    Archive for February, 2011

    Online transactions offer great convenience to vendors and customers alike. They provide a way to conduct business that suits most users’ current lifestyle, which increasingly revolves around the Internet.

    Unfortunately, this growing dependency on online banking and e-commerce is matched by cybercriminals’ interest in leveraging it to their advantage. Recently we’ve seen certain technologies used in online financial transactions being abused:

    Session IDs

    As detailed in a Trusteer report, a new banking Trojan, detected by Trend Micro as TSPY_ODDJOB.SMA, has been found to be capable of hijacking customers’ online banking sessions. Session IDs, which give users a temporary identity, are meant to be short-lived and expire after a predetermined time of inactivity. TSPY_ODDJOB.SMA effectively keeps sessions open even after customers have logged off, thus enabling cybercriminals to commit fraud.

    The capability may be noteworthy, but the Trend Micro Smart Protection Network has so far detected and blocked only one instance of the Trojan. However, this new technique could prove greatly attractive to criminals using ZeuS and SpyEye, especially because it is relatively simple to incorporate.

    In the next few months, session hijacking could easily become a default functionality in banking Trojans.
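    The defensive point behind the ODDJOB excerpt above is that a session which is only "logged off" on the client side can be kept alive indefinitely by anything that still holds the session ID and sends a request inside the idle window. The following is an added example written for this page (not code from Trend Micro, Trusteer or the Trojan itself): a small server-side session table in Python with an idle timeout, run once with logout invalidating the server-side entry and once with a logout that merely relies on the browser forgetting its cookie. The 15-minute timeout, the class and function names, and the simulated clock are assumptions made for the example.

```python
import secrets
import time

# Assumed policy value for this example; a real deployment sets its own.
IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, invalidate_on_logout=True, now=time.time):
        self.invalidate_on_logout = invalidate_on_logout
        self._now = now                 # injectable clock so the example is deterministic
        self._sessions = {}             # session_id -> {"user": str, "last_seen": float}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def authenticate(self, sid):
        """Return the user bound to sid, or None if it is unknown or idle-expired.
        Every successful check refreshes last_seen, which is exactly what a
        periodic keep-alive request exploits when logout is not server-side."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]     # idle timeout reached: drop the entry
            return None
        rec["last_seen"] = self._now()
        return rec["user"]

    def logout(self, sid):
        if self.invalidate_on_logout:
            self._sessions.pop(sid, None)   # the fix: kill the session on the server
        # Otherwise only the browser cookie is cleared; the server-side entry survives.


def simulate_after_logout(invalidate_on_logout):
    """Customer logs in, logs out, then a holder of the ID sends one request
    every 5 minutes for an hour. Returns whether each request was accepted."""
    clock = [0.0]                       # constructed simulated time, in seconds
    store = SessionStore(invalidate_on_logout, now=lambda: clock[0])
    sid = store.login("customer")
    clock[0] += 60
    assert store.authenticate(sid) == "customer"
    store.logout(sid)
    accepted = []
    for _ in range(12):
        clock[0] += 5 * 60              # well inside the 15-minute idle window
        accepted.append(store.authenticate(sid) is not None)
    return accepted


def simulate_idle_expiry():
    """With no activity at all, the session must expire on its own."""
    clock = [0.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.login("customer")
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    return store.authenticate(sid)


if __name__ == "__main__":
    print("server-side logout:", simulate_after_logout(True))   # all False
    print("client-only logout:", simulate_after_logout(False))  # all True
    print("idle expiry:", simulate_idle_expiry())               # None
```

With server-side invalidation every post-logout request is rejected; with client-only logout the same ID is accepted for the whole hour because each request resets the idle clock. The check a reviewer would make on a banking application is therefore not "is there an idle timeout" but "does logout delete the server-side record, and is there an absolute session lifetime that activity cannot extend".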


    Like my colleagues, I also attended the RSA 2011 Conference in San Francisco last week. They have shared their posts on the hackers and threats sessions; I would like to share some of my experiences and lessons learned from the sessions on social media, spies and security.

    Mapping an Organization’s DNA Using Social Media

    Abhilash Sonwane of Cyberoam discussed the findings of their research involving 20 random small and medium companies across the globe. His team tracked the social media activities of these companies’ employees via Facebook, Twitter and LinkedIn streams. This was done without employing any malicious tactics such as spear phishing or malware infection.

    It is interesting to note that simply by correlating the employees’ social media presence, the researchers were able to map the DNA of each company. By DNA, we mean a collection of data such as the morale of employees and of the company as a whole. This includes sensitive information such as who makes the buying decisions. While such information may not be directly related to any kind of threat in itself, it can be used by competitors (and potentially by the bad guys) to their advantage.

    My key takeaway from this session is that it is very important for companies to strive to create a balance between the benefits and risks of social media. Companies should have solid social media policies to raise awareness among employees about its proper use and corresponding challenges. Furthermore, to cover both internal and external risks, social media policies should be aligned with technology solutions that security companies offer.


    Privacy has been one of the major concerns of Facebook users today, especially as the social network continues to grow into a massive directory of personal information. Users are becoming very concerned about who can access the information they post, fearful that it may be viewed and used in a malicious way. Given this, stalkers—people who aim to invade other people’s privacy—are increasingly becoming Facebook users’ worst nightmare.

    Facebook scams play on people’s fear of being stalked. This is not surprising; we have recently seen newly created domains that offer to help users track down who views their profiles most, as well as how many times these were viewed. The domains contain strings like “profile view” and “creepers” in their URLs, suggesting their alleged purpose.

    The pages list the instructions the user must follow to use the “stalker tool.” These include copying a certain script and pasting it into the browser’s address bar.


    The technique is very similar to a scheme we saw last year, which used the lure “10 lies girls ALWAYS tell guys! Funny!” In this case the lure is different, but the effect is pretty much the same. Once the user pastes the script into the address bar and executes it, the script accesses his Facebook account and uses it to spam messages promoting the stalker tool.


    One of the primary points raised in this year’s RSA Conference is that mobile threats are as real and pressing as other industry issues today. Amid heated discussions over cloud security, several sessions were spent on reviewing the threats to mobile security and on laying out concrete steps so we can defend our mobile lives.

    The Ugly Truth Behind Mobile Security

    Mobile threats have been around for years, dating back to when mobile phones first became popular. Earlier mobile malware was primitive in the sense that it used neither encryption nor social engineering tactics. Over time, however, mobile malware proliferators improved their techniques to ensure their profitability.

    Interestingly, even though smartphones are changing the mobile landscape (for instance through increasing mobile email use) and more complex threats are emerging, basic SMS malware still exists. The reason is simple—cybercriminals are still making money from SMS malware. Denis Maslennikov’s presentation revealed that 40–67 percent of the revenue goes to affiliates, who invest a relatively small amount to engage in these malicious schemes. With infected users losing as much as US$1.2 million per month to these threats, it’s easy to see why they continue to proliferate.


    Since our previous blog post, we have continued to investigate whether SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we have found that the included documentation says little about ZeuS; it only compares the behavior of several options and configurations of the two malware families.

    At present, we have only been able to identify three different versions in the wild:

    • 1.3.04
    • 1.3.05
    • 1.3.09

    As you can see, these are minor releases. Our underground research tells us that some minor bug fixes were made between these versions, though they are otherwise essentially the same. If you are wondering whether the SpyEye Toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and still are. As such, a modification of the ZeuS panel would be needed for both to share a single database. ZeuS and SpyEye malware therefore do not register themselves with the same command-and-control (C&C) server in the same way.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice