Category Archives: EMC

Brazilian ‘Boleto’ Bandits Bilk Billions

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate appears to have netted thieves the equivalent of billions of dollars over the past two years.

A boleto.

At issue is the “boleto” (officially “Boleto Bancario”), a popular payment method in Brazil that is used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s Web site, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a Web-based control panel for a boleto-thieving botnet (see screenshot below); in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.

Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.

The malware also harvests usernames and passwords from victim PCs, credentials that are thought to be leveraged in spreading the malware via spam to the victim’s contacts. RSA said this fraud gang appears to have infected more than 192,000 PCs, and stolen at least 83,000 sets of user credentials.

Administration screen of the Bolware gang shows the original Boleto numbers “Bola Original” and their destination bank “Bola”. Image: RSA

RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds. That’s roughly 7,997 more accounts than were used by the boleto bandits responsible for the diverted transactions in the boleto botnet control panel I discovered.

Researchers at RSA suggest that Brazilians who wish to transact in boletos online should consider using a mobile device to manage their boleto transactions, noting that boleto-thieving malware currently is not capable of altering the data stored in the barcode of each hijacked boleto order — at least for the time being.

“As the malware does not alter the barcode (for now), the safest approach is to use mobile banking applications available on smart phones (for now, immune to this malware) to read the barcode and to make payments,” the company said in its report (PDF) on this crime wave.
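RSA’s advice implies a defender-side cross-check: if the barcode is the trustworthy copy and the typed “linha digitável” is what the malware tampers with, the two can be parsed and compared before payment. The following is an added example, not code from the article or from RSA; it follows the published FEBRABAN boleto layout, and every number in it is constructed (bank codes 999/998 and the payee fields are placeholders).

```python
"""Cross-check a boleto's typed line (linha digitavel) against its barcode. Added example,
not code from the article or RSA; layout per the published FEBRABAN format, samples constructed."""

def mod10(digits):
    """Field check digit: weights 2,1,2,... from the right; sum the digits of each product."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        p = int(ch) * (2 if i % 2 == 0 else 1)
        total += p - 9 if p > 9 else p
    return (10 - total % 10) % 10

def mod11(digits):
    """General check digit over the other 43 barcode digits: weights 2..9 cycling from the right."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def make_barcode(bank, currency, due_factor, amount_cents, free_field):
    """Assemble a 44-digit barcode, inserting the general check digit at position 5."""
    body = f"{bank}{currency}{due_factor}{amount_cents:010d}{free_field}"
    assert len(body) == 43
    return body[:4] + str(mod11(body)) + body[4:]

def parse_barcode(barcode):
    """Parse a 44-digit barcode; reject a bad general check digit."""
    if len(barcode) != 44 or not barcode.isdigit():
        raise ValueError("barcode must be 44 digits")
    if mod11(barcode[:4] + barcode[5:]) != int(barcode[4]):
        raise ValueError("barcode general check digit mismatch")
    return {"bank": barcode[:3], "currency": barcode[3], "due_factor": barcode[5:9],
            "amount_cents": int(barcode[9:19]), "free_field": barcode[19:]}

def parse_linha(linha):
    """Parse the 47-digit typed line: verify its three field digits, then rebuild and verify the barcode."""
    d = "".join(c for c in linha if c.isdigit())
    if len(d) != 47:
        raise ValueError("linha digitavel must be 47 digits")
    f1, f2, f3, dv, f5 = d[:10], d[10:21], d[21:32], d[32], d[33:]
    for f in (f1, f2, f3):
        if mod10(f[:-1]) != int(f[-1]):
            raise ValueError(f"field check digit mismatch in {f}")
    return parse_barcode(f1[:4] + dv + f5 + f1[4:9] + f2[:10] + f3[:10])

def build_linha(barcode):
    """Derive the typed line from a barcode (what a substituted, fully valid boleto looks like)."""
    parse_barcode(barcode)
    fields = (barcode[:4] + barcode[19:24], barcode[24:34], barcode[34:44])
    return "".join(f + str(mod10(f)) for f in fields) + barcode[4] + barcode[5:19]

def same_payment(barcode, linha):
    """True only if barcode and typed line agree on bank, amount and payee data; bad check digits count as a mismatch."""
    try:
        return parse_barcode(barcode) == parse_linha(linha)
    except ValueError:
        return False

# Constructed sample: the boleto the victim meant to pay (R$ 25.00; bank 999 is a placeholder).
GENUINE = make_barcode("999", "9", "6000", 2500, "1234567890123456789012345")
# A fully valid boleto pointing at another bank and payee, as a diverted payment would.
SUBSTITUTED = build_linha(make_barcode("998", "9", "6000", 2500, "5" * 25))
```

Note that the check digits only catch a line that was corrupted without being recomputed; a substituted boleto that is internally valid is detected solely by the comparison against the scanned barcode, which is why the barcode must come from an independent device.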

NC Fuel Distributor Hit by $800,000 Cyberheist

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

Organized cyber thieves began siphoning cash from Mooresville, N.C.-based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

“They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost,” said Jim Mitchell, an adjuster for EMC.

According to J.T. Alexander & Son, the company’s bank – Peoples Bancorp of North Carolina Inc., a state-chartered bank with $1.1 billion in assets and 22 branches across the state — had just upgraded its security system a month prior to the cyberheist. Before the upgrade, the company’s controller had to enter a login ID, password and then enter a six-digit code that was read by an automated system at the bank that would call them.

“Also, it used to be we could only access the bank’s site from my computer,” said Kristie Williams, who works in accounting and finance for J.T. Alexander. “The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”

Peoples Bank did not return calls seeking comment.

These types of cyberheists — in which neither the victim organization nor its financial institution notice the theft for days on end — can be especially costly. It’s difficult to assign blame for such incidents to either the victim or its bank — there were failures on both parts, to be sure — but typically the liability for these breaches lies with the victim. That’s why it’s vitally important for small businesses that wish to bank online to assume they are targets of organized crime and to take the necessary precautions, wherever possible.

If you run a small business and manage your company’s accounts online, please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.

RSA to replace all SecurID tokens – or perhaps not

The internet is abuzz with news that beleaguered security company RSA, which suffered a security intrusion and theft of trade secrets back in March, is offering to replace its customers’ security tokens.

Security tokens are used in two-factor authentication to add additional strength to conventional password-based logins.

The simplest sort of token generates and displays a sequence of pseudo-random numbers, with a new number appearing every minute or so. You enter this ever-changing number as well as, or instead of, your regular password.

The theory behind time-based token authentication is that only your authentication server and the token itself can reproduce the pseudo-random stream. So, if you don’t have possession of the token, you’ll never know the password-of-the-minute.

And if a crook should shoulder-surf or keylog your current token number, it’ll be worthless next time. That should make you much more secure than relying on a password you use over and over again.

But one concern over RSA’s security breach was that some of the trade secrets stolen might allow cybercrooks to work out a token’s pseudo-random number sequence. Of course, this would destroy the very foundations of RSA token security.
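To make the token model concrete, here is the same idea implemented with the open TOTP standard (RFC 6238) rather than RSA’s proprietary SecurID algorithm: an added example, not RSA’s code. The seed is the RFC’s published reference test secret; the token serials and timestamps are constructed.

```python
"""Time-based one-time codes as described above, using the open TOTP standard (RFC 6238).
Added example; not RSA's SecurID algorithm. Seed, serials and times are constructed."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, like a keyfob that changes every 30 seconds or so

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of time steps since the Unix epoch.
    Anyone holding the seed (token or server, or a thief of the seed) computes the same code."""
    return hotp(seed, unix_time // TIME_STEP, digits)

class TokenVerifier:
    """Server side: holds each token's seed, tolerates one step of clock drift,
    and never accepts a time step twice, so a shoulder-surfed or keylogged code is worthless."""

    def __init__(self, seeds: dict):
        self.seeds = seeds    # token serial -> shared seed (the secret the whole scheme rests on)
        self.last_step = {}   # token serial -> last accepted time step

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        now = unix_time // TIME_STEP
        for step in (now, now - 1, now + 1):
            if step <= self.last_step.get(serial, -1):
                continue  # already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(seed, step), code):
                self.last_step[serial] = step
                return True
        return False

# Constructed seed: the RFC 6238 reference test secret, not a real token's seed.
SEED = b"12345678901234567890"
```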

RSA didn’t do itself many favours when it first commented on the breach, playing its cards rather close to its chest and not saying much more about the ongoing security of its tokens than:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

Sadly, RSA’s confidence may have been misplaced, with recent attacks on US defence contractors linked with the compromise of RSA token security.

Under this sort of pressure – and perhaps still reluctant to give away too many technical details for fear of making a bad thing worse – RSA has just announced a free replacement plan for users of its tokens.

That’s going to be a big job. But is it going to be quite as big as PC World suggests when it says that RSA “will replace [SecurID] tokens for any customer that asks”?

RSA’s open letter on the subject isn’t quite as clear-cut.

It looks as though RSA will only replace your tokens for free if you are a customer:

"with concentrated user bases typically focused on protecting intellectual property and corporate networks."

Those sound rather like weasel-words to me. What is a “concentrated user base”? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?

What if you’re a boutique ISP with a webmail service who has taken the extra step of offering selected users two-factor authentication? Is your user base concentrated enough? Are you protecting intellectual property, or just casual chatter?

And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don’t have the same flaws as the old ones?

What do you think? Take part in our poll – and be thankful you’re not working in one of RSA’s call centres or help desks right now!

Strike three: Speculation rises that another US military contractor has been hit by hackers

Fox News is reporting that US military contractor Northrop Grumman may have suffered a hacking attack on its networks.

If true, the defense giant will be joining the likes of L-3 Communications and Lockheed Martin who have both been targeted in recent weeks by cyber attacks.

According to Fox News, Northrop Grumman unexpectedly shut down remote access to its network on May 26th, just five days after Lockheed Martin detected that unauthorised persons had infiltrated its systems.

An anonymous source at Northrop Grumman, which is the US’s second-largest defense contractor, told Fox News that the sudden lockdown was a shock to staff:

"We went through a domain name and password reset across the entire organization. This caught even my executive management off guard and caused chaos. I've been here a good amount of time and they've never done anything this way - we always have advanced notice."

Speculation is rising that what links the L-3, Lockheed Martin and Northrop Grumman security breaches are RSA’s SecurID tokens – devices used by many organisations worldwide to provide two-factor authentication for remote staff.

In March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to their SecurID two-factor authentication products.

RSA, the security division of EMC, hasn’t been forthcoming about the precise details of what was taken when they were hacked – but now that a third military contractor appears to have suffered as a consequence, there will be many firms keen to hear more details of how they should protect themselves.

L-3 defense supplier targeted in RSA SecurID hack attack, report claims

US military contractor L-3 Communications, whose customers include the US Department of Defense, has been named in a news report as having been targeted in attacks by external hackers.

According to reports, L-3 warned 5,000 employees in April about an attempted hack against the company’s network using forged RSA SecurID tokens.

The claim, by Wired magazine, follows news earlier this week that US military giant Lockheed Martin had been subject to its own hacking attack, with RSA SecurID token security once again in the frame.

An anonymous source told Wired that L-3 “uses SecurID for remote employee access to the unclassified corporate network, but classified networks at the company would not have been at risk in the attack.”

RSA Security, a division of EMC, admitted in March that it had been hacked, and that some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

There will obviously be some who will point fingers at China as likely suspects for the probes into the networks of US military suppliers, but until some evidence is made public it’s only going to be speculation.

As RSA has chosen to keep largely schtum about what was taken from them – and we can hardly expect the military contractors to share much detail – your guess is as good as mine right now.

What does seem clear, however, is that stories of hacking into military and government systems have never had a higher profile. Bear that in mind when you read news reports that The Pentagon is working on a Cyber Defense Strategy that could see an internet attack treated as though it were an “act of war”.

US military contractors hacked – possible link with RSA SecurID breach

Hackers have broken into the network of Lockheed Martin and several other US military contractors, according to media reports.

Lockheed Martin has described the attack as “significant and tenacious”.

Blogger Robert Cringely claimed that Lockheed Martin first detected the security breach last weekend (a fact later confirmed by the weapons maker in a press statement). In response to the attack the firm is said to have promptly blocked all remote VPN access to their internal network, and informed over 100,000 users that they would have to change their passwords.

In addition, it’s claimed that all Lockheed personnel with RSA SecurID tokens will be given new tokens.

From the sound of things, Lockheed Martin took swift and sensible action. It was wise of them to take the step of shutting down access to its internal networks as a precaution, once it believed that unauthorised users may have breached its systems.

The mention of RSA SecurID tokens, though, is interesting. They’re the devices used by many companies and organisations to provide two-factor authentication, giving workers a more secure way of proving they are who they say they are than just a username and password.

You may have used something similar when accessing your online bank account – for instance, a keyfob that displays a sequence of numbers that changes every 30 seconds or so.

The reason why this raises eyebrows is that back in March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

However, RSA has never made public details of precisely what kind of data was stolen – leading to speculation that the security of the widely-used SecurID tokens might have been compromised.

Is it possible that whatever information was stolen from RSA helped the hackers break into Lockheed Martin? If that’s the case, that’s worrying news for businesses around the world.

An unnamed source with direct knowledge of the attacks is said to have confirmed to Reuters that other military contractors have also been compromised.

It’s important to realise that all of these companies are victims of a criminal act – the authorities will no doubt be keen to uncover who is behind these attacks, and where they might have originated from. Only time will tell if those questions are ever answered satisfactorily.

Update: Lockheed Martin has now confirmed the attack, claiming that its “systems remain secure; no customer, program or employee personal data has been compromised.”

Press statement from Lockheed Martin

Here’s the meat of the statement by Lockheed Martin about the hack:

On Saturday, May 21, Lockheed Martin (NYSE: LMT) detected a significant and tenacious attack on its information systems network. The company's information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.

Throughout the ongoing investigation, Lockheed Martin has continued to keep the appropriate U.S. government agencies informed of our actions. The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security.

To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security.
