Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Bank Data. Show all posts

Hacker Subscription Service Exposes 600,000 Bank Card Details

 

A disturbing new hacker subscription service has emerged, offering access to 600,000 stolen bank card details for a fee of just £120. This service, identified by cybersecurity researchers from Flare, is named “Breaking Security” and allows its subscribers to exploit stolen bank card information for various illicit activities, including unauthorized transactions and identity theft. 

The service provides subscribers with detailed information about the compromised cards, including card numbers, expiration dates, and CVV codes. This data enables hackers to make online purchases or even clone the cards for physical transactions. The subscription service’s affordability and extensive database make it particularly dangerous, as it lowers the barrier for individuals seeking to engage in cybercrime. Flare’s researchers have highlighted the significant threat posed by Breaking Security, noting that such services are part of a growing trend in the cybercrime industry. These services make it easier for less technically skilled individuals to access sophisticated tools and data, leading to a rise in cybercrimes. 

The availability of such a service underscores the evolving nature of cyber threats and the increasing sophistication of criminal networks. Authorities are currently investigating Breaking Security to identify and apprehend the perpetrators behind the service. Law enforcement agencies are working to mitigate the impact on the affected individuals and prevent further exploitation of the stolen card data. The investigation is focused on tracking down the source of the data breach and the infrastructure supporting the subscription service. This incident highlights the critical importance of robust cybersecurity measures for both individuals and organizations. 

For individuals, it is crucial to regularly monitor bank statements for unauthorized transactions and to use security features such as two-factor authentication wherever possible. Organizations, on the other hand, must invest in comprehensive security solutions to protect sensitive data and detect breaches promptly. The emergence of Breaking Security also points to a broader issue within the cybercrime ecosystem. As long as there is a market for stolen data, cybercriminals will continue to find innovative ways to monetize their activities. 

This calls for a coordinated effort between law enforcement, cybersecurity experts, and financial institutions to dismantle such operations and safeguard against future threats. In conclusion, the discovery of the Breaking Security subscription service represents a significant threat to financial security and privacy. The service’s ability to provide extensive access to stolen bank card details for a relatively low cost is alarming. It underscores the need for enhanced vigilance and proactive measures to combat the growing menace of cybercrime. 

As investigations continue, it is essential for individuals and organizations to remain vigilant and take necessary steps to protect themselves from such sophisticated threats.

New Web Injection Malware Campaign Steals Bank Data of 50,000 People


In a new finding, it has been revealed that the malware campaign that first came to light in March 2023 has used JavScript web injections in an attempt to steal data from over 50 banks, belonging to around 50,000 used in North America, South America, Europe, and Japan. 

The malware was first discovered by IBM’s security team, where the researchers noted that the threat actors have been preparing for the campaign since December 2022, after buying the malicious domains.

The attacks used scripts that were loaded from the attacker's server to intercept user credentials and one-time passwords (OTPs) by focusing on a particular page structure that is shared by numerous institutions.

The attackers can access the victim's bank account, lock them out by altering security settings, and carry out illicit transactions by obtaining the aforementioned information.

A Stealthy Attack Chain

The attack begins when the threat actors infect the victim’s device with the malware. While IBM’s report did not specify the details of this stage, it is more likely that this is done through malvertizing, phishing emails, etc. 

The malicious software inserts a new script tag with a source ('src') property pointing to an externally hosted script once the victim visits the malicious websites of the attackers. 

On the victim's browser, the malicious obfuscated script is loaded to change the content of webpages, obtain login credentials, and intercept one-time passcodes (OTP).

IBM found this extra step unusual since most malware can perform web injections directly on the web page.

It is also noteworthy to mention that the malicious script uses names like cdnjs[.]com and unpkg[.]com to mimic authentic JavaScript content delivery networks (CDNs) in an attempt to avoid detection. Moreover, the script verifies the existence of particular security products before execution. 

Also, the script tends to continuously mend its behaviour to the command and control server’s instructions, sending updates and receiving specific outputs that guide its activity on the victim’s device. 

A "mlink" flag set by the server controls its various operational states, which include injecting phone number or OTP token prompts, displaying error warnings, or mimicking page loading as part of its data-stealing tactic. 

IBM notes that nine “mlink” variable values can be combined to instruct the script to carry out certain, distinct data exfiltration activities, indicating how a wide range of commands is being supported. 

According to IBM, this campaign is still a work in progress, thus the firm has urged online users to use online banking portals and apps with increased caution.  

The DLBI Expert Called the Cost of Information about the Location of any Person

Ashot Oganesyan, the founder of the DLBI data leak intelligence and monitoring service, said that the exact location of any Russian on the black market can be found for about 130 dollars. 

According to him, this service in the illegal market is called a one-time determination of the subscriber's location. Identification of all phones of the client linked to the card/account using passport data costs from 15 thousand rubles ($200). 

"The details of the subscriber's calls and SMS for a month cost from 5 thousand ($66) to 30 thousand rubles ($400), depending on the operator. Receiving subscriber data by his mobile phone number cost from 1 thousand rubles ($13)", he added. 

Mr. Oganesyan said that fixing movement on planes, trains, buses, ferries, costs from 1.5 thousand ($20) to 3 thousand rubles ($40) per record. Data on all issued domestic and foreign passports will cost from 900 ($12) to 1.5 thousand rubles ($20) per request. Information about crossing the Russian border anywhere and on any transport costs from 3 thousand rubles ($40) per request, Ashot Oganesyan clarified, relying on the latest data on leaks. 

According to him, both law enforcement agencies and security services of companies are struggling with leaks, but only banks have managed to achieve some success. The staff of mobile network operators, selling data of calls and SMS of subscribers, are almost weekly convicted, however, the number of those wishing to earn money is not decreasing. 

The expert noted that under the pressure of the Central Bank of Russia and the constant public scandals, banks began to implement DLP systems not on paper, but in practice, and now it has become almost impossible to download a large amount of data unnoticed. As a result, today it is extremely rare to find a database with information about clients of private banks for sale. 

However, another problem of leakage from the marketing systems of financial organizations has emerged. The outsourcing of the customer acquisition process and the growth of marketplaces have led to information being stored and processed with a minimal level of protection and, naturally, leaking and getting into sales.

Morgan Stanley to Pay $60M to Resolve Data Security Lawsuit

 

Morgan Stanley agreed to pay $60 million in a preliminary settlement of a class-action lawsuit filed against the company on Friday, according to Reuters, for allegedly neglecting to secure customers' personal data before retiring outdated information technology. 

The settlement offer awaits the approval of New York District Judge Analisa Torres. The lawsuit was filed on behalf of around 15 million Morgan Stanley clients in response to two separate occurrences that occurred in 2016 and 2019. 

Morgan Stanley decommissioned two wealth management data centres in the first incident. Before removing the unencrypted computer equipment from the centres, the bank's vendor, Triple Crown, was tasked with deleting or destroying it. Even after it had left the vendor's control, this device was later discovered to contain data. According to Morgan Stanley, the vendor removed the devices and resold them to a third party without permission. 

As part of a hardware refresh programme, the second incident entailed the replacement and removal of branch office equipment. The bank was unable to discover some of these devices, which could have retained previously deleted information on discs in an unencrypted version due to a software error. 

Customers will receive a minimum of two years of fraud insurance coverage as part of the proposed settlement, as well as compensation for up to $10,000 in related out-of-pocket losses. The bank also stated that it would improve its data security procedures. 

Morgan Stanley maintains that there was no wrongdoing on its part, even though it is seeking a settlement. In a move to dismiss the complaint filed in August 2021, the bank said that despite extensive investigations and ongoing surveillance over the years, it has not discovered a single instance of data misuse generated from any of its own sources. Morgan Stanley was fined $60 million in civil penalties in October 2020 for failing to adequately supervise the decommissioning of its data centres in 2016. 

The Office of the Comptroller of the Currency imposed the penalty after discovering that the bank: failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.