Posts Tagged: EMC


2
Jul 14

Brazilian ‘Boleto’ Bandits Bilk Billions

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate appears to have netted thieves the equivalent of billions of dollars over the past two years.

A boleto.

A boleto.

At issue is the “boleto” (officially “Boleto Bancario”), a popular payment method in Brazil that is used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s Web site, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized  crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a Web-based control panel for a boleto-thieving botnet (see screenshot below); in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the "linea alterada" column shows the accounts used by the thieves to accept diverted payments. "Valor" refers to the amount, expressed in Brazilian Real.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions. Continue reading →


23
May 13

NC Fuel Distributor Hit by $800,000 Cyberheist

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

jtaOrganized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

Continue reading →


9
Feb 11

Adobe, Microsoft, WordPress Issue Security Fixes

Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendor Tipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.

Microsoft’s bundle includes a dozen updates addressing at least 22 security flaws in its Windows operating system and other software. Five of the vulnerabilities earned a “critical” rating, Redmond’s most serious. Six of the Windows flaws fixed in today’s release have been public for some time, although security experts at Symantec say they’re only aware of one of the flaws being actively exploited in the wild — a bug in the way Internet Explorer handles cascading style sheets. Updates are available through Windows Update or Automatic Update.

Microsoft also issued an update that changes the default behavior in Windows when users insert a removable storage device, such as a USB or thumb drive. This update effectively disables “autorun,” a feature of Windows that has been a major vector for malware over the years. Microsoft released this same update in February 2009, but it offered it as an optional patch. The only thing different about the update this time is that it is being offered automatically to users who patch through Windows Update or Automatic Update.

Update, Feb. 18, 11:56 a.m. ET: As F-Secure notes in a useful blog post, Microsoft has once again failed to disable auto-run, because this update is not offered by default, as Microsoft previously indicated.

Original story:

Adobe released an update for its Acrobat and free PDF Reader software that that fixes at least 29 security problems with these products. Adobe is urging users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh to update to Adobe Reader X (10.0.1), available now. Adobe says that an update to fix these flaws in UNIX installations of its products is expected to be available by the week of February 28, 2011.

Continue reading →