Search
  • Avantia Threat Update

Bank Server Hacked US$ 13.4 Million Stolen

Updated: Sep 1, 2018


Not all Bank Robbers have guns and masks!

This week ransomware continues to develop, as well as phishing tactics. Popular mobile platform GOMO was breached in a big way, and one of the largest banks in India was robbed over the past weekend.


Highlights

1. Hacking my Heart!

2. Sextortion Goes Mobile!

3. Huge GOMO Breach.

4. Cash-out in India.


In Other News:

Insta-Bot Is someone trying to set up a botnet on Instagram? ( A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware.) The popular photo-sharing website has experienced a wave of users getting logged out of their accounts and their personal information being changed, often times with profile pictures being changed to stills from Disney movies. When users go to reset their password and access their account, they find that the email address associated with their account has been changed to an email with a .ru domain. Could this be a Russian botnet in the making? Or another cyber criminals shifting blame onto another to avoid detection? Only time will tell.


Heartbeat Spoofing

Hacking someone’s heart? While anything seems possible in the world of hacking today, it is still alarming that researchers from McAfee have discovered it is possible for hackers to falsify patient’s vitals using ‘Rwhat’ protocol. Rwhat protocol is a networking protocol used by medical devices to monitor a patient’s condition and vital signs. By sending incorrect information to the central monitoring stations, a bad actor could feed wrong information, but only if they had physical access to the patient. The researchers also developed a vector of attack where one would not need physical access, although the hacker would need to be on the same network. This variation involves Address Resolution Protocol (ARP) spoofing the central monitoring station, capturing the patient data and then sending falsified data back to the real monitoring station. ARP spoofing is a type of attack in which a cyber criminal sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address ( A media access control address of a device is a unique identifier assigned to a network interface controller (NIC) for communications at the data link layer of a network segment with the IP address of a legitimate computer or server on the network.

Attack of The Princess There is a new kid on the block in the world of ransomware. The ransomware known as Princess Locker has gotten an upgrade and is being sold as ‘Princess Evolution’ on the Dark Web. This ransomware is being sold as a service, which means a few things. First, it means that the developers can focus on improving and supporting the ransomware while still earning revenue. Meanwhile, the affiliates can focus on social engineering attacks and infecting as many victims as possible. This particular ransomware is being sold at a 60/40 split, with the developer taking in 40% of each ransom paid out. This is different than other ransomware as service programs because often, the ransomware is sold as a subscription or at a flat price, while Princess Evolution takes a cut of every successful attack.

Dial - XXX The sextortion scam that has become popular over the last few months is continuing to evolve, now with partial phone numbers being used to fool victims into paying. This email campaign claims that the target's phone was hacked and that the hacker created a double video of the screen and the front-facing camera on the phone. This threat is made seemingly legitimate through a combination of password, full name and phone number of the victim, which can scare a target into paying the bitcoin ransom. It is speculated that the hackers are getting partial phone numbers through account recovery programs where the last few phone numbers are revealed when asking if that is the right number to send a verification code to. This is a logical conclusion, given that if the hackers had the full phone number through a data breach then it would probably be more convincing to just use the entire number.

Threat Focus: Sungy Mobile Limited/GOMO – Hong Kong

Sungy Mobile Limited/GOMO: A Hong Kong based mobile application developer with more than 2 billion downloads of their apps.

Exploit: Exposed database. Risk to Small Business: Extreme: The organisation did not only betray the trust of its customers, but it also exposed a great deal of sensitive internal data such as backend code. Individual Risk: Extreme: A great deal of information valuable for spear phishing was exposed in this breach, as well as assets that would make it easy for a hacker to impersonate a business that the target is known to use. Date Occurred/Discovered: Discovered May 25, 2018 Date Disclosed: Not disclosed.

Data Compromised: Development data; Product data; Admin data; Statistics data; Payment gateway data: Digital marketing data; Branding data for other companies; The complete backend system for many of GOMO’s products; User data; Email addresses; Bcrypt passwords; Country of user; Username; Language preferences; School; Gender; Date of Birth; International Mobile Subscriber Identity (imsi) number; Avatars; In-game credits; In-store purchases; Mobile phone numbers; Passwords;

Users’ ID numbers; Type of connection


Customers Impacted: 50,553,664.

Threat Focus: The Cosmos Bank - India

Cosmos Bank: The second oldest cooperative bank in India.

Exploit: Cloned ATM cards. Risk to Small Business: Extreme: Most organizations would not be able to take such a severe hit to their finances especially in addition to the loss of trust. Individual Risk: Moderate: The money stolen is being covered by the organization. Cosmos Bank: The second oldest cooperative bank in India. Date Occurred/Discovered: August 11/13, 2018 Date Disclosed: August 2018 Data Compromised: $13.4 Million

Customers Impacted: Account holders funds are safe according to the organization, but online banking is currently suspended in response to the event.

Threat Focus: Butlin Leisure Company – United Kingdom

Butlin Leisure Company: UK based chain of holiday camps that provides affordable holidays for British families.

Exploit: Phishing. Risk to Small Business: High: A permanent loss of trust in an organization could result from any sized data breach. Individual Risk: Moderate: Affected customers would be subject to spam and possibly phishing emails. Date Occurred/Discovered: August 2018 Date Disclosed: August 2018 Data Compromised: Booking reference numbers; Lead guest names; Holiday arrival dates

Postal addresses; Email addresses; Telephone numbers


Customers Impacted: 34,000.

Threat Focus: Adams County - USA

Adams County: A county in Wisconsin.

Exploit: Vertical Privilege Escalation. Risk to Small Business: High: The cost of providing identity monitoring to affected customers would put a great strain on any organization. Individual Risk: High: Medical data and tax information was stolen, which is valuable on the Dark Web and useful to bad actors for identity theft. Date Occurred/Discovered: January 2018 – March 28, 2018 Date Disclosed: June 29, 2018 Data Compromised: Names; Addresses; Photographs; Health information: Tax information; Date of birth; Social Security number; Medical record number; License number; License plate numbers; Fingerprints


Customers Impacted: 250,000

POSTSCRIPT:

CatPhish.

This year at Black Hat and DEF CON 2018 (International Hackers Convention in the USA), social engineers showed off the more advanced tactics used to fool targets into giving them the information they want. With traditional social engineering still being highly effective and instrumental in most hacks today, it’s no wonder that these techniques are being contently improved. Technical Researcher for PwC Magazine, Matt Wixey detailed ROSE, or Remote Online Social Engineering, which is his term for the ‘long con’ social engineering tactics where Cyber Criminals create complex false personae and do comprehensive reconnaissance to infiltrate the target network. This is achieved by building a relationship with a specific person at an organization by analysing their online activity, motivations, and way they communicate.


The next step for the hacker is to create a comprehensive online persona that could have gone to the same school. And share similar hobbies or other traits that allow the target and the fake person to relate. This comprehensive online identity would include a social media presence, populated for years (these types of accounts are available for sale on the Dark Web), interactions with other people and possibly acquiring ‘mutual’ acquaintances of the target so even for someone doing a deep dive into this person’s online identity would conclude that the person is… real.


Social media and internet usage are so ingrained in our daily lives that it is often easy to forget to be skeptical of those who you know solely through the channels of LinkedIn or Facebook. As phishing attacks become more focused, comprehensive and believable, it is vital for maintaining a healthy level of skepticism on the web. As one famous comic said “On the Internet, nobody knows you’re a dog.”




Consider this: When you think about Cyber Security think about the ones you care the most about – your family. If you have children or young adults using Smartphones, Tablets or Laptops consider their vulnerability. Do you want to put their digital selves in the hands of pedophiles, scammers and cyber criminals. The purchase of children’s digital credentials (username/password) is big business on the Dark Web. Check out our inexpensive Individual or Family monitoring service – it’s a ‘no brainer’ for your peace of mind. CLICK HERE FOR PRICING



Disclaimer: Avantia Corporate Services Pty Ltd provides the content in this publication for general information only and has compiled the content from number of sources believed to be reliable. No warranty, implied or otherwise, is given as to its accuracy or fitness for use, no validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

Subscribe below to receive our weekly Threat Updates straight to your inbox.

Call (07) 3010 9711 

info@avantiacorp.com.au

 

Avantia Corporate Services Pty Ltd,                    Level 7, 320 Adelaide Street

Brisbane, Queensland 4000

AUSTRALIA.

  • LinkedIn Social Icon
  • Facebook Social Icon

DISCLAIMER*: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach and cybersecurity information to us in real-time. Given their international focus and experience in the cyberspace arena, we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

*COPYRIGHT 2020* Avantia Corporate Services  PTY LTD - All Rights Reserved.

© 2020 by Avantia CORPORATE SERVICES . All Rights Reserved.