Crypto ransomware targets called by name in spear-phishing blast

An e-mail targeting a retail company to deliver point-of-sale malware. (credit: Proofpoint)

For the past decade, spear phishing—the dark art of sending personalized e-mails designed to trick a specific person into divulging login credentials or clicking on malicious links—has largely been limited to espionage campaigns carried out by state-sponsored groups. That made sense. The resources it takes to research the names, addresses, and industries of large numbers of individuals were worth it when targeting a given organization that had blueprints or some other specific piece of data prized by the attacker. But why go through the trouble to spread crypto ransomware or banking trojans to the masses when a single scam e-mail could do the trick?

Since the beginning of the year, that truism has begun to unravel. According to researchers at security firm Proofpoint, a single threat actor, dubbed TA530, has been targeting executives and other high-level employees in an attempt to trick them into installing an assortment of malware—including the CryptoWall ransomware program that encrypts valuable data and demands a hefty fee to undo the damage. Other malware spread in the campaign includes the Ursnif ISFB banking trojan and the Ursnif/RecoLoad point-of-sale reconnaissance trojan, which targets businesses in the retail and hospitality industries. Targeted executives typically have titles of chief financial officer, head of finance, senior vice president, and director.

According to a blog post published Tuesday:


Microsoft, with help from feds, delivers body blow to massive fraud ring

In a coordinated takedown with the FBI and financial institutions, Microsoft on Wednesday dealt a powerful blow to an online fraud syndicate that siphoned more than $500 million out of bank accounts all over the world.

The takedown, dubbed Operation b54, disrupted more than 1,400 botnets based on Citadel, a powerful piece of banking malware available for sale in underground forums. Citadel has been in existence since 2011 and is based on leaked source code from the Zeus banking trojan. Citadel provides criminals with most of what they need to engage in widespread banking fraud, including exploits for infecting end users, keyloggers for stealing those end users' bank passwords, and backend code for running the command-and-control servers that issue malware updates and receive login credentials from infected computers.

Microsoft used civil seizure orders issued by a federal judge in North Carolina to simultaneously cut off communications between 1,462 Citadel botnets and the infected computers that reported to them. The company also filed suit against a currently unidentified operator using the name Aquabox, who is suspected of being connected with one or more of the botnets.
