Tag: bank

Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan

Unusually, SOVA, which targets US users, now allows lateral movement for deeper data access. Version 5 adds an encryption capability.Unusually, SOVA, which targets US users, now allows lateral movement for deeper data access. Version 5 adds an encryption capability.Read More

Rechtspraak waarschuwt voor oplichters die telefoonnummers spoofen

Fraudeurs maken gebruik van telefoonnummers van rechtbanken, gerechtshoven en bijzondere colleges om mensen op te lichten, zo …Fraudeurs maken gebruik van telefoonnummers van rechtbanken, gerechtshoven en bijzondere colleges om mensen op te lichten, zo …Read More

A week in security (August 1 – August 7)

Last week on Malwarebytes Labs:

Have we lost the fight for data privacy? Lock and Code S03E16

Wrestling star Mick Foley’s Twitter compromised, selling PS5 consoles

Millions of Arris routers are vulnerable to path traversal attacks

When a sextortion victim fights back

How to protect yourself and your kids against device theft

For months, JusTalk messages were accessible to everyone on the Internet

Update now! VMWare patches critical vulnerabilities in several products

NetStandard attack should make Managed Service Providers sit up and take notice

Bank fraud scammers trick victims with claims of bogus Zelle transfers

Woody RAT: A new feature-rich malware spotted in the wild

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

Ransomware review: July 2022

FCC warns of steep rise in phishing over SMS

Phishy calls and emails play on energy cost increase fears

Patch now! Cisco VPN routers are vulnerable to remote control

Stay safe!

FCC warns of steep rise in phishing over SMS

After the FCC (Federal Communications Commission) made a huge splash weeks ago when it told Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (FCC’s own terminology), is a form of phishing that attempts to trick people into handing over their personally identifiable information (PII) and/or money using SMS instead of email, which standard phishing usually starts. The FCC has noted that scammers use various lures to trick someone into replying, giving out their information, or clicking a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to engage in smishing tactics is to get money and personal information or to simply confirm that the number they’re messaging is active, so they can target it in future scam campaigns.

According to the FCC, it tracks consumer complaints instead of text volume. The agency noted a steady climb of unwanted SMS messages, from approximately 5,700 in 2019 to 8,500 by June 30, 2022. 

A separate study confirmed this, too, but revealed more sobering numbers. RoboKiller, an app that screens scammy calls and messages, found that Americans were sent a mind-blowing 12 billion spam texts in July 2022.

“That’s nearly 44 spam texts for every person in the country!” And the numbers were no different in June and May 2022.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. And one of the notable reasons for this is the FCC mandating the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) framework, which was designed to curb spam calls. It’s effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

How to protect yourself from #scam robotexts:
▪️ Do not respond
▪️ Do not click on any links
▪️ Do not provide any info
▪️ File an FCC complaint
▪️ Forward unwanted texts to SPAM (7726)
▪️ Delete all suspicious texts

— The FCC (@FCC) July 28, 2022

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint to the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

Bank fraud scammers trick victims with claims of bogus Zelle transfers

It pays to be careful where cold calls from someone claiming to work for your bank are concerned. Scam callers are impersonating bank staff, with suggestions of dubious payments made to your account. One unfortunate individual has already lost around $1,000 to this slice of telephone-banking based fraud. With a little press intervention they were lucky enough to get it back. Sadly most people don’t get that far.

What’s happening, and how can you avoid it?

An unauthorised payment: A scammer’s steps to success

This attack has several steps. Here’s how it plays out:

The scam begins with a call from a supposed fraud team. This is a common confidence trick, it sounds convincing and it has a sense of urgency built in. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible.
Setting the recipient of the call off-balance is the aim of the game. And what better way to have them second guess themselves than by referring to technology they may not have used before? In this case, the scammer claims the victim’s bank account has made a fraudulent Zelle transfer of $1,000 to somebody in Texas. Zelle is a US based digital payments network. To the recipient of such a call, it may well just sound like a big scary thing has happened to their money which they don’t fully understand.
Adding some time-based pressure is the final blow. “Hurry up and follow my dubious instructions or you lose all of your money” is a very successful tactic. Victims are dissuaded from calling their bank directly because they would just be “redirected back to the fraud team”. In this case, the victim was told to reverse the transaction by punching in a code given to them by the fraudster. After the first $1,000 vanished, the scammer risked it all on another claim of $5,000 in fraudulent transfers. Thankfully, the victim was having none of it and more losses were averted.

Am I protected?

It’s trickier than ever to deal with a case of banking fraud. Banks and payment systems increasingly put the onus on the individual to not get caught out by deception. If you bank online and send people money, you’ll likely have gone through a fraud check flow.

This is where the site asks you to confirm who you’re sending money to and why. If you select “romance” (for example), you’ll be warned about romance scams and eventually you’ll tick a box to confirm that you recognise the risks. If something goes wrong, on your own head be it.

This is almost note for note what happened to the person in the news story above. The bank said that because the victim “authorised” the payment, no protection was in place. This is clearly not an accurate reading of what happened, and the money request was clearly fraudulent. Even so, this is what you may have to contend with should you wander into a fraud situation.

Watch out for red flags

There’s several aspects of this attack common to many others which may indicate a fraud attempt.

They don’t want you to call the bank back. If you do this, the fraud falls to pieces. A genuine member of staff would have no issue with you calling them yourself.
Pressure tactics. If a bank calls you out of the blue and claims that they’re powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
Knowing your date of birth, address, and other information doesn’t mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
Referencing third party payment apps may be another red flag, especially if they talk about technology you’ve not used before.

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

We get a few questions about ransomware protection and how our Endpoint Detection and Response software can protect you from ransomware. In this post, our security experts answer some of your most frequently asked questions about ransomware and how our EDR can help—let’s get started.

Q: When considering an EDR solution, what anti-ransomware features should I be looking for?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“First, it should quickly identify and isolate systems that are infected with ransomware. Second, it should detect ransomware-like behavior and automatically kill and remove the threat from the system. Third, it should provide options for file recovery (in case something does get encrypted). Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.”

Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes:

“Ransomware stems from the exploitation of trust. We know that in society and computer systems, trust is essential and foundational for communication productivity and growth. What’s needed is encapsulated in a principle called trust-but-verify! In the context of EDR, trust-but-verify means the algorithmic “detection” part of EDR must employ heuristics to look for anomalous encryption that deviates from known-good encryption. This is the trust-but-verified part of a modern EDR tool. To make the EDR tool a solution, it must offer four essential functionalities:

Contain threats, allowing time to investigate and document.
Easy, non-vendor-specific language describing detected suspicious activity.
Precision instrumentation for eradicating malware, potentially unwanted programs, and potentially unwanted changes.
Instrumentation to search for indicators across the rest of your managed endpoints for early signs.”

Q: Other than the percentage of malware-detected efficacy, what other factors should I consider when acquiring an anti-ransomware solution? 

Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes:

“Other than efficacy, you need to look also at integration—the EDR must become part of your system. It should not be a standalone solution; it should be usable and not complex. Have a “single pane of glass”—with Malwarebytes cloud-based Nebula platform, for example, you have access to an intuitive UI which helps you gain visibility into all activity across your entire organization. If I could summarize it into a single sentence, you don’t want just a next-gen solution; you need a solution that any IT professional will understand without specialized cyber-forensic knowledge.”

Q: How is detecting ransomware different from other malware?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“Up until around 2013, most malware infections were problems that could easily be solved ‘after the fact’.  For example, a bank credential stealing bot can infect a system, steal your credentials and commit fraud. Well the bank can clear out those fraud charges, you can change your credentials and you can clean the system, suddenly the whole attack can be treated as an inconvenience rather than a significant disruption, almost like it didn’t happen. Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it’s often used against multiple endpoints at the same time. So, recovery after the fact is nearly impossible without being prepared, or paying the ransom. This kind of threat requires a lot more planning, redundancy and threat monitoring than any other type of malware out there. Imagine regular malware infections as seasonal allergies, while ransomware is like being hit with pepper spray in the face.”

Q: How does Malwarebytes EDR protect against ransomware attacks?

Robert DeStefano, Senior Global Product Marketing Manager at Malwarebytes:

“First, Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Second, our solution uses multiple combined modes of endpoint isolation, so if an endpoint is attacked, it can easily halt malware from spreading and causing harm—minimizing disruption to IT and users during attacks. Third—we give you up to 72 hours of ransomware rollback. We make use of local cache on each endpoint, storing all relevant changes to the device for up to 72 hours. If you’re infected, Malwarebytes simply backs out device changes and restores files that were encrypted, deleted, or modified. You don’t have to lose all that time reimaging an endpoint. And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.”

Q: How often and at what intervals are files backed up? How much space does it take?

David Pier, Senior Sales Engineer at Malwarebytes:

“Our file backup is not triggered on a time basis—it’s really driven by our activity monitoring feature. The backups are only going to be created in an instance where Malwarebytes has detected suspicious behavior. And for the second question, data storage space isn’t an issue, as our proprietary dynamic exclusion technology learns ‘good’ behavior of applications and minimizes storage utilization. Additionally, administrators can configure their policies to dynamically manage disk space requirements, based on the remaining available disk space.”

Q: Can you identify when the first infection took place and if the same threat process has been installed across the environment or on other devices, such as malicious scheduled tasks?

David Pier, Senior Sales Engineer at Malwarebytes:

“Yes! You can do this with the Flight Recorder feature of our EDR, which allows you to search event data captured from all of your managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 7 days to threat hunt or analyze when a compromise occurred in your environment. You can search through file properties, such as the file hash or the file name, or you could leverage something like searching actual command line arguments that were used by the attacker to try and locate the original infection points.”

Q: How many full time employees are needed to deploy and manage your EDR?

David Pier, Senior Sales Engineer at Malwarebytes:

“That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. An EDR solution that you might be interested in may require you to have full-time staff to manage, or configure it. Malwarebytes EDR is not that kind of solution. This is something that we’ve successfully deployed with teams as small as two people managing this. You do not need additional headcount, you don’t need a dedicated SOC to make this program work. That being said, this solution works very well at scale. We have customers with 1000s of endpoints running this solution and effectively using it as an EDR so really, it’s a tool built for customers of any size.”

Q: Would we need a physical server or can this be operated from a cloud-based system?

David Pier, Senior Sales Engineer at Malwarebytes:

“There’s no requirement for any physical architecture,” says Pier. “You could use it entirely cloud-based if you have cloud-based servers or cloud-based VMs. Really the only requirement we have is making sure that your endpoints can reach the Malwarebytes cloud infrastructure, which is all done through HTTPS traffic. So typically, it’s not something you need to customize unless you have a very restrictive network.”

Read about how companies used Malwarebytes EDR to fend off ransomware 

To help you understand the ransomware threat and how Malwarebytes EDR can help, we’ve curated a collection of customer case studies that illustrate the common patterns of ransomware protection and recovery across a variety of industry sectors and business sizes. Check out a few of them below!

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

Phishy calls and emails play on energy cost increase fears

Gas and electricity price concerns are rife at the moment, with spiralling costs and bigger increases waiting down the line. Sadly this makes the subject valuable material for fraudsters, playing into people’s fears with a dash of social engineering to make them worse off than they were previously.

Warnings abound of several energy / cost of living-themed scams doing the rounds. Shall we take a look?

Identifiers of an attack

These attacks target individuals living in countries where oil or electricity prices are a concern. If you have an imminent set of price increases on the horizon, you may be a target. Phone calls, emails, whatever it takes to extract some cash. The UK is a particularly hot flashpoint for these fraud attempts at the moment.

The senders will typically claim to be from an organisation with authority. Maybe an energy watchdog, or a consumer rights group, or maybe an energy company.

Refunds, rebates, and discounts generally are the order of the day. There’s a number of schemes along these lines at the moment due to be rolled out, and you can expect fraudsters to ride on their coat tails.

Energy refund scam types

Fake rebates

This scam involves cold calling and a spin on the (genuine) rebate plan put together by the British Government. Fraudsters inform potential victims that they need to hand over bank details in order to qualify. Normally we’d say “this is not true”. However: There are some cases where people do hand over payment information. Local councils in the UK have reached out to many people pre-emptively to arrange rebate payments. Where the scammers have an angle is that lots of other residents have not been contacted.

In those cases, the onus is on the individual to reach out and apply. They can choose to have the rebate applied to their next local council bill, or have the money paid directly into their bank account. To do this, they need to hand over payment details. The caveat is that the person applying does this themselves, on their local council website. Nobody should be cold-calling asking for payment information.

Ofgem impersonators

Fraudsters are claiming to represent Ofgem, Britain’s independent energy regulator. They claim to be able to help you get a better energy deal and then ask for your payment details. These attacks come via text and email, and have been around for at least a month or so. Some of these also tap into the rebate scam, claiming to offer a “secure application” which is really just a phishing website.

Fake energy company refunds

This is a fairly common scam, just like fake tax refunds during tax season. They are definitely more relevant during the current energy crisis though. In this case, we’re talking fake refunds and a double-threat attack technique. The victim is lured in with emails offering a refund. Once the information is taken by the phishing website, the scammer calls the victim claiming to be working on behalf of their bank. The scammer goes on to highlight several types of fraud to be wary of, all the while trying to extract around $1,200 during the call.

How to avoid these threats

Any email or phone call asking for payment information is not going to be legitimate. You should also never be asked for login details for your online banking or other accounts from a cold-caller.
If you receive an unexpected call about energy prices or rebates, Insist on calling “them” back on their official number, taken from an official website, directly. If the caller objects to this, that’s an immediate red flag. A genuine caller would have no possible reason to object to this.
Bogus fake energy company websites are very popular and easy to set up. Visit the official website listed in official correspondence only, and pay close attention to URLs sent to you by text or email.

Stay safe out there!