12 more banks now being investigated over Bangladeshi SWIFT heist

The investigation into the attempted $1 billion electronic heist at the Bangladesh central bank has expanded to as many as 12 more banks that all use the SWIFT payment network.

Security firm FireEye, which is investigating the hack, has been contacted by numerous other banks, including some in New Zealand and the Philippines. While most of the attempted transfers in the original heist were cancelled, some $81 million was sent to the Philippines and subsequently laundered through casinos. In a statement, the SWIFT organization said that some of these reports may be false positives, and that banks should rigorously review their computing environments to look for hackers.

Symantec, meanwhile, has corroborated earlier claims from BAE Systems that the hackers who stole from the Bangladesh central bank are linked to the hackers who have attacked targets in the US and South Korea since 2009, and who hacked Sony Pictures in 2014. The FBI claimed that those hackers were North Korean. Symantec's rationale is the same as BAE's: malware found at the bank, at Sony, and at other victims all appears to share common code for securely deleting files to cover its tracks.

If Microsoft is banning stupid passwords, why does it still allow “Pa$$w0rd”?

As Microsoft pats itself on the back for its crackdown on easily cracked passwords, keep this in mind: a quick check shows users still have plenty of leeway to make poor choices. Like "Pa$$w0rd" (excluding the quotation marks).

As a Microsoft program manager announced earlier this week, the Microsoft Account Service used to log in to properties such as Xbox Live and OneDrive Azure has been dynamically banning commonly used passwords during the account-creation or password-change processes. Try choosing "12345678," "password," or "letmein"—as millions of people regularly do—and you'll get a prompt telling you to try again. Microsoft is in the process of adding this feature to the Azure Active Directory so enterprise customers using the service can easily stop employees from taking security shortcuts, as well.

But a quick check finds it's not hard to get around the ban. To wit: "Pa$$w0rd1" worked just fine. And in fairness to Microsoft, Google permitted the same hopelessly weak choice.
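
The gap the article describes is the difference between an exact-match ban list and one that normalizes leet substitutions and trailing digits before comparing. The following is an added example of the latter (not Microsoft's or Google's implementation); the banned list and substitution table are constructed stand-ins.

```python
import re

# Constructed stand-in for a banned-password list; a real deployment would load a
# much larger one. This is an added example, not Microsoft's or Google's logic.
BANNED = {"password", "12345678", "letmein", "qwerty", "iloveyou"}

# Substitutions people commonly use to dodge an exact-match ban. "1" is mapped
# to "i" here; a stricter checker would try every plausible expansion.
LEET_MAP = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "i", "!": "i", "|": "l", "3": "e", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a candidate to the base word a human would see in it."""
    p = password.lower()
    # Strip leading/trailing digits and symbols before substituting, so that
    # "Pa$$w0rd1" becomes "pa$$w0rd" rather than "pa$$w0rdi".
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)
    if not stripped:          # purely numeric/symbolic input such as "12345678"
        stripped = p
    return stripped.translate(LEET_MAP)


def is_banned(password: str) -> bool:
    """True when the raw or normalized password matches or wraps a banned word."""
    raw = password.lower()
    base = normalize(password)
    for banned in BANNED:
        if banned in (raw, base):
            return True
        # Reject trivial padding such as "mypassword2016"; the length floor
        # keeps short banned words from matching unrelated passphrases.
        if len(banned) >= 6 and (banned in raw or banned in base):
            return True
    return False


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd", "Pa$$w0rd1", "12345678", "correct horse battery staple"]:
        print(f"{candidate!r}: {'banned' if is_banned(candidate) else 'allowed'}")
```

With this normalization, "Pa$$w0rd" and "Pa$$w0rd1" both collapse to "password" and are rejected, while an unrelated passphrase passes.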

Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe

Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that pretend to deliver a new version of Flash Player, cybercriminals are now using hacked sites (including WordPress and Joomla) to distribute the malware posing as a “porn player”:

As soon as the user accesses the website, the following file is downloaded:

The “PornDroid” theme of the injected site and the filename “pornvideo.apk” looked familiar to us; that distribution method is very similar to the one used by the Android ransomware Police Locker at the end of 2014. Could this mean that Police Locker and SpyLocker are related? We decided to take a look at old samples from both malware families and, after some research, we found what seems to be the missing link between the two.

The purpose of the samples is different (ransomware vs. banking Trojan) but there are some similarities that suggest the creators of the ransomware at some point shifted its focus to target banking users. For example, in both samples we can find the same intent-filter and the same class names for two receivers:
In addition to these receivers, there are more classes in common between the two samples, including Autorun, AdminService, and DeviceAdminChecker:

In addition to the hacked-websites distribution method, SpyLocker uses adult sites to lure users and trigger the automatic download of the malware:
Even when the filename of the downloaded file is pornvideo.apk, when the app is installed it appears to be Flash Player (as with the original variants):
Or, recently, an “update”:


As soon as the app is executed, the icon disappears from the home launcher and the malware constantly asks for device administrator privileges to make its removal difficult:


If the user tries to deactivate the device administrator for the app, the malware locks the device, with the following screen preventing the user from clicking the deactivate button behind the cover:


SpyLocker originally targeted banks in Australia, New Zealand, and Turkey; now it monitors the opening of banking and financial apps in additional European countries to display the phishing overlay and capture banking credentials. The following is an example of the overlay targeting banks in Poland:

Users in France are also targeted by recent variants of SpyLocker:


A different and more complete phishing overlay was found in variants targeting banks in the United Kingdom:


Instead of fetching the phishing overlays from a remote server, recent SpyLocker variants have them built into the app itself, perhaps to avoid locking the victim’s device if the remote server is unavailable. Because the overlays are bundled with the app, we could see that there are plans to target banks in Italy, although the overlay interface is not implemented in the variants we have seen so far. On the other hand, the overlay interface for Russian banks is already implemented but currently unused, because the package names are not in the list of targeted banks. They could be included in a new variant at any time.

SpyLocker also monitors the execution of Google and popular apps such as Instagram and eBay to display the Google phishing overlay, which now attempts to get more than just the email and password of the Google account:

The fields in the overlay user interface are now validated. If the victim does not provide the information or if it is incorrect (with credit cards an algorithm confirms that the number is valid), the overlay cannot be skipped—thus hijacking the device until the victim enters the correct information. In the case of the credit card field, SpyLocker validates the type of card and, following that, will display an additional field to capture the second factor of authentication needed for electronic transactions:

In addition to the phishing functionality, SpyLocker constantly sends encrypted data to a remote server:

The decrypted data is in the JavaScript Object Notation format, and reports the current status of the infected device:

The data includes device information, the default SMS app, whether the malware has device administrator active, whether the device is currently locked, whether any of the targeted banking apps are installed on the device, whether interception of incoming SMS messages is enabled (smsgrab), and whether the device is rooted. Using the same format, SpyLocker can leak to a remote server the SMS messages in the inbox (inboxmessage), SMS messages being sent (sentmessage), the call history (callhistory), and the installed apps (instapps):
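
As an added example (not McAfee's tooling), here is a small triage routine an analyst could run over already-decrypted beacons of the kind described above, flagging the indicators that matter for response. The beacons are constructed; the key names smsgrab, inboxmessage, sentmessage, callhistory and instapps come from the post, while "type", "defaultsms", "deviceadmin", "locked", "rooted", "installed" and "data" are assumed names for the values the post describes.

```python
import json

# Subset of the targeted banking package names listed later in this post.
TARGETED_BANK_APPS = {
    "pl.pkobp.iko", "pl.mbank", "nz.co.asb.asbmobile",
    "com.barclays.android.barclaysmobilebanking",
}

# Constructed, already-decrypted beacons. "smsgrab", "inboxmessage",
# "sentmessage", "callhistory" and "instapps" are names quoted in the post;
# "type", "defaultsms", "deviceadmin", "locked", "rooted", "installed" and
# "data" are assumed key names for the values the post describes.
SAMPLE_BEACONS = [
    json.dumps({"type": "status", "model": "constructed-device",
                "defaultsms": "com.android.mms", "deviceadmin": True,
                "locked": False, "rooted": False, "smsgrab": True,
                "installed": ["pl.mbank", "com.whatsapp"]}),
    json.dumps({"type": "instapps",
                "data": ["pl.pkobp.iko", "com.skype.raider", "com.ebay.mobile"]}),
    json.dumps({"type": "inboxmessage",
                "data": [{"from": "constructed-sender", "body": "code 000000"}]}),
]


def triage_beacon(raw: str) -> dict:
    """Turn one decrypted beacon into analyst-facing findings."""
    msg = json.loads(raw)
    kind = msg.get("type", "unknown")
    findings = []
    if kind == "status":
        if msg.get("deviceadmin"):
            findings.append("device admin active: deactivation will trigger the lock screen")
        if msg.get("smsgrab"):
            findings.append("SMS interception on: one-time codes may be captured")
        if msg.get("locked"):
            findings.append("device currently locked by the malware")
        hits = sorted(TARGETED_BANK_APPS & set(msg.get("installed", [])))
        if hits:
            findings.append("targeted banking apps installed: " + ", ".join(hits))
    elif kind in ("inboxmessage", "sentmessage", "callhistory"):
        findings.append(f"{kind}: {len(msg.get('data', []))} record(s) exfiltrated")
    elif kind == "instapps":
        apps = msg.get("data", [])
        hits = sorted(TARGETED_BANK_APPS & set(apps))
        findings.append(f"instapps: {len(apps)} installed apps exfiltrated")
        if hits:
            findings.append("targeted banking apps installed: " + ", ".join(hits))
    else:
        findings.append(f"unrecognised beacon type {kind!r}")
    return {"type": kind, "findings": findings}
```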

Android banking Trojans such as SpyLocker are constantly evolving, adding new targets and distribution methods and improving their phishing techniques to obtain even more data that allows cybercriminals to perform fraudulent electronic transactions. To protect yourself from this threat, use security software on your mobile device, and remember that Android updates are not delivered via APK files automatically downloaded when you visit a website. Further, do not trust applications downloaded from unknown sources.

McAfee Mobile Security detects this Android threat as Android/SpyLocker and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.


Package names of targeted financial apps

Turkey

  • com.akbank.softotp
  • com.akbank.android.apps.akbank_direkt_tablet
  • com.akbank.android.apps.akbank_direkt
  • com.teb
  • com.ziraat.ziraatmobil
  • com.tmobtech.halkbank
  • com.pozitron.iscep
  • com.garanti.cepsubesi
  • com.ykb.android
  • finansbank.enpara
  • com.finansbank.mobile.cepsube

Poland

  • eu.eleader.mobilebanking.pekao
  • eu.eleader.mobilebanking.pekao.firm
  • hr.asseco.android.mtoken.pekao
  • eu.eleader.mobilebanking.raiffeisen
  • pl.pkobp.iko
  • pl.mbank
  • pl.ing.ingmobile
  • com.comarch.mobile
  • com.getingroup.mobilebanking
  • pl.bzwbk.bzwbk24
  • wit.android.bcpBankingApp.millenniumPL

Australia

  • au.com.nab.mobile
  • com.commbank.netbank
  • com.cba.android.netbank
  • org.stgeorge.bank
  • org.banking.tablet.stgeorge
  • au.com.bankwest.mobile
  • com.bendigobank.mobile
  • org.westpac.bank
  • au.com.mebank.banking
  • com.anz.android.gomoney

New Zealand

  • nz.co.anz.android.mobilebanking
  • nz.co.asb.asbmobile
  • nz.co.bnz.droidbanking
  • nz.co.kiwibank.mobile
  • nz.co.westpac

France

  • net.bnpparibas.mescomptes
  • fr.lcl.android.customerarea
  • fr.laposte.lapostemobile
  • fr.creditagricole.androidapp
  • fr.banquepopulaire.cyberplus
  • com.cm_prod.bad
  • com.caisseepargne.android.mobilebanking

Russia

  • ru.sberbankmobile
  • ru.vtb24.mobilebanking.android
  • ru.alfabank.mobile.android
  • com.idamob.tinkoff.android
  • ru.bpc.mobilebank.android
  • ru.bankuralsib.mb.android

United Kingdom

  • com.barclays.android.barclaysmobilebanking
  • uk.co.santander.santanderUK
  • com.rbs.mobile.android.natwest

Targeted apps

  • com.android.vending
  • com.google.android.music
  • com.google.android.apps.plus
  • com.android.chrome
  • com.google.android.apps.maps
  • com.google.android.youtube
  • com.google.android.apps.photos
  • com.google.android.apps.books
  • com.google.android.apps.docs
  • com.google.android.apps.docs.editors.docs
  • com.google.android.videos
  • com.google.android.gm
  • com.whatsapp
  • com.skype.raider
  • com.google.android.play.games
  • com.paypal.android.p2pmobile
  • com.ebay.mobile
  • com.instagram.android
  • com.instagram.layout

The post Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe appeared first on McAfee.

Google Releases Security Update for Chrome

Original release date: May 26, 2016

Google has released Chrome version 51.0.2704.63 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Chrome Releases page and apply the necessary update.
