New Advanced Threats Facing the Financial Sector

Just finished listening to a very good security briefing from the FS-ISAC called “Research Update on Malware and Phishing Webinar”.

Here are some of the top points from the seminar:

Latest Threats

Mobile Zeus – First spotted in September of 2010 and again in February of 2011. It attacks not only the PC but also mobile devices, and attempts to intercept the additional authentication step sent to the mobile device (the out-of-band code) that many banks are now using.

Tatanga – Attacks at the TCP level, not at HTTP, and basically takes over your browser. It sends all of your supposedly encrypted (SSL) data in plain text to the malware server; the malware server then builds the encrypted tunnel to the bank on your behalf and plays man-in-the-middle. It also suppresses the warning messages that would normally pop up in the browser, so the user sees nothing unusual.

They also talked about phishing servers (bad sites that steal your credentials). These servers collect up to 80% of their stolen credentials within 5 hours of being put online, so takedown efforts that take days arrive far too late. No wonder they are so hard to take out!

Mobile devices are coming under increased attack and need to be secured. They are vulnerable to exploits just like PCs, and most users do not bother to update the operating system. Also, rooted or jailbroken devices are really starting to become an issue in corporate settings.

The best way to protect against these attacks is to keep both your PCs and your mobile devices patched and updated. A little security goes a long way!


Japan Earthquake and Tsunami Scams

News about Japan relief scams has been circulating. Unfortunately, whenever there is a natural disaster or any other kind of human suffering, bottom feeders try to scam people.

Scammers have been putting up “Japan Relief Fund” websites to take advantage of the good will of the international community. I have also heard of hackers putting up sites with videos of the devastation in Japan. These sites also try to serve up malware and fake anti-virus software when you visit them. And lastly, the FBI released a warning today about scam artists sending unsolicited e-mails asking for money.

The FBI warning noted that legitimate charities usually use a .org domain, not .com. Don’t send cash, and write checks out to the charity itself, not to an individual person.

A lot of people want to help. I would recommend sticking with large well-known organizations like the Red Cross and Salvation Army.

It is unfortunate that people would try to gain financially from others’ pain and loss. If you do give, do so wisely to ensure that your funds will actually get to those in need.

Psst, Hey Buddy Want a Password? Only 15 Cents!

How much is your password worth? Well, would you believe as little as 15 cents? 50,000 stolen iTunes passwords went up for sale on a Chinese auction site for anywhere from 15 cents to 30 dollars each:

Roughly 50,000 Apple iTunes accounts stolen by hackers are said to be for sale on China’s largest auction site.

The accounts are available on, the Chinese equivalent of eBay, for prices ranging from about 15 cents to $30 each, China’s Global Times reported Thursday. Potential buyers are being promised access to seven times the purchase price in movies and music. The only restriction is that the buyer conduct all downloads within the first 24 hours of buying the illegal account.

Big deal, you say, so they can access my music, who cares?

The problem is that many people use the same username and password for several accounts. So for 15 cents a hacker might, in theory, get access to your e-mail, online stores, financial sites, etc. This really stresses the importance of using a different password for each site that you log in to.

This really begs the question, should our network security be based on passwords alone? In a previous article, How Much is Your Password Worth?, I showed that people would actually give away their password for a pen or chocolate. Some just gave them away for free!

And lastly, should you depend on the websites you hand your personal data to in order to protect your information? Do sites like iTunes mask your credit card number when you view your account page? You wouldn’t want to give out your credit card for 15 cents, would you?

Persistent Cross-Site Scripting (XSS) Demo

If you ever wanted to know how cross-site scripting works, look no further. This video was created by Aleksander Gorkowienko, a database and application security expert with the company 7safe.

In “Cross-Site Scripting Explained”, Aleksander simulates an XSS attack against a fictitious online financial company. He demonstrates how a hacker could jump from one authenticated user (logged in with a password and a PIN) to another by stealing PHP session cookies through the injected script.

In the attack, Aleksander uses the Browser Exploitation Framework (BeEF), JavaScript and the web application security testing platform Burp Suite. I haven’t played with BeEF in a while, so it was good to see it in action again.

This demonstrates why it is important to test web applications for vulnerabilities like XSS. The video is definitely a must see!
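To make the defensive side of the video concrete, here is an added example of my own (it is not code from Aleksander’s video, 7safe or the page). It is plain Node.js with no dependencies. The stored comments are constructed sample data; the cookie name PHPSESSID is PHP’s default session cookie name, and the session id value is made up. The unsafe renderer shows the persistent XSS sink (user-supplied text pasted straight into HTML), the safe renderer shows the fix (HTML-escape at output time), and the cookie helper shows the HttpOnly flag that keeps a session cookie out of reach of script even if an XSS bug slips through.

```javascript
// Added illustration, not the project's or the video's code.
// Demonstrates a persistent XSS sink, its hardened form, and an
// HttpOnly session cookie as defence in depth.

// Constructed sample of "stored" data as it might sit in a comments table.
// The second comment is a harmless test payload of the kind a scanner sends.
const storedComments = [
  { user: "alice", body: "Great service, thanks!" },
  { user: "mallory", body: '<script>alert(1)</script>' },
];

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is the whole fix for HTML-context output.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: stored user content is concatenated straight into the page,
// so any <script> a user saved earlier runs in every later visitor's browser.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li><b>${c.user}</b>: ${c.body}</li>`).join("\n");
}

// HARDENED: every untrusted value is escaped at the point it enters HTML.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Simple check used to show the difference: does the rendered HTML still
// contain an executable script tag or an inline event handler?
function containsActiveScript(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Session cookie with HttpOnly so document.cookie cannot read it, Secure so it
// only travels over TLS, and SameSite to limit cross-site sending. PHP can set
// the same flags via session.cookie_httponly / session.cookie_secure.
// The session id format check is an assumption for this example.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9,-]{16,}$/.test(sessionId)) {
    throw new Error("refusing to set a malformed session id");
  }
  return `PHPSESSID=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Stand-alone demonstration (prints both renderings for comparison).
console.log("unsafe:\n" + renderCommentsUnsafe(storedComments));
console.log("safe:\n" + renderCommentsSafe(storedComments));
console.log("Set-Cookie: " + sessionCookieHeader("c0nstructedSessionId2011")); // made-up id
```

Note that escaping is context-specific: the function above is correct for HTML text and quoted attribute values, but content placed inside a `<script>` block, a URL or a CSS rule needs its own encoder, and HttpOnly only protects the cookie, not the actions a script can take while the victim’s page is open.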

For more information, check out Aleksander’s website IT Security Lab.