Thought leadership. Threat analysis. Cybersecurity news and alerts.
6 Top Things to Do in Preparation for the GDPR Implementation
May 25, 2018 – is the full implementation of the General Data Protection Regulation (GDPR).
The GDPR is a European Union (EU) law that sets out the obligations of organizations in order to protect the personal data of EU residents. The law also sets out harsh penalties in case of failure to comply.
Even if your organization isn’t based in any of the EU states, the implementation of the GPDR will still impact your organization as this law has extra-territorial scope.
This means that even if your organization is based, for instance, in Canada, this European law still applies if your organization processes personal data of EU residents. For example, if your organization offers goods or services (regardless of whether payment is made) or monitors the behavior of EU residents, your organization is covered under GDPR. And even if your organization is a small one, that is, it only employs fewer than 250 people, it’s still covered under GDPR.
The personal data referred to by the law refers to any information that can be used to identify a person either directly or indirectly, including name, email address, photo, medical information, bank details, posts on social networking websites and computer IP address.
Here are the 6 top things to do in order to prepare your organization for the upcoming implementation of GDPR:
1. Make Consent Process User-Friendly
In GDPR, your organization will no longer be allowed to use long and legalese terms and conditions to request for personal data consent.
Under the EU law, request for consent must be presented in layman’s terms and the purpose of the data processing must also be presented in clear and plain language. There must also be an easy way for customers to withdraw their consent. In the case of minors, parental consent must be given.
2. Delete Data that No Longer Serves Original Purpose
Under the GDPR, the right to erasure, also known as the right to be forgotten, is enshrined. Article 17 of the EU law provides that data should be deleted when the data no longer serves the original purpose of processing and when the data subject withdraws his or her consent. The law, however, provides that the right to be forgotten must be weighed against "the public interest in the availability of the data".
3. Implement Data Protection as Precautionary Measure, Not as an Afterthought
The GDPR calls for “privacy by design” – a concept now made into law that requires organizations to make data protection as part of the preventive measure, instead as an afterthought or reactionary measures.
The law specifically requires organizations processing personal data to implement appropriate technical and organizational measures in order to protect personal data that it processes.
Organizations, under the law, are required to hold and process only the personal data that’s necessary for the completion of its functions. The law also requires organizations to limit the access to personal data only to those who are necessary for carrying out the data processing task.
4. Be Transparent to Affected Individuals
Part of the expanded rights of EU residents under the GDPR is the right to obtain confirmation from organizations as to whether or not their data is being processed, for what purpose and where. Organizations are also required under the law to provide free digital copy of the personal data being processed to the affected individuals.
5. Determine if Your Organization Needs to Appoint a Data Protection Officer (DPO)
Appointment of a Data Protection Officer (DPO) is mandatory under GDPR only if your organization engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. If your organization doesn’t engage in any of these functions, then there’s no need to appoint a DPO.
6. Be Transparent About Data Breach
Under GDPR, there will be no more concealing of data breaches. Notification is mandatory under this law in case where the data breach is likely to “result in a risk for the rights and freedoms of individuals”. This law requires that data breach notification to the concerned agency must be done within 72 hours after first having become aware of the breach. Notification to affected customers, meanwhile, has to be done “without undue delay” after first becoming aware of a data breach.
Penalties for Non-Compliance
Several factors are taken into consideration in calculating the fine under GDPR. These factors include:
The maximum fine that can be imposed for a breach of this law is 4% of the annual global turnover or €20 Million, whichever is higher. The maximum fine is imposed for the non-compliance of key provisions of GDPR such as violating the core of Privacy by Design concepts and failure to get sufficient customer consent to process data.
The penalty of 2% of the annual global turnover or €10 million, whichever is higher, meanwhile, can be imposed in case of non-compliance of technical measures such as failure to report data breach and failure to give affected individuals access to personal data being processed.
"Rapid technological developments and globalisation have brought new challenges for the protection of personal data,” the law states. “The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
Trying to make sense of GDPR compliance requirement? We can help you using a proven approach. Call us today to book a consultation.
Beware of DDoS-for-Hire
Beware of DDoS-for-Hire
Distributed-denial-of-service (DDoS) attacks have become a public menace.
DDoS was once a tool used by hactivists to further their social or political ends. In recent years, DDoS has become a toll for purely financial gain and for utter destruction. DDoS-for-hire services, also known as stressers or booters, have grown in recent years.
One DDoS-for-hire organization offers its DDoS service for a monthly fee of $7. A simple online search using the keyword “stressers” or “booters” will yield a number of organizations offering DDoS services for a fee. One DDoS mobile app even showed up on Google Play but this one was immediately pulled out.
Many of these DDoS-for-hire services openly advertise their services on the guise of offering a legitimate DDoS service. The reality is that it’s not illegal to conduct a DDoS attack or stress test on a website, for instance, to test the capacity of the site to receive high volume of traffic or to test how to deflect unwanted volume of traffic. The question of legitimacy comes on whether or not the owner of the website authorizes the stress test.
According to the FBI, the hiring of stresser or booter service to carry out a DDoS attack to take down a website is punishable under the US law called “Computer Fraud and Abuse Act” and this may result in any one or a combination of the following: seizure of computers and other electronic devices, arrest and criminal prosecution, significant prison sentence, penalty or fine.
“Booter and stresser services are a form of DDoS-for-hire – advertised in forum communications and available on Dark Web marketplaces – offering malicious actors the ability to anonymously attack any Internet-connected target,” the FBI said. “These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency.”
What Can a DDoS-for-Hire Service Actually Do?
To understand what a DDoS-for-hire service can actually do, let’s take a look at the Gammel case and the Dyn case.
The Gammel case is the first Minnesota case to address the DDoS-for-hire cybercrime. In April of this year, in a criminal complaint filed before the US District Court of Minnesota, the Federal Bureau of Investigation (FBI) alleged that Gammel, a former employee of Washburn Computer Group – a Minnesota-based company – paid several DDoS-for-hire services to bring down 3 websites of Washburn in a more than one-year-long DDoS campaign.
According to the FBI, the first 2 websites of Washburn were knocked down several times as a result of the DDoS attacks paid by Gammel. The FBI also alleged that the 3rd website – the one that replaced the 2 other sites of Washburn – was knocked down several times as well a result of the DDoS orchestrated by Gammel. Washburn claimed that the DDoS attacks resulted in a minimum of $15,000 in loss.
In the criminal complaint, the FBI defined DDoS attack as "an attempt to make a machine or network resource unavailable to its intended users, such as by temporarily or indefinitely interrupting or suspending services of a host connected to the Internet, usually by shutting down a website or websites connected to target of the DDoS attack.”
The DDoS attacks against Dyn – a domain name service (DNS) provider to which many websites rely on – was considered as one of the largest. Because of the DDoS attacks against Dyn, 80 widely used websites like Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were rendered temporarily inaccessible to the public.
“The [Dyn] attack used a booter service and was attributed to infected Internet of Things (IoT) devices like routers, digital video recorders, and Webcams/security cameras to execute the DDoS attack,” the FBI said.
According to the FBI source, the DNS provider lost approximately 8% of its customers following the DDoS attacks.
How a DDoS Attack Works?
In the Dyn case, the company itself confirmed that the Mirai botnet was the primary source of DDoS attacks although it won't comment about the motivation or the identity of the attackers.
According to Dyn, on October 21, 2016, it observed a high volume of traffic on 2 occasions in its Managed DNS platform in the Asia Pacific, South America, Eastern Europe and US-West regions. The company said that the 2 major DDoS attacks on its Managed DNS platform involved 100,000 compromised IoT devices originating from different parts of the globe that were infected by the Mirai botnet.
The Mirai botnet works by infecting IoT devices with weak security – those that use default usernames and passwords – and turned them into bots or robots that can be ordered around, in this case, to conduct DDoS attacks.
The effects of malicious and unauthorized DDoS attacks are immediate. They render targeted websites inaccessible or slow. As experienced by Washburn and Dyn, DDoS attacks proved to be costly and can cause businesses to lose customers.
Availability of DDoS Tools
The danger of DDoS attacks is the tools for this cybermenace aren’t just available from the DDoS-for-hire services themselves but from public sources. For instance, one can conduct a DDoS attack on his or her own using the Mirai botnet as the source code of this was made available in September of this year to the public by someone who calls himself or herself “Anna-senpai”.
DDoS tools are also evolving. Just days after the online publication of the Mirai source code, a new DDoS tool called “Reaper” emerged. This DDoS tool hasn’t attacked yet as it’s still in the process of infecting vulnerable IoT devices. The stark difference between the 2 DDoS tools is that while the Mirai infected 100,000 IoT devices, the Reaper has infected over half a million IoT devices. This means that this new botnet is much more powerful.
While it’s cheap to hire malicious cyberactors to conduct DDoS attacks, it’s equally affordable to hire professionals to prevent DDoS attacks. Contact us today if your company is currently burdened by this cybermenace or if your organization simply wants to be proactive in stopping DDoS attacks.
How to Prevent Account Takeover or Hijacking
A new study conducted by Google and University of California (UC) delved into the question which among these three cyberattacks – phishing, keylogging and third-party data breach – most likely results in account takeover or hijacking.
From March 2016 to March 2017, researchers at Google and UC examined 12.4 million potential victims of phishing kits, 788,000 potential victims of keyloggers and 1.9 billion usernames and passwords exposed via third-party data breaches traded on the black market.
The Google and UC study found that victims of phishing kits are more likely to have their account taken over by cybercriminals as these kits harvest the same information that Google uses in verifying every time a user logs into his or her email account. Details that are harvested by phishing kits include the victim's secret questions, geolocation, phone numbers and device identifiers.
The study found that accounts of victims of phishing are 400 times more likely to be successfully hijacked compared to a random Google user. The likelihood of account takeover is far lesser for keylogger victims (40 times likely to be hijacked) and third-party data breach victims (10 times). Researchers found 25,000 blackhat tools used for phishing and keylogging.
“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials,” the researchers wrote in their paper “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials”. “Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”
Once an account is taken over, the attacker can download all of the victim’s private data; remotely wipe the victim’s data and backups; impersonate the victim; reset the victim’s passwords and use this hijacked account as a stepping stone to access the victim’s other online accounts.
Third-Party Data Breach
Most of the 1.9 billion usernames and passwords exposed via third-party data breaches in the Google and UC study came from MySpace, Badoo, Adobe, LinkedIn, VK, Tumblr and Dropbox. The study revealed that the passwords listed below are the most commonly used passwords by victims of phishing, keylogging and third-party data breach:
These data leaks which date back to 2012–2014 appeared in public
blackhat forums, paste sites and sites like leakedsources.com, leakbase.pw and breachalarm.com – sites that charge those who would like to find out if their accounts are compromised. Victims of third-party data breach were mostly from the US (39%), India (8%) and Brazil (2.6%).
The importance of an account, in particular, an email address and its login details can’t be undermined. “As the digital footprint of Internet users expands to encompass social networks, financial records, and data stored in the cloud, often a single account underpins the security of this entire identity – an email address,” the researchers said.
The phishing kit referred to in the Google and UC study refers to prepackaged fake login page for a popular site like Gmail, Yahoo and online banking. Phishing kits are often uploaded to compromised websites and automatically harvest credentials of victims. Researchers found that phishing kit variants were uploaded to fake login pages of Yahoo, Hotmail, Gmail, Workspace Webmail, Dropbox, Google Drive, Docusign, ZoomInfo, Office 365 and AOL.
The study showed that the most popular phishing kit that utilized fake login pages for popular email providers – Yahoo, Hotmail, AOL and Gmail – generated 1,448,890 stolen credentials. Based on the last sign-in to email accounts receiving stolen credentials, the top 3 phishing kit users are those from Nigeria (41%), United States (11%) and Morocco (7.6%). Victims of phishing were mostly from the US (50%), South Africa (4%) and Canada (3%).
Google in a blog post said, “By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”
Of the three forms of cyberattacks – phishing, keylogging and third-party data reach, phishing is the most destructive as this doesn’t only yield a password, but other sensitive data that Google itself may ask when verifying an account of a holder such as IP address, location, phone numbers and device model.
Keylogger is a malicious software that tracks and records every keystroke entry you make on your computer and often without your knowledge or permission. Attackers use keyloggers to capture sensitive data like financial information or passwords, which are then sent to third parties for criminal use. Keyloggers can steal your on-device passwords, harvest clipboard content, screenshot your online activities and monitor your keystrokes.
Based on the study, the top 10 keylogger families are the following: HawkEye, Cyborg Logger, Predator Pain, Limitless Stealer, iSpy Keylogger, Olympic Vision, Unknown Logger, Saint Andrew’s, Infinity Logger and Redpill Spy. HawkEye, in particular, sent over 400,000 snooping reports to 470 emails believed to be managed by attackers.
The top keylogger users based on the last sign-in to email accounts receiving stolen credentials came from Nigeria (11%), Brazil (7.8%) and Senegal (7.3%). Victims of keyloggers were mostly from Brazil (18%), India (10%) and US (8%).
Here are some of the ways to stop account takeover or hijacking:
Attackers have already known our “1234567” and “password” passwords. It’s time to use less obvious passwords. Cybersecurity, however, needs to move beyond strong passwords.
To ward off attackers, many online businesses today safeguard their accounts through two-factor authentication. Two-factor authentication is when you use something you know, for example a password, and also something you have, for example a smartphone, whereby after entering your password, you either received an SMS with an additional code, or will use an app to get the code to finalize the logon process. In addition, some online software providers and social networks already force a multi-step authentication. For instance, when Google detects that you logged in into your account from a different device or different location, it will ask additional information only you would know, before granting access.
As shown by the destructive nature of phishing, even a two-way factor authentication isn’t enough to ward off attackers as they can harvest sensitive information that Google itself may require when verifying an account.
Contact us today to learn more about how to protect your enterprise accounts from takeover or hijacking.
New Marcher Malware Victimized Android Users in a 3-in-1 Scheme
Attackers today are taking their time to get what they want. Researchers at Proofpoint revealed that threat actors or actor since the early part of this year has been siphoning bank details of victims in a prolong attack dubbed by some as “triple threat”.
According to Proofpoint, the threat actor since January of this year has been targeting customers of Bank Austria, Raiffeisen Meine Bank and Sparkasse Bank by employing three hacking tactics. The description below shows how personal and bank details of nearly 20,000 bank customers in Austria were stolen by the threat actor using these three hacking tactics: malicious emails, malicious websites and malicious software.
Step 1: Malicious Email
The threat actor’s point of entry in attacking the victim is through a malicious email. When this email is opened by the victim using an Android phone, the victim is exposed to a malicious link. The email link is a bit.ly shortened link, aimed at evading detection.
Step 2: Malicious Site
Once the malicious link is clicked, the victim is redirected to a phishing site – a fake site that copies the layout and content of a landing page of a bank – that asks for an account number and PIN. The image below is an example of the phishing site that copies branding from Bank Austria.
The URL addresses of the phishing sites have "bankaustria" words on it, fooling victims into thinking that they're inside the real Bank of Austria website. Here are some of the malicious URL addresses:
Once the victim enters his or her banking account information on the fake landing page, he or she is then directed to a page that asks email address and phone number. Below is a sample of the page that asks for the email address and phone number.
Step 3: Marcher Malware Infection
Once the attacker siphoned the banking and personal information of the victim, the victim is then asked to download a fake mobile app of a targeted bank. The message below is shown to the victim.
Proofpoint provides the following translation for the message above.
***Start of Translation***
The system has detected that the Bank Austria Security App is not installed on your smartphone. Due to new EU money laundering guidelines, the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system.
Please install the app immediately to avoid blocking your account.
Follow the instructions at the bottom of this page.
Why you need the Bank Austria Security App:
Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted.
Our security app allows us to transmit this sensitive data encrypted to you, thus increasing the security that you will not suffer any financial loss.
Step 1: Download Bank Austria Security App
Download the Bank Austria security app to your Android device. To do this, open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code.
After this message, the victim is then shown additional instructions in installing the bank's fake mobile app. Below is the screencap of the additional instruction and corresponding translation by Proofpoint.
***Start of Translation***
Step 2: Allow installation
Open your device's settings, select Security or Applications (depending on the device), and check Unknown sources.
Step 3: Run installation
Start the Bank Austria security app from the notifications or your download folder, tap Install.
After successful installation, tap Open and enable the device administrator. Finished!
Once the fake app is installed on the victim's Android phone, the bank's icon can be seen on the home screen of the victim's phone. When the app is used for the first time, the victim is asked to provide his or her credit card number and other personally identifiable information, such as date of birth, address, phone number, password, purportedly for authentication.
From the malicious email to the malicious sites, fake bank app, the real bank’s branding is copied, causing the victims to throw away their caution. Victims believed that they’ve downloaded the real mobile app of their bank. They instead downloaded the new version of the malicious software (malware) called “Android.Fakebank.B”, also known as Marcher.
Marcher malware is an Android-specific malicious software. It was first observed in the wild in October 2013. An older version of Marcher malware came with a call-barring functionality. This functionality was aimed at stopping customers of South Korean and Russian banks from canceling their payment cards that the Marcher malware itself stole. Once installed, this particular version of Marcher malware registers a BroadcastReceiver component that’s triggered every time the victim tries to make an outgoing call. The malware automatically cancels the call once it determines that the victim is calling any of the customer service call centers of the target banks.
Another version of the Marcher malware came with a text message spoofing functionality. Once installed into the victim’s Android phone, this specific Marcher malware spoofs a text message from the targeted bank asking the user to verify a fraudulent transaction. This tricks the victim into logging into a fake mobile app of a bank.
How to Prevent Marcher Malware Attacks
“As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites,” researchers at Proofpoint said. “Unusual domains, the use of URL shorteners, and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware.
Here are some additional tips to further protect your Android phone from Marcher malware:
Hackers Use Google Search Results to Spread Malware
Cybercriminals are continually finding new ways to distribute their malicious software. This time, they took advantage of Google search results in spreading their malware.
Researchers at Cisco discovered that Google search results are being used by cybercriminals for spreading their malware. Cybercriminals took advantage of the links provided by Google search results in spreading the new version of the banking malware dubbed as “Zeus Panda”, also known as “Panda Banker”.
Google search is the digital world’s go-to place whenever we want to know something. Google answers our questions by providing links that it believes (based on its algorithm or criteria) are the best responses to our queries.
Billions of people around the world are using Google search. According to StatCounter, a Dublin-based web tracking service, as of October 2017, Google received the bulk of the search engine market share worldwide (91.47%), followed by Bing (2.75%), Yahoo (2.25%) and Baidu (1.8%).
Zeus Panda, the malware distributed by the threat actors via malicious links on Google search, is a malware that borrows some of the code of another malware called “Zeus” – a malware that first appeared in 2007. Cybercriminals have since earned hundreds of millions of dollars using the Zeus malware by stealing banking credentials and generating fraudulent banking transactions.
How Zeus Panda Spreads via Google Search ResultsIn order that these malicious links show up on the first page of Google search results, threat actors used the process called “SEO”, short for search engine optimization. Google, for its part, allows legitimate SEO – referred to as "whitehat" SEO. One of the legitimate SEO techniques used by the threat actors is the use of targeted banking related keywords to zero in their target victims.
“By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc.,” Cisco researchers said.
Threat actors, for instance, used the banking related keywords "al rajhi bank working hours during ramadan". The screencap below from Cisco researchers shows one of the top links in the Google search results for the above-mentioned keywords.
Below are the other keywords used by the threat actors:
"nordea sweden bank account number"
"how many digits in karur vysya bank account number"
"how to cancel a cheque commonwealth bank"
"salary slip format in excel with formula free download"
"bank of baroda account balance check"
"bank guarantee format mt760"
"sbi bank recurring deposit form"
"axis bank mobile banking download link"
As can be gleaned from the above-mentioned keywords, certain geographic regions appear to be directly targeted, with many of these keywords targeting users trying to search about financial institutions in India as well as the Middle East. The treat actors compromised business websites that have received high number of reviews and high ratings to appear legitimate to victims. Once a victim clicks on this compromised link, a multi-stage malware infection process is then initiated.
As shown below, the victim is redirected to a compromised site that shows a fake alert from Windows Defender that the Zeus virus is detected.
Once the victim clicks the “OK” button, the victim is once again redirected to another compromised site which hosts a malicious Word document as shown below.
Clicking on the "Enable Editing" and click "Enable Content" will initiate the downloading of the new version of Zeus Panda malware into the victim's computer.
This new version of Zeus Panda shares many characteristics of its predecessor Zeus Panda. Both borrowed the code of Zeus malware – the creator of which released the source code to the public in 2011. Both are designed to steal banking and other sensitive credentials and conduct fraudulent banking transactions.
Zeus Panda malware was first discovered by the researcher only known as “Fox IT” in February 2016. As reported by Proofpoint, this early version of Zeus Panda stole banking credentials of customers from European and Australian banks, UK online casinos and international online payment systems.
Unlike the new version of the malware which uses Google search results to spread the malware, the older version of Zeus Panda was spread using malicious email attachments, malicious email links and web injects.
In August 2016, Proofpoint found that millions of emails were sent to organizations involved in manufacturing, retail, insurance and related sector. The email messages masquerading as coming from legitimate banks contained malicious links leading to Microsoft Word documents. These documents contain macros which, if enabled, download Zeus Panda malware.
In October of this year, IBM reported that customers in North America were targeted by the Zeus Panda malware. For this October 2017 campaign, IBM said, the threat actors distributed the malware via malicious emails purporting to come from courier services like UPS. These fake emails, according to IBM, contain embedded links that lead the recipient to a site infected by Zeus Panda malware.
According to Proofpoint, the early version of Zeus Panda was also spread using web injects – a process by which cybercriminals intercept online banking traffic and modify banking sites on infected computers in order to carry out man-in-the-browser (MITB) attacks. In carrying out MITB attacks, threat actors infect a web browser to modify web pages of banks, online casinos and international online payment systems and modify the transaction content.
How to Prevent Zeus Panda Attacks
In order to prevent being a victim of the Zeus Panda malware, it’s important to think twice before clicking anything online and opening an email attachment. As shown by the new version of Zeus Panda, it’s important to remain discerning and vigilant in the results of a Google search.
Cisco researchers who discovered the new version of Zeus Panda said, “Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape.”
Ramnit Malware Makes a Comeback via Google Play
Ramnit, the once notorious malware that infected 3.2 million computers around the world, has resurfaced via infected apps on Google Play.
Symantec researchers found 92 distinct apps on Google Play with a total of 250,000 downloads laden with Ramnit malware. Some of the Ramnit-infected apps that turned up on Google Play were educational and tutorial apps.
Symantec informed Google of the presence of these infected apps and the company has removed them from the app store. This isn’t the first time that Ramnit-infected apps have turned up on Google Play. In March of this year, more than 100 Ramnit-infected apps were similarly removed from Google Play.
Ramnit first appeared in the wild in 2010. In February 2015, a law enforcement operation led by the European Union Agency for Law Enforcement Cooperation (Europol) crippled the operation of the cybercrime group behind Ramnit by shutting down the command and control servers, as well as shutting down and 300 internet domain addresses used by the group. At the time, the group already infected 3.2 million computers in total and defrauding undetermined large number of victims.
The law enforcement operation against the group behind Ramnit was participated by investigators from Germany, Italy, the Netherlands and the UK. Representatives from the private industry like Symantec and Microsoft were also involved in the law enforcement operation.
Ramnit is a multi-feature cybercrime tool. It compromised a victim in the following manner:
This malware monitors web browsing activities and detects when certain websites like online banking sites are visited. Ramnit can inject itself into the web browser and alter the website of the bank to make it appear that the bank is asking the user additional information like credit card details.
This malware can hijack online banking sessions. Ramnit attackers achieve this by stealing session cookies from web browsers and by using the stolen cookies to impersonate victims to authenticate themselves on websites.
This malware scans computer’s hard drive. It’s configured in such a way to search for specific folders that are considered likely to contain sensitive information like passwords.
This malware can gain remote access – upload, download, or delete files and execute commands – on the victim’s computer in two ways: by connecting to an anonymous FTP server and by Virtual network computing (VNC) module.
Ramnit is a persistent cyber threat. The malware’s creators made sure that once a computer is infected it’ll be difficult to remove the malware from the compromised computer.
Once the malware is installed on the compromised computer, it copies itself to the computer’s memory, hard drive and removable drive. The malware’s version that’s copied to the computer’s memory checks the hard disk-based copy of the malware. If the memory-based copy of the malware detects that the hard disk-based copy has been quarantined or removed, it’ll create another malware copy for the hard disk to sustain the infection.
Microsoft describes Ramnit malware this way: "This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running."
How Ramnit Spreads
While the latest method of propagation of Ramnit is via Android apps, this doesn’t, however, mean that this malware works with Android devices. Since its appearance in 2010, this malware has always been a threat to computers using Windows as an operating system.
Ramnit won’t run on your Android device even if you’ve the misfortune of downloading a Ramnit-infected app on Google Play. In order for the Windows infection to happen, an Android device loaded with a Ramnit-infected app has to be connected to a Windows computer. Once the malware compromised a Windows computer, it searches for all exe, .dll, .htm, and .html files on any removable drives like USB drive and the local hard disk and infects them by making copies of itself.
“The HTML file infection process uses two tactics: injecting VBScript code into an HTML page that drops and executes the worm, and also injecting a hidden iframe into HTML files that downloads a remote file if the page is opened in a browser,” Symantec said.
Ramnit malware is one of the reasons why it’s unsafe to use or borrow removable drive or USB flash drive of another. You never know, this USB drive may be laden with the Ramnit malware.
In addition to propagating the malware through infected apps and through infected removable drives, Ramnit attackers also spread the malware through malicious emails and exploit kits served through malicious advertisements on social media pages and websites. Public FTP servers are also used by Ramnit attackers to distribute the malware. The Europol considers Ramnit as a botnet.
“This botnet – a term used to describe a network of infected computers - was used by the criminals running it to gain remote access and control of the infected computers, enabling them to steal personal and banking information, namely passwords, and disable antivirus protection,” Europol said. “This malware, infecting users running Windows operating systems, explored different infection vectors such as links contained in spam emails or by visiting infected websites.”
"Despite the setback many years ago, Ramnit’s operators have not completely gone away and there also seem to be many latent infections worldwide,” Symantec said. “We know that Google has a system in place for vetting uploaded apps, but we don’t have visibility into the processes for vetting submitted apps, so we can’t say for sure why these infected apps are getting through the vetting process.”
How to Prevent Ramnit Attacks
According to Microsoft, Windows Defender Antivirus detects and removes Ramnit malware.
Here are additional tips for preventing Ramnit attacks:
Steve E. Driz, I.S.P., ITCP