Soraya malware targets payment card data on POS devices and home computers

June 3, 2014 – 4:58 PM

Home computers and point-of-sale (POS) devices are both being targeted by a recently identified piece of malware that has already compromised thousands of payment cards – the majority of which were issued in the United States.

On May 23, Arbor Networks researchers discovered Soraya, a piece of malware that combines memory scraping techniques found in Dexter, a POS malware, with form grabbing abilities seen in Zeus, a trojan that impacts PCs running Windows.

Using multiple techniques in the same malware is fairly uncommon, Matt Bing and Dave Loftus, a pair of security research analysts with Arbor Networks who wrote about the threat in a Monday post, told SCMagazine.com in a Tuesday correspondence.

“Memory scraping is typically only found in malware directly targeting [POS] systems, and form grabbing is typically [used] to steal data being sent to websites, including payment card information and passwords,” Bing said.

The Soraya malware, which Bing and Loftus said likely dates back to March 2014, has already compromised thousands of payment cards.

Source:
http://www.scmagazine.com/soraya-malware-targets-payment-card-data-on-pos-devices-and-home-computers/article/349880/

U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator

June 2, 2014 – 6:28 PM

The Justice Department today announced a multi-national effort to disrupt the Gameover Zeus Botnet – a global network of infected victim computers used by cyber criminals to steal millions of dollars from businesses and consumers – and unsealed criminal charges in Pittsburgh, Pennsylvania, and Omaha, Nebraska, against an administrator of the botnet. In a separate action, U.S. and foreign law enforcement officials worked together to seize computer servers central to the malicious software or “malware” known as Cryptolocker, a form of “ransomware” that encrypts the files on victims’ computers until they pay a ransom.

Deputy Attorney General James M. Cole, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, FBI Executive Assistant Director Robert Anderson Jr., U.S. Attorney David J. Hickton of the Western District of Pennsylvania, U.S. Attorney Deborah R. Gilg of the District of Nebraska, and Department of Homeland Security’s (DHS) Deputy Under Secretary Dr. Phyllis Schneck made the announcement.

Victims of Gameover Zeus may use the following website created by DHS’s Computer Emergency Readiness Team (US-CERT) for assistance in removing the malware: https://www.us-cert.gov/gameoverzeus.

“This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General Cole. “We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.”

“These schemes were highly sophisticated and immensely lucrative, and the cyber criminals did not make them easy to reach or disrupt,” said Assistant Attorney General Caldwell. “But under the leadership of the Justice Department, U.S. law enforcement, foreign partners in more than 10 different countries and numerous private sector partners joined together to disrupt both these schemes. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.”

Source:
http://www.justice.gov/opa/pr/2014/June/14-crm-584.html

NSA Collecting Millions of Faces From Web Images

June 2, 2014 – 5:25 AM

The National Security Agency is harvesting huge numbers of images of people from communications that it intercepts through its global surveillance operations for use in sophisticated facial recognition programs, according to top-secret documents.

The spy agency’s reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency’s ambitions for this highly sensitive ability and the scale of its effort have not previously been disclosed.

The agency intercepts “millions of images per day” — including about 55,000 “facial recognition quality images” — which translate into “tremendous untapped potential,” according to 2011 documents obtained from the former agency contractor Edward J. Snowden. While once focused on written and oral communications, the N.S.A. now considers facial images, fingerprints and other identifiers just as important to its mission of tracking suspected terrorists and other intelligence targets, the documents show.

Source:
http://www.nytimes.com/2014/06/01/us/nsa-collecting-millions-of-faces-from-web-images.html

Ransomware Now Uses Windows PowerShell

June 2, 2014 – 5:20 AM

We highlighted in our quarterly threat roundup how various ransomware variants and other similar threats like CryptoLocker now perform additional routines such as using different languages in their warnings and stealing funds from cryptocurrency wallets. The addition of mobile ransomware highlights how these threats are continuously improved over time.

We recently encountered another variant that used the Windows PowerShell feature in order to encrypt files. This variant is detected as TROJ_POSHCODER.A. Typically, cybercriminals and threat actors have used Windows PowerShell to go undetected on an affected system, making detection and analysis harder. However, in this case, using PowerShell made it easier to detect as this malware is also hardcoded. Decrypting and analyzing this malware was not too difficult, particularly compared to other ransomware variants.

Since it uses PowerShell, TROJ_POSHCODER.A is script-based, which is not common for ransomware. It uses AES to encrypt the files, and RSA4096 public key cryptography to exchange the AES key. When executed, it adds registry entries, encrypts files, and renames them to (unknown).POSHCODER. It also drops UNLOCKYOURFILES.html into every folder.
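As an added example (not code from the Trend Micro post), a defender's sweep for the two file-system indicators the post names, the .POSHCODER extension and the UNLOCKYOURFILES.html note, plus a byte-entropy check that flags AES ciphertext the malware has not yet renamed; the directory, file names and contents it builds are constructed for the demo.

```python
import math
import os
import tempfile
from pathlib import Path

# Indicators named in the post: encrypted files are renamed to
# <name>.POSHCODER and UNLOCKYOURFILES.html is dropped in every folder.
ENCRYPTED_EXT = ".POSHCODER"
RANSOM_NOTE = "UNLOCKYOURFILES.html"
ENTROPY_THRESHOLD = 7.2  # bits/byte; AES ciphertext sits near 8.0, documents well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_poshcoder(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and collect POSHCODER indicators as lists of relative paths."""
    findings = {"encrypted": [], "notes": [], "high_entropy": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name == RANSOM_NOTE:
            findings["notes"].append(rel)
        elif path.suffix.upper() == ENCRYPTED_EXT:
            findings["encrypted"].append(rel)
        else:
            # Ciphertext that has not (yet) been renamed still looks random.
            with path.open("rb") as fh:
                if shannon_entropy(fh.read(sample_bytes)) >= ENTROPY_THRESHOLD:
                    findings["high_entropy"].append(rel)
    # The note together with renamed files is the strong signal.
    findings["infected"] = bool(findings["notes"] and findings["encrypted"])
    return findings


def build_sample_tree() -> str:
    """Constructed demo tree (not real malware output) with the indicators planted."""
    root = tempfile.mkdtemp(prefix="poshcoder_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.xlsx.POSHCODER").write_bytes(os.urandom(8192))  # stands in for AES output
    (docs / RANSOM_NOTE).write_text("<html>pay to unlock your files</html>")
    (docs / "notes.txt").write_text("quarterly report draft\n" * 50)  # untouched file
    return root
```

Run `scan_for_poshcoder(build_sample_tree())` to see the planted indicators reported; point it at a real share to hunt, and tune ENTROPY_THRESHOLD downward if already-compressed files (zip, jpeg) produce noise.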

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/

Malware creation breaks all records! 160,000 new samples every day

May 30, 2014 – 5:32 AM

Malware creation has broken all records during this period, with a figure of more than 15 million new samples, and more than 160,000 new samples appearing every day, according to Panda Security.

Trojans are still the most abundant type of new malware, accounting for 71.85% of new samples created during Q1. Similarly, infections by Trojans were once again the most common type of infection over this period, representing 79.90% of all cases.

In the area of mobile devices, there have been increasing attacks on Android environments. Many of these involve subscribing users to premium-rate SMS services without their knowledge, both through Google Play as well as ads on Facebook, using WhatsApp as bait.

Along these lines, social networks are still a favorite stalking ground for cyber-criminals. The Syrian Electronic Army group, for example, compromised accounts on Twitter and Facebook, and tried to gain control of the facebook.com domain in an attack that was foiled in time by MarkMonitor.

During the first three months of the year we have witnessed some of the biggest data thefts since the creation of the Internet, and as expected, Cryptolocker, the malicious file-encrypting ransomware which demands a ransom to unblock files, has continued to claim victims.

Source:
http://www.net-security.org/malware_news.php?id=2776