Banks With Bad Cybersecurity Could Face SWIFT Justice

Category: Security News

Fraud , Payments Fraud , Risk Management

Changing Tack, SWIFT Considers Suspending Banks With Security Shortcomings
Mathew J. Schwartz (euroinfosec) • June 3, 2016
Photo caption: Gottfried Leibbrandt, CEO of SWIFT

Is SWIFT now playing good cop/bad cop?

In the wake of the SWIFT-related theft of $81 million from the central bank of Bangladesh, and investigations into potentially related attacks against more banks dating back to 2013, SWIFT CEO Gottfried Leibbrandt initially said that his organization wouldn't impose data security standards on any of its 11,000 members.

"SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry," Leibbrandt said in a May 24 speech in Brussels, during which he called on the banking sector to help banks better secure themselves.

But Leibbrandt appears to have changed tack, saying on June 1 that his organization is now weighing suspending banks found to have poor security practices. "We could say that if the immediate security around SWIFT is not in order we could cut you off, you shouldn't be on the network," Leibbrandt tells the Financial Times.

"There are pros and cons to that," he adds. "The pros are that it provides clarity that if you are on the SWIFT network you need minimum standards. ... I think the con is if you do it too heavy handed, you could drive people to unsafe channels."

SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - is a nonprofit cooperative owned by 3,000 banks that bills itself as "the world's leading provider of secure financial messaging services." Its network and software process 25 million messages a day, collectively accounting for billions of dollars' worth of transfers.

Leibbrandt also tells the Financial Times that SWIFT has been in discussions with both the Bank for International Settlements as well as the Financial Stability Board about making SWIFT's security guidance part of their global security standards. He adds that SWIFT also is considering creating a program that will certify auditors to review banks' cybersecurity practices.

A SWIFT spokesman tells me that the organization is simply weighing all options.

"What we have said is that everything will be considered - including the merits of a disconnection or a suspension as a penalty for customers who have violated any security rules that we might hardwire," he says. "All these things - amongst many other things - will be considered and the pros and cons of the different alternatives weighed up. Customers will, of course, be involved in and consulted on the further definition of the customer security program, including decisions on such matters."

Weakest Link Warning

Seeing SWIFT raise the possibility of launching security audits for its participating banks and adjusting financial sector regulations speaks to the drubbing that the cooperative's public image has taken since the February Bangladesh Bank heist came to light in March (see Blocking Hack Attacks: SWIFT Must Do More).

Indeed, multiple regulators and legislators have been demanding to know how the financial services industry plans to lock down related weaknesses, and what risks SWIFT-using banks currently face (see Fraudulent SWIFT Transfers: Congress Queries New York Fed).

It's clear that SWIFT has to be seen to be doing something. The unanswered question, however, seems to be what to do about institutions that can't reliably repel hack attacks or spot when they've been breached (see SWIFT to Banks: Get Your Security Act Together).

For example, court documents recently came to light showing that Ecuador's Banco del Austro lost $12 million in January 2015 to attackers who infiltrated its systems and sent fraudulent SWIFT messages.

"The system is only as secure as the weakest link," says Ricardo Villadiego, CEO of anti-fraud firm Easy Solutions. And right now, there appear to be plenty of weak links that cybercriminals can continue to target.

In the wake of the bank-hacking reports, SWIFT initially pointed the finger at victim institutions' poor information security practices. But it's subsequently come out with a security action plan, including proposals to increase threat information sharing and fraud detection.

Security experts say it's unclear if such measures would help, especially because many banks already use such tools. Likewise, fraud detection is a difficult fit with many financial services firms pushing for faster payments.

On the other hand, some security experts have noted that most SWIFT-using banks haven't been using strong authentication to verify SWIFT messages. Such security controls could help block hackers' attempts to inject fraudulent messages into SWIFT's network and thus help arrest the types of bank heists - and attempted heists - that have recently come to light.

TeamViewer Bolsters Security After Account Takeovers

Category: Security News

Data Breach , Fraud

Fraudsters Raid Computers for PayPal, Amazon and eBay Accounts
Jeremy Kirk (jeremy_kirk) • June 6, 2016

TeamViewer is strengthening the security of its remote access application after an uptick in account takeovers that the company says is the result of hackers reusing account credentials from recent data breaches.

The issue appears to primarily affect consumer accounts, although TeamViewer has a robust enterprise business: 90 percent of Fortune 500 companies use its application for remote support and access.

The vast majority of support queries TeamViewer has received concerning the attacks have been from consumers, says Axel Schmidt, a company spokesman. That's because enterprises have generally followed TeamViewer's security recommendations to protect their accounts.

"Very often what we find is that they [consumers] used the same account credentials across multiple internet accounts," Schmidt says.

Numerous victims have contributed their stories to a long Reddit thread. Fraudsters have used the compromised TeamViewer credentials to remotely access computers and hunt for other credentials stored in web browsers for services such as PayPal, eBay and Amazon.

Fallout From Big Breaches

The TeamViewer situation falls in line with what many security experts have predicted in the wake of the release of more than 630 million credentials in May alone from years-ago hacks, including LinkedIn and MySpace (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

Even if login credentials are several years old, many people continue to use the same ones across several services. A compromise of one provider supplies hackers with a fresh batch of logins that can be tried again against many other services. Password managers can help solve the problem, but are generally only used by more tech-savvy users.

On June 1, a statement from TeamViewer put it bluntly: "Careless use of account credentials remains to be a key problem for all internet services."

'Something Is Going Wrong'

An alternative explanation for the uptick in account compromises is that computers running TeamViewer have been infected with malware. The company advises people to avoid downloading adware bundles, to only download TeamViewer through legitimate outlets and to run security software.

Schmidt says TeamViewer has conducted internal audits since the account takeovers spiked and has found no evidence that it has been breached. Account passwords are hashed and salted, he said.

But Troy Hunt, who runs the breach notification service Have I Been Pwned, says the company may need to move forward with a deeper forensic analysis.

"Something is definitely going wrong somewhere," Hunt says. "They really need an independent party in at this time to get to the bottom of it and explain what's going on."

The company's security improvements will make it easier for users to see if their account is being targeted. A feature called Trusted Devices will send an email if there is a login attempt from a new device. Users can then decide whether to grant authorization to access TeamViewer from the device, according to a June 3 statement.

TeamViewer's second improvement, Data Integrity, involves more vigilant monitoring of the location of login attempts. If unusual activity is detected, a TeamViewer account may be tagged for a mandatory password reset, with users receiving an email alert.

The features are being rolled out globally. TeamViewer says "users may experience minor inconveniences" due to the rollout. Schmidt said TeamViewer had planned to introduce the features later this year but opted to speed up the rollout, which means some functions may not work as expected.

Users who think they could be affected by these attacks should immediately change their passwords. Also, TeamViewer offers two-factor authentication, which requires users to enter a time-based one-time passcode to gain access. The company supports eight two-factor apps for Android, iOS, Windows Phone and BlackBerry.

TeamViewer also has blacklisting and whitelisting options, which can restrict what machines are allowed to perform a remote access session.

View of an Attack

Nick Bradley, a practice leader within the Threat Research Group at IBM, described a harrowing account of how he watched a TeamViewer intrusion unfold at his house the night of June 3.

"In the middle of my gaming session, I lose control of my mouse and TeamViewer window pops up in the bottom right corner of my screen," Bradley writes. "As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!"

He ran downstairs to another computer running TeamViewer, only to see the application's window pop up.

"Before I am able to kill it, the attacker opens a browser window and attempts to go to a new web page," he writes. "As soon as I reach the machine, I revoke control and close the app."

Many others haven't been so lucky. The Reddit thread chronicles many users who reported the attackers went on shopping sprees with PayPal funds and tried to buy gift cards on Amazon and eBay.

One Reddit poster attributed a TeamViewer hack that occurred on June 1 to the reuse of MySpace credentials, which were leaked last month in one of the largest data breaches of all time.

"Nabbed $260 from PayPal," the user wrote. "PayPal almost instantly refunded the money to my account. Now working to shore up the gaping hole in my security."

Schmidt says that anyone who suspects their account has been compromised should contact TeamViewer's support and submit log files. He also advised that they report the incident to police. The reason, he says, is that TeamViewer as well as other companies are subject to strict data privacy regulations and can't release certain information to the public.

"We need to get authorities involved," he says.

Analysis: Bank Sues Insurer for Fraud Coverage, Wins

Category: Security News

Fraud , Litigation

Experts Size Up the Impact of Appellate Court Decision on Other Cases
Tracy Kitten (FraudBlogger) • June 6, 2016

A federal appellate court ruling in favor of a Minnesota bank that sued its insurer for coverage of costs associated with a fraudulent wire transfer is significant. But it may not have a substantial impact on other bank cases, financial fraud experts say.

The U.S. Court of Appeals for the Eighth Circuit recently upheld a Minnesota district court's ruling that fraud losses suffered by the State Bank of Bellingham should be covered by the bank's insurance provider, BancInsure, an Oklahoma-based company that in November 2013 changed its name to Red Rock Insurance Co. The district court awarded State Bank $620,187, plus attorney's fees.

BancInsure appealed the ruling, arguing that Minnesota law governing insurance contracts does not apply to financial institution bonds. But the appellate court disagreed.

The lawsuit was filed in the aftermath of an October 2011 incident in which a computer the bank used to conduct wire transfers through the Federal Reserve's FedLine Advantage Plus system was infected with malware, according to court records. The computer was infected after one of the bank's five employees neglected to remove two physical tokens from the PC after conducting a legitimate wire transfer, court filings state.

"It's very significant and is right on the mark," says financial fraud expert Avivah Litan, a Gartner analyst. "Hackers can usually find a way into an enterprise, and insurers shouldn't insure if they aren't prepared to deal with that fact. ... So yes, this decision is a win, but not a big win, because I expect insurance companies to continue challenging this type of ruling in future cases."

Litan predicts insurance companies will increasingly include cyberattack coverage exclusions in their policies for banks. "It's a little ... like homeowners' insurance. There are so many exclusions that most occurrences of damage to a house, short of a catastrophic fire, are not covered. And if consumers do file claims, their rates go up while they get little insurance coverage in return."

Other fraud experts predict the Minnesota case won't have much of an impact on other legal disputes between banks and insurers because it focused primarily on one state's laws.

Court Rules Cyberheist Covered by Policy

In the Bellingham case, the tokens were left in the PC overnight, the court records show. When the employee returned the next day, she saw that two unauthorized wire transfers had successfully been sent to two different banks in Poland; the bank was only able to reverse one of the unauthorized wires after contacting the Fed. The other wire, totaling $485,000, could not be reversed, court records show.

"In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases," according to court records.

In 2010, State Bank purchased a financial institution bond from BancInsure. The bond, a type of insurance, provided coverage for losses, such as those caused by an employee's dishonesty and forgery, as well as computer-system fraud.

State Bank sued BancInsure when BancInsure denied the bank's claim, saying BancInsure breached its contract. The bank's coverage was not sold as cyber insurance.

BancInsure said it denied the bank's claim, according to court records, because the bank's fraud loss resulted from an employee's mistake, and not because of the theft of confidential information, mechanical breakdowns or the deterioration of computer systems.

But the district court agreed with the bank that the fraud loss should be covered by the bond, noting that "the computer system's fraud was the efficient and proximate cause of [Bellingham's] loss," and that the loss ultimately resulted because hackers broke in, not because an employee approved a fraudulent wire or maliciously scheduled one.

"Neither the employees' violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer's anti-virus software was the efficient and proximate cause of [Bellingham's] loss," the district court found.

The insurer appealed the decision, but the appellate court upheld the lower court's ruling. "We find that Minnesota courts would adhere to the general rule of treating financial institution bonds as insurance policies and interpreting those bonds in accordance with the principles of insurance law," the appellate court notes in its ruling. "We agree with the district court's conclusion that 'the efficient and proximate cause' of the loss in this situation was the illegal transfer of the money and not the employees' violations of policies and procedures."

Neither BancInsure nor State Bank replied to Information Security Media Group's request for comment.

Ruling's Impact Likely To Be Limited

Cybersecurity attorney Chris Pierson, CISO and general counsel at invoicing and payments provider Viewpost, questions whether the ruling will have much of an impact on other cases because of its focus on Minnesota law.

"Since this determination is based on the specific language of the policy and state law, it is not a broad brush to all insurance cases," he says. "The court's perspective that failing to remove a dual-factor and tokenized authentication medium is not 'a reasonably foreseeable event likely to cause the exploitation of an illegal money transfer' is hard to swallow. A lot more remains to be seen of this case."

Attorney Stan Orszula, a partner at the law firm Barack Ferrazzano Financial Institutions Group, notes that insurance companies closely watch case law and adjust their contracts after rulings like this one to ensure they don't have to cover big payouts for losses going forward.

"This type of incident could happen to anybody - an employee leaving a token behind or in a computer - so the insurance companies will adjust what they cover," he predicts.

But the court recognized that the fraud loss was tied to a malware infection, Orszula says. "This loss would not have happened were it not for the criminal. You obviously have to be diligent about your security; but there are limits, and no one can be expected to cover every attack."

Looking ahead, Orszula predicts insurers sued by banks in similar cases might ask courts to use the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool to help determine if a bank took reasonable security precautions to prevent fraud (see Gartner's Litan: FFIEC Assessment Tool Falls Short).

"Could that tool be used in litigation to prove whether a bank had reasonable security in place?" Orszula asks. "Could insurance companies use it to ask, 'How was your cybersecurity at the time of the attack? Did you assess your security properly? Did you take certain steps to mitigate risks?'"

The Backstory Behind the SWIFT-Related Thefts

Category: Security News

In this edition of the ISMG Security Report, Executive Editors Tracy Kitten of BankInfoSecurity and Mathew J. Schwartz of DataBreachToday provide the backstory behind the SWIFT-related theft of $81 million from the central bank of Bangladesh and subsequent incidents, as well as their impact on the regulation of financial institutions.

In this report, you'll also hear:

  • Bob Bigman, the longtime CISO at the Central Intelligence Agency who now serves as CEO of 2BSecure, discuss how enterprises can boost the "trustability" of their systems as technologies rapidly evolve;
  • Jeremy Kirk, ISMG managing editor for security and technology, explain why some cybersecurity experts believe Australia isn't spending enough on its cyberdefense; and
  • A report on how a drone sports what could be the world's most secure operating system.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Please check out our May 31 and June 1 reports, which respectively examine global breach notification and the cybersecurity framework. The next ISMG Security Report will be posted Friday, June 10.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.

Zbot: Cybercrime's New Super Infrastructure?

Category: Security News

Anti-Malware , Fraud , Risk Management

Research Report Says Botnet Located Mainly in Ukraine and Russia
Jeremy Kirk (jeremy_kirk) • June 9, 2016

Researchers have watched a botnet composed mostly of compromised computers in the Ukraine and Russia become a growing hive of criminal fraud activity, playing a role in everything from ransomware and click fraud to spam bots and supporting stolen payment card marketplaces.

The botnet, called Zbot, has also been engineered to be extra robust, which could make it very hard to shut down, according to a new report from cyber threat intelligence company RiskAnalytics, which describes how Zbot has become the back-end infrastructure of choice.

Noah Dunker, RiskAnalytics' director of security labs, started tracking Zbot in mid-2014. He says researchers have seen botnets linked to malware and exploit kits, but Zbot appears to be servicing a huge variety of crimeware.

"This has a smorgasbord of various services that are being [used] by the criminal underground," Dunker says.

Better, Stronger, Faster

Zbot uses many long-known techniques to make it robust, according to the new report. It employs fast flux, which allows a domain name to be pointed at a new IP address quickly. Fast flux has a legitimate purpose that helps with redundancy and load balancing, but cybercriminals use it to make their services harder to shut down. It's difficult to block malicious IP addresses when the addresses change every few minutes.

Fast flux has long been employed by botnet operators, but RiskAnalytics says Zbot also uses something called double flux: Infected endpoints also run DNS services for the fast flux network, which adds another layer of reliability.

The computers comprising the botnet are loaded with a range of tools: an Nginx web server, spam bots and more. Some of the tools are designed to spread malware, such as ransomware and credential stealers, while others are support tools that help maintain the botnet.

The crimeware domains that are hosted on Zbot change their IP addresses every two and a half minutes. "Over time, hundreds or thousands of IP addresses are used," RiskAnalytics' report says.

Those domains include no less than seven carding websites, where stolen payment card data is sold, and even two scammy websites selling underpriced agricultural and industrial equipment, the new report notes.

Nearly 84 percent of the compromised computers that are part of the fast flux infrastructure are in the Ukraine, with 12 percent in Russia, 3 percent in Romania and the rest scattered around the world, the researchers say.

Surprising Amount of Crimeware

Wayne Crowder, director of threat intelligence for RiskAnalytics, says researchers were surprised at the amount of crimeware that Zbot supports. The research shows that malware campaigns thought to be separate actually linked back to Zbot.

"If you're a criminal and want to make sure that your stuff is going to stay up, you're going to buy the best infrastructure to hide your activity," Crowder says.

It's not clear how other cybercriminals get linked up with Zbot. Crowder says there isn't a lot of discussion on underground forums for how to rent time on Zbot.

The problem for security companies is figuring out how to quickly block domains and IPs that are part of the botnet. RiskAnalytics says it has developed a way to quickly find out about new bad IPs, which it distributes as a feed to its customers.

Fast flux has its advantages as far as redundancy, but it's also very noisy, Dunker says. RiskAnalytics monitors how the botnet's fast flux infrastructure rearranges the services it is hosting by watching the ever-changing DNS activity, or passive DNS observation.

"As soon as an IP address is seen resolving to one of the host names that we flagged for fast flux, it becomes part of the [block] list," Dunker says.
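As an added illustration (not RiskAnalytics' code), the following Python sketch applies the passive-DNS approach described above: it flags a hostname as fast flux when its A answers churn across many addresses and /24s with short TTLs, marks double flux where the name's own name servers flux too, and puts every address seen answering for a flagged name on a block list. The thresholds, hostnames and observation log are constructed assumptions, and the addresses come from documentation ranges rather than real indicators.

```python
"""Flag fast-flux hostnames from passive DNS and derive a block list."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
import ipaddress


@dataclass(frozen=True)
class PdnsRecord:
    ts: int       # observation time, epoch seconds
    name: str     # queried name
    rtype: str    # "A" (address) or "NS" (delegated name server)
    rdata: str    # IPv4 address for A, name-server name for NS
    ttl: int

# Thresholds are assumptions to tune against real telemetry: a fluxing name shows
# many distinct answers spread over several /24s, all with short TTLs, in one hour.
WINDOW, MIN_IPS, MIN_NETS, MAX_TTL = 3600, 6, 3, 300


def flag_fast_flux(records, now):
    """Return {name: set_of_ips} for names whose A answers churn like fast flux."""
    answers, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r.rtype == "A" and 0 <= now - r.ts <= WINDOW:
            answers[r.name].add(r.rdata)
            ttls[r.name].append(r.ttl)
    flagged = {}
    for name, ips in answers.items():
        spread = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        if (len(ips) >= MIN_IPS and len(spread) >= MIN_NETS
                and median(ttls[name]) <= MAX_TTL):
            flagged[name] = ips
    return flagged


def double_flux_names(records, flagged):
    """Flagged names whose own name servers are also fluxing (double flux)."""
    ns_of = defaultdict(set)
    for r in records:
        if r.rtype == "NS":
            ns_of[r.name].add(r.rdata.rstrip("."))
    return {n for n in flagged if ns_of[n] & set(flagged)}


def build_blocklist(flagged):
    """Every address seen answering for a flagged name goes on the block list."""
    return set().union(*flagged.values()) if flagged else set()


def constructed_sample(now):
    """Constructed passive-DNS log; documentation-range addresses, not real IoCs."""
    pools = ["192.0.2", "198.51.100", "203.0.113"]
    recs = []
    for i in range(8):  # the answer rotates every 150 s, as the report describes
        t = now - 150 * i
        recs.append(PdnsRecord(t, "shop.flux-example.test", "A",
                               f"{pools[i % 3]}.{10 + i}", 150))
        recs.append(PdnsRecord(t, "ns1.flux-example.test", "A",
                               f"{pools[(i + 1) % 3]}.{50 + i}", 150))
    recs.append(PdnsRecord(now - 600, "shop.flux-example.test", "NS",
                           "ns1.flux-example.test.", 86400))
    for i in range(2):  # a stable host with long TTLs must not be flagged
        recs.append(PdnsRecord(now - 1000 * i, "cdn.benign.test", "A",
                               f"192.0.2.{200 + i}", 3600))
    # Stale sighting outside the window: ignored so old addresses age off the list.
    recs.append(PdnsRecord(now - 90000, "shop.flux-example.test", "A",
                           "203.0.113.99", 150))
    return recs


if __name__ == "__main__":
    now, recs = 1_700_000_000, constructed_sample(1_700_000_000)
    hits = flag_fast_flux(recs, now)
    print("fast flux:", sorted(hits), "double flux:", double_flux_names(recs, hits))
    print("block list:", sorted(build_blocklist(hits), key=ipaddress.ip_address))
```

Feeding real passive-DNS records into the same functions on a schedule gives the rolling feed the article describes; the window also lets addresses drop off once they stop answering for flagged names.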
