
The Fake E-Shop Scam Campaign Sweeping Southeast Asia, Seizing Users' Banking Details


In recent years, cybercriminals have been increasingly employing sophisticated tactics to target individuals and organizations across the globe. One such alarming trend is the proliferation of fake e-shop scam campaigns, particularly prevalent in Southeast Asia. 

These campaigns, characterized by their deceptive methods and malicious intent, pose significant threats to cybersecurity and personal privacy. The emergence of the fake e-shop scam campaign targeting Southeast Asia dates back to 2021, with a notable surge in activity observed by cybersecurity researchers in September 2022. 

Initially concentrated in Malaysia, the campaign swiftly expanded its operations to other countries in the region, including Vietnam and Myanmar. This expansion underscores the growing sophistication and reach of cybercriminal networks operating in Southeast Asia. At the heart of these malicious campaigns are phishing websites designed to deceive unsuspecting users. 

These websites often masquerade as legitimate e-commerce platforms or payment gateways, luring victims into providing sensitive information such as login credentials and banking details. Once users are enticed to visit these fraudulent sites, they are exposed to various forms of malware, including malicious Android applications packaged as APK files. 

The modus operandi of the attackers involves social engineering tactics, with cybercriminals leveraging popular communication platforms like WhatsApp to initiate contact with potential victims. By impersonating cleaning services or other seemingly innocuous entities on social media, the perpetrators exploit users' trust and curiosity, leading them to engage in conversations that ultimately result in malware infection. 

The malware deployed in these fake e-shop scam campaigns is multifaceted and constantly evolving to evade detection and maximize its impact. Initially focused on stealing login credentials for Malaysian banks, including prominent institutions like Hong Leong, CIMB, and Maybank, the malware has since incorporated additional functionalities. These include the ability to take screenshots, exploit accessibility services, and even facilitate screen sharing, granting the attackers unprecedented control over infected devices. 

Furthermore, the attackers have demonstrated a keen understanding of the linguistic and cultural nuances of their target regions. In Vietnam, for example, the campaign specifically targeted customers of HD Bank, employing phishing websites tailored to mimic the bank's online portal and language. Similarly, in Myanmar, the attackers utilized Burmese language phishing pages to enhance the credibility of their schemes among local users. 

The implications of these fake e-shop scam campaigns extend beyond financial losses and reputational damage. They represent a direct assault on user privacy and cybersecurity, with far-reaching consequences for individuals and businesses alike. The theft of sensitive personal and financial information can lead to identity theft, unauthorized transactions, and even ransomware attacks, resulting in significant financial and emotional distress for victims. 

In response to these evolving threats, cybersecurity experts emphasize the importance of proactive measures to safeguard against malicious activities. This includes exercising caution when interacting with unfamiliar websites or online advertisements, regularly updating antivirus software, and staying informed about emerging cybersecurity threats. 

Ultimately, combating the scourge of fake e-shop scam campaigns requires collective action and collaboration among stakeholders across the cybersecurity ecosystem. By raising awareness, implementing robust security measures, and fostering a culture of cyber resilience, we can mitigate the risks posed by these insidious threats and protect the integrity of our digital infrastructure.

Nigel Farage Controversy Results in Hundreds of NatWest Private Data Requests


Numerous requests for copies of personal data have been made to NatWest Bank under the provisions of data protection regulations. 

It unfolded after a dispute between the NatWest group and Nigel Farage, a pro-Brexit advocate. According to the former UKIP leader, his account at Coutts, a private bank owned by NatWest, was closed down as a result of his political beliefs. 

It's not apparent if the inquiries were from present or past clients. Mr. Farage received no explanation as to why Coutts decided to cancel his account. 

Subsequently, Mr. Farage asked the bank for a copy of the information they had on him. This is referred to as a subject access request under data protection law. 

He was given a document that had minutes from a meeting in November of the previous year where his suitability as a client was discussed.

It claimed that given his "publicly stated views," keeping Mr. Farage as a customer was inconsistent with Coutts's "position as an inclusive organisation." 

The document further cited Mr. Farage's retweet of a transphobic joke by Ricky Gervais and his relationship with tennis player Novak Djokovic, who is against the Covid vaccine. 

It also cited various instances, such as his likening of Black Lives Matter demonstrators to the Taliban and his description of the RNLI as a "taxi-service" for unauthorised immigrants, to raise red flags. 

Coutts was also concerned about the reputational danger of having Mr Farage as a customer. NatWest CEO Dame Alison Rose has since apologised for the "deeply inappropriate" remarks. 

On Thursday, Mr Farage claimed that thousands of other people's accounts had been terminated by NatWest, and invited them to file their own subject access requests. 

According to the BBC, the bank has seen an uptick in such requests. The figures are likely to be in the hundreds rather than thousands. It is unknown how many persons who made the requests had their accounts closed.

Preinstalled ‘Guerrilla’ Malware Infects Millions of Smartphones Worldwide


Security experts have made the alarming discovery that preloaded 'Guerrilla' malware has been disseminated on millions of smartphones globally. Once embedded in the device, this sneaky type of malware grants attackers unrestricted access to private user data, potentially resulting in privacy violations and financial loss.

The Guerrilla malware, also known as the Triada trojan, is one of the most advanced and persistent mobile threats to date. It was first identified by Kaspersky researchers, who found it embedded in the firmware of various Android devices. This preinfection tactic makes it extremely difficult for users to detect and remove the malware, as it resides deep within the device's system files.

The Lemon Group, a notorious cybercriminal organization, is believed to be behind the distribution of these infected smartphones. They capitalize on unsuspecting users who unknowingly purchase devices already compromised with the Guerrilla malware. Once activated, the malware acts as a backdoor, allowing the cybercriminals to remotely control the device, intercept communications, and steal sensitive information such as login credentials, banking details, and personal data.

The implications of this preinfection tactic are profound. Users are left vulnerable, unaware that their devices have been compromised from the moment they start using them. Even performing a factory reset or flashing the firmware does not guarantee the complete removal of the malware, as it can persist in the device's system files.

To make matters worse, many of these infected devices are sold in regions with limited cybersecurity awareness and infrastructure, making it even more challenging to address the issue effectively. The impact extends beyond individual users to businesses and organizations that may unwittingly integrate these compromised devices into their networks, potentially exposing sensitive corporate data to cybercriminals.

The discovery of millions of smartphones distributed with preinstalled Guerrilla malware underscores the urgent need for stronger security measures throughout the supply chain. Smartphone manufacturers must implement rigorous security checks to ensure that their devices are free from malware before they reach the market. Additionally, users should exercise caution when purchasing devices, opting for reputable sellers and performing regular security scans on their devices.

The battle against preinstalled malware requires collaboration between smartphone manufacturers, cybersecurity researchers, and law enforcement agencies. By sharing intelligence and implementing proactive measures, it is possible to mitigate the impact of this growing threat and protect users from the dangers of preinstalled malware.

Guerrilla spyware that comes preinstalled on millions of cellphones poses a serious threat to consumer security and privacy. Users, manufacturers, and the cybersecurity community must all exercise vigilance and be proactive in addressing this sneaky danger due to the clandestine nature of this malware. We can only protect our digital life and maintain the integrity of our cellphones by working together.

Thousands of Users Impacted in Revolut Data Breach


Financial technology firm Revolut has suffered a massive data breach that may have allowed hackers to access the private details of over 50,000 users. 

The fintech giant, which has a banking license in Lithuania, described the assault as “highly targeted” and stated the hacker only had access to 0.16% of customers’ data for a “short period” of time. 

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut spokesperson Michael Bodansky explained. “To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”  

However, according to Revolut’s breach disclosure to the authorities in Lithuania, the firm says nearly 50,150 global customers, including 20,687 in the European Economic Area (EEA) and 379 Lithuanian citizens, may have been impacted by the data breach. The leaked data includes names, postal and email addresses, telephone numbers, partial card details, and bank account information.  

Soon after the attack, multiple Revolut users complained regarding obscene texts received via the application’s chat feature. Some customers also reported getting text messages directed to a Revolut phishing website. It’s unclear if these events are related to the breach. 

In its data breach notification to affected users, Revolut warned impacted users to be on high alert for follow-on phishing and fraud scams using leaked details. 

“Cyber-criminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation,” the company warned users. 

“Malicious persons and fraudsters may try, using the publicized information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.” 

According to Forbes, London-based Revolut is the UK’s most valuable fintech startup, currently valued at $33 billion. It has over 20 million customers in 200 nations but is most popular in Europe and the UK. The app-based bank was established in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.

Cybercriminals Employ Malicious Shopping Apps to Exfiltrate Banking Data of Malaysian Users


Cybercriminals have been distributing malicious applications disguised as legitimate shopping apps to steal financial data belonging to customers of eight Malaysian banks. Earlier this week, on Wednesday, researchers at Slovak security firm ESET shared new research describing three separate apps targeting Malaysian customers. 

First discovered in November 2021, the malicious campaign began by distributing a fraudulent app pretending to be Maid4u, a legitimate-looking cleaning service brand. The cybercriminals responsible designed a website with an identical name -- a methodology known as typosquatting -- and attempted to trick users into downloading the malicious Maid4u app. To make the website appear legitimate, the attackers even used paid Facebook ads. 

Earlier this year in January, MalwareHunterTeam found three other malicious websites employing the same technique, and the campaign is still ongoing. ESET has since spotted another four malicious websites that mimic legitimate cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia. 

The malicious websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons redirects users to rogue servers under the attackers’ control. To succeed, this malicious campaign requires the intended victims to enable the non-default “Install unknown apps” option on their devices. 

Subsequently, the victims are presented with payment options, such as credit cards or transferring the required amount from their bank accounts. After choosing the direct transfer option, victims are presented with a fake FPX payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. 

When users submit their bank credentials, the credentials are sent to the attacker's command-and-control (C2) server and the victim is then shown an error message. "To make sure the threat actors can get into their victims' bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank," the ESET researcher Lukáš Štefanko explained. 

"While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on," Štefanko added. "At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future."

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data


Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020. Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems. 

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list 
• Change the signal string for the getdents64 hook 
• Add a network filter (format p) 
• Remove a network filter 
• Set the current thread TTY to not be filtered by the getdents64 hook 
• Set all TTYs to be filtered by the getdents64 hook 
• Display the current configuration 

Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions. 

Caketap intercepts data on its way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. 

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks. 

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.

Mekotio Banking Trojan Resurfaces with Tweaked Code


On November 3, Check Point Research (CPR) released research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and it's now back with new techniques for evading detection. 

In October, 16 people were arrested across Spain in connection with Mekotio and the Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojan, which was then used to steal banking and financial information. As per local media sources, 276,470 euros were stolen, but 3,500,000 euros worth of transfer attempts were made, which were luckily blocked. 

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests simply delayed the transmission of the malware across Spain, and the malware is still spreading since the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly rehashed their malware with new characteristics aimed to prevent detection after the arrests were revealed by the Spanish Civil Guard. 

The infection vector of Mekotio has remained the same: phishing emails containing either links to malicious code or the malicious code itself, with the payload delivered in an attached ZIP archive. However, an examination of more than 100 recent attacks indicated the use of a simple obfuscation approach and a substitution cipher to avoid detection by antivirus software. 

In addition, the developers have included a redesigned batch file with numerous levels of obfuscation, a new PowerShell script that runs in memory to conduct malicious actions, and the use of Themida, a legitimate commercial protector designed to prevent cracking and reverse engineering, to safeguard the final Trojan payload. 

Mekotio attempts to exfiltrate login credentials for banks and financial services once it has been installed on a vulnerable machine and will send them to a command-and-control (C2) server controlled by its operators. 

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."