Silobreaker Daily Cyber Digest – 1 March 2016
ATMZombie, the first banking malware known to target Israeli banks, was discovered by Kaspersky in November 2015 and reported on in detail today.
Once a machine is infected, ATMZombie places its own certificate into browsers’ certificate authority (CA) lists, and modifies proxy settings to act as a Man-in-the-Middle. The next time a victim logs into their bank account, the malware will collect their details.
In the second stage of the attack, the malware’s controller will manually log in to compromised accounts and wire money via SMS to ‘mules’ who have been tricked into cooperating for a small share of the total haul. The money mules will, in turn, forward the bulk of the take onwards via mail.
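The two host changes described above (a new root certificate in the browser trust store and rewritten proxy settings) are both things a defender can baseline and diff. The script below is an added example, not code from the digest or from Kaspersky's report; it assumes a collector has already exported the root store as DER blobs and the proxy configuration as a small dict, and the certificate bytes, subject names and proxy values it uses are constructed stand-ins.

```python
import hashlib
from typing import Dict, List

# Constructed stand-ins for DER-encoded root certificates. A real collector
# would export the actual certificate bytes from the browser/OS trust store.
ROOT_A = b"constructed-der:Example Root CA 1"
ROOT_B = b"constructed-der:Example Root CA 2"
ROGUE  = b"constructed-der:Unknown Root CA injected by malware"

# Proxy keys checked: direct proxy server and PAC (autoconfig) URL, both of
# which a MITM implant could point at itself.
PROXY_KEYS = ("enabled", "server", "pac_url")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def make_snapshot(roots: Dict[str, bytes], proxy: Dict[str, object]) -> dict:
    """Build a snapshot: fingerprint -> subject for the root store, plus proxy settings."""
    return {
        "roots": {fingerprint(der): subject for subject, der in roots.items()},
        "proxy": dict(proxy),
    }


def baseline_snapshot() -> dict:
    """Known-good state recorded before any infection (constructed)."""
    return make_snapshot(
        {"CN=Example Root CA 1": ROOT_A, "CN=Example Root CA 2": ROOT_B},
        {"enabled": False, "server": "", "pac_url": ""},
    )


def infected_snapshot() -> dict:
    """State after an implant adds its own CA and enables a local proxy (constructed)."""
    return make_snapshot(
        {"CN=Example Root CA 1": ROOT_A, "CN=Example Root CA 2": ROOT_B,
         "CN=Unknown Root CA": ROGUE},
        {"enabled": True, "server": "127.0.0.1:8080", "pac_url": ""},
    )


def audit(baseline: dict, current: dict) -> List[str]:
    """Return one finding string per deviation of `current` from `baseline`.

    Order: newly trusted roots, removed roots, then proxy keys in PROXY_KEYS order.
    """
    findings: List[str] = []
    base_roots, cur_roots = baseline["roots"], current["roots"]

    # Any root CA that was not in the baseline is the headline finding:
    # it lets a proxy mint valid-looking certificates for any site.
    for fp in sorted(set(cur_roots) - set(base_roots)):
        findings.append(f"NEW_ROOT_CA subject={cur_roots[fp]!r} sha256={fp}")
    for fp in sorted(set(base_roots) - set(cur_roots)):
        findings.append(f"REMOVED_ROOT_CA subject={base_roots[fp]!r} sha256={fp}")

    # Proxy settings changed without a matching change request.
    for key in PROXY_KEYS:
        before, after = baseline["proxy"].get(key), current["proxy"].get(key)
        if before != after:
            findings.append(f"PROXY_CHANGED {key}: {before!r} -> {after!r}")
    return findings


if __name__ == "__main__":
    for line in audit(baseline_snapshot(), infected_snapshot()):
        print(line)
```

Run periodically against a stored baseline, this flags the injected root and the proxy change together; either alone is worth a ticket, and the pair is a strong signal that browser traffic is being intercepted.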
Acecard or Acekard is a widespread banking trojan that has technically existed for several years, but has only displayed overt malicious activity recently – most notably in Australia.
Made to steal banking information, Acecard can intercept SMS messages and recognise around 50 financial phone apps, which the malware will overlay with phishing windows that ask for card details. On the 28th of December 2015, an Acecard downloader trojan was spotted disguised as a game in the Google Play store.
The group that created Acecard has also been tied to the Torec and Pletor (Android) malware families, and is most likely Russian-speaking.
In a classic PEBKAC blunder, Snapchat have revealed that employee payroll information was given to an outsider who impersonated the company’s CEO via email.
While company systems and app users were not compromised by the spear phishing attack, it’s likely that leaked details include addresses, bank account information and social security numbers of employees both present and past.
Anyone who needs a reminder of the risks posed by social engineering should take a look at the legendary email exchange that compromised HBGary Federal’s website, starting with this gem:
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
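The Snapchat incident above is display-name impersonation: the mail claims to be from the CEO but is sent from an outside address. A mail gateway can score exactly that. The script below is an added example, not anything from the digest or from Snapchat; the company domain, executive list, addresses and both sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Assumptions (constructed): the organisation's own domains and the executives
# whose display names should only ever arrive from their real mailbox.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"alice example": "alice@example.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "today")
SENSITIVE_WORDS = ("payroll", "wire", "transfer", "bank", "tax")

# Constructed sample: looks like the CEO, sent from an outside domain, with a
# Reply-To that routes answers somewhere else again.
PHISH_MESSAGE = b"""From: Alice Example <alice.example@mail-example.net>
Reply-To: <a.example.ceo@webmail-example.org>
To: payroll@example.com
Subject: urgent - payroll records needed today
Date: Fri, 26 Feb 2016 09:12:00 +0000
Message-ID: <constructed-1@mail-example.net>

Can you send me the payroll report for all staff? Need it before my call.
"""

# Constructed sample: the real executive, internal domain, ordinary subject.
BENIGN_MESSAGE = b"""From: Alice Example <alice@example.com>
To: payroll@example.com
Subject: Q1 planning meeting
Date: Fri, 26 Feb 2016 10:00:00 +0000
Message-ID: <constructed-2@example.com>

Moving Thursday's planning meeting to 2pm.
"""


def _normalise(name: str) -> str:
    return " ".join(name.lower().split())


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: bytes) -> List[str]:
    """Return impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", "")).lower()
    findings: List[str] = []

    # A protected display name must map to that person's real address.
    name_key = _normalise(from_name)
    if name_key in EXECUTIVES:
        if from_addr.lower() != EXECUTIVES[name_key]:
            findings.append("DISPLAY_NAME_IMPERSONATION")
        if _domain_of(from_addr) not in COMPANY_DOMAINS:
            findings.append("EXEC_NAME_FROM_EXTERNAL_DOMAIN")

    # Replies silently diverted to a third address.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("REPLY_TO_MISMATCH")

    # Pressure plus a request for sensitive data is the CEO-fraud pattern.
    if any(w in subject for w in URGENCY_WORDS) and any(w in subject for w in SENSITIVE_WORDS):
        findings.append("URGENT_SENSITIVE_REQUEST")
    return findings


if __name__ == "__main__":
    print("phish :", assess_message(PHISH_MESSAGE))
    print("benign:", assess_message(BENIGN_MESSAGE))
```

The first two indicators are enough on their own to quarantine or tag the message; the Reply-To and subject checks add confidence and also catch lookalike domains that the display-name rule would miss when the sender is not on the protected list.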
Turkey blocks Twitter pages
In response to the huge leak of information stored on the servers of the Turkish National Police, the Turkish government has made the decision to block the Twitter accounts @CthulhuSec, @YourAnonNews and @CryptOnymous.
The alleged grounds for this ruling, made by the Security Affairs General Directorate, are that content from the above sources “…threatens public order or national security by applauding terrorism or provoking violence or crime.”
Hacking Team returns(?)
Researchers have recently noticed Mac malware that uses an updated version of Hacking Team’s Remote Code Systems (RCS) software. The malware isn’t particularly dangerous by itself, but the version of RCS dates from October, three months after the very public dissolution of Hacking Team.
The Silobreaker Team