Mobile Fraud Soars as Social Sites Help Scammers

By: Phil Muncaster

Phishing continues to dominate the fraud landscape, accounting for nearly half of all attacks, but mobile fraud has jumped 650% over the past three years, according to RSA Security.

The security vendor’s Q1 2018 Fraud Report found phishing to account for 48% of all attacks during the quarter, followed by Trojans (24%) and brand abuse (21%).

The report uncovered a decline in the use of traditional web browsers to conduct fraud, from 62% in 2015 to 35% today, while the share of fraudulent transactions originating from mobile apps has risen from 5% to 39% over the same period.

However, as an attack type, mobile attacks comprised just 6% of the whole, linked to over 8,000 rogue apps in Q1. Some 82% of fraudulent e-commerce transactions spotted by RSA originated from a new device in Q1 2018, indicating the lengths scammers are going to in order to avoid detection.

RSA also confirmed the increasing role of legitimate social networks in unwittingly helping fraudsters to sell their wares.

“Social media provides the perfect control station for cyber-criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces,” explained RSA Fraud & Risk Intelligence Unit director, Daniel Cohen.

More: https://www.infosecurity-magazine.com/news/mobile-fraud-soars-as-social-sites/

New Spectre (Variant 4) CPU Flaw Discovered—Intel, ARM, AMD Affected

By: Swati Khandelwal

Security researchers from Microsoft and Google have discovered a fourth variant of the data-leaking Meltdown-Spectre security flaws impacting modern CPUs in millions of computers, including those marketed by Apple.

Variant 4 comes weeks after German computer magazine Heise reported on a set of eight Spectre-class vulnerabilities in Intel CPUs and a small number of ARM processors, which may also affect the AMD processor architecture.

Variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715), known as Spectre, and Variant 3 (CVE-2017-5754), known as Meltdown, are three processor vulnerabilities disclosed by Google Project Zero researchers in January this year.

Now, Microsoft and Google researchers have disclosed Variant 4 (CVE-2018-3639), dubbed Speculative Store Bypass, which is a similar Spectre variant that takes advantage of speculative execution that modern CPUs use to potentially expose sensitive data through a side channel.

Speculative execution is a core component of modern processor design: the CPU executes instructions ahead of time based on assumptions that are considered likely to be true. If the assumptions turn out to be valid, the speculative results are kept; if not, they are discarded.

However, the speculative-execution design blunders can be exploited by malicious software or apps running on a vulnerable computer, or a nefarious actor logged into the system, to trick the CPU into revealing sensitive information, like passwords and encryption keys, stored in system memory and the kernel.

Unlike Meltdown, which primarily impacted Intel chips, Spectre affects chips from other manufacturers as well.

Spectre and Meltdown Continue to Haunt Intel, AMD, ARM

The latest Variant 4 flaw affects modern processor cores from Intel, AMD, and ARM, as well as IBM’s Power 8, Power 9, and System z CPUs—threatening almost all PCs, laptops, smartphones, tablets, and embedded electronics regardless of manufacturer or operating system.

The Speculative Store Bypass attack has so far been demonstrated only in a “language-based runtime environment.” The most common use of such runtimes, like JavaScript, is in web browsers, but Intel has not seen any evidence of successful browser-based exploits.

Linux distro giant Red Hat has also provided a video outlining the new Spectre flaw, alongside publishing a substantial guide.

DNS-Hijacking Malware Targeting iOS, Android and Desktop Users Worldwide

By: Swati Khandelwal

The widespread router DNS-hijacking malware recently found targeting Android devices has now upgraded its capabilities to target iOS devices as well as desktop users.

Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users’ login credentials and the secret code for two-factor authentication.

According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened its targets by adding phishing attacks for iOS devices and a cryptocurrency mining script for PC users.

Moreover, while the initial attacks were designed to target users in South East Asia, including South Korea, China, Bangladesh and Japan, the new campaign now supports 27 languages, expanding its operations to infect people across Europe and the Middle East.

How the Roaming Mantis Malware Works

Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of wireless routers to redirect traffic to malicious websites under their control.

So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serve:

  • fake apps infected with banking malware to Android users,
  • phishing sites to iOS users,
  • sites with a cryptocurrency mining script to desktop users.

“After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk),” researchers say.

To evade detection, the fake websites generate new packages in real time, with a unique malicious APK file for each download, and also name the file with eight random digits.
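As an added example (not from the article or from Kaspersky), the two naming traits described above give a defender something concrete to hunt for in web proxy logs: APK downloads named `chrome.apk` or `facebook.apk`, or named with exactly eight digits. The log format, hostnames and client addresses below are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2018-05-21T09:14:02Z 192.0.2.10 GET http://www.example.org/index.html 200
2018-05-21T09:14:07Z 192.0.2.10 GET http://198.51.100.23/chrome.apk 200
2018-05-21T09:15:31Z 192.0.2.11 GET http://198.51.100.23/dl/38471092.apk 200
2018-05-21T09:16:03Z 192.0.2.12 GET https://play.google.com/store/apps/details?id=com.android.chrome 200
2018-05-21T09:17:44Z 192.0.2.13 GET http://198.51.100.24/facebook.apk 200
2018-05-21T09:18:10Z 192.0.2.14 GET http://cdn.example.net/release/myapp-1.2.apk 200
"""

# Package names the article reports for the fake "browser update" downloads.
LURE_NAMES = {"chrome.apk", "facebook.apk"}
# The article says per-download packages are named with eight random digits.
RANDOM_NAME = re.compile(r"^\d{8}\.apk$")

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_download(url):
    """Return a reason string if the URL matches the Roaming Mantis APK pattern, else None."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    if not name.endswith(".apk"):
        return None
    if name in LURE_NAMES:
        return "lure filename " + name
    if RANDOM_NAME.match(name):
        return "eight-digit APK name " + name
    return None


def find_suspicious(log_text):
    """Parse proxy log lines and return (client, url, reason) for each suspect APK download."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _method, url, _status = m.groups()
        reason = classify_download(url)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in find_suspicious(SAMPLE_LOG):
        print(f"{client} {url}: {reason}")
```

A hit from an address that is not the vendor's own distribution channel is a prompt to check the DNS settings configured on that client's router.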

More: https://thehackernews.com/2018/05/routers-dns-hijacking.html

Potential Spy Devices Which Track Cellphones, Intercept Calls Found All Over D.C., Md., Va.

By: Jodie Fleischer, Rick Yarborough and Jeff Piper

The technology can be as small as a suitcase, placed anywhere at any time, and it’s used to track cell phones and intercept calls.

The News4 I-Team found dozens of potential spy devices while driving around Washington, D.C., Maryland and Northern Virginia.

“While you might not be a target yourself, you may live next to someone who is. You could still get caught up,” said Aaron Turner, a leading mobile security expert.

The device, sometimes referred to by the brand name StingRay, is designed to mimic a cell tower and can trick your phone into connecting to it instead.

The News4 I-Team asked Turner to ride around the capital region with special software loaded onto three cell phones, with three different carriers, to detect the devices operating in various locations.

“So when you see these red bars, those are very high-suspicion events,” said Turner.

If you live in or near the District, your phone has probably been tracked at some point, he said.

A recent report by the Department of Homeland Security called the spy devices a real and growing risk.

And the I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City. The I-Team got picked up twice while driving along K Street — the corridor popular with lobbyists.

“It looks like they don’t consider us to be interesting, so they’ve dropped us,” Turner remarked looking down at one of his phones.

More: https://www.nbcwashington.com/investigations/Potential-Spy-Devices-Which-Track-Cellphones-Intercept-Calls-Found-All-Over-DC-Md-Va-482970231.html

Email No Longer a Secure Method of Communication After Critical Flaw Discovered in PGP

By: Matt Novak

If you use PGP or S/MIME for email encryption you should immediately disable it in your email client. Researchers have discovered a critical vulnerability they’re calling EFAIL that exposes the encrypted emails in plaintext, even for messages sent in the past.

“Email is no longer a secure communication medium,” Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, told the German news outlet Süddeutsche Zeitung.

The vulnerability was first reported by the Electronic Frontier Foundation (EFF) in the early hours of Monday morning, and details were released prematurely just before 6am ET today after Süddeutsche Zeitung broke a news embargo. The group of European researchers is warning people to stop using PGP entirely and says that “there are currently no reliable fixes for the vulnerability.”

From the researchers:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.
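The defence implied by the researchers' description is to stop the client from loading external content when it renders a decrypted body. As an added example (not from the article or the EFAIL researchers), the scanner below lists every remote resource an HTML body would cause the client to fetch, so a client can refuse to render it; the hostnames and sample body are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a mail client fetch a remote resource while rendering.
REMOTE_ATTRS = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
                ("video", "src"), ("audio", "src"), ("source", "src"), ("input", "src")}
# url(...) references inside CSS, e.g. background:url(https://...).
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


def _is_remote(url):
    return urlsplit(url.strip()).scheme.lower() in ("http", "https")


class ExternalContentFinder(HTMLParser):
    """Collect every URL the HTML would cause the client to request over the network."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in REMOTE_ATTRS and _is_remote(value):
                self.urls.append(value)
            elif name == "style":  # inline CSS on any element
                self.urls.extend(u for u in CSS_URL.findall(value) if _is_remote(u))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> blocks can pull remote stylesheets and images too
            self.urls.extend(u for u in CSS_URL.findall(data) if _is_remote(u))


def external_urls(html):
    parser = ExternalContentFinder()
    parser.feed(html)
    parser.close()
    return parser.urls


def safe_to_render(html):
    """Policy for a decrypted body: render only if rendering would fetch nothing remote."""
    return not external_urls(html)


# Constructed sample (not from the article): a decrypted body whose remote image URL carries
# message text, an inline style with a remote url(), and a harmless cid: attachment reference.
SAMPLE_BODY = ('<img src="http://collector.example/Meeting moved to 5pm">'
               '<p style="background:url(https://collector.example/css)">Hi</p>'
               '<img src="cid:logo@mail">')

if __name__ == "__main__":
    for url in external_urls(SAMPLE_BODY):
        print("would fetch:", url)
    print("safe to render:", safe_to_render(SAMPLE_BODY))
```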

More: https://gizmodo-com.cdn.ampproject.org/c/s/gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682/amp

MAS warns of rising number of phishing scams targeting bank accounts

By: CNA /hz

SINGAPORE: The Monetary Authority of Singapore (MAS) has advised consumers to “exercise utmost caution” when dealing with emails requesting sensitive information associated with their bank accounts.

In an advisory on Sunday (May 6), MAS said there has been a rising number of “phishing attempts” in the past week.

The scams involved emails purportedly from banks asking customers to update their personal particulars, including information on their bank accounts, online banking user names and passwords.

The advisory comes following a warning from DBS on Thursday of a phishing scheme targeting POSB Bank customers and mimicking the POSB Internet Banking login page.

“Some of the emails claim it is an MAS requirement for bank customers to do so. Customers who receive such emails should not follow the instructions of the senders and should report them promptly to their banks,” MAS said in its advisory.

MAS said it also expected all financial institutions to take action to protect customers and promptly alert them of any phishing activity and remove phishing websites that target their customers.

More: https://www.channelnewsasia.com/news/singapore/mas-warns-of-rising-number-of-phishing-scams-targeting-bank-10207142

Bolton’s Push to Cut Security Post Not Sound

By: Kacy Zurkus

In the aftermath of President Trump pulling out of the Iran nuclear deal, there has been much anticipation of retaliatory cyber-attacks against the US.

With the paramount goal of preparing to defend against potential threats, the news that national security adviser, John Bolton, aims to eliminate the role of special assistant to the president and cybersecurity coordinator has confounded industry leaders.

“The possible changes come as a surprise as Bolton has been considered a supporter of a more vigorous cybersecurity strategy that targets enemies of the U.S.,” Fox News reported 10 May.

Many security experts have expressed concerns over the potential elimination of the cybersecurity coordinator position that was created by former President Obama in 2009 and is currently held by Rob Joyce.

David Ginsburg, Vice President of Marketing at Cavirin, said, “Initial reporting doesn’t mention that the US has just elevated this to a major command, recognizing the severity and potential impact of cyber-warfare and the need to protect the overall cyber-posture of the US.”

“Without clear cooperation and transparency this will continue to grow as a major problem with a possibility of a full cyber-war as retaliation and with no expert in the White House to see through the fog of threats then this could result in a major disaster,” said Joseph Carson, chief security scientist at Thycotic.

Because cybersecurity must be a high priority at all levels, not having a dedicated person focused on the cybersecurity strategy could cause different challenges. “It will send a wrong message to other nations and malicious actors. Anytime you put dedicated focus and a dedicated person with responsibility on any task [it] gets done better and faster,” said Rishi Bhargava, co-founder at Demisto.

More: https://www.infosecurity-magazine.com/news/boltons-push-to-cut-security-post/

Healthcare Prone to Attack, Still Unprepared

By: Kacy Zurkus

The one-year anniversary of WannaCry, the ransomware that disrupted businesses across the globe, is upon us. Since the ransomware attack that impacted an estimated 200,000 computers, new research suggests that organizations across the UK are still struggling to deal with ransomware, none more than those in the healthcare industry.

Over 400 IT decision makers at UK businesses partook in a recently released report from Webroot, which found that a large majority of the respondents (88%) feel better equipped to deal with a ransomware attack. Healthcare organizations are more prone to attacks than other industries, yet 98% of respondents in the healthcare sector said they are better equipped to deal with an attack now than they were one year ago.

That number could indicate a false sense of security, given that 45% of respondents had suffered a ransomware attack. Of those, nearly a quarter (23%) actually paid the ransom. More than half of the healthcare companies polled (52%) admitted to having suffered an attack.

“Organizations still aren’t investing the necessary time and resources in risk mitigation and recovery processes, leaving them with limited options in case of a successful attack. The healthcare industry in particular needs to be very aware of the fact that it is a high-profile target, with valuable data at stake, and take special care to ensure that defenses are in place,” said David Kennerley, director of threat research, Webroot.

In the healthcare sector, multiple attacks hit over one in four (26%) organizations. Of the 400 survey participants, 56% of respondents would consider paying the ransom. That number is smaller for organizations in the healthcare sector, with only 34% saying they would consider paying. Interestingly, only 5% of all those surveyed have stocked Bitcoin should they need to pay a ransom. However, 8% of organizations in the healthcare sector have acquired cryptocurrency.

More: https://www.infosecurity-magazine.com/news/healthcare-prone-to-attack-still/

NSA collected 530 million calls and texts in 2017

By: Doug Olenick

The National Security Agency (NSA) collected more than 530 million phone calls and texts from individuals around the world in 2017, more than three times the number gathered the previous year.

In the Office of the Director of National Intelligence’s fifth annual Statistical Transparency Report Regarding Use of National Security Authorities for Calendar Year 2017, the agency reported having 534.4 million call detail records for the year, up from 151.1 million in 2016. These figures include domestic and foreign numbers and there could be duplicate records included.

The huge uptick in records collected in 2017 is not due to a change in recording methods, but likely because the number of court-approved selection terms, such as phone numbers, and the amount of data the telecoms retain change from year to year, a spokesman for the ODNI told The Hill.

More: https://www.scmagazine.com/nsa-collected-530-million-calls-and-texts-in-2017/article/763974/