2015 fraudulent cyber attacks resolved

2.2.2016 Research TM News

The world is changing fast, the digital economy is growing and the number of digital payments is increasing. We at ThreatMark successfully managed to solve many fraudulent cyber attacks in 2015.

We also found unweaponized / piloted threats that will emerge in large scale in 2016 against selected organisations and their clients.

Here we give our account of the most interesting attacks of 2015 and reveal how some potential attackers may trigger their fraudulent campaigns in 2016.

We have mostly solved two major cyber fraud vectors which attackers use: fraudulent malware driven attacks and social engineering driven attacks.

Fraudulent Malware driven attacks

  • Breaking two factor authentication (SMS, Certificate/PKI in file, RSA token)
  • Mobile financial malware attempting to tamper with Mobile banking applications
  • Financial Malware Injecting into a targeted bank site
  • Financial Malware Injecting into a third-party site (e.g. Freemails, Social networks)

The hard truth is that for modern financial malware it is easier to abuse a certificate stored in a file or an RSA token than a second factor delivered as an SMS to a phone that is separate from the computer platform (PC).

We can also distinguish two classes of financial malware by how they move from the fraudulent transaction to a persistent state. Some malware strains use a “hit and run” webinject mechanism, whilst other strains manipulate the account and the payment amounts: the fraudulent amounts are transferred silently underneath the visible values that the banking user authorizes, and in turn the values shown back to the client are the ones they entered. This makes the fraud take longer for victims to spot and gives fraudsters a longer cash-out period.
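One server-side mitigation for the silent amount swap described above, as an added example that is not ThreatMark's code: the out-of-band confirmation is bound to the transaction the server actually received, so the SMS echoes the real payee and amount and the code stops working if the stored transaction changes afterwards. SERVER_SECRET, the account identifiers and the amounts are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder secret; a real deployment uses per-customer key material.
SERVER_SECRET = b"example-secret-not-for-production"


def canonical(tx: dict) -> bytes:
    """Serialise exactly the fields a webinject would want to swap."""
    return f"{tx['payee']}|{tx['amount']:.2f}|{tx['currency']}".encode()


def issue_challenge(tx: dict) -> tuple:
    """Build the SMS for the transaction the *server* received.

    The code is an HMAC over a nonce plus the canonical payee/amount, so it is
    only valid for these values. The message echoes them back, which is what
    lets the user notice that the browser displayed something else.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, nonce.encode() + canonical(tx), hashlib.sha256)
    code = mac.hexdigest()[:6]  # short enough to type; rate-limit attempts server-side
    sms = (f"Pay {tx['amount']:.2f} {tx['currency']} to {tx['payee']}? "
           f"Code {code}. Do not confirm if these values differ from what you entered.")
    return nonce, code, sms


def verify(tx: dict, nonce: str, code: str) -> bool:
    """Recompute over the transaction about to be executed.

    If the stored transaction was altered after the challenge was issued, the
    recomputed code no longer matches and the payment is rejected.
    """
    mac = hmac.new(SERVER_SECRET, nonce.encode() + canonical(tx), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest()[:6], code)


def silent_swap_scenario() -> dict:
    """Constructed scenario: user enters 100 EUR to ACC-A, malware submits 5000 EUR to ACC-B."""
    intended = {"payee": "ACC-A", "amount": 100.0, "currency": "EUR"}
    submitted = {"payee": "ACC-B", "amount": 5000.0, "currency": "EUR"}
    nonce, code, sms = issue_challenge(submitted)
    return {
        "sms_reveals_swap": "5000.00" in sms and "ACC-B" in sms,
        "submitted_verifies": verify(submitted, nonce, code),
        "mismatched_tx_rejected": not verify(intended, nonce, code),
    }
```

The echo in the SMS only helps if the phone is a separate device from the infected PC; on a compromised mobile the text itself can be hidden or rewritten.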

Social Engineering driven attacks

Social engineering, generally, is the approach of tricking people into breaking their own security and payment procedures, and currently uses these most notable methods:

  • traditional phishing approach
  • leveraging social networks
  • malware as part of a fraudulent scheme
  • a fake call center masquerading as a legitimate business
  • Remote Administration Tool abuse

A special case of social engineering uses Remote Administration Tools together with screen rewriting malware, all orchestrated by a social engineering oriented operator.

New threats to Digital Business

We have solved several cases where an unlicensed “payday loan company” repeatedly asked for and obtained clients’ authentication information and then accessed the clients’ accounts to perform balance checks using financial malware components. Account takeovers were identified even without active or fraudulent transactions present. The footprint of the attack was hundreds of Digital clients affected during a one-month period. Imagine what might have happened if the unlicensed company or its attacker had changed their mind and transferred funds instead of simply spying on them.

This also raises the question of what risk such “overlay providers” pose to the whole of the Digital Business affected.

So the most important lesson we learned in 2015 was that in protecting a “Digital Client”, their Security, Experience, Loyalty and Behavior, taken together, are the most important asset we have to protect via neXtGEN Cybersecurity approaches. This set of components is known as Digital Identity Sensing.

Is someone herding your sheep? Where is the thin red line? Is it between obtaining the first and the second authentication factor? Or is it at the attacker’s decision “to check, or to steal (perhaps already done by now)”? Do you paint your own lines, or are you playing in someone else’s playground, playing their game?