
Thread: Online bank fraud - Bank malware, webinjects, etc.

  1. #21 - AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    BGP multiple banking addresses hijacked

    FYI...

    BGP multiple banking addresses hijacked
    - https://isc.sans.edu/diary.html?storyid=16249
    Last Updated: 2013-07-30 00:29:00 UTC - "On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet. Why is this important you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't there. You are still at home and haven't moved at all. All packets that should happily route to you now route elsewhere. Emails sent to you bounce as undeliverable, or are read by other people. Banking transactions fail. HTTPS handshakes get invalid certificate errors. This defeats the confidentiality, integrity, and availability of all applications running in the hijacked address spaces for the time that the hijack is running. In fact this sounds like a nifty way to attack an organization doesn't it? The question then would be how to pull it off and hijack someone else's address?
    The Autonomous System (AS) in question is owned by NedZone Internet BV in the Netherlands. This can be found by querying whois for the AS 25459. According to RIPE this AS originated 369 prefixes in the last 30 days, of these 310 had unusually small prefixes. Typically a BGP advertisement is at least a /24 or 256 unique Internet addressable IPs. A large number of these were /32 or single IP addresses.
    The short answer is that any Internet Service Provider (ISP) that is part of the global Border Gateway Protocol (BGP) network can advertise a route to a prefix that it owns. It simply updates the routing tables to point to itself, and then the updates propagate throughout the Internet. If an ISP announces for a prefix it does not own, traffic may be routed to it, instead of to the owner. The more specific prefix, or the one with the shortest apparent route, wins.
    That's all it takes to disrupt traffic to virtually anyone on the Internet: connectivity and willingness to announce a route that does not belong to you. This is -not- a new attack; it has happened numerous times in the past, and both -malicious- attacks and accidental typos have been the cause.
    The announcements from AS 25459 can be seen at:
    - http://www.ris.ripe.net/mt/asdashboard.html?as=25459
    A sampling of some of the owners of the IP addresses that were hijacked follow:
    1 AMAZON-AES - Amazon.com, Inc.
    2 AS-7743 - JPMorgan Chase & Co.
    1 ASN-BBT-ASN - Branch Banking and Trust Company
    2 BANK-OF-AMERICA Bank of America
    1 CEGETEL-AS Societe Francaise du Radiotelephone S.A
    1 FIRSTBANK - FIRSTBANK
    1 HSBC-HK-AS HSBC HongKong
    1 PFG-ASN-1 - The Principal Financial Group
    2 PNCBANK - PNC Bank
    1 REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION
    Some on the list were owned by that ISP, the prefix size is what was odd about them. The bulk of the IP addresses were owned by various hosting providers..."

    Diagnostic page for AS25459 (NEDZONE-AS)
    - http://google.com/safebrowsing/diagnostic?site=AS:25459
    "... over the past 90 days, 186 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-08-12, and the last time suspicious content was found was on 2013-08-12... we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 60 other site(s)... We found 41 site(s)... that infected 332 other site(s)..."

    Last edited by AplusWebMaster; 2013-08-13 at 02:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
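An added example, not from the ISC diary or this post: a small origin-validation check over constructed route announcements, in the shape a defender would run against RIS-style data, that flags the two patterns the diary describes (a more-specific prefix announced by an AS that does not own the covering block, and announcements smaller than a /24). The expected-origin table, the 64500/64501 origins and the TEST-NET prefixes are constructed; only AS 25459 comes from the diary.

```python
import ipaddress

# Expected origin per prefix (constructed, as loaded from ROA/IRR data):
# 64500/64501 are documentation ASNs on TEST-NET blocks; only AS 25459 is from the diary.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": 64500,      # stands in for a bank's block
    "198.51.100.0/24": 64501,   # stands in for a hosting provider's block
    "203.0.113.0/24": 25459,    # a block legitimately originated by AS 25459
}
# Constructed announcements as a collector such as RIPE RIS would show them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # normal
    ("192.0.2.17/32", 25459),    # /32 carved out of another AS's block
    ("198.51.100.0/25", 25459),  # more-specific from a different origin
    ("203.0.113.5/32", 25459),   # own space, but oddly small prefix
    ("203.0.113.0/24", 25459),   # normal
]
MIN_PREFIXLEN_NORMAL = 24  # the diary's "at least a /24" rule of thumb

def covering_prefix(prefix, expected):
    """Most specific expected prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p in expected:
        cand = ipaddress.ip_network(p)
        if net.version == cand.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best

def classify(prefix, origin_as, expected):
    net = ipaddress.ip_network(prefix)
    cover = covering_prefix(prefix, expected)
    if cover is None:
        return "unknown"  # no baseline for this address space
    if origin_as != expected[str(cover)]:
        # A more-specific announcement wins routing outright; an exact-prefix
        # mismatch still competes on path length, so both are hijacks.
        return "hijack-more-specific" if net.prefixlen > cover.prefixlen else "hijack-same-prefix"
    if net.prefixlen > MIN_PREFIXLEN_NORMAL:
        return "unusually-specific"  # own space, but the size pattern the diary flagged
    return "ok"

def find_alerts(announcements, expected):
    """Every announcement that is not plain 'ok', with its classification."""
    verdicts = [(p, a, classify(p, a, expected)) for p, a in announcements]
    return [v for v in verdicts if v[2] != "ok"]
```

Run against live data, the expected-origin table would come from RPKI ROAs or IRR route objects and the announcements from a route collector feed.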

  2. #22 - AplusWebMaster (Adviser Team)

    Banking Threats: Apollo Campaign

    FYI...

    Banking Threats: The Apollo Campaign
    - http://atlas.arbor.net/briefs/
    Elevated Severity
    October 21, 2013
    The Apollo Campaign targets eastern European banks for man-in-the-browser style attacks which lead to financial theft.
    Analysis: This trend is not new, but it is getting more press. Shylock is another banking threat that has targeted specific regions of the world. Attackers have resource constraints as well, and may be finding that their ROI is enhanced when they target specific regions. This could be due to having some local understanding of the target audience, banking security measures, and the typical end-user security measures that are commonly put into place. Despite having been around for many years, banking trojans continue to be a problem and they continue to innovate. In this case, the threat actors used "Bleeding Life Exploit Pack, Pony Loader, Ann Loader, and ZeuS" to support the operation. Detecting all of these types of threats on the wire and on the host provides many opportunities to intercept this threat at multiple places on the "kill chain".
    Source: http://blog.trendmicro.com/trendlabs...ollo-campaign/


  3. #23 - AplusWebMaster (Adviser Team)

    Neverquest Trojan - Banking Threat

    FYI...

    Neverquest Trojan - Banking Threat
    - http://www.symantec.com/connect/blog...n-older-threat
    4 Dec 2013 - "... Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006... We also got hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address 195.191.56.245 was used as a C&C server by Trojan.Snifula... The Aster Ltd domains Pluss .com .tw and Countdown .com .tw are hosted on the IP address 195.210.47.173. Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3 .net and Facestat .com .tw, are being hosted on the IP address 195.137.188.59, another known C&C IP address for Trojan.Snifula... Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon..."
    * http://www.symantec.com/security_res...112803-2524-99

    - https://www.virustotal.com/en/ip-add...5/information/

    - https://www.virustotal.com/en/ip-add...3/information/

    - https://www.virustotal.com/en/ip-add...9/information/

    Last edited by AplusWebMaster; 2013-12-05 at 00:46.

  4. #24 - AplusWebMaster (Adviser Team)

    Tiny Banker Trojan - targets customers of major banks

    FYI...

    Tiny Banker Trojan - targets customers of major banks ...
    - http://blog.avast.com/2014/09/15/tin...nks-worldwide/
    Sep 15, 2014 - "After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
    > http://blog.avast.com/wp-content/upl.../hsbc_bank.png
    ... How does Tiny Banker work?
    1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
    2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
    3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
    4. If he/she -confirms- the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
    The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.
    > http://blog.avast.com/wp-content/upl...14/09/form.png
    ... Targeted financial institutions:
    Bank of America, Associated Bank, America’s Credit Unions, Etrade Financial Corporation, US bank, Banco de Sabadell, Farmers & Merchants Bank, HSBC, TD Bank, BancorpSouth, Chase, Fifth third bank, Wells Fargo, StateFarm, Regions, ING Direct, M&T Bank, PNC, UBS, RBC Royal Bank, RBS, CityBank, Bank BGZ, Westpack, Scotiabank, United Services Automobile Association
    Screenshots of targeted banks:
    - http://blog.avast.com/wp-content/upl...09/us_bank.png
    ...
    - http://blog.avast.com/wp-content/upl...09/td_bank.png
    ... Conclusion: Keep your software up-to-date. Software -updates- are necessary to patch vulnerabilities. Unpatched vulnerabilities open you to serious risk which may lead to money loss. For more protection, use security software such as avast! Antivirus with Software Updater feature. Software Updater informs you about updates available for your computer..."

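An added example, not from the avast write-up or this post: a baseline comparison of login-form fields that a bank's client-side integrity monitoring could run over the HTML a browser actually rendered, flagging extra fields of the kind the injected Tinba form asks for (SSN, mother's maiden name, card data). The baseline field names, the hint list and both HTML samples are constructed.

```python
from html.parser import HTMLParser

EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf"}  # constructed baseline
# Substrings typical of the identity/payment data the injected form requests.
SENSITIVE_HINTS = ("ssn", "social", "maiden", "card", "cvv", "expir", "pin", "address")

class FormFieldCollector(HTMLParser):
    """Collects the name (or id) of every input/select/textarea on a page."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            name = (a.get("name") or a.get("id") or "").strip().lower()
            if name:
                self.fields.append(name)

def extract_fields(html):
    p = FormFieldCollector()
    p.feed(html)
    return p.fields

def check_login_form(html, expected=EXPECTED_LOGIN_FIELDS):
    """Report rendered fields missing from the baseline and which of those look
    like identity/payment data; 'suspect' is True when any do."""
    unexpected = sorted(set(extract_fields(html)) - set(expected))
    sensitive = [f for f in unexpected if any(h in f for h in SENSITIVE_HINTS)]
    return {"unexpected": unexpected, "sensitive": sensitive, "suspect": bool(sensitive)}

# Constructed samples: the bank's real form, and the same form after a webinject.
CLEAN_FORM = (
    '<form action="/login"><input name="username">'
    '<input type="password" name="password">'
    '<input type="hidden" name="csrf" value="x"></form>'
)
INJECTED_FORM = CLEAN_FORM.replace(
    "</form>",
    '<input name="ssn"><input name="mothers_maiden_name">'
    '<input name="card_number"><input name="billing_address"></form>',
)

if __name__ == "__main__":
    for label, html in (("clean", CLEAN_FORM), ("injected", INJECTED_FORM)):
        print(label, check_login_form(html))
```

In practice the rendered HTML would be collected from a monitoring client or a page-integrity beacon, since the injection happens in the victim's browser and is invisible to the bank's server.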
