Hacking & Security
Bot Analysis: Now you have the original Andromeda build file. Load the unpacked sample in OllyDbg. As before, after the stack frame is set up at the entry point, you see the malware resolving API addresses by walking the PEB_LDR_DATA structure, but this time, instead of kernel32.dll, it looks for the base address of ntdll.dll, then […]
Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.
One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.
IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.
IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network…
The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.
Some more interesting facts about Gaza cybergang:
- Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable
- Use of special file names, content and domain names (e.g. gov.uae.kim), has helped the group perform better social engineering to infect targets
- Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used
Other operation names:
Kaspersky Lab products and services successfully detect and block attacks by Gaza team.
Political file names targeting Arabic countries
File name: بوادر خلاف جديد بين الامارات والسعودية.exe
Translation: Indications of disagreement between Saudi Arabia and UAE.exe
Filename: “Wikileaks documents on Sheikh ******* *** *****.exe”
File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe
Translation: Scandalous pictures of Egyptian militants, judges and consultants
File name: Majed-Abaas.zip -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe
Translation: President Mahmoud Abbas cursing Majed Faraj.exe
File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”
Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe
File name: tasreb.rar
IT and IR malware file names
VCSExpress.exe, Hex.exe, Microsoft Log.exe, IMP.exe, Win.exe, Corss.exe, WinRAR.exe, AVR.exe, ccleaner.exe, codeblocks.exe, HelpPane.exe, Hex_Workshop_Hex_Editor-o.exe, Help.exe, Decoded.exe, vmplayer.exe, Decrypted.exe, procexp.exe, crashreporter.exe, RE.exe, WindowsUpdate.exe, PE.exe, AVP.exe, PE-Explorr.exe, Kaspersky.exe, hworks32.exe, Kaspersky Password Manager.exe
File name: وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe
Translation: My father's will and photos, please pray for mercy and forgiveness for him.exe
File name: Military Police less military sexual offenses, drug offenses more.exe
Blackphone 2 specifications
Processor: Qualcomm® Snapdragon 615, 1.7GHz octa-core
RAM: 3GB
GPU: Adreno 405
Storage: 32GB, with up to 128GB additional via microSD
Networking: Dual-band 2.4/5.0GHz 802.11 a/b/g/n/ac, Bluetooth 4.0 LE, LTE and worldwide 3G/HSPA+ cellular data
Ports: Micro USB 2.0, headphones
Camera: 13MP rear camera with BSI and flash, 5MP front camera
Size: 7.9 x 76.4 x 152.4mm
Weight:
Battery: 3060 mAh with Qualcomm Quick Charge 2.0
Starting price: $799
Other perks: Silent OS 2.0, 1 year SilentPhone encrypted communications
For the majority of smartphone manufacturers, security and privacy are check boxes on a feature list. For Blackphone, they're the main attraction. Launched last year as a joint venture between the secure communications service Silent Circle and the Spanish specialty phone manufacturer Geeksphone, Blackphone's eponymous first product was an Android-based smartphone intended to provide the security and privacy that were lacking in Google's mobile operating system. Last June, we got an exclusive first look at that device and found it to be largely what it claimed to be. Unsurprisingly for a security-minded phone, the original Blackphone felt somewhat lacking in the usability department and somewhat janky in the hardware department.
A lot has changed in a year. Silent Circle—founded by Phil Zimmermann (creator of PGP), former Entrust Chief Technology Officer Jon Callas (the man behind much of the security in Mac OS X and iOS), and former Navy SEAL and security entrepreneur Mike Janke—bought out Geeksphone and absorbed the joint venture. The company hired a new CEO (former Entrust CEO and Nortel President Bill Conner), renamed and rebuilt its Android-based operating system, upgraded the infrastructure of its encrypted voice and text communications network, and built an entirely new hardware platform based on a somewhat more industry-standard chipset. All of that has led the team toward Blackphone 2. Today, Silent Circle begins shipping its new flagship (and only) handset, and Ars once again got early access to put it through the usability and security wringer.
The new Silent OS adds updated security functionality, better management for enterprise users, and integration with Google's app ecosystem. The Blackphone 2 delivers all that in a package that is much more polished and commercial than its predecessor. The phone is also the first part of a rollout of a more complete set of security services that includes upgraded versions of its central Silent Phone app for iOS and standard Android.
A time-honored method of extracting cash from stolen credit cards involves “reshipping” scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.
Many retailers long ago stopped allowing direct shipments of consumer goods from the United States to Russia and Eastern Europe, citing the high rate of fraudulent transactions for goods destined to those areas. As a result, fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators to essentially split the profits from merchandise ordered with stolen credit and debit cards.
Much of the insight in this story comes from a study released last week called “Drops for Stuff: An Analysis of Reshipping Mule Scams,” which has multiple contributors (including this author). To better understand the reshipping scheme, it helps to have a quick primer on the terminology thieves use to describe the different actors in the scam.
The “operator” of the reshipping service specializes in recruiting “reshipping mules” or “drops” — essentially unwitting consumers in the United States who are enlisted through work-at-home job scams and promised up to $2,500 per month salary just for receiving and reshipping packages.
In practice, virtually all drops are cut loose approximately 30 days after their first shipment — just before the promised paycheck is due. Because of this constant churn, the operator must be constantly recruiting new drops.
The operator sells access to his stable of drops to card thieves, also known as “stuffers.” The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ addresses. Once the drops receive the packages, the stuffers provide them with prepaid shipping labels that the mules use to ship the packages to the stuffers themselves. After they receive the packages relayed by the drops, the stuffers sell the products on the local black market.
The reshipping service operator either takes a percentage cut (up to 50 percent), with stuffers paying a portion of the product’s retail value to the site operator as the reshipping fee, or, in operations that target lower-priced products (clothing, e.g.), simply charges a flat-rate fee of $50 to $70 per package. Depending on the sophistication of the reshipping service, stuffers can either buy shipping labels directly from the service — generally at a volume discount — or provide their own [for a discussion of ancillary criminal services that resell stolen USPS labels purchased wholesale, check out this story from 2014].
The researchers found that reshipping sites typically guarantee a certain level of customer satisfaction for successful package delivery, with some important caveats. If a drop who is not marked as problematic embezzles the package, reshipping sites offer free shipping for the next package or pay up to 15% of the item’s value as compensation to stuffers (e.g., as compensation for “burning” the credit card or the already-paid reshipping label).
However, in cases where the authorities identify the drop and intercept the package, the reshipping sites provide no compensation — they call these incidents “acts of God” over which they have no control.
“For a premium, stuffers can rent private drops that no other stuffers will have access to,” the researchers wrote. “Such private drops are presumably more reliable and are shielded from interference by other stuffers and, in turn, have a reduced risk to be discovered (hence, lower risk of losing packages).”
One of the key benefits of cashing out stolen cards using a reshipping service is that many luxury consumer goods that are typically bought with stolen cards — gaming consoles, iPads, iPhones and other Apple devices, for instance — can be sold in Russia for a 30 percent to 50 percent markup on top of the original purchase price, allowing the thieves to increase their return on each stolen card.
For example, an Apple MacBook selling for 1,000 US dollars in the United States typically retails for about 1,400 US dollars in Russia because a variety of customs duties, taxes and other fees increase its price.
It’s not hard to see how this can become a very lucrative form of fraud for everyone involved (except the drops). According to the researchers, the average damage from a reshipping scheme per cardholder is $1,156.93. In this case, the stuffer buys a card off the black market for $10, then turns around and purchases more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.
The study examined the inner workings of seven different reshipping services over a period of five years, from 2010 to 2015, and involved data shared by the FBI and the U.S. Postal Investigative Service. The analysis showed that at least 85 percent of packages being reshipped via these schemes were being sent to Moscow or to the immediate surrounding areas of Moscow.
The researchers wrote that “although it is often impossible to apprehend criminals who are abroad, the patterns of reshipping destinations can help to intercept the international shipping packages before they leave the country, e.g., at a USPS International Service Center. Focusing inspection efforts on the packages destined to the stuffers’ prime destination cities can increase the success of intercepting items from reshipping scams.”
The research team wrote that disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit.
A copy of the full paper is available here (PDF).
Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.
In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity.
However, sources at five different banks say they have now determined that the cards included in that alert had only one common point of purchase: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.
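The common-point-of-purchase analysis the banks describe above, as an added example in Python (not code from the article or the banks): given the card numbers named in an alert and the bank's own transaction records, rank merchants by how many flagged cards transacted there inside the exposure window. The card tokens, merchants and transactions below are constructed; the window is the April 21 to July 27, 2015 period the alert states.

```python
from collections import defaultdict
from datetime import date

# Exposure window stated in the Visa alert described above.
WINDOW = (date(2015, 4, 21), date(2015, 7, 27))

# Constructed sample data (tokens, not real card numbers).
# Cards 1-5 are the ones named in the alert; 6 and 8 are the bank's other cards.
FLAGGED = {"card-1", "card-2", "card-3", "card-4", "card-5"}
TRANSACTIONS = [  # (card_token, merchant, transaction_date)
    ("card-1", "gift-shop-A", date(2015, 5, 2)),
    ("card-1", "grocery-C", date(2015, 5, 3)),
    ("card-1", "grocery-C", date(2015, 8, 5)),   # after the window: ignored
    ("card-2", "gift-shop-A", date(2015, 5, 10)),
    ("card-2", "gas-D", date(2015, 6, 1)),
    ("card-3", "gift-shop-A", date(2015, 6, 15)),
    ("card-3", "grocery-C", date(2015, 6, 16)),
    ("card-4", "gift-shop-A", date(2015, 7, 1)),
    ("card-5", "gift-shop-A", date(2015, 7, 20)),
    ("card-5", "cafe-B", date(2015, 7, 21)),
    ("card-6", "gift-shop-A", date(2015, 3, 1)),  # before the window: ignored
    ("card-6", "grocery-C", date(2015, 5, 4)),
    ("card-6", "cafe-B", date(2015, 5, 5)),
    ("card-8", "gas-D", date(2015, 6, 2)),
    ("card-8", "grocery-C", date(2015, 6, 3)),
]

def merchant_coverage(transactions, flagged, window):
    """Rank merchants by coverage (share of flagged cards seen there inside
    the window) and precision (flagged cards / all cards seen there), so a
    busy merchant that everyone uses does not outrank the real breach site."""
    start, end = window
    cards_by_merchant = defaultdict(set)
    for card, merchant, day in transactions:
        if start <= day <= end:
            cards_by_merchant[merchant].add(card)
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & flagged)
        ranked.append((merchant, hits / len(flagged), hits / len(cards)))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked

def likely_cpp(transactions, flagged, window, min_coverage=0.8):
    """Merchants common to (nearly) all flagged cards: the CPP candidates."""
    return [m for m, cov, _ in merchant_coverage(transactions, flagged, window)
            if cov >= min_coverage]
```

In the sample, every flagged card was used at gift-shop-A inside the window and no unflagged card was, so it is the only CPP candidate; the grocery store that several flagged cards also used is ranked lower because its customers are mostly unflagged.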
In a written statement, a Hilton spokesperson said the company is investigating the breach claims.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
As with other recent card breaches at major hotel chains — including Mandarin Oriental and White Lodging properties — the breach does not appear to be related to the guest reservation systems at the affected locations. Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.
It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.
This is a developing story. More as updates become available.