
ROYAL BANK OF CANADA 'SPOOFED'


This Week the Royal Bank Of Canada imitation Email delivers Banking Trojan virus, highly-sensitive medical conversations accessed from a Swedish health phone line, rogue politicians stir up data breach anarchy in the U.K., restaurant customer credit cards exposed across 100+ establishments in 9 U.S. states.


This Week's Top DARK WEB Compromises:

Top Source Hits: ID Theft Forums (99%)
Top Compromise Type: Domain (99%)
Top Industry: Business & Professional Services
Top Employee Count: 11 - 50 Employees


This Week's Top TARGETED INDUSTRIES:

Finance Hits: 88 | Targets: Equifax Inc, PayPal, Western Union, Intuit Inc, Central Bank of Bangladesh

Software Hits: 87 | Targets: Google, Yahoo, Intuit Inc, eBay Inc, LinkedIn

Information Technology Hits: 76 | Targets: Amazon, Google, Yahoo, Intuit Inc, LinkedIn

Retail Hits: 53 | Targets: Wendy's Co, Amazon, Apple, Metro AG Company, Carphone Warehouse

Internet Hits: 52 | Targets: Amazon, Dynamic Network Services, Inc (Dyn), eBay Inc, LinkedIn, MyHeritage


This Week's Top THREAT ACTORS:

APT27 Emissary Panda (Threat Group-3390) Hits: 65 | Targets: United States, National Data Center in Asia, National Data Center, Aerospace Corp, Microsoft

Hezbollah Hits: 11 | Targets: Israel, Syria, Iran, Lebanon, United States

Lizard Squad Hits: 7 | Targets: Xbox Live, Sony Corp, PlayStation Network, Malaysia Airlines Flight 370, Facebook

APT28 Fancy Bear Hits: 7 | Targets: Democratic National Committee, Democratic National Convention, United States, Germany, United States Senate

Scarlet Widow Hits: 6 | Targets: Salvation Army, Australia


This Week's Top MALWARE VIRUSES:

Farseer Hits: 65 | Targets: Android, Microsoft Windows, WordPress, techiebuzz

Mirai Hits: 18 | Targets: Internet of Things, Dynamic Network Services, Inc (Dyn), Deutsche Telekom, Germany, United States

ZXShell Hits: 18 | Targets: Word Processor, China, Microsoft Office

UPATRE Hits: 17 | Targets: University of Florida, Personal Computer, Microsoft Windows, Microsoft Windows Xp, Application Compatibility Database Installer

Gh0st RAT Hits: 17 | Targets: Microsoft Windows, Australia, Tibet Autonomous Region, Amnesty International, Hypertext Transfer Protocol



In Other News:


Royal Bank Of Canada (and their customers) become victims of ‘spoofing’ scam.

(Spoofing is the act of disguising a communication from an unknown source as coming from a known, trusted source. Spoofing can apply to emails, phone calls and websites, or can be more technical, such as a computer spoofing an IP address, Address Resolution Protocol (ARP) or Domain Name System (DNS) server.)

The RBC example is today's latest spoof or imitation of a well-known company, bank or public authority delivering the Trickbot banking Trojan. The email, with the subject "Payment Receipt Advise/Avis de Reception de paiement", pretends to come from RBC Royal Bank of Canada but actually comes from "noreply@achaft-rbc.com", a look-alike, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. Today's attachments are XLSM Excel spreadsheet files.

RBC Banque Royale, Banque Royale du Canada, Royal Bank of Canada has not been hacked or had its email or other servers compromised. It is not sending the emails to its customers. It is an innocent victim in exactly the same way as every recipient of these emails. What has happened is that the criminals sending these have registered various domains that look like the genuine company, bank, government department or message-sending service. Normally there is only one newly registered domain that imitates a well-known company, government department, bank or other organisation and can easily be confused with the genuine body or website in some way; it is hosted on, and the emails are sent from, 3 or 4 different servers. Sometimes, however, there are dozens or even hundreds of fake domains. Today's spoofed domain is, as usual, registered via GoDaddy as registrar. (GoDaddy is the largest registrar of domains worldwide.)
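The look-alike pattern described above ("rbc" buried in an unrelated domain, or a brand name only in the display name) is something a mail gateway or SOC triage script can screen for. The following is an added example, not code from the newsletter or from RBC; the brand allowlist, keyword table and sample From: headers are constructed for illustration (only the "achaft-rbc.com" address is taken from the text), and a real deployment would still verify SPF/DKIM/DMARC on anything it marks "allowed".

```python
"""Flag inbound mail whose sender domain imitates a known brand."""
from email.utils import parseaddr

# Domains each brand is known to send from (constructed allowlist for this example).
BRAND_DOMAINS = {
    "rbc": {"rbc.com", "rbcroyalbank.com"},
    "paypal": {"paypal.com"},
}
# Phrases in a display name or domain label that signal the brand is being invoked.
BRAND_KEYWORDS = {
    "rbc": ("rbc", "royal bank", "banque royale"),
    "paypal": ("paypal",),
}


def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header ('' if malformed)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_allowed(domain, brand):
    """True if the domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def domain_labels(domain):
    """Split 'achaft-rbc.com' into ['achaft', 'rbc', 'com'] so hyphenated
    look-alikes are caught as well as subdomain tricks like 'rbc.com.evil.org'."""
    return [t for part in domain.split(".") for t in part.split("-") if t]


def classify_sender(from_header):
    """Return (verdict, brand). Verdicts:
       'allowed'           - domain belongs to the brand (still check SPF/DKIM/DMARC)
       'lookalike-domain'  - brand token inside a domain the brand does not own
       'display-name-only' - brand named in the display name, domain unrelated
       'no-brand'          - nothing to flag
       'malformed'         - header has no usable address"""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ("malformed", None)
    labels = domain_labels(domain)
    lowered_name = name.lower()
    for brand, keywords in BRAND_KEYWORDS.items():
        # Every word of a keyword must appear as its own label (e.g. "royal-bank-secure.com").
        in_domain = any(all(tok in labels for tok in kw.split()) for kw in keywords)
        in_name = any(kw in lowered_name for kw in keywords)
        if not (in_domain or in_name):
            continue
        if is_allowed(domain, brand):
            return ("allowed", brand)
        if in_domain:
            return ("lookalike-domain", brand)
        return ("display-name-only", brand)
    return ("no-brand", None)


# Constructed sample headers; the first reproduces the address quoted in the text.
SAMPLE_HEADERS = [
    "RBC Royal Bank <noreply@achaft-rbc.com>",
    "RBC Royal Bank <alerts@rbc.com>",
    "Royal Bank of Canada <billing@example-invoices.net>",
    "Accounts <payments@rbc.com.account-verify.org>",
    "Newsletter <news@example.org>",
]


def triage(headers):
    """Classify each header; returns a list of (header, verdict, brand)."""
    return [(h,) + classify_sender(h) for h in headers]


if __name__ == "__main__":
    for header, verdict, brand in triage(SAMPLE_HEADERS):
        print(f"{verdict:18} {brand or '-':7} {header}")
```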

Because of the new GDPR rules, investigators cannot easily find the registrant's name or any further details. The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.


Report finds 40% of malicious URLs were found on good domains.

While tried-and-true attack methods are still going strong, new threats emerge daily and new vectors are being tested by cybercriminals, according to the 2019 Webroot Threat Report. Legitimate websites are frequently compromised to host malicious content. To protect users, cybersecurity solutions need URL-level visibility or, when that is unavailable, domain-level metrics that accurately represent the dangers.

Home user devices are more than twice as likely to get infected as business devices: sixty-eight percent of infections are seen on consumer endpoints, versus 32 percent on business endpoints.

Phishing attacks increased 36 percent, with the number of phishing sites growing 220 percent over the course of 2018. Phishing sites now use SSL certificates and HTTPS to trick internet users into believing they are secure, legitimate pages. Seventy-seven percent of phishing attacks impersonated financial institutions, and these were much more likely to use HTTPS than other types of targets. In fact, for some of the targeted financial institutions, over 80 percent of the phishing pages used HTTPS. Google was found to be the most impersonated brand in phishing overall. After 12 months of security awareness training, end users are 70 percent less likely to fall for a phishing attempt. Webroot found that organizations that combine phishing simulation campaigns with regular training saw a 70 percent drop in phishing link click-through.

Nearly a third of malware tries to install itself in %appdata% folders. Although malware can hide almost anywhere, Webroot found several common locations, including %appdata% (29.4 percent), %temp% (24.5 percent) and %cache% (17.5 percent), among others. These locations are prime for hiding malware because these paths are in every user directory with full user permissions to install there. These folders are also hidden by default on Windows Vista and up.

Devices that use Windows 10 are at least twice as secure as those running Windows 7. Webroot has seen a relatively steady decline in malware on Windows 10 machines for both consumer and business.

"We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year's report to know that the true innovators are the cybercriminals. They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses today is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset—not a weak link—in your cybersecurity program," said Hal Lonas, CTO, Webroot.

Despite the decrease in cryptocurrency prices, cryptomining and cryptojacking are on the rise. The number of cryptojacking URLs Webroot saw each month in the first half of the year more than doubled in the period from September through December 2018. These techniques can be more lucrative than ransomware attacks, since they don't require waiting for the user to pay the ransom, and they have a smaller footprint. As far as web-based cryptojacking goes, Coinhive still dominates with more than 80 percent market share, though some new copycat cryptojacking scripts are gaining in popularity.

While ransomware was less of a problem in 2018, it became more targeted. Webroot expects major commodity ransomware to decline further in 2019; however, new ransomware families will emerge as malware authors turn to more targeted attacks, and companies will still fall victim to ransomware. Many ransomware attacks in 2018 used the Remote Desktop Protocol (RDP) as an attack vector, leveraging tools such as Shodan to scan for systems with inadequate RDP settings. These unsecured RDP connections may be used to gain access to a given system and browse all its data as well as shared drives, providing criminals enough intel to decide whether to deploy ransomware or some other type of malware.


UK Supermarket Chain found 'vicariously liable' for actions of an employee

The U.K. has seen its first group litigation case concerning a data breach, and the organization in question, the supermarket chain Morrisons, was found vicariously liable for the actions of one of its employees. A disgruntled employee posted a file on a file-sharing website that included data on nearly 100,000 of his colleagues. That employee was found guilty of several charges related to the incident, including fraud and gaining unauthorized access to computer materials, and sentenced to eight years in prison. Then 5,518 of the individuals whose personal data was published sued Morrisons. In this class-action-type suit, Morrisons — which was determined to have been compliant with data security laws at the time — was found vicariously liable for its rogue employee's actions. It now faces large compensation costs. Notable not only for being the first of its kind around data breach in the U.K., this case is also interesting for setting a high standard of responsibility among companies for their employees' actions. As data breaches increase in both frequency and scope in Europe, those affected by them are likely to look to class-action claims under the provisions of the GDPR, which gives data subjects more rights and increases defendants' penalties. A side note: similar claims, but concerning nonmaterial damage like emotional distress, may be enabled by the GDPR and the Irish Data Protection Act 2018 to be brought before Irish courts.



THREAT FOCUS: North Country Business Products – USA

Exploit: Malware injection into point-of-sale (POS) systems

North Country Business Products: A Minnesota-based provider of POS systems for the hospitality sector

Risk to Small Business: 1.444 = Extreme: Customers of restaurants and hotels in nine states, including some 50 Arizona establishments and 65 Dunn Brothers coffee shops, may have had their payment card information accessed between January 3 and January 24, 2019. Announcement of this potential exposure was made February 15 by North Country Business Products, which provides point-of-sale software systems in the hospitality sector. Upon discerning suspicious activity in certain of its clients’ networks, North Country launched an investigation January 4, determining on January 30 that an outside party deployed malware to some of its business partners.


Customers Impacted: To be determined

Effect On Customers: The issue was first noticed January 4 and data continued to be exposed for another 20 days, until January 24, signaling an opportunity for North Country Business Products to implement advanced security monitoring technologies. All businesses should consider the promise of machine learning solutions, which can detect and predict suspicious activities before they inflict damage.

Risk Levels:
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Memorial Hospital at Gulfport - USA

Exploit: Phishing

Memorial Hospital at Gulfport: Hospital in Gulfport, Mississippi

Risk to Small Business: 1.444 = Extreme: On December 17, Memorial Hospital at Gulfport discovered that an employee had opened a phishing email 11 days earlier, allowing a hacker to gain access to PII for over 30,000 patients before it was discovered. It remains to be seen if patients will choose other facilities for their medical care.

Individual Risk: 2.142 = Severe: Data contained in breached emails included patient name, date of birth, health data, services received at Memorial Hospital and — for a limited number of patients — Social Security numbers. This information could be sold on the Dark Web and used for identity theft.

Customers Impacted: 30,000

Effect On Customers: Employee training in recognizing signs of phishing can help safeguard an organization’s data security. All companies should partner with MSPs that can offer constant monitoring to discover customer and employee data breaches in a timely manner.

Risk Levels:
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: United States Consumers

Exploit: Malvertising campaign

American consumers: Users in the U.S. exposed to a malicious campaign that garnered over 800 million impressions online

Risk to Small Business: 2.111 = Severe: A malvertising campaign by the eGobbler group targeting U.S. users was launched over Presidents Day weekend, February 16-18, garnering some 800 million impressions. Those who clicked on the ads were redirected to a wide range of phishing sites that attempted to trick consumers to enter personal details, including financial information.

Individual Risk: 2.571 = Moderate: Cybercriminals can use the information collected to conduct spear phishing email campaigns or they can sell the stolen credentials on the Dark Web to other criminals.

Effect on Customers: Malvertising campaigns can expose sensitive customer and employee data, or cause mistrust in websites hosting the infected ads leading to brand erosion and customer churn.

Risk Levels:
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Advent Health Medical Group - USA

Exploit: Malware

AdventHealth Medical Group: Tavares, Florida-based health care practice

Risk to Small Business: 1.777 = Severe: AdventHealth Group recently announced a 16-month data breach stretching back to August 2017 that exposed some 42,000 patients' sensitive personal data. The medical provider group has not determined how the malware was installed, nor has it stated why the breach was not discovered for nearly a year and a half.

Individual Risk: 2.428 = Severe: The malware allowed access to patient names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, and medical histories, as well as race, gender, weight, and height. This data could allow identity theft and potentially blackmail where particularly sensitive medical conditions, such as HIV/AIDS or addiction, are concerned.

Customers Impacted: 42,000 users

Effect On Customers: The breach extended across 16 months before it was discovered, and the medical group has not yet determined its origin, indicating a need to implement advanced security monitoring technologies. All businesses should consider the promise of machine learning solutions, which can detect and predict suspicious activities before they inflict damage.

Risk Levels:
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Medhelp and Medicall – SWEDEN

Exploit: Unencrypted web server

Medhelp & Medicall: Firms administering a Swedish medical helpline

Risk to Small Business: 2 = Severe: A technology news site, Computer Sweden, discovered that 2.7 million phone conversations, totaling about 170,000 hours and dating back to 2013, were stored on an unencrypted web server. It is not yet clear if the firms contracted to operate the medical helpline reported the breach, as required under Europe’s General Data Protection Regulation (GDPR). The Swedish Data Protection Authority has said it will launch an investigation.

Individual Risk: 2.285 = Severe: The content of the conversations is highly personal, including users’ symptoms and diseases and their social security numbers. This information could form the basis for identity theft and potentially blackmail in the case of consumers who have conditions carrying social stigma.

Effect on Customers: Phone helplines that record interactions cross many disciplines and industries, from customer service to tech support to health care. Organizations that rely on them want their customers to rely on them as well, and that means knowing that the content of those recorded conversations is kept securely and accessed appropriately by authorized users for valid reasons.

Risk Levels:
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: United Kingdom Labour Party – ENGLAND

Exploit: Theft of data from member databases

Labour Party: a center-left political party in the United Kingdom

Risk to Small Business: 2.111 = Severe: The United Kingdom's Labour Party announced February 20, 2019, that it had detected several attempts to access member databases and campaign tools. The surmise is that members of Parliament (MPs) who recently left the Labour Party to form a competing party known as The Independent Group tried to steal information that would allow targeting in future political campaigns. Anyone obtaining or attempting to obtain personal data without the consent of the controller is committing an offense under the U.K.'s Data Protection Act of 2018.

Individual Risk: 2.714 = Moderate: It is yet unknown if information was obtained by individuals whose access to that information should have been revoked. Labour Party officials may also be questioned as to the large number of individuals with access to its databases, including not only MPs but also paid and volunteer campaign associates across the nation.

Effect on Customers: All organizations, whether public or private sector, need robust systems and processes to validate access rights and continually manage those rights, which includes triggering notices when unauthorized parties attempt to gain access.

Risk Levels:
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



POSTSCRIPT:

Cross-border e-commerce is booming: it is expected to bring in $203 billion annually by 2021. Yet many U.S.-based merchants hesitate to engage in global transactions. To be sure, risks abound, but so do misconceptions about payment fraud...

Myth 1: International transactions are riskier than the domestic ones.

Many US-based online merchants believe that selling cross-border is far riskier than selling domestically. This is evidenced by the fact that only 36 percent of US merchants sell to international consumers. Local payment methods, or LPMs, are a way for US merchants to expand globally. LPMs are payment methods outside of traditional credit cards and brands such as Visa and Mastercard that serve the needs of various geographies, cultures and domestic economies across the globe. A majority of LPMs have their own security features built into the payments. These security features, like multifactor authentication, are linked to the specific banks that individual consumers belong to.

Fact: International transactions made with LPMs are just as safe as domestic ones.

Contrary to popular belief, these local payment methods are favored worldwide and make reaching global consumers easier and safer. For example, in China 49 percent of online transactions occur by e-wallet and only 23 percent by credit card. Offering push payment methods, where the customer initiates payment, is less risky because the merchant does not need to collect any payment data from the customer. This approach can help to reduce exposure to chargebacks due to fraudulent purchases with stolen cards, where the merchant is forced to refund the cardholder, usually after the goods have already been delivered. With push payments, chargebacks are not possible because the transaction is securely authorized by the payer. This not only protects the merchant from financial loss, but also allows for higher conversion rates, as merchants do not have to worry about rejecting orders to protect themselves from fraudsters.

Myth 2: Frequent online shopping will lead to fraud and data breaches for consumers.

With data breaches being a common threat to consumers, access to personal data in online shopping is often a top concern. There are some qualms among US merchants about conducting global e-commerce: are these payments safe, and how do I reach global consumers? However, with the rise of digital and mobile payments, much of this risk can be averted through safer LPMs like e-wallets that don't give merchants access to a consumer's full bank account. Global smartphone penetration is 53 percent, and this figure rises in major markets like Asia and Western Europe.

Fact: E-commerce is perfectly safe and sound for online shopping, as merchants can offer various local payment methods.

Bank transfers are increasingly used globally; 49 percent of e-commerce transactions in Germany are facilitated by this method. A bank transfer is the process of moving money directly from a consumer's bank account to a merchant. This is performed via a redirect during checkout, through either a real-time or an offline transfer process. Offering payments such as these is seamless for global consumers and keeps consumer data out of harm's way from savvy hackers. Because the consumer uses their own bank login details and the redirect for the payment method, consumers' personal account information is not directly shared with the merchant, further reducing the risk of the payment. This enhanced consumer experience is vital, as 14 percent of consumers will abandon a purchase if they can't find their top payment method; 23 percent will abandon if they don't trust payment security and 15 percent will abandon if they find paying too tricky.

Myth 3: Cashless payments increase a consumer's chance of fraud.

Digital payments are on the rise, yet many merchants believe these cash-free and card-free payments are unsafe. They prefer to offer traditional card and cash payments; however, these may no longer be the most secure payment option.

Fact: Many cashless payments like e-wallets can actually reduce the chances of fraud.

E-wallets are registered online money accounts that can be loaded and used for payments. They can also serve as a database to store various payment method information, eliminating the need to carry physical payment cards or personal data in various locations. E-wallets offer two-step authentication and encryption, further securing consumers' personal information. These digital payments are becoming increasingly favored over traditional payments. For example, cash makes up only 6 percent of online transactions in France. LPMs offer US merchants the tools to expand their business outside US borders. E-wallets and bank transfers are great ways to reduce the risk of fraud while making payments easier for global consumers. Around the world, consumers want to feel safe when they shop and are looking for a seamless experience. LPMs check both boxes, as they present the safety and ease that many card-based payments cannot.




* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.


Call (07) 3010 9711 

info@avantiacorp.com.au


Avantia Corporate Services Pty Ltd, Level 7, 320 Adelaide Street

Brisbane, Queensland 4000

AUSTRALIA.



*COPYRIGHT 2020* Avantia Corporate Services  PTY LTD - All Rights Reserved.
