just as concerns about cybersecurity mount.

Most recently, Uber announced earlier this month that hackers compromised some 57 million user accounts and Equifax Inc. disclosed in September a cyberattack that compromised the personal information of half of Americans and some 19,000 Canadians.

It also comes as the Bank of Canada once again listed cyber threats as a key vulnerability for the Canadian financial system in its semi-annual review released Tuesday.

“The high degree of financial and operational interconnectedness among financial institutions means that a successful cyber attack against a single institution or a key service provider could spread more widely within the financial system.”

Meanwhile, various jurisdictions are pushing ahead with legislation that would see financial institutions become even more interconnected.

By January 2018, banks in Europe will be required to share proprietary data, in a regulated and secure way, under the U.K.’s Open Banking Standard and Europe’s PSD2 legislations.

Canadian institutions are also jumping on board.

The Competition Bureau said in a report on fintech earlier this month that it is early days “but the potential impact on competition and innovation is promising.”

The Ministry of Finance said in August it is “examining the merits of open banking.”

“Open banking holds the potential to make it easier for consumers to interact with financial service providers and increase competition,” the ministry said in a consultation paper as part of a review of the federal Bank Act.

The Canadian Bankers Association responded to the ministry that while its members are proponents of innovation, they are also concerned about the potential impacts on safety, soundness and stability in Canada’s financial system.

“Canadian banks have devoted very significant resources to creating well-established information security and data warehouses that meet the highest standards worldwide,” the CBA said.

“Any initiative that could undermine this trust would be very problematic for Canadian consumers, financial market participants and the broader economy.”

Vokes says these concerns — as well as questions about whether the bank or the third party is liable if something goes awry — will need to be addressed in legislation.

If additional layers of security protection are put in place, open banking should not raise the level of cybersecurity risk, he said, adding however, that cyberattackers are becoming more sophisticated as well.

“Innovation isn’t just the purview of fintechs,” he said.

“As we continue to innovate, fraud and criminal enterprises are also innovating.”


Hackers #Attack Global #Banks with Just Found ‘Silence’ #Banking #Trojan


A new banking Trojan has been detected that employs techniques resembling those used by Carbanak. The Trojan has been targeting financial institutions, mostly in Russia.

According to security researchers from Kaspersky Lab, the new Trojan, called “Silence”, is used to acquire persistent access to a bank’s internal network while it makes video recordings of bank employees’ computer activity, identifies the software they use and learns the bank’s operational procedures. Once equipped with this knowledge, the attackers controlling the malware use it to take cash out of the banks’ customer accounts. posted this, November 1, 2017.

By monitoring victims’ activities in the bank, the attackers gather all the details they need to move through the bank’s network and escape unnoticed with stolen money. The victims receive an e-mail containing a malicious attachment masquerading as ‘Windows help.’ The attachment is a CHM file with embedded JavaScript that downloads and runs a Visual Basic script, which in turn pulls down the Trojan installer from its command-and-control (C&C) server.

The researchers state that the operators of ‘Silence’ are probably a Russian-speaking group that has targeted no fewer than ten financial institutions, some in Malaysia and Armenia, although the majority are in Russia. This is unlike most Russian cyber-criminals, who usually avoid attacking domestic targets.

Like Carbanak, Silence first dupes victims with spoofed e-mails that give the hackers entry into the network. The hackers then wait for as long as they need to gather the information required to strike and steal large amounts of funds.

The spoofed e-mails are highly personalized spear-phishing messages. Kaspersky researchers point out that the hackers had previously compromised banking infrastructure so that they could send the malicious messages from the e-mail accounts of genuine bank employees, making the e-mails appear inconspicuous to the victims.

The Carbanak gang was also discovered by Kaspersky Lab, back in 2015. According to a report at the time, the infamous hackers managed to steal up to $1 billion from over a hundred banks globally.
