Thursday, April 21, 2016

FTC Issues Alert on Earthquake Relief Email Scams

The Federal Trade Commission (FTC) has issued an alert warning users to be on the lookout for earthquake relief email scams.
In a post published on Wednesday, Colleen Tressler, a consumer education specialist at the FTC, highlights the growing need for aid following recent earthquakes in Japan and Ecuador.
Late last week, a series of strong earthquakes in Japan culminated in a 7.0-magnitude quake, killing nearly 50 people. Aftershocks as strong as 6.1 are still being felt by the survivors, who struggled with a shortage of food and water on Wednesday.
Last Saturday, a 7.8 magnitude earthquake struck Ecuador. At least 570 people were killed, with 155 people missing, 7,015 injured, and 25,000 currently placed in relief shelters. This is the worst natural disaster the country has seen in decades.
Many charities are now attempting to provide aid to the survivors. But as Tressler warns, those looking to donate should spend some time researching whether they are actually giving to a trusted organization.
“Unfortunately, legitimate charities face competition from fraudsters who either solicit for bogus charities or aren’t entirely honest about how a so-called charity will use your contribution.”
To help people avoid donating to fraudulent charities, the FTC has published the following list of tips:
  • Donate only to reputable charities. People should avoid organizations that have sprung up overnight and that might not provide donors with the option to designate their gift of aid for a specific disaster.
  • Never click on suspicious links or email attachments. If you know the sender personally, contact them by phone or in person to determine whether they actually sent you the link or attachment. Attackers might have hacked their account.
  • Be wary of relief solicitations sent to you via social media or text message. It is safer to donate directly from a legitimate charity’s website.

TREASUREHUNT: A Custom POS Malware Tool

Threat Intelligence has observed the significant growth of point-of-sale (POS) malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control (CnC) server.
Although the PCI DSS rules changed in October 2015, leaving retailers who have not transitioned from existing “swipe” cards to EMV or “chip” enabled cards liable for card-present fraud in more ways than before, many retailers are still in the process of transitioning to chip-enabled card technology. Criminals appear to be racing to infect POS systems in the United States before US retailers complete this transition. In 2015, more than a dozen new POS malware families were discovered. POS malware may be freely available, available for purchase, or custom-built for specific cyber criminals. Free tools are often the result of malware source code being leaked, and tend to be older and more easily detected by security software. POS malware available for purchase may be newly developed tools or modified versions of older tools. Then there is another class of POS malware that is developed for use exclusively by a particular threat group.

TREASUREHUNT is POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server. TREASUREHUNT would be implanted on a POS system through the use of previously stolen credentials or through brute forcing common passwords that allow access to poorly secured POS systems. When executed, TREASUREHUNT installs itself to the %APPDATA% directory and sets up a registry ‘run’ key for persistence. The malware will then initiate a beacon to a CnC server. The connection to the CnC server is via HTTP POST. The malware scans all running processes and ignores processes that contain System32, SysWOW64, or \Windows\explorer.exe in their module names. It searches for payment card data and, if found, sends the data encoded back to the CnC server. The operators control the compromised systems and harvest stolen payment card information through a web interface located on the CnC server.
All of the TREASUREHUNT samples identified so far contain the same compilation timestamp of 2014-10-19 07:14:39. This is likely an artifact of the builder rather than the time the samples were actually compiled. Using this data, TREASUREHUNT appears to have been first deployed in late 2014 and was seen throughout 2015 and into 2016.
The relatively sparse sample set may indicate that TREASUREHUNT is being deployed in a targeted manner rather than being propagated indiscriminately.
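A detection-side illustration of the two host behaviours described above (a Run-key entry pointing into %APPDATA% and an outbound HTTP beacon from that same image), added here as an example and not taken from the original report. The events are constructed in a Sysmon-like shape (Registry event 13, Network Connection event 3); the field names and paths are assumptions for the example.

```python
import re

# Constructed Sysmon-style events (not real telemetry): a Run-key write that
# points into %APPDATA%, the same image making an outbound HTTP connection,
# and benign noise that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\pos\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\pos\AppData\Roaming\svchost.exe"},
    {"EventID": 3, "Image": r"C:\Users\pos\AppData\Roaming\svchost.exe",
     "DestinationPort": 80, "Initiated": True},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationPort": 443, "Initiated": True},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def run_key_into_appdata(ev):
    """Registry event writing a Run value whose target lives under %APPDATA%."""
    return bool(ev.get("EventID") == 13
                and RUN_KEY.search(ev.get("TargetObject", ""))
                and APPDATA.search(ev.get("Details", "")))


def appdata_image_beacons(ev):
    """Outbound HTTP connection initiated by an image running from %APPDATA%."""
    return bool(ev.get("EventID") == 3 and ev.get("Initiated")
                and APPDATA.search(ev.get("Image", ""))
                and ev.get("DestinationPort") in (80, 8080))


def find_suspects(events):
    """Images that both persist via a Run key into %APPDATA% and beacon over HTTP."""
    persisted = {ev["Details"].lower() for ev in events if run_key_into_appdata(ev)}
    beaconing = {ev["Image"].lower() for ev in events if appdata_image_beacons(ev)}
    return sorted(persisted & beaconing)


if __name__ == "__main__":
    for image in find_suspects(SAMPLE_EVENTS):
        print("suspect POS implant candidate:", image)
```

Requiring both behaviours on the same image keeps legitimate installers that write Run keys, and legitimate %APPDATA% programs that talk HTTP, out of the alert.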

In the world of POS threats, there has been a rise in both underground offerings as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip and PIN technology in the United States, which will eventually render these techniques largely useless. While some cybercriminals are looking ahead in an effort to develop ways to exploit chip and PIN (as well as near-field communication technologies), many cyber criminals are looking to take advantage of memory scraping POS malware while it still works.
With an increasing number of major firms transitioning to the more secure chip-enabled cards, we expect to see cyber criminals increasingly turn their attention to smaller retailers and banks that may not be as prepared for the transition.

Top Five Hacker Tools Every CISO Should Understand

As the role of the CISO continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job. Nonetheless, CISOs need to keep abreast of the latest tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.
“The following is a list of tools every CISO should be on top of, and it was very hard to narrow it down to these few items with so many valuable tools out there,” Ouchn said. “My choices were driven by a combination of the tool’s value and their ease of use.”

ARMITAGE

“Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Nevertheless, I will focus on Armitage, an open source effort to bring a user-friendly interface to Metasploit,” Ouchn said.
“Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. The compromised devices are depicted with a lightning round. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability and is a great way to demonstrate the security in depth of an IT architecture. In fact, the framework has several capabilities to exploit vulnerabilities in almost any type of layer to therefore infiltrate (by pivoting) systems to reach the network’s nerve center. Armitage should definitely be part of the CISO’s Arsenal and his internal Red Tiger team.”

HASHCAT

There is constantly a battle between security folks and users when it comes to passwords. Although it is simple to deploy a Password Policy in a company, it’s also very difficult to justify it. Because in a perfect world from the users’ perspective, the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication. HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a password can be recovered. A CISO should certainly incorporate this password cracking tool in his arsenal because it allows him to check the complexity of the company password policy. Of course, the complexity of a password is not the only criterion for a well-constructed policy, as there are a plethora of criteria: duration, length, entropy, etc. So HashCat is a must have for any CISO.

WIFITE

You know what you have connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite has the simplest way. The grip is instantaneous. It is written in Python and runs on all platforms. CISOs need only supply the WiFi interface they use and it does the job, verifying that the corporate wireless networks are configured according to the applicable Security Policy, and better yet, it can be used to identify any open and accessible network that can potentially be harmful in terms of Phishing. Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers, for example). Wifite is a very simple and convincing way for a CISO to validate the security of wireless networks.

WIRESHARK

“Known for many years as Ethereal, Wireshark is probably the best tool when it comes to sniffing for and collecting data over a network. On the one hand, WireShark has boosted its capabilities with the support of several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface. WireShark allows a CISO to demonstrate that outdated protocols such as Telnet / FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user. Beyond the sniffing features, WireShark is also a great way to validate the network filtering policy. When placed near filtering devices, it can detect the protocols and communication flow in use. WireShark should be considered by any conscious CISO to validate the filtering policy and the need for encryption.”
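The two checks this passage recommends (spotting cleartext protocols such as Telnet and FTP, and comparing observed flows against the filtering policy) can be scripted over exported conversation records rather than read off the Wireshark screen. This is an added example, not code from the original article or from Wireshark; the conversation lines and the filtering policy are constructed for the example.

```python
import ipaddress

# Constructed conversation records in a tshark-like "src dst proto dport" form
# (not a real capture), including the cleartext protocols the text says to ban.
SAMPLE_FLOWS = """\
10.1.1.20 10.1.2.5 TCP 23
10.1.1.21 10.1.2.9 TCP 21
10.1.1.22 203.0.113.7 TCP 443
10.1.1.23 10.1.2.5 TCP 22
10.1.3.4 10.1.2.5 TCP 445
"""

# Destination ports that carry credentials or data unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Assumed filtering policy: which source subnet may initiate which destination ports.
FILTER_POLICY = {
    ipaddress.ip_network("10.1.1.0/24"): {22, 443},
    ipaddress.ip_network("10.1.3.0/24"): set(),  # this segment must not initiate anything
}


def parse_flows(text):
    """Turn 'src dst proto dport' lines into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)))
    return flows


def audit(text):
    """Return (cleartext protocol uses, flows the filtering policy should have blocked)."""
    cleartext, violations = [], []
    for src, dst, proto, port in parse_flows(text):
        if port in CLEARTEXT_PORTS:
            cleartext.append((str(src), str(dst), CLEARTEXT_PORTS[port]))
        allowed = next((ports for net, ports in FILTER_POLICY.items() if src in net), None)
        if allowed is not None and port not in allowed:
            violations.append((str(src), str(dst), port))
    return cleartext, violations


if __name__ == "__main__":
    seen_cleartext, seen_violations = audit(SAMPLE_FLOWS)
    print("cleartext protocols:", seen_cleartext)
    print("filtering policy violations:", seen_violations)
```

A flow that appears in the violations list was observed on the wire, so the filtering device in front of that segment is not enforcing the policy it was configured with.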

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that operate by exploiting human credulity. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. The simplicity of use via an intuitive menu makes it an even more attractive tool. It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users. This will confirm the users’ security perception within the company and validate the best Awareness Policy to deploy. The SET tool is very well maintained.