Microsoft Authenticator is a pleasant enough two-factor authentication app. You can use it to generate numeric authentication codes for accounts on Google, Facebook, Twitter, and indeed, any other service that uses a standard one-time password. The login process is straightforward: first you sign in to each site with your username and regular, fixed password, then you use the code generated by the app.
But for Microsoft accounts, Redmond is offering something new: getting rid of that first password and using just the phone to authenticate. With phone-based authentication enabled, after entering your Microsoft Account e-mail address, you'll receive an alert on your phone. From that alert, you can either approve or reject the authentication attempt—no password necessary.
This same approve-or-reject choice on the phone has been offered previously to Microsoft Accounts, but in the past, it still required the use of the fixed password.
Banks always have been a lure for attackers, and while new technologies help to improve client service, they also create additional information security risks.
Cyberattacks on banks frequently start with criminals persuading employees of a financial institution to open specially crafted malware. Positive Technologies expert Timur Yunusov explains below whether it makes sense for banks to ban workplace use of social networks to reduce the risk of such attacks.
Employees: the weak link in security
Most cyberattacks on banking infrastructure rely on social engineering. By smoothly manipulating bank employees in correspondence or conversation, criminals frequently manage to penetrate a bank’s internal network. In the case of a targeted attack directed at many bank employees—we know of attacks targeting 10 to 50 (or even more) employees at the same time—we can safely assume that at least one of them will open malware attached to an email message, thereby infecting that employee’s computer.
Research performed by Positive Technologies demonstrates that information security awareness among employees remains low. Employees often open potentially malicious attachments and act in a way that may jeopardize the security of the company's infrastructure. Unfortunately, awareness is still low at companies where employees undergo information security training.
One of the most effective tools for a hacker is the telephone—in 100 percent of cases with the clients we audited, our testers managed to convince the employee on the other end of the line to open the malicious file they had previously sent, or even to disclose the employee’s user name and password. Bank employees are a weak link in security, and therefore financial institutions have to think about how to reduce the risk of attacks on their staff.
Putting the social network controversy in perspective
Considering all the above, banning workplace use of social networks might seem to be a safe and sensible step. After all, popular online services are another way for attackers to spread malware.
But in reality, social networks are less useful for fraudsters than the phone, for instance. To persuade employees to perform a certain action, attackers first need to create relationships and earn trust. Targeted attacks via social networks are a time-consuming process that usually takes a week or more. Timing is trickier too, since if the attacker sends the malicious software or link when the employee is at home, the malware will infect the employee’s computer, instead of a bank computer.
Sometimes attackers hack the accounts of the target employee’s friends. In this case, success is more likely because people trust their friends more than they trust strangers. But performing this attack at any kind of scale against bank employees via social networks is quite difficult and has no guarantees of success. Overall, emails and phone calls are much more effective for hackers.
To ban or not to ban
Statistics show that employees of financial institutions are at risk and are the logical first target for hackers. Many methods are available to hackers for this purpose, including social networking websites.
But banning use of social networks may actually be counterproductive. After a ban, employees could switch over to other communication methods (for example, email and phone) that are statistically riskier with respect to social engineering.
In addition, outright prohibitions may not work and instead push employees to seek dangerous workarounds. At a minimum, any ban must be reinforced by training to educate employees on the basics of information security.
The more effective and reliable choice for banks and other businesses is to combine security awareness training with use of special protection and attack detection tools, such as security information and event management (SIEM) and web application firewall (WAF) solutions.
If you're using a Web-based third-party recruiter site to look for and apply for jobs, you may want to keep a close eye on the e-mails you get in response. As Steve Ragan of CSO reports, scammers are harvesting information from recruiter sites to offer "flexible" jobs that are in fact criminal undertakings—often posing as executives from the companies where applicants have applied for jobs.
One woman who applied for a job at the paint manufacturer Sherwin-Williams through the site of ZipRecruiter received an e-mail shortly afterward from someone posing as the CEO of the company. The person claimed that the position she had applied for was filled but offered another job as a "personal assistant" for the CEO himself for $500 a week.
"If you accept my offer, I will need you to take charge of my mails pick up and drop off as well as errand running during your spare time outside of work," the e-mail read. "The job is flexible so you can do it wherever you are as long as there is a post office in the area. I will pay for the first week in advance to run errands, and will also have my mails/packages forwarded to a nearby post office where you can pick them from at your convenience."
Did you know that almost anyone with a bit of initiative can break into your systems in minutes – quietly and without leaving a trace? Even when you lock up your servers, apply patches, and use group policies to secure your servers and workstations, it only takes a few minutes for a hacker to gain […]
Section 1. Introduction Regional regulations on data transfers, such as the U.S.-E.U. Privacy Shield framework, have a significant impact on the cross-border moving, use, and protection of personal data. In Asia, one of the major players in the field of ICT, China, is moving towards a more comprehensive regulation of its cyberspace. On 1st of […]
In Part 1 of this article, we looked at the power of memory forensics in enumerating forensically important objects such as PROCESS structures, VAD nodes, and MEMORY mappings. In this article we will see memory forensics enumeration of other forensically important objects. DLL enumeration from memory: DLLs are shared among processes for […]
Most spam, especially the sort that is mass-mailed on behalf of businesses, has quite an impersonal format: spammers create a message template for a specific mailing purpose and often drastically diversify the contents of that template. Generally, these kinds of messages do not personally address the recipient and are limited to common phrases such as “Dear Client”. The most that personal data is ever involved is when the name of the mailbox (or part of it), taken from the email address the spammer holds, is substituted into the message. Any specifics that may help the recipient ascertain whether the message is addressed personally to him or not, for example, an existing account number, a contract number, or the date of its conclusion, are missing from the message. This impersonality, as a rule, attests to a phishing attempt.
Lately, however, we have been noticing an opposite tendency occurring quite often, wherein fraud becomes personalized and spammers invent new methods to persuade the recipient that the message is addressed personally to him. Thus, in the malicious mailing that we discovered last month, spammers used the actual postal addresses of the recipients in messages to make them seem as credible as possible. This information is sold to evildoers as ready-to-use databases with physical addresses (they are frequently offered for sale in spam messages), collected by evildoers from open sources, or obtained by evildoers when hacking email accounts, for example. Of course, cybercriminals will not have very many of these addresses at their disposal (compared to generated addresses), but they are much more valuable.
The way spammers organize their personalized attacks plays an important role as well. In general, messages are mass mailed on behalf of an existing company, while the technical headers of fake messages use the company’s actual details.
There are several ways to use valid details. The most unsophisticated method is spoofing, which is the substitution of technical headers in messages. The headers can easily be set with any mass mailing program. In particular, during the spoofing process, the “From” field contains a real sender address that the fraudsters possess. In this case, spam will be mass-mailed on behalf of the spoofed company, which can stain the company’s reputation quite seriously. Yet, not all technical headers can be substituted when spoofing, and good anti-spam filters will not let these messages through.
Another method entails sending spam from so-called hijacked infrastructure, which is much harder to do technically, as the mail server of the target company has to be hacked. After gaining control over it, an evildoer can start sending messages with legitimate technical headers from any email address owned by the company and on behalf of any employee who works there. At the same time, the fake message looks quite credible for anti-spam filters and freely travels from server to server, as all of the necessary certificates and digital signatures in the header correspond to genuine counterparts. This would result in losses by both the recipient, who takes the bait of the evildoers (network infection and theft of personal data or business information), and the company, whose infrastructure is abused by the evildoers.
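The difference between the two methods above (header spoofing versus sending from hijacked infrastructure) is what a receiving filter can and cannot see. The following Python script is an added example, not part of the original article or of any Kaspersky product: it parses two constructed messages and applies the checks a filter makes on plain spoofing, namely whether the envelope sender (Return-Path) domain matches the From domain and whether the Authentication-Results header records SPF and DKIM passes. The addresses, domains and header values are all constructed for the example.

```python
"""Spoofed-sender header check over constructed messages (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the "From" header claims example-company.com, but the
# envelope sender and the authentication results disagree with it.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@bulk-mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-mailer.example.net; dkim=none
From: "Orders" <orders@example-company.com>
To: recipient@example.org
Subject: Order delivery notification

Your parcel is ready.
"""

# Constructed sample in which envelope, From and authentication results agree,
# which is also what a message sent from hijacked infrastructure looks like.
LEGIT_MESSAGE = b"""\
Return-Path: <orders@example-company.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-company.com; dkim=pass header.d=example-company.com
From: "Orders" <orders@example-company.com>
To: recipient@example.org
Subject: Order delivery notification

Your parcel is ready.
"""


def _domain(addr: str) -> str:
    """Lower-case domain part of an address header value, empty if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _auth_result(auth_header: str, method: str) -> str:
    """Extract the spf= or dkim= result (pass/fail/none) from Authentication-Results."""
    match = re.search(rf"\b{method}=(\w+)", auth_header or "")
    return match.group(1).lower() if match else "none"


def analyse(raw: bytes) -> dict:
    """Return the indicators a filter inspects and a suspicious/not verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    auth = msg.get("Authentication-Results", "")
    spf = _auth_result(auth, "spf")
    dkim = _auth_result(auth, "dkim")

    reasons = []
    if return_path_domain and return_path_domain != from_domain:
        reasons.append("envelope sender domain differs from From domain")
    if spf != "pass":
        reasons.append(f"spf={spf}")
    if dkim != "pass":
        reasons.append(f"dkim={dkim}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "dkim": dkim,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyse(raw))
```

The spoofed sample is flagged on all three indicators, while the second sample passes every check. That second result is the point of the hijacked-infrastructure method described above: when mail leaves the company's own server with its own signatures, header checks of this kind report nothing wrong, and detection has to rely on content, URL reputation and behaviour on the compromised server instead.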
Usually, cybercriminals select small businesses (with up to several dozen employees) as victims for hacking. Owners of so-called parked domains are of particular interest, as parked domains are used by a company without creating a website on these domains.
In the samples detected by us, personalized malicious spam was mass-mailed on behalf of an existing business that was a small company specialized in staff recruitment. The messages contained order delivery notifications that are typical of malicious spam, but also indicated the real postal addresses of the recipients. The messages also contained URLs that were located on legitimate domains and were constantly changing throughout the mailings. If a user navigates to the URL, then malicious software will be downloaded to the user’s computer.
In this way, we may affirm that spam is becoming more personalized and mailings are becoming targeted. With the rising digital literacy of users, this is exactly what evildoers rely upon: it is not so easy to remember all your subscriptions, all your online orders, or where you’ve left your personal data, including addresses. Such an information load calls for the use of smart security solutions and the employment of security measures to protect your “information-driven personality”.
Mirai, the botnet that threatened the Internet as we knew it last year with record-setting denial-of-service attacks, is facing an existential threat of its own: A competing botnet known as Hajime has infected at least 10,000 home routers, network-connected cameras, and other so-called Internet of Things devices.
Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals. The message reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT devices. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.
Joel Abel Garcia, a 35-year-old from the Bronx, New York, became the third member of an alleged ring of automated teller machine "skimmers" to plead guilty today in the US District of New Jersey to the charge of conspiracy to commit bank fraud. Another member of the group—Victor Hanganu, a Romanian citizen living in Bayside, New York—pleaded guilty to the same charge on April 10. Eleven others have been charged in the conspiracy, which targeted PNC and Bank of America ATMs in New Jersey from March 2015 until June of 2016. Another Romanian, Radu Marin, pleaded guilty on March 29.
"According to admissions made in connection with the pleas, Garcia, Hanganu, and others sought to defraud financial institutions and their customers by illegally obtaining customer account information, including account numbers and personal identification numbers," a Department of Justice spokesperson said in a statement made on behalf of federal prosecutors in New Jersey. Garcia was found to be personally responsible for $132,805 in withdrawals using forged ATM cards out of a total of $428,581 over the 15-month period.
Garcia admitted as part of the plea that "he installed 'skimming' devices on the ATMs" belonging to PNC and Bank of America at multiple locations in New Jersey, "including pinhole cameras that recorded password entries and card-reading devices capable of recording customer information encoded on magnetic strips," according to the statement.
Most organizations these days want their information system to be managed as safely as possible. Security Evaluation is the basic step in achieving this goal for any organization, followed by Assurance and Information Security Certification. Security Evaluation is particularly important because of the rapidly changing environment of the information security system or the operation system. […]