MitM Attacks Pick Up Speed – A Russian Coder Launches a New Web Injection Coding Service

In a successful MitM attack, the hacker infiltrates a web session between a bank and a bank customer, intercepts the messages they are exchanging, including credentials and classified information, and injects new messages, all without arousing the suspicion of either party.

In most cases, the injections are tailored to the victim. In other words, the victim sees a website purporting to belong to the specific bank whose site the victim is attempting to access. The injections are delivered via banking Trojans such as Zeus. On closed forums, injections are sold as separate modules for banking malware.

Web injections are sold on a Russian underground forum

On one of the leading Russian-language cybercrime forums, we recently discovered a new thread offering web-injection services. The author was selling a large variety of injections for banks and online services in the United States and Canada.

According to the thread, the service includes an administration panel for managing the infected machines and stolen data, the ability to change the victim’s banking account balance (after a money transfer was performed), the ability to grab answers to security questions, and many other features.

The prices are quite affordable and vary from $50 to $150, though it should be noted that anyone wishing to carry out an MitM attack should already possess a botnet of machines infected with banking Trojans. When the victim tries to access his bank account, the attacker intercepts the session and displays a fake webpage that is very similar to the real bank’s site. The victim is asked to fill in login credentials, answer security questions, provide credit card data, and more. The attacker immediately receives the information through the administration panel and can use it to transfer the money, while the victim receives a connection error and simply tries to connect to the bank’s website one more time.

Detecting such an attack can be difficult, since one failed connection to the bank website or minor differences between the design of the fake page and that of the real page do not usually arouse the victim’s suspicions. In addition, as mentioned above, the account balance that the victim sees does not change after the money has been stolen.

The seller has launched a website to promote sales of the injections he coded. The site contains samples of injections for banks in the United States and Canada and for online services such as PayPal and eBay. The targeted banks are Wells Fargo, HSBC, Citizens Bank, Scotiabank, RBC Bank, and many more. A section on the site indicated that European institutions will be targeted in the future.

Example of injection for a bank, published on the dedicated website

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

#OpIsrael Campaign – April 7, 2015: Cyber Intelligence Review

Background

This is the third round of the anti-Israel cyber campaign called #OpIsrael. The hacktivists are highly motivated to attack Israel, and they have been gradually building their campaign infrastructures on social media networks. Many have been posting videos with threatening messages in the lead-up to April 7. AnonGhost, which is behind the campaign, has announced that it will cooperate with three anti-Israel groups known from previous campaigns: Fallaga, MECA (Middle East Cyber Army), and Anon Official Arabe.

Official announcement from AnonGhost on future cooperation

Most of the social media discussions about the campaign are taking place in the Middle East, North Africa, Southeast Asia, Western Europe, and the United States (the attackers appear to be using proxy services). In addition, during March 2015 the number of Twitter tweets about the campaign increased by hundreds per day. Nevertheless, it is important to note that during the campaign, there will likely be several thousand or even tens of thousands of tweets a day, as was the case during previous campaigns.

Increase in the number of tweets about #OpIsrael per day in March 2015

Prominent Participants

At the time of writing, the number of participants is about 5,000. The most prominent groups in the campaign are from North Africa, the Middle East, and Southeast Asia. Groups of hackers from South America, such as Anonymous Chile and Anon Defense Brasil, and hackers affiliated with Anonymous have also expressed support for the campaign. We have not yet seen evidence of active involvement or public support for the campaign by cyberterrorist groups.

Attack Targets

The attack targets recommended by those participating in the campaign are government websites, financial websites such as the Tel Aviv Stock Exchange’s or the Bank of Israel’s, academic websites, telecom websites, and media websites. These lists are familiar from previous anti-Israel campaigns.

In addition, AnonGhost and Fallaga leaked a list of hundreds of telephone numbers of Israeli officials from an unknown source to point out potential targets for anti-Israel text messages or phishing attacks, such as those that took place during #OpSaveGaza.

Post from AnonGhost threatening to send messages to Israeli telephone numbers

Attack Tools

The attack tools we have identified so far mostly appear in lists that include links for downloading the tools. Most of these lists are well-known from previous anti-Israel campaigns. However, we identified several unique self-developed tools created specifically for the campaign:

  • AnonGhost DDoS – A DDoS tool developed by AnonGhost, which initiated the campaign.
  • LOIC Fallaga – A DDoS tool developed by Fallaga. This tool was developed for an anti-Israel hacktivist operation that took place on March 20 of this year, but we expect that hacktivists will use it in the #OpIsrael campaign as well.

School Is Now in Session – The Spread of Hacking Tutorials in the Deep and Dark Web

One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.

Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.

Case Studies

The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.

POS tutorial in the onion network

The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.

PayPal tutorial on closed forum

What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?

Motives

There is no one answer to this question, but we can divide hackers’ motivations into four categories:

  • Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understood by almost any beginner.
  • Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
  • Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation. Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.

A forum member selling his knowledge

  • Knowledge sharing – Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.

Conclusions

In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers

  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia

  3. Groups sharing or even selling self-developed tools.

    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods (TCP, UDP, and HTTP) and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

‘BandarChor’ and ‘Ebola Virus’ Ransomware – Are They the Same?

F-Secure recently reported on BandarChor, a new player in the field of ransomware. The SenseCy team that analyzed the so-called new malware was intrigued by some of its characteristics. Further analysis revealed that BandarChor is another variant of Ebola Virus, ransomware we reported on in October 2014.

Brief Review of BandarChor (according to F-Secure)

First documented infections – November 2014
Spreading platform/method – Malicious emails or distribution by exploit kits
Capabilities – Upon execution, the ransomware encrypts multiple files on the infected machine. Afterwards the files are renamed to [original_file_name].id-[ID]_fud@india.com.

The Link Connecting BandarChor with Ebola Virus

BandarChor’s “file name modification” attribute caught our attention, as SenseCy had already encountered ransomware with a very similar modus operandi. In a blog post in October 2014, we reported on Ebola Virus, a new ransomware whose victims were mainly in Russia. Based on our research, we believe that Ebola and BandarChor are variants of the same ransomware, although with slight differences. This is because both use the same file name modification after encryption. BandarChor renames files to [filename].id-[ID]_fud@india.com, while one of the previously discovered Ebola variants changes file names to id-*_decrypt@india.com, indicating that the attackers were using the same domain.

BandarChor / Ebola Ransomware Evolution as Observed by SenseCy

SenseCy first encountered Ebola malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that had infected his computer. The sample that we examined was received by the victim in an email that contained a malicious link. Clicking the link initiated the download of a RAR archive, and unzipping the archive encrypted all files stored on the PC that had the extensions .pdf, .doc, .docx, .xls, .xlsx, .jpg, or .dwg. After that, the filenames were changed to *id-*help@antivirusebola.com. According to an infected user, to recover the files on the PC, he had to send an email to help[at]antivirusebola.com, and he was subsequently instructed to pay one bitcoin to a certain address.

We conducted a further investigation on the Russian-speaking web that revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent through an email, allegedly from the tax authorities or traffic police.

The ransomware was reported on several security firm forums (such as Kaspersky, Symantec, and Dr.Web), and later in November, was included in TrendMicro’s threat encyclopedia under TROJ_CRYPAURA.A (with a decryption solution).

According to Russian security firm Dr.Web, the Ebola virus first appeared on August 20, though a slightly different version has been distributed since August 7 that changes the file names to id-*_decrypt@india.com or id-*_com@darkweider.com. All three versions are probably variants of the same malware, identified by Dr.Web as Trojan.Encoder.741, and were coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in the Delphi language, packed with an Armadillo packer, and encrypted with the AES-128 algorithm.
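The file-renaming pattern is the one artifact every variant described above shares (BandarChor's `[original].id-[ID]_fud@india.com`, the Ebola variants' `id-*_decrypt@india.com`, `id-*_com@darkweider.com` and `*id-*help@antivirusebola.com`). The following parser, an added example that is not part of the original post or of any vendor's tooling, pulls the original name, victim ID and contact address out of such a file name and attributes it to the variant the text associates with that address; it assumes the ID is numeric, which the page does not specify, and the file listing it scans is constructed.

```python
import re
from collections import Counter

# Contact addresses the text associates with each variant, keyed by
# (mailbox, domain) of the address appended to every encrypted file.
KNOWN_VARIANTS = {
    ("fud", "india.com"): "BandarChor",
    ("decrypt", "india.com"): "Ebola (August 7 variant)",
    ("com", "darkweider.com"): "Ebola (August 7 variant)",
    ("help", "antivirusebola.com"): "Ebola (August 20 variant)",
}

# [original].id-[ID]_[mailbox]@[domain]; the dot before "id-" and the
# underscore before the mailbox are optional because the text shows both
# shapes. Assumption: the [ID] part is numeric (not stated on the page).
_RENAME_RE = re.compile(
    r"^(?P<orig>.+?)\.?id-(?P<id>\d+)_?(?P<mailbox>[a-z]+)"
    r"@(?P<domain>[a-z0-9.-]+\.[a-z]{2,})$",
    re.IGNORECASE,
)


def parse_renamed_file(name):
    """Describe a ransomware-renamed file, or return None if the name does
    not follow the [original].id-[ID]_[mailbox]@[domain] shape."""
    m = _RENAME_RE.match(name)
    if not m:
        return None
    mailbox = m.group("mailbox").lower()
    domain = m.group("domain").lower()
    return {
        "original": m.group("orig"),
        "victim_id": m.group("id"),
        "contact": f"{mailbox}@{domain}",
        "variant": KNOWN_VARIANTS.get((mailbox, domain), "unattributed"),
    }


def scan_filenames(names):
    """Group hits by variant and collect victim IDs: a burst of files
    sharing one ID is what a file-server monitor would alert on."""
    hits = [p for p in (parse_renamed_file(n) for n in names) if p]
    by_variant = Counter(h["variant"] for h in hits)
    ids = {h["victim_id"] for h in hits}
    return {"hits": hits, "by_variant": dict(by_variant),
            "victim_ids": sorted(ids)}


# Constructed directory listing (no real victim data).
SAMPLE_LISTING = [
    "budget.xlsx.id-1029384756_fud@india.com",
    "contract.pdf.id-1029384756_fud@india.com",
    "scan.jpg.id-77001_decrypt@india.com",
    "drawing.dwg.id-77001_com@darkweider.com",
    "thesis.docx.id-5150help@antivirusebola.com",
    "notes.txt",             # untouched file
    "valid-report.pdf",      # contains "id-" but is not a rename
]

if __name__ == "__main__":
    result = scan_filenames(SAMPLE_LISTING)
    for h in result["hits"]:
        print(f'{h["original"]:<13} id={h["victim_id"]:<11} '
              f'{h["contact"]:<26} {h["variant"]}')
    print("by variant:", result["by_variant"])
```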

Additional Variants of this Ransomware

After performing additional research, we discovered more formats of this ransomware. In most cases, it is disguised in an email allegedly from the tax authorities, courts, or the like. Here is a list of email addresses identified as being connected to this ransomware (according to a Russian cyber security blog):


In conclusion, this case study demonstrates the importance of near-real-time cyber intelligence. By identifying future threats and notifying our customers in advance, we can help them to protect themselves before the threat can be detected by traditional security systems.

Australian Banks Targeted by Russian Malware for Android Devices

Introduction

Several months ago, while monitoring Russian underground forums, we came across a new malware designed to attack Android smartphones via a social engineering vector, luring victims into providing their banking data, as well as credit card details to the attackers.

The malware is dubbed GM BOT, and it has been offered for rent since October 2014 on a Russian underground forum dealing with malware development and sales. The price was $4,000 for one month, and this later dropped to $2,000. In January 2015, the renter of GM BOT posted about deploying the malware on an Australian botnet, including screenshots of banking details from Australian banks.

Later, in February 2015, the renter posted examples of Man-in-the-Middle (MitM) attacks that can be carried out by his malware, two of them presenting fake login pages to Australian banks.

GM BOT Capabilities

The first version of the malware was released on October 29, 2014, and according to the thread, it is designed to collect banking and credit card details. Data collection from the infected devices is performed via a social engineering vector, in which fake pages are presented to victims. The tool works in different ways:

  • Collection of VBV data by using a fake Google Play application (the Luhn algorithm is used to validate the card number).
  • Scanning the mobile phone for installed banking services, and presenting dialog boxes for filling in confidential data.
  • Checking for email and social media accounts linked to the phone (Gmail, Facebook, Twitter, etc.) and presenting dialog boxes for filling in confidential data.

In addition, the malware is capable of intercepting and blocking incoming SMS messages (to prevent alerts from the bank from reaching the victim), as well as redirecting incoming calls, monitoring GPS data, and more. The malware received highly positive feedback from other forum members, who judged it suitable for cybercrime activity.

Initially, the thread’s author specified that the bot would be rented to five clients – Russian speakers only. On November 3, 2014, the renter announced that all five clients had been found and that the ad was no longer relevant. However, one month later, on December 2, he posted about updates to GM BOT’s capabilities, saying that he was looking for more clients. The new version of the bot enables its operator to create JS or HTML dialog boxes that are presented to the victim, thus expanding the number of accounts whose credentials can be obtained.

The Australian Link

On January 13, 2015, the author posted again. This time the post included screenshots showing the results of GM BOT activity. According to the post, 165 users in Australia were infected on January 10. Of these, 68 were communicating back with the C&C infrastructure at the time of the post. Screenshots of the collected data were attached.

Credit card data and banking credentials of Australian bank clients, collected by GM BOT

On February 12, 2015, another post regarding GM BOT was uploaded by the author, focusing on its MitM attack capabilities. According to this post, the bot can inject JS or HTML code into a running application, thus showing the user fake pages designed to extract data.

It should be mentioned that the malware distribution method is not included in the rented product. This means that the attacker who purchases the malware delivers it to the victims by a method of his own choosing, such as spam email.