Ensuring cybersecurity is front and center for companies is now a non-negotiable task. That’s why Pindrop released quarterly insider sessions to check in and ensure teams were up to date and supported with the latest innovations. The event was called our Product Showcase CFX Spring Summit 2024 on March 20th, covering Deepfake, Protect, and Authentication.


Several themes came up at the event, driven by the emergence of easily created deepfakes; protection and authentication methods are now top of mind for many businesses.
According to a report by McKinsey, 40% of business respondents are expected to make further investments into AI and cybersecurity, and 28% have already made it a hot topic for their business agendas going into the new year. 

Approximately half of those who participated in the event want to deploy a deepfake solution in the next six months, and 74% in the next 12 months. Pindrop also invited clients, who were enthusiastic about these insider sessions, to view the year’s product showcase.

Here are the top themes that popped up.

  1. Ensure training is incorporated into innovative cybersecurity software
    In 2023, small companies spent the most time on training per employee, roughly 59 hours. Larger companies in the United States increased their investment in staff training between 2017 and 2020; however, those training-time investments have decreased since then. Innovative tech teams are now looking for technology that can reduce this training lift through more creative solutions. At the recent event, 40% said they would be open to using Pindrop’s new Gen AI to help with case reviews, and another 40% would require their organizations to train the model. Teams want solutions that don’t overburden them during implementation.
  2. Finding an anti-fraud solution for chat
    Surprisingly, 50% of the attendees didn’t have chat capabilities in their call centers, and 31% didn’t have an anti-fraud solution for chat. There is a gap here, and a strategic advantage for companies that solve this problem. According to a Federal Trade Commission (FTC) report, U.S. consumers lost $330 million to fraudulent texts last year, up from $131 million in 2021 and $86 million in 2020. Two-way chat also exists in most call centers. That 81% of the attendees would not support chat for moderate- or high-risk transactions is alarming and needs to be addressed in the market.
  3. Compliance legally allows for easy implementation
    Forty-seven percent of attendees were ready to use a gen AI solution, and 53% either needed an internally developed solution or anticipated headwinds from their legal team. Having an in-house legal department makes communication easier, and legal teams also help protect your business from expensive lawsuits, fraud, and scams. When over half anticipate interest from legal teams in intelligent solutions, it makes sense to adopt software that makes that process easier for them.
  4. Audio spoof detection is a competitive advantage
    Sixty-five percent of the attendees would be open to giving Pindrop call audio access to improve spoof detection. Approximately half would support higher-risk transactions over chat if they had an accurate way to detect fraudulent interactions. Predictions from thought leaders at CrowdStrike, Intel 471, LastPass, and Zscaler forecast how the technology will be used, abused, and leveraged in surprising ways in the year ahead. Computer scientists at the University of Waterloo have discovered an attack method that can bypass voice authentication systems with up to a 99% success rate after only six tries. In the past, such attacks were much easier to catch; however, in a recent Speech Technology Magazine article, Wakefield-Carl states, “AI is being used to circumvent traditional voice biometrics.”

Next steps: Pindrop’s Advice on How to Get in Front of the Latest Cybersecurity Trends and Protect Your Company

The right technology and fraud solution can make or break your company’s brand and prevent employee burnout. Pindrop’s cybersecurity solutions help to avoid overburdening teams with training or creating legal confusion. We were delighted to host our recent event and to address the top fraud issues and trends facing companies today, including where AI is used to harm businesses.

Now that almost anyone can manipulate AI and voice biometrics in minutes with generative AI, more intelligent software can help relieve teams of these risks and detect fraud before it happens. A deeper dive into how products like Pulse work as a co-pilot to your business and prevent fraud within chats can make a huge difference.

Schedule time for a consultation to learn about any innovations highlighted at the CFX Spring Forum.

According to Verizon’s Data Breach Investigations Report (DBIR), business email compromise attacks have almost doubled across their incident data, accounting for 50% of incidents. The study looked at 16,312 security incidents, of which 5,199 were confirmed data breaches.

We tuned in to hear Will Gordy, Director of Workplace Collaboration and Customer Experience at Verizon, and Bryce McWhorter, Sr. Director Product, Research & Engineering at Pindrop, in charge of voice center authentication, on a recent webinar to learn more.

1 – How do hackers use various techniques to exfiltrate customer data and shut down operations?

One of every eight employees shares the requested information in a phishing attempt. Sixty percent of employees opened emails they were fully confident were safe. It doesn’t make things easier when socially engineered cyberattacks like phishing are nearly 80% effective.

One socially engineered trend is vishing (or voice phishing). Robert Sheldon on Tech Target describes vishing (voice or VoIP phishing) as “a type of cyber attack that uses voice and telephony technologies to trick targeted individuals into revealing sensitive data to unauthorized entities.” Fraudsters can use this technique to access private information like social security numbers, info on financial accounts, or even network information. 

2 – Why do current systems need to evolve to catch fraudsters?

“The problem is that most call center representatives are not measured against the average time of calls, tickets resolved, or net promoter score,” Bryce revealed on the webinar. “They don’t get bonus points for catching fraudsters day in and day out.” Evolving the IVR measurement system could be a smart way to innovate in the future. Additionally, providing the right tools so reps can focus on the call and not catch a dupe could be ideal. Pindrop Trace Technology determines call risk in the IVR to prevent data theft, account mining, ATO, and omnichannel fraud. 

When companies fail to innovate, many of them end up feeling unconfident in their ability to handle fraud. Thirty-three percent of attendees at this week’s webinar said they were only somewhat confident in their company’s ability to handle fraud today.

3 – What are some ways to stop fraudsters?

According to Will, as found in the DBIR Verizon report, “in the incidents with loss, the calculated median more than doubled to $26,000, and the 95% range of losses expanded to sit between $1 and $2.25 million, putting that upper bound in scarier territory if you are a small business.” He continues, “the FBI did find that only 7% of the incidents had losses in this case, so it’s not all bad news.” Companies appear to be taking appropriate steps and measures to fight fraud in the future and are getting more savvy at doing so with the right technology.

Bryce says, “The first line of defense is through call centers.” Pindrop studies show that 30-40% of the time, fraudsters can get past the call questions. Another avenue is through the OTP or one-time passcodes. At Pindrop, 16 engineers and researchers are working on deepfake security specifically to ensure fraud is stopped before making it this far, but having systems set up to mitigate each of these techniques can make a big difference.

4 – What new fraud attack styles are you seeing? 

On the webinar, a few types of fraud methods were mentioned. Low-and-slow attacks involve what appears to be legitimate traffic sent at a prolonged, low rate; detecting them through network behavioral analysis can be critical. Another is group chats.

Pindrop services help in several ways by looking at metadata and tone analysis, audio-based detections, and even STIR/SHAKEN ingestion. Pindrop processes STIR/SHAKEN headers and incorporates the attestation-related insights, when available, into its machine learning models to enhance call risk scoring. In short, they improve the call risk score with intelligent sorting. It was also mentioned on the webinar that HLR (Home Location Register) lookups are frowned upon in the industry because they can lead to SMS spoofing, cloning, etc. The HLR database stores details on every cell phone number connected to the Global System for Mobile (GSM) Communications network worldwide.

Final Thoughts on Exploring the Evolving Cybersecurity Threats

Verizon’s 2023 DBIR has a wealth of information about the trends being seen in cybersecurity. Some notable stats from the report:

  • 75% of all breaches in 2022 involved a human element
  • 50% of social engineering attacks in 2022 involved pretexting, doubling YoY
  • 49% of breaches by external actors used stolen credentials

“It’s growing increasingly important that agents are trained to get the next call and serve callers quickly and efficiently,” says Bryce. “Outsourcing functions to detect fraud and implementing automated tools and controls can make a big difference.”

WEBINAR

Exploring the Evolving Cybersecurity Threats

Worried your business could be the target of the next wide-scale security breach? In recent news, several large organizations suffered unprecedented cyber attacks, resulting in significant financial loss, a halt in business operations, damaged brand reputation, and exposure of the organizations’ security vulnerabilities.

  • How hackers used various techniques, such as social engineering and vishing (voice phishing), to exfiltrate customer data and shut down operations.
  • The impact of cybersecurity attacks on business, brand reputation and revenue.
  • Where businesses are most vulnerable within their IVR.

Your expert panel

Bryce McWhorter

Sr. Director, Product, Research & Engineering, Pindrop

Will Gordy

Director, Workplace Collaboration & Customer Experience, Verizon

Patrick Wiley

Partner Alliances, Pindrop

In today’s digital age, the ever-present threat of cybersecurity breaches looms over businesses, reminding us of the need for robust security measures. One recent incident that has grabbed headlines and drawn attention to these vulnerabilities is the September 2023 data breach at MGM Resorts International. In this blog post, we will delve into the details of this breach and explore how Pindrop’s innovative technology solutions could have played a pivotal role in preventing this significant security incident.

The September 2023 MGM Resorts Data Breach

The September 2023 breach at MGM Resorts International sent shockwaves throughout the industry as it exposed sensitive information about countless guests. This breach resulted in the unauthorized disclosure of personal data, including names, addresses, phone numbers, passport information, and more. The incident serves as a stark reminder of the cybersecurity challenges faced by businesses today, particularly in industries like hospitality, where safeguarding customer data is paramount.

But how did a simple phone call cause all this harm?

The group of attackers known as Scattered Spider specializes in social engineering. Particularly, they use Vishing (voice phishing), a technique that involves gaining unauthorized access through convincing phone calls, much like phishing for emails. In this specific scenario, the cybercriminals employed Vishing to manipulate MGM Resorts International’s IT team into resetting Okta passwords. This seemingly innocuous action granted the attackers parallel access to the victim employee’s computer, paving the way for data exfiltration.

While the MGM breach primarily involved data stored on a server, Pindrop’s technology could have added an additional layer of security through voice recognition, caller ID intelligence and behavioral pattern analysis.

Could Pindrop have helped prevent this attack?

Indeed, Pindrop is a multi-factor platform that helps protect against a wide spectrum of attacks, including Vishing. Specifically for Vishing, Pindrop offers solutions like spoofing detection based on the phone number, voice authentication, and liveness detection. These features could have been instrumental in rejecting the impostor’s voice, detecting repeat fraudsters, or identifying indicators of manipulations in the victim’s voice, such as deepfake or replay attacks.

This type of attack, as seen in the MGM breach, is remarkably similar to the threats Pindrop has successfully thwarted for over a decade. While Pindrop’s historical focus has been on financial institutions, the technology’s adaptability makes it relevant and effective across various sectors, including hospitality.

Voice Biometrics and Liveness Detection: Pindrop’s voice biometric solutions allow businesses to verify the identity of callers by analyzing their unique vocal characteristics. Had MGM Resorts International implemented voice biometrics in addition to audio liveness detection, unauthorized access to guest accounts could have been significantly more challenging for cybercriminals.

Fraud Detection: Pindrop’s technology also includes fraud detection capabilities that analyze voice, caller behavior and call metadata to identify suspicious patterns. This could have helped detect unusual activity on the compromised server, potentially alerting MGM’s security team to the breach sooner.

Multi-Factor Authentication: Implementing multi-factor authentication (MFA) with voice recognition could have made it substantially more difficult for cybercriminals to gain access to the cloud server where guest data was stored.

Preventing future breaches

The MGM Resorts International breach serves as a stark reminder of the importance of proactive cybersecurity measures. In today’s interconnected world, businesses must constantly evolve their security strategies to stay one step ahead of cyber threats.

Pindrop’s technology solutions offer a promising avenue for businesses to bolster their cybersecurity defenses, particularly in industries that handle vast amounts of customer data, such as hospitality. By incorporating voice biometrics, fraud detection, and MFA, organizations can significantly reduce their vulnerability to data breaches and enhance customer trust.

What you can do next

In addition to fraudsters’ use of more creative and organized tactics, recent advancements in AI technology have allowed fraudsters to gain access to confidential information using AI-generated voice deepfakes at an unprecedented rate. As we’ve seen, the MGM Resorts International breach is just one example of the evolving threat landscape.

The question is, how prepared is your organization to defend against these ever-more sophisticated attacks? Are you ready to fortify your business against deepfake threats?

On Demand Webinar: Pindrop leaders Amit Gupta and Elie Khoury dive into the threat of deepfakes and how to protect your business and customers from future attacks.

Researchers are warning about a phishing attack that abuses the way some browsers handle unicode characters to display attack domains that are identical to legitimate ones.
The concept behind the attack is quite old, but it has resurfaced in the current versions of both Firefox and Chrome. The attack relies on the fact that the affected browsers will display unicode characters used in domain names as normal characters, making them virtually impossible to separate from legitimate domains.
“From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘аpple.com’. It may not be obvious at first glance, but ‘аpple.com’ uses the Cyrillic ‘а’ (U+0430) rather than the ASCII ‘a’ (U+0041). This is known as a homograph attack,” researcher Xudong Zheng wrote in a post on the attack.
Most browsers have some protections in place to defend against this kind of attack, but they don’t prevent every version of it. If the attack domain only replaces the ASCII characters with characters from one foreign language, rather than multiple languages, the protections in Chrome and Firefox will fail. Researchers at Wordfence have demonstrated the issue by creating exact copies of legitimate domains, some with valid SSL certificates.
“The real epic.com is a healthcare website. Using our unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data,” Mark Maunder of Wordfence wrote.
“We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.”
The danger of this kind of attack is real, as it would be almost impossible for a non-technical user to detect. Google has added a fix for this problem in an upcoming release of Chrome, but for now the attack works against the current version of the browser. Mozilla has opened a Bugzilla discussion on it, and Maunder said there is a manual fix for it in Firefox that users can apply as well. By searching for the word punycode in Firefox’s about:config, users can set the network.IDN_show_punycode parameter to “true”, which prevents the domain trick from working.
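The two checks the article describes, the mixed-script test that Chrome and Firefox apply and the reason a single-script look-alike slips past it, can be reproduced in a few lines. The following is an added example, not code from the article or from Wordfence; the protected-domain list and the confusables table are constructed (a small subset of the look-alikes in Unicode TR39), and `analyze()` is a hypothetical helper. It converts between Unicode and punycode (ACE) form with Python’s standard `idna` codec, flags labels that mix scripts, and additionally maps confusable letters to ASCII so a label written entirely in Cyrillic is still compared against the real brand name.

```python
import unicodedata

# Constructed allowlist of domains to protect (the article names apple.com and epic.com).
PROTECTED_DOMAINS = {"apple.com", "epic.com"}

# Constructed subset of Unicode confusables: non-Latin letters that render like ASCII.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a (the character in Zheng's demo)
    "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o",  # Greek small omicron
}


def to_unicode(host):
    """Accept a hostname in either punycode ('xn--') or Unicode form; return Unicode."""
    host = host.lower().rstrip(".")
    if host.isascii():
        return host.encode("ascii").decode("idna")  # decodes xn-- labels, leaves plain ASCII alone
    return host


def to_ascii(host):
    """Return the ACE form a browser shows when IDN display is disabled
    (e.g. Firefox with network.IDN_show_punycode = true)."""
    return to_unicode(host).encode("idna").decode("ascii")


def scripts_in(label):
    """Approximate the set of scripts in a label from the first word of each
    character's Unicode name; digits and hyphens are script-neutral and skipped."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(host):
    """Replace confusable characters with their ASCII look-alikes so a
    same-script spoof can be compared with the real domain name."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(host))


def analyze(host):
    """Return a list of findings for a hostname; an empty list means nothing suspicious."""
    uni = to_unicode(host)
    findings = []
    # Check 1: the browsers' mixed-script heuristic.
    for label in uni.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    # Check 2: catches the single-script case the browsers miss.
    skel = skeleton(uni)
    if skel != uni and skel in PROTECTED_DOMAINS:
        findings.append(f"{to_ascii(host)} is a look-alike of {skel}")
    return findings


if __name__ == "__main__":
    for h in ("apple.com", "\u0430pple.com", "xn--pple-43d.com", "\u0435\u0440\u0456\u0441.com"):
        print(to_ascii(h), "->", analyze(h) or "ok")
```

The last sample, `еріс.com` written entirely with Cyrillic letters, produces no mixed-script finding, which is exactly the gap the article describes; only the skeleton comparison flags it. Enforcing a check like this at a mail gateway or proxy, rather than relying on what the address bar renders, is the defensive takeaway.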
Image: Derek Havey, CC By license.

OAKLAND–For years, bulletproof hosting providers have been the bane of the Internet. They serve as havens for malware, cybercrime operations, and child exploitation rings, while dodging law enforcement by moving their operations early and often. But security researchers and cybercrime investigators are beginning to make some headway in the fight against these operators, through cooperation and quick action.
Like legitimate businesses, cybercrime groups need infrastructure and support in order to operate. For many of them, bulletproof hosting providers–which ask few questions about content and will often run interference with law enforcement agencies–are the foundation of their activities. Ransomware gangs, malware crews, and many other species of cybercriminals rely on these hosting providers to keep the servers they use for their operations up and running. Security researchers and cybercrime investigators know who most of these providers are and track their activities closely, but getting them to take down customers’ servers with illegal content is no easy task.
“Hosters will put different customers in different countries based on the type of content they have. If it’s porn, they use Netherlands. Malware is Ukraine. And they make the life of law enforcement very difficult by being uncooperative,” Dhia Mahjoub, a principal engineer at OpenDNS Research Labs, said during a talk at the Enigma conference here Tuesday.

Some bulletproof providers will give their customers advice on how to deal with requests from law enforcement, and will give them several days to move or change their operations before responding to police. Providers also typically spread their IP space across several autonomous systems (ASNs) and multiple countries, which causes problems for law enforcement. Mahjoub said that remains one of the larger challenges in dealing with cybercrime operations.
“Cross-jurisdictional issues are a big challenge. Hosters have very little incentive to change anything. If they take content down, that affects their business,” he said.
“The vicious thing about these guys is that they spread all across the web and stay under certain thresholds so we won’t notice them. Having friends at a certain ISP or hosting company is very useful.”
Researchers and cybercrime investigators have had some successes in recent years going after these providers, most notably with the McColo takedown several years ago, and more recently with the operation against RBN. Mahjoub said that takedowns require a delicate mix of technical work and human relationships to be effective.
“If you want to take a poster down, we face challenges. You have to prove the content is bad, prove that there’s intent,” he said. “As researchers, if we give them evidence on a repetitive basis, they will see that it’s a pattern. Bad guys have an M.O. and if you track that very closely, you can help law enforcement. You shouldn’t give up.”

A renowned hardware hacker has released a cheap USB device that, when plugged in to any computer–even password-protected or locked ones–can hijack all of the Internet traffic from the PC, steal web cookies, and install a persistent backdoor that survives after the device is removed.
Known as PoisonTap, the device is the work of Samy Kamkar, a security researcher and hardware hacker who built the tool on a cheap Raspberry Pi Zero board. He’s released the code for PoisonTap, which could be a key tool in the arsenal of any security researcher or hacker. The device sounds simple, but there’s a whole lot going on in the background. The entire attack takes no more than a minute, Kamkar said.
Once plugged in to a target computer, the PoisonTap will emulate a USB Ethernet device and Windows and OS X both will recognize it as a low-priority network device. The operating system will then send a DHCP request to the device.
“PoisonTap responds to the DHCP request and provides the machine with an IP address, however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 – 255.255.255.255) is part of the PoisonTap’s local network, rather than a small subnet (eg 192.168.0.0 – 192.168.0.255),” Kamkar said in a post explaining PoisonTap’s functionality.
“Normally it would be irrelevant if a secondary network device connects to a machine as it will be given lower priority than the existing (trusted) network device and won’t supersede the gateway for Internet traffic, but…Any routing table / gateway priority / network interface service order security is bypassed due to the priority of ‘LAN traffic’ over ‘Internet traffic.’ PoisonTap exploits this network access, even as a low priority network device, because the subnet of a low priority network device is given higher priority than the gateway (default route) of the highest priority network device. This means if traffic is destined to 1.2.3.4, while normally this traffic would hit the default route/gateway of the primary (non-PoisonTap) network device, PoisonTap actually gets the traffic because the PoisonTap ‘local’ network/subnet supposedly contains 1.2.3.4, and every other IP address in existence.”

What that means is that PoisonTap will get all of the Internet traffic from the infected machine, despite the presence of other network devices. The device performs a similar trick in order to siphon off web cookies from HTTP requests. When a browser running on the infected machine makes an HTTP request, the device will perform DNS spoofing so that the request goes to the PoisonTap web server rather than the intended one. The device has the ability to grab cookies from any of the Alexa top one million sites, Kamkar said.
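The route-selection behaviour Kamkar describes, and the DHCP sanity check that would catch it, can be modelled directly. The following is an added example, not code from PoisonTap or from Kamkar: `select_route()` models a host's route lookup as longest prefix first, then on-link subnet before gateway route, then metric (the preference the quoted explanation describes; real stacks differ in detail), and `audit_dhcp_offer()` is a hypothetical check a DHCP client or endpoint agent could run on an offer before installing it. The routing table and the two offers are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    iface: str
    metric: int        # interface priority: lower is preferred
    via_gateway: bool  # True for a default/gateway route, False for an on-link subnet


def select_route(dst, routes):
    """Model of a host's route lookup: longest prefix wins; at equal prefix
    length an on-link (directly connected) subnet beats a gateway route, as the
    article describes; only then does interface priority (metric) matter."""
    addr = ipaddress.IPv4Address(dst)
    matching = [r for r in routes if addr in r.network]
    if not matching:
        return None
    best = max(matching, key=lambda r: (r.network.prefixlen, not r.via_gateway, -r.metric))
    return best.iface


# Constructed routing table: a trusted Ethernet NIC plus a low-priority USB
# Ethernet device whose DHCP-assigned "subnet" is the entire IPv4 space.
TRUSTED_ONLY = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0", 100, True),       # default route via real gateway
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "eth0", 100, False),  # real LAN
]
WITH_ROGUE_DEVICE = TRUSTED_ONLY + [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "usb0", 1000, False),     # on-link "subnet" = all of IPv4
]


def audit_dhcp_offer(offer, min_prefixlen=8):
    """Sanity-check a DHCP offer before accepting it. `offer` is a constructed
    dict with 'ip', 'mask', 'router' and optional RFC 3442 'classless_routes';
    this is not a DHCP packet parser. Returns a list of findings (empty = OK)."""
    findings = []
    net = ipaddress.IPv4Network(f"{offer['ip']}/{offer['mask']}", strict=False)
    if net.prefixlen < min_prefixlen:
        findings.append(f"offered subnet {net} spans {net.num_addresses} addresses; "
                        f"a LAN should not be wider than /{min_prefixlen}")
    router = ipaddress.IPv4Address(offer["router"])
    if router not in net:
        findings.append(f"router {router} lies outside the offered subnet {net}")
    for dest in offer.get("classless_routes", []):
        dest_net = ipaddress.IPv4Network(dest)
        if dest_net.prefixlen < min_prefixlen:
            findings.append(f"static route {dest_net} would capture a huge address range")
    return findings


# Constructed offers: one resembling the trick described above, one ordinary.
ROGUE_OFFER = {"ip": "1.0.0.1", "mask": "0.0.0.0", "router": "1.0.0.1"}
NORMAL_OFFER = {"ip": "192.168.0.20", "mask": "255.255.255.0", "router": "192.168.0.1"}


def would_accept(offer):
    """Policy decision: install the offered configuration only if the audit is clean."""
    return not audit_dhcp_offer(offer)


if __name__ == "__main__":
    print("1.2.3.4 via", select_route("1.2.3.4", TRUSTED_ONLY), "-> with rogue device:",
          select_route("1.2.3.4", WITH_ROGUE_DEVICE))
    for name, offer in (("rogue", ROGUE_OFFER), ("normal", NORMAL_OFFER)):
        print(name, "accepted" if would_accept(offer) else audit_dhcp_offer(offer))
```

The point the simulation makes is that interface priority never gets a vote: the rogue route covers `1.2.3.4` as an on-link destination, so it wins before metrics are compared. Refusing an offer whose netmask is wider than any plausible LAN, as `audit_dhcp_offer()` does, removes the precondition rather than arguing about priorities.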
Kamkar is well-known in the security community for producing innovative devices along these lines. In addition to PoisonTap, he’s released KeySweeper, a remote key logger disguised as a USB phone charger, SkyJack, a drone that can hack other drones, and MagSpoof, a small device that can emulate any credit or debit card.
Along with its cookie-siphoning and traffic-hijacking capabilities, PoisonTap also installs a persistent backdoor that an attacker could reach via the web. During the cookie-siphoning operation, PoisonTap produces iframes for thousands of domains, which then serve as backdoors.
“While PoisonTap was producing thousands of iframes, forcing the browser to load each one, these iframes are not just blank pages at all, but rather HTML+Javascript backdoors that are cached indefinitely. Because PoisonTap force-caches these backdoors on each domain, the backdoor is tied to that domain, enabling the attacker to use the domain’s cookies and launch same-origin requests in the future, even if the user is currently not logged in,” Kamkar said.
The code for PoisonTap is available on GitHub. Kamkar said OS vendors can protect against this kind of attack by being stricter about the way they recognize USB devices.
“I would suggest OS’s to not load USB devices (other than mouse/keyboard) while the machines are password protected. Also, asking the user to load new USB devices such as network devices while unlocked would also be beneficial,” he said via email.
Image: Lucas Dumrauf, public domain.

One of the more common ways for sensitive data to leak from an organization is through email. Whether intentionally or through carelessness, employees will often include passwords, financial information, and other important data in emails that wind up in the wrong hands.
Depending upon the kind of information, this can either be slightly embarrassing or potentially catastrophic for the organization. Attackers covet email spools for key corporate employees for just this reason, and Beau Bullock, a security analyst at Black Hills Information Security, has developed a new tool called MailSniper that can identify potentially sensitive information in target email boxes before it leaves the organization.
Part of the motivation for creating the tool was the need for something to search out information in email that could be used to access other accounts during a penetration test, Bullock said.

“Having the power to search through email is huge when hunting for sensitive data. For example, a simple search for the term ‘*password*’ in the body and subject of every email might return instructions on how to access certain systems along with what credentials to use. At an energy company a search for ‘*scada*’ or ‘*industrial control system*’ might return a conversation detailing the location of sensitive ICS devices,” he said in a blog post explaining MailSniper’s functionality.

But there’s also the issue of potentially damaging data leaving the organization, whether it’s financial information or customer data that could represent a regulatory violation.

“At a financial institution a search for ‘*credit card*’ might reveal where employees have been sending credit card numbers in cleartext over email. At a healthcare organization searching for ‘*SSN*’ or ‘*Social Security number*’ could return potential health care data,” he said.

MailSniper has two modes, one for searching the current user’s mailbox and another for searching all of the mailboxes in a given domain. Designed to run in Microsoft Exchange environments, the tool can run remotely and gives the user the ability to impersonate the current user and perform a long list of other tasks. Although Bullock developed MailSniper for use by penetration testers mainly, he said it could be used by internal teams as well.

“One example from a non-penetration testing viewpoint would be that internal teams could use it on a regular basis to search for specific terms that should be protected and not leaving or being circulated in an environment using a plain text protocol. Another example, organizations can use it for internal investigations or even to determine how widespread malicious emails have propagated within an environment,” Bullock said by email.

The code for MailSniper is available on GitHub, and Bullock warned that it is still under development and is in beta right now. He said he focused on Exchange because of its dominance in corporate environments, but would like to look at other email systems for future MailSniper versions, too.

“The core idea of searching email on other services besides Exchange would completely rely on how those services are built. Exchange Web Services made it fairly straightforward for me to gather mails and search them. I focused on Exchange due to how widespread it is but would definitely like to look at writing in the ability to do this on other services,” Bullock said.
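The internal-team use Bullock describes, regularly searching mail for terms that should never travel in clear text, boils down to a content scanner run over whatever the mailbox search returns. The following is an added example and is not MailSniper code or Black Hills code; it stands in for the scanning step only, with constructed sample messages in place of EWS results and hypothetical helpers `scan_message()` and `scan_mailbox()`. It goes one step beyond the plain keyword searches in the post by validating candidate card numbers with the Luhn check and masking what it reports, so a finding can be handed to an investigator without copying the secret again.

```python
import re

# Constructed sample messages standing in for what a mailbox search would return.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "VPN access", "body": "user: jdoe password: Summer2016! for the jump host"},
    {"id": 2, "subject": "Travel booking", "body": "Card on file: 4111 1111 1111 1111 exp 09/19"},
    {"id": 3, "subject": "Invoice 4539", "body": "PO number 4111 1111 1111 1112, please process"},
    {"id": 4, "subject": "Patient intake", "body": "SSN 123-45-6789 on the attached form"},
    {"id": 5, "subject": "Lunch", "body": "Pizza at noon?"},
]

# Terms from the post's examples plus a few obvious neighbours.
KEYWORDS = re.compile(r"\b(password|passwd|credentials?|credit card|scada|industrial control system)\b", re.I)
# 13-19 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check; weeds out invoice and PO numbers that merely look like cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_message(msg):
    """Return a list of findings for one message; empty list means nothing flagged."""
    text = f"{msg['subject']}\n{msg['body']}"
    findings = [f"keyword:{kw.lower()}" for kw in KEYWORDS.findall(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"card:{digits[:6]}...{digits[-4:]}")  # masked for the report
    if SSN_RE.search(text):
        findings.append("ssn")  # the number itself is deliberately not echoed
    return findings


def scan_mailbox(messages):
    """Map message id -> findings for every message with at least one finding."""
    flagged = {}
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            flagged[msg["id"]] = findings
    return flagged


if __name__ == "__main__":
    for msg_id, findings in scan_mailbox(SAMPLE_MESSAGES).items():
        print(msg_id, findings)
```

Message 3 is the reason for the Luhn step: its number has the shape of a card but fails the checksum, so a plain `*credit card*`-style wildcard or a digits-only regex would have produced a false positive that the checker rejects.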

The fight between attackers and security researchers often is portrayed as a kind of spy versus spy operation, with each side making moves and countermoves in order to stay undetected and continue operating. But while top-tier attackers pay close attention to the details and are adept at hiding their tracks, that doesn’t necessarily hold true for the rest of the herd.
New research from security firm Digital Shadows into the operational security practices of attacker groups shows that there is a wide variety in the quality and professionalism that attackers display when conducting their operations. For attackers at the top of the pyramid–think intelligence services and APT groups–operational security is of the utmost importance and they take it very seriously. There are operations known to security researchers that have been going on for years and yet the researchers don’t have a clear idea of who is behind them. On the other hand, inexperienced cybercriminals often make simple mistakes early on that lead to them being caught.

“Just as threat actor motivations and capabilities vary from group to group, so does OPSEC tradecraft. Different actors have different requirements for privacy and anonymity. Cyber crime forum operators must balance staying off the radar of law enforcement with the ability to sell and market their products. Nation state espionage actors often possess more mature tradecraft, but this isn’t always the case. Hacktivist OPSEC can range from less mature with teenagers launching DDoS attacks, to more mature groups targeting high profile banks and doing data dumps,” Digital Shadows said in its new report.
Rick Holland, vice president of strategy at Digital Shadows, said that attackers often start at the low end of the spectrum, with credit card fraud and other simple crimes. When they have some success there, they may move up to more complex and risky crimes that require better OpSec, but they’re not always up to the task.

“There’s a lot of immature people and OpSec. A lot of people start in carding and go after consumers. Carding is where you start, and those that are successful will stay around and become more mature,” Holland said in an interview. “Their tenure, as far as how long they’ve been operating, is a factor. The new groups have to mature their OpSec. If someone is a money mule and they have to go into the physical world to cash out, their OpSec is higher, so the roles matter.”
Attackers of various skill levels communicate, recruit, and compare notes on forums, which often are members-only. Researchers monitor these forums for information on attackers’ tactics and potential targets, and Holland said there’s typically a connection between the risk in what the attackers are doing and their level of operational security. As attackers move up the food chain and come up against more professional and skilled defenders, they are forced to step up their game.
“You see different levels of OpSec on different forums. Their OpSec is only going to be as good as it needs to be to stay hidden,” Holland said. “If someone is ideological, they may have less OpSec because they want people to know what they’re doing.”
One of the most common mistakes that cybercriminals make, Holland said, is not separating their real lives from their online criminal enterprises. In an example laid out in the Digital Shadows report, the alleged operator of a notorious botnet known as Dridex made this mistake and it led investigators right to him.
“In October 2015, the U.S. Department of Justice revealed an indictment against a suspected administrator of a Dridex botnet. The Moldovan suspect, Andrey Ghinkul, was also known by his online nickname, Smilex. Ghinkul was alleged to be part of a group that disseminated Dridex – used to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of keylogging and web injects,” the report says.
“It was estimated by the Federal Bureau of Investigation (FBI) that at least $10 million USD in direct loss to the United States is attributable to Dridex. A subsequent review of the digital shadow of Smilex revealed a somewhat lax attitude towards operational security, with easily identified traces of the nickname ‘Smilex’ being used alongside the attacker’s real name. From there it was relatively easy to identify a date of birth and a social media presence, including a rather open Facebook profile revealing details of holidays abroad and expensive foreign vehicles.”
Attackers and fraudsters are not just interested in hiding their activities; they also need to hide and launder the money they make from their crimes. This has been made much simpler in recent years with the advent of cryptocurrencies such as Bitcoin. Holland said many cybercrime groups have taken an interest in Bitcoin and use third-party services to launder their currency and break the publicly documented connection between sending and receiving Bitcoin addresses.
“They’re very interested in Bitcoin and digital currency,” he said.

The ransomware ecosystem has developed largely underground, and insights into the way that the malware is developed and controlled are rare. But researchers at Cylance recently got an inside look at the way that AlphaLocker ransomware goes about its business and found that the operation is surprisingly simple and yet still quite effective.
AlphaLocker is a relatively new piece of ransomware, having appeared just a couple of months ago, and it comes in at the low end of the price chart at $65. Many ransomware packages cost several times that amount, and AlphaLocker is also different in that buyers purchase it straight from the creator. But just because the ransomware is cheap doesn’t mean it’s low-end in terms of features and capabilities. Buyers get an administrative panel, as well as the executable of the ransomware and the decryption binary.
Attackers using AlphaLocker have the option of deploying it however they choose and the infection mechanisms are up to them, as well. AlphaLocker is based on an open-source project called Eda2, which was developed by a researcher last year. The source code for the project eventually was taken offline, but it has been reused in part by AlphaLocker. The Cylance researchers who analyzed AlphaLocker found some of the command-and-control nodes used by the ransomware.
“Sometimes we luck out and get to take careful advantage of silly oversights on the part of the ‘bad guys’. In this case, we were able to find more than one active C2, where the initial config files were still present – in this case, install.php,” Jim Walter of Cylance wrote in an analysis of the ransomware.
“All of AlphaLocker’s configuration and support files are unencrypted and in English, while the author(s) appear to be Russian (based on data contained in some of the panel files, as well as the particular forums in which the ransomware is advertised).”
The encryption routine for AlphaLocker is fairly typical, with files being encrypted with unique AES keys. AlphaLocker has the ability to encrypt files even while an infected machine is turned off, and each buyer of the ransomware can decide which file types he wants to encrypt. Buyers have access to an admin panel that provides statistics on infected machines, including the country the machine is in, time of infection, and other information.
“Files are individually encrypted with their own unique key (AES). AES keys are RSA-encrypted via a keypair stored in the local MySQL DB and posted to the C2,” Walter said.
The AlphaLocker ransomware is not well detected by antimalware products right now, Walter said.

Ransomware has become one of the top threats to consumers over the course of the past few years, and it has begun to spread to enterprises as well of late. But as bad as this problem has become, researchers say that what we’re seeing right now may be just a ripple in the water compared to the tsunami that could be on the horizon.
For much of the history of ransomware, the attackers have targeted individual users. There are a number of logical reasons for this, mainly the fact that consumers are seen as easier targets and more likely to pay a ransom than enterprises. Businesses have dedicated IT and security teams, better defenses, and more resources for potentially recovering lost data than home users do, so consumers have borne the brunt of the ransomware attacks.
But that has changed recently, as ransomware gangs have begun to turn their attention to enterprises. One reason for this shift is that if an attacker is able to disrupt a business’s operations sufficiently, he is likely to get a quick payment in order to get things running again. The most prominent example of this phenomenon is the attack on Hollywood Presbyterian Medical Center in February, which rendered large portions of the hospital’s network unusable and inaccessible. After notifying law enforcement, hospital officials decided the best course of action was to pay the ransom and get on with its business.
“The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000. The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” a statement from Allen Stefanek, president and CEO of the hospital, said.

SAN FRANCISCO–The Apple-FBI debate has brought up many old arguments about wiretapping, surveillance, backdoors, and law enforcement, but while the discussions aren’t new, the technological context is. Cryptographers and privacy experts who are studying the case say that the recent proliferation of encrypted communications and devices has raised the stakes for everyone involved.
“Wiretapping didn’t spring from nothing. But the encrypted messaging systems and encrypted phones in some sense are practically a day old,” Matthew Green, a professor at Johns Hopkins University and cryptographer, said in a panel discussion on government backdoors at the RSA Conference here Wednesday.
“We started deploying these things at real scale only a couple of years ago. This is creating something from scratch and we have no idea what the implications of the technology are going to be.”
One of the proposals that’s been advanced during the discussion of the FBI’s desire to get backdoor access to an encrypted iPhone is the notion of dividing trust in some way. Splitting encryption keys among two or even more parties isn’t a new idea, but it’s resurfaced as policy makers and technologists look for solutions to the problem at hand.
Green said that while the key-splitting scenario may be technically possible, there are a lot of problems with it.
“Dividing trust requires huge changes. That might work out, it might be possible. But I don’t know who those trusted entities are,” Green said. “If you pick them incorrectly, really bad things happen to you.”
While many of the systems and services that are using encryption may be new, the technology and math behind them are not. Green said that the upside of all of the discussions around backdoors is that they help shed light on the strength of the encryption algorithms in use right now.
“The one thing that no country knows how to do is break encryption. They break it by stealing keys,” Green said. “We know encryption works. The technological facts are fixed.”
In addition to the technological aspects of the backdoor discussion, there’s also a large privacy consideration. If users have an expectation of privacy and later discover their communications or devices have been intentionally compromised, the ramifications could be severe.
“We have a huge expectation of privacy in this country. We want to talk to who we want to talk to unobserved by other people,” said Michelle Dennedy, chief privacy officer at Cisco. “It feels bad to feel out of control. When we have information flowing through our systems, we’re engaging in a sacred trust. We have an ethical, legal and moral obligation to protect it.”

The FDIC has released a cybersecurity framework for banks that describes a long list of threats to financial institutions and includes recommendations for how they can defend against those threats.
The framework doesn’t contain any surprises or novel threats, but provides a broad outline of the problems banks and other financial institutions face, such as phishing, malware, DDoS attacks, and others.
“During the past decade, cybersecurity has become one of the most critical challenges facing the financial services sector due to the frequency and increasing sophistication of cyber attacks. In response, financial institutions and their service providers are continually challenged to assess and strengthen information security programs and refocus efforts and resources to address cybersecurity risks,” the introduction to the framework by Doreen Eberley, director of the division of risk management supervision at the FDIC, says.
Financial institutions have been at the top of the target list for just about every kind of attacker since the dawn of the Internet, and banks invest as much in information security as any other organization. But attackers have had more than their fair share of successes against banks in recent years, both with direct attacks and with phone fraud schemes that convince consumers or businesses to transfer money directly to the criminals.
The attack surface for a typical bank is broad and deep, comprising the internal network, the customer base, mobile apps, payment networks, and many other components. Defending that surface against increasingly professional and persistent attackers is a complicated and difficult proposition. Even institutions with mature information security programs can have weak spots that attackers can exploit for profit.
“In today’s banking environment, business functions and technologies are increasingly interconnected, requiring financial institutions to secure a greater number of access points. Innovation has resulted in greater use of automated core processing, document imaging, distributed computing, automated teller machines, networking technologies, electronic payments, online banking, mobile banking, and other emerging technologies. At the same time, physical data assets have been automated and a bank’s sensitive customer information stored on computers has become as valuable as currency—a different kind of asset that needs safeguarding,” the framework says.
Among the recommendations the FDIC includes in the framework are that banks take advantage of available threat intelligence assets, such as information from the FS-ISAC and US-CERT. The agency also recommends that banks implement comprehensive patch-management programs and security awareness training for employees.
Image from Flickr stream of Pascal.

Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers.
The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries. Karsten Nohl, a prominent security researcher, and two colleagues discovered that ZVT, an older protocol, contains a weakness that enables an attacker to read data from credit and debit cards under some circumstances. In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network, which isn’t usually a terribly high barrier for experienced attackers.
The attacker also would have the ability to steal a victim’s PIN from a vulnerable terminal, thanks to the use of an easy timing attack. Having the PIN, along with the ability to read the victim’s card data from the terminal, would allow an attacker to execute fraudulent transactions.
“This mechanism is protected by a cryptographic signature (MAC). The symmetric signature key, however, is sometimes stored in Hardware Security Modules (HSMs), of which some are vulnerable to a simple timing attack, which discloses valid signatures. A signature extracted from one such HSM can be used to attack other, more secure models since the signature key is the same across many terminals, violating a base principle of security design,” the researchers from Security Research Labs wrote in an explanation of the research, which was presented at the 32C3 conference in Berlin earlier this week.
Nohl and his colleagues also discovered a problem with the ISO 8583 protocol, which is used for communications between payment terminals and payment processors. One version of this protocol, known as Poseidon, has an authentication flaw related to the way the secret key is implemented in terminals. Many terminals use the same secret key, which makes it somewhat less-than-secret. The researchers discovered that they could manipulate data on a target terminal and get access to the merchant account for that terminal.
“Therefore, after changing a single number (Terminal ID) in any one terminal, that terminal provides access to the merchant account that Terminal ID belongs to. To make matters worse, Terminal IDs are printed on every payment receipt, allowing for simple fraud. Fraudsters can, among other things, refund money, or print SIM card top-up vouchers – all at the cost of the victim merchant,” the researchers wrote.
The researchers disclosed their findings to German banks and payment processors before revealing them publicly, and said that action is needed to defend against these attacks. The most important change is to implement discrete authentication keys for every terminal, the researchers said.
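The two design points in this research, a MAC key shared across many terminals and MAC verification that leaks through timing, are easier to see in code. The following is an added example, not code from Security Research Labs, from any terminal vendor or from a payment processor: it derives a distinct MAC key per terminal from a processor master key (an HMAC-based derivation, assumed here as one way to realise “discrete authentication keys for every terminal”), binds the Terminal ID into the MAC, and verifies with a constant-time comparison. The master key, terminal IDs and message format are constructed sample values; `naive_equal` is shown only to contrast with `hmac.compare_digest`.

```python
"""Per-terminal MAC keys and constant-time verification.

Added illustration for the payment-terminal research above; not code from
the researchers, a terminal or a processor. All values are constructed.
"""
import hashlib
import hmac

# Constructed sample processor master key (never shared with terminals in
# the hardened design; each terminal receives only its own derived key).
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_terminal_key(master_key, terminal_id):
    """Derive one terminal's MAC key from the master key and its ID.

    HMAC-based derivation (a single HKDF-Expand step); assumed here as one
    way to give every terminal a discrete key the processor can recompute.
    """
    info = b"terminal-mac-key|" + terminal_id.encode()
    return hmac.new(master_key, info, hashlib.sha256).digest()


def mac_message(key, terminal_id, payload):
    """MAC over Terminal ID and payload, so neither can be altered in transit."""
    return hmac.new(key, terminal_id.encode() + b"|" + payload, hashlib.sha256).digest()


def naive_equal(a, b):
    """Early-exit comparison: runtime depends on how many leading bytes match.

    That data-dependent timing is the class of leak the HSM timing attack
    above relies on; shown for contrast only, never use it for MAC checks.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def verify_shared_key(terminal_id, payload, tag):
    """Weak design: every terminal holds the same key as the processor."""
    expected = mac_message(MASTER_KEY, terminal_id, payload)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def verify_per_terminal(terminal_id, payload, tag):
    """Hardened design: the processor derives the key for the claimed ID.

    A terminal that holds only its own key cannot produce a valid tag for
    another Terminal ID, so reconfiguring the ID no longer grants access
    to another merchant's account.
    """
    key = derive_terminal_key(MASTER_KEY, terminal_id)
    expected = mac_message(key, terminal_id, payload)
    return hmac.compare_digest(expected, tag)


def demo():
    """Compare both designs when a terminal reports a Terminal ID not its own."""
    own_id, other_id = "T0001", "T0002"
    payload = b"REFUND;amount=1000"  # constructed sample message

    # Shared-key design: the terminal's own key is also valid for other_id.
    tag_shared = mac_message(MASTER_KEY, other_id, payload)
    accepted_shared = verify_shared_key(other_id, payload, tag_shared)

    # Per-terminal design: the terminal only has the key for own_id.
    own_key = derive_terminal_key(MASTER_KEY, own_id)
    tag_wrong_id = mac_message(own_key, other_id, payload)
    accepted_per_terminal = verify_per_terminal(other_id, payload, tag_wrong_id)

    # Genuine traffic from the terminal under its own ID still verifies.
    genuine = verify_per_terminal(own_id, payload, mac_message(own_key, own_id, payload))
    return accepted_shared, accepted_per_terminal, genuine


if __name__ == "__main__":
    print(demo())
```

In the shared-key design the first check passes, which is the flaw the researchers describe; with per-terminal keys it fails while genuine traffic still verifies. Deriving keys from a master secret lets the processor recompute any terminal’s key without storing one key per terminal, and `hmac.compare_digest` removes the data-dependent timing that a naive byte comparison introduces.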
Nohl is well-known in the security community for research on flaws in USB drives that allow them to be reprogrammed with undetectable malware, as well as for finding bugs in SIM cards.
Photo from Flickr stream of Alexander Cahlenstein.
