Ukraine Accuses Russia of Invasion – Ukrainian Hackers Set to Retaliate

Earlier today (August 28, 2014) Ukrainian President Petro Poroshenko said that Russia has sent troops into eastern Ukraine. Ukrainian hacker groups are quickly moving to retaliate – Anonymous Ukraine plans to attack a number of Russian banks’ websites and the Russian President’s official websites. The first target was sberbank.ru, with the attack planned to take place on August 28 at 16:00.

Anonymous Ukraine is threatening to carry out DDoS attacks

Other websites on the list include:

Threats to wage cyber attacks on sberbank.ru

How to Spot a Fake LinkedIn Profile in 60 Seconds?

LinkedIn is a terrific platform for cultivating business connections. It is also rife with fraud and deceit. Fraudsters use it as a social engineering tool that allows them to connect to professionals and lure them into disclosing their real contact details (a work email is the best prize), and then use this email address to send spam or, worse, deliver malware.
Always check the profile before accepting an invitation, and do so through the LinkedIn message mechanism and not through email (fake invitation emails can cause much more harm than fake profiles – see our previous post).

So we’ve established that it’s imperative to be able to identify a fake profile when someone invites you to connect on LinkedIn. But how would you do that? Follow our proprietary (just made up) CID protocol! CID stands for Connections, Image and Details. By following it you will be able to spot most fakes in 60 seconds or less. More elaborate fraud attempts will take much longer to identify, or may even be impossible for the non-professional to identify. We will discuss these later.

Connections - while you can fabricate any “fact” on your profile, connections cannot be faked; they have to be “real” LinkedIn users who’ve agreed to connect with you. So unless the fraudster is willing to create 100 other fake profiles and connect them to the fake persona he’s trying to solidify (something that takes a lot of time and effort, and something I hope LinkedIn’s algorithm will pick up), the only way for him to have 100 connections is to connect to 100 LinkedIn users. So if you see someone with a puny number of connections, you can start to be more suspicious. So, connections number check – 5 seconds. Moving on.

Very few connections

Image - by now most people creating a LinkedIn profile realize it’s in their best interest to include a real image of themselves, and usually a professional-looking one (either taken by a professional or in professional attire). So no image, or an obscure one, is somewhat suspicious. A too-good-looking image should also ring an alarm bell. Since it is almost certain that the fraudster will not use his/her own image (that would make the profile real to a certain extent), they will most likely search for a nice photo online. How can you tell if the image they’ve used was taken from someplace else? There are dedicated websites for reverse image search, but since we are under a serious time constraint here, why not simply right-click the image and ask Google to check the source? Very quickly it will find matching images and you will be able to match the profile image to an existing stock image. Another 25 seconds gone. Say these two tests were not sufficient and you are still not sure? Check the Details.

Starting Google image search

Image search results

Details - people know that the more detailed their profile is, the better. Profiles lacking education or occupation details are very unreliable, as are profiles with severe discrepancies (how could this guy study at Yale and serve overseas at the same time?). Lacking skills, recommendations and endorsements also counts against any real profile. Taking another 30 seconds of your precious time, you should by now be able to spot a fake profile.
Sure, someone just starting on LinkedIn might trip our CID protocol simply because he has just launched his LinkedIn profile and therefore has few connections. If you know this guy, go ahead and connect. If you don’t, it’s best to wait until the profile seems more robust.
It is very important to note that accepting the invitation to connect by itself (given it was delivered via the LinkedIn message mechanism or clicked on the user profile) does not create any damage, but it establishes a link between you and a fraudster, which can later be utilized as an attack vector.
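The CID checklist above written out as a small scoring routine, added here as an example and not part of the original post or any LinkedIn feature; the connection threshold, the flag-count cut-offs and the sample profiles are assumptions of this example, and the reverse image search result is something you still look up by hand and pass in.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Illustrative threshold, an assumption of this example rather than a LinkedIn figure.
MIN_CONNECTIONS = 50

# (description, start, end); end is None for an ongoing position or course.
Entry = Tuple[str, date, Optional[date]]

@dataclass
class Profile:
    name: str
    connections: int
    has_photo: bool
    photo_found_elsewhere: bool   # outcome of your manual reverse image search
    education: List[Entry]
    positions: List[Entry]
    skills: int
    recommendations: int

def overlaps(a: Entry, b: Entry) -> bool:
    """True when two date ranges share at least one day."""
    a_end = a[2] or date.max
    b_end = b[2] or date.max
    return a[1] < b_end and b[1] < a_end

def timeline_conflicts(p: Profile) -> List[str]:
    """The 'studied at Yale while serving overseas' check: education that overlaps a
    position is flagged for a human to verify, not treated as proof of fakery."""
    return [f"{e[0]} overlaps with {j[0]}"
            for e in p.education for j in p.positions if overlaps(e, j)]

def cid_check(p: Profile) -> List[str]:
    flags = []
    # C - Connections: the one thing that cannot simply be typed into a profile.
    if p.connections < MIN_CONNECTIONS:
        flags.append(f"only {p.connections} connections")
    # I - Image: missing, or found elsewhere by a reverse image search.
    if not p.has_photo:
        flags.append("no profile photo")
    elif p.photo_found_elsewhere:
        flags.append("profile photo matches an image found elsewhere online")
    # D - Details: missing sections, timeline discrepancies, no social proof.
    if not p.education:
        flags.append("no education listed")
    if not p.positions:
        flags.append("no occupation listed")
    flags.extend(timeline_conflicts(p))
    if p.skills == 0 and p.recommendations == 0:
        flags.append("no skills or recommendations")
    return flags

def verdict(p: Profile) -> Tuple[str, List[str]]:
    flags = cid_check(p)
    if len(flags) >= 3:
        return "likely fake", flags
    if flags:
        return "suspicious: wait until the profile looks more robust", flags
    return "no CID red flags", flags

# Constructed samples; SUSPECT is modelled on the profile described in the post, not copied from it.
SUSPECT = Profile("J. Doe", connections=7, has_photo=True, photo_found_elsewhere=True,
                  education=[("Yale University", date(2008, 9, 1), date(2012, 6, 1))],
                  positions=[("Overseas military service", date(2009, 1, 1), date(2011, 12, 31))],
                  skills=0, recommendations=0)
CLEAN = Profile("A. Analyst", connections=312, has_photo=True, photo_found_elsewhere=False,
                education=[("State University", date(2005, 9, 1), date(2009, 6, 1))],
                positions=[("Security Analyst", date(2009, 7, 1), None)],
                skills=12, recommendations=3)
```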

Oh, and if you have 30 more seconds, why not do everyone a favor and report the fraudster? LinkedIn allows you to report suspicious profiles for review.

Report profile

Simply click the “Block or Report” option, fill the short form and there you go.

Report the profile for review by LinkedIn

P.S.

The profile displayed in this article is an actual fake profile that tried to connect to one of our analysts. Busted!

Did Turkish Hackers Actually Hack the Israeli “Iron Dome”?

Ayyildiz Tim (AYT) is one of the more prominent Turkish hacker groups today. The group was founded in 2002 by Turkish hackers residing outside of Turkey. AYT advocates Turkish state ideology and has declared its intention to fight against “every form of attack on the Turkish Republic”, or attempts to threaten Turkish unity and Islam. Israel, the U.S., Armenia, Syria and the Kurdistan Workers’ Party (PKK) are counted among the group’s main targets.

A number of sources and web surfers refer to AYT as “The Turkish Cyber Army”, claiming that the group directly represents the tactical arm of the Turkish government with regard to everything surrounding cyberwarfare.

AYT founder Mehmet İshak Telli (Cedkan Bir Yafes) was interviewed by the Ihlas News Agency (IHA) – one of the leading video news agencies in the world – on August 7, 2014. In the interview, Telli claimed that Turkish hackers had hacked Israel’s “Iron Dome” air-defense system and that it would be a good answer to Israeli aggression. In his statement, Telli claimed that the Arrow 3 anti-ballistic missile software had also been hacked. He further stated that a secret war has been waged between the Turkish and Israeli intelligence units and that AYT had proven its cyber superiority.

Following this interview, numerous media outlets published his statements, falsely adding that “BBC editor” Brian Krebs had congratulated AYT and MIT (the Turkish National Intelligence Agency) on their hacking of Israel’s “Iron Dome”. The reports about Brian Krebs also misspelled his name as “Vrian Krebs.” According to RedHack (another Turkish hacker group), AYT is merely exploiting the media to fool people.

Tweet made by a RedHack member

What Krebs actually wrote on July 28 was: “According to Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), between October 10, 2011 and August 13, 2012, attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies…”.

Another investigation undertaken by security expert Reza Rafati also concluded that the information supporting the AYT claim regarding “Iron Dome” was fake.

MacroExp – a Combined Social Engineering and Exploit Attack

Combining an executable, usually malicious, file with a standard Word or Excel file, unbeknownst to the user, has always been an aspiration for cyber-criminals. With such an asset, they could make the victim unwittingly install the malware, without raising his suspicions or the AV vendor alerts that running an executable file would trigger. For this reason, requests for such services are frequently posted on underground forums, as cyber criminals search for easy ways to spread their malware files. Occasionally, this demand meets a supply, usually highly priced due to the opportunities it provides.

On this occasion, while monitoring Russian underground forums, we came across an advertisement for an exploit that targets Microsoft Office Word via its Visual Basic for Applications (VBA) macro feature. The exploit, referred to as MacroExp v 1.0.5 by the seller, first appeared for sale two days ago (on August 11), for $1,000. The price includes the exploit builder, as well as further updates and technical support.

According to the description on the forum, the exploit binds an executable file with a .doc file, making the .exe invisible to the victim. It is compatible with all Microsoft Office Word versions (2000-2013), as well as Windows OS x86 and x64. Since the presence of the executable file is invisible, it is not detected by AV and IPS systems, or firewalls.

The disadvantage of the method, as described by the seller, is the pop-up of a macro-enabling alert required for the actual running of the executable file. He suggests overcoming this obstacle by using social engineering methods.

A week ago, CISCO reported this attack vector, detected by its researchers, in the wild. It was used in spear-phishing attacks in such industries as banking, oil, television and jewelry. The starting point involved sending a Word file written specifically for the recipient. When clicking on the document, a macro alert popped up. Once enabled, it led to the download of an executable malicious file and launched it on the victim’s computer.

It is difficult to say whether the same perpetrators are behind both attacks, or whether it is just the same vector being used in both cases. On the one hand, one of the CnC domains discovered by CISCO was registered seven years ago, which may indicate that the threat actor has been in operation since at least 2007. On the other hand, the seller connected himself to the CISCO report, claiming that the described attack is his project. Moreover, he mentioned that more than 20 clients were already using the exploit, and that this was not the first version since its release. The matter will become clearer as more cases are identified in the wild, combined with more feedback from buyers on the forum.
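A defender-side triage routine for the kind of document the seller describes (a VBA project that triggers the macro alert, plus an executable bound into the file), added here as an example and not part of this post, of the seller’s tool or of the CISCO report. It assumes a modern OOXML package (.docx/.docm) for the full check and does only a shallow scan of the legacy binary .doc container the seller targets; the sample documents are constructed in memory.

```python
import io
import zipfile

# Public file-format constants used to tell the container types apart.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy binary .doc / OLE2 compound file
ZIP_MAGIC = b"PK\x03\x04"                              # OOXML (.docx/.docm) is a zip archive
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"  # text found in almost every PE stub

def looks_executable(blob: bytes) -> bool:
    """True for a raw PE file or an OLE package object wrapping one."""
    return blob.startswith(PE_MAGIC) or (blob.startswith(OLE_MAGIC) and DOS_STUB in blob)

def inspect_office_file(data: bytes) -> dict:
    """Report whether a document carries both halves of a MacroExp-style lure:
    a VBA project to run and an embedded executable to drop."""
    report = {"container": "unknown", "has_vba": False, "embedded": [], "verdict": "clean"}
    if data.startswith(ZIP_MAGIC):
        report["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # A VBA project inside the package is what makes Word show the macro alert.
            report["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            for n in names:
                if "/embeddings/" in n:
                    report["embedded"].append((n, looks_executable(z.read(n))))
    elif data.startswith(OLE_MAGIC):
        report["container"] = "ole2"
        # Legacy .doc: macro streams need an OLE parser (e.g. oletools' olevba) to
        # enumerate; here we only flag a bound executable by its DOS stub text.
        if DOS_STUB in data:
            report["embedded"].append(("<ole2 stream scan>", True))
    exe_found = any(flag for _, flag in report["embedded"])
    if report["has_vba"] and exe_found:
        report["verdict"] = "quarantine"   # macro to run plus an executable to drop
    elif report["has_vba"] or exe_found:
        report["verdict"] = "review"
    return report

def build_sample(with_macro: bool, with_exe: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        if with_exe:
            # An embedded OLE package object carrying a PE stub, as a dropper would.
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 32 + DOS_STUB)
    return buf.getvalue()
```

Mail-gateway or sandbox policy would act on the verdict: a document that both contains a VBA project and embeds an executable is exactly the combination the seller advertises and has no legitimate reason to arrive by email.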

Screenshots of the exploit in action uploaded by the seller

#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.

Financial Scams Involving POS Devices

POS attacks appear to have become both more frequent and more damaging. These systems are considered “easy prey” for scammers because they are vulnerable in two respects: The first is the software aspect – POS terminals are based on popular operating systems and are connected to the Internet, thus serving as a target for infection by Trojans dedicated to data theft. The second is the physical nature of these kinds of systems – they are usually located in public places and are accessible to many people, facilitating the installation of malicious programs and components directly onto the POS terminals.

Russian-speaking web platforms (forums) are known to be supporting grounds for the creation and development of a great deal of cybercrime the world over, and POS-related crime is no exception. This sphere of activity falls under the “real carding” forum topic, which also deals with hacking ATM machines, installing skimming devices, hacking into ATM cameras for the purpose of recording PIN codes, etc. Below we summarize the main trends regarding POS systems that were discussed in the Russian forums in recent months.

Trade of Malware Targeting POS Terminals: While 2013 was a year of large-scale breaches via remote access to POS systems, since the beginning of 2014 we have not witnessed an inordinate number of discussions about the remote infection of POS devices, as a large part of them deal with the physical modification of POS devices. Nevertheless, we identified a sale of one new tool in May 2014, referred to by the seller simply as Dump Grabber.

Installing Firmware Components on POS Terminals: The sale of firmware components for different models of POS terminals is very popular on the underground, as is the sale of the complete terminal (ready for installation) already containing the firmware. The average price for a complete terminal is approximately $2,000, while firmware alone will cost around $700. The firmware collects track 1, track 2 and PIN code data while regular transactions are performed on the terminal, and then sends it to a specified destination.

An offer for the sale of a VeriFone POS terminal with installed firmware

Technical Discussions: It appears that since the infamous mega-breaches that occurred over the last year, this sphere has attracted a lot of cyber criminals, but some of them lack the technical skills necessary for success. They heard about the easy profits available in the area of POS terminals and are trying to familiarize themselves with the expertise required to make a profit via dedicated online platforms.

The two main issues recently discussed on the forums are obtaining PIN codes and bypassing the demand for chip identification. The energetic discussions that developed on these subjects may point to the difficulties they are facing in the area of POS-related cybercrime.

A forum member asks how to add a PIN requirement in POS transactions

Business Models of POS-Related Scams: It is extremely difficult for a single scammer to commit a financial crime exploiting POS terminals. These scams are usually performed by small groups of cyber criminals. If the modus operandi of the scam is the remote infection of POS devices, there is a high probability that the attack group will include three types of perpetrators: the malware coders, the malware spreaders and the purchasers of the dumps.

In case of a physical infection of the POS terminals, of the kind that requires the installation of firmware components or the replacement of the terminal itself, the cooperation of someone at the business point (a shop or a supermarket) will also be required.

A forum member offers a fake POS terminal for rent, in return for 50% of the profit

Cyber Threats to the Insurance Industry

Written by Gal Landesman

In recent years, insurance companies have found themselves affected by the rising number of major cyberattack incidents. On the one hand, this trend presents a business opportunity for selling cyber insurance to organizations concerned about protecting their sensitive assets. On the other hand, insurance companies are not excluded from the cyber battlefield, as they hold large amounts of sensitive information regarding their clientele and are therefore targeted by cyber criminals. Moreover, data breaches that occur in the insurance industry are more difficult to detect than credit card information theft, because clients check their bank accounts far more frequently than their insurance records.

(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Insurance Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Cyber Insurance

Cyber insurance is a service much sought-after by many companies today. Most fear the bad PR in the wake of a cyberattack, the cost of dealing with the Data Protection Commissioner and handling affected clients. The financial burden and threat of reputation damage caused by downtime and data leakage are becoming more noticeable. Companies in industries such as healthcare, financial services, telecommunications and online retail now realize that cyber insurance is essential to minimize the potential financial impact.

Some insurance companies selling cyber insurance have reported up to a 30% increase in sales over the last year. This type of insurance typically covers such things as exposure to regulatory fines, damages and litigation expenses associated with defending claims from third parties, diagnosing the source of the breach, recovering losses and reconfiguring networks.

The cyber insurance market is fast-growing with a value of EUR one billion annually in the U.S. and EUR 160 million annually in the E.U., where it has been adopted at a slower rate.

Insurance Company Data Breaches

Insurance companies are now selling cyber insurance to organizations – ironically making themselves more attractive targets, as they hold valuable information about those organizations and the people behind them.

Lately, regulators have been focusing their efforts on insurance companies that can sometimes hold very sensitive information on their customers, such as PII (Personally Identifiable Information) and PHI (Protected Health Information). The New York State Department of Financial Services sent out a survey in 2013 to insurance companies asking them about their cyber security policy. Insurance companies hold not only information on regular people, but they also hold sensitive and valuable information on their corporate customers. Insurers hold sensitive information on companies across a variety of industries.

The risks are evident in the following examples of reported data breaches of insurance companies:

  • The Aviva insurance company suffered a data leak in which two of its workers disclosed customer information and car details to third-party companies.
  • The Puerto Rican insurance company Triple-S Salud (TSS) suffered a data breach and its management was fined $6.8 million by the Puerto Rico Health Insurance Administration.
  • In October 2012, the insurance provider Nationwide was hacked, compromising the personal information of 1.1 million customers.

Commercial Espionage

Not only is the insurance sector suffering from the aforementioned threats, but insurance companies are apparently also facing threats from their competitors in the industry, who are going after their data in commercial espionage, employing hacking techniques. According to a report released by The Independent, SOCA – the British Serious Organized Crime Agency – suppressed reports revealing that law firms, telecom giants and insurance companies routinely hire hackers to steal information from rivals. According to the report, a key hacker admitted that 80% of his clientele were law firms, wealthy individuals and insurance companies.

Selling Insurance Information on the Underground Black Market

PII (Personally Identifiable Information) and PHI (Protected Health Information) sales on the underground continue to rise.

Several underground marketplaces sell information packages containing “verified” health insurance credentials, bank account numbers/logins, SSNs and other PII. According to Dell SecureWorks, these packages are called “fullz” – an underground term for the electronic dossier on an individual used for identity theft and fraud – and they sell for about $500 each.

Such underground marketplaces can be used as a one-stop shop for identity theft and fraud. Health insurance credentials are sold for about $20 each and their value continues to rise as the cost of health insurance and medical services rise.