This post was authored by Alex Chiu & Angel Villegas.
Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications. In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers. While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data. As a result, banking malware has become a prevalent category of malware that poses a major threat to users and organizations of all sizes. One of the more well known examples of banking malware is Zeus.
Table of Contents
Domain Generation Algorithm
Banking malware typically operates by redirecting users to malicious phishing sites where victim’s input their banking credentials thinking they are logging into their bank’s website. Banking malware can also operate more stealthily by hooking into a browser’s functionality, capturing the victim’s credentials as they are typed in, and exfiltrating them. Once an attacker has a victim’s banking credentials, attackers can then sell it or use it to perform illicit transactions (such as transferring funds to another account on behalf of the victim). Read More »
Tags: banking trojan, dga, dyre, malware, Talos, Threat Research
Today, we released the first ever Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year). In direct response to your feedback, we have also included a Cisco Security Advisory addressing vulnerabilities in Cisco IOS XE Software in this publication. We hope this timeline and additional “bundling” continues to allow your organization to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
Read More »
Tags: Cisco IOS software, psirt, security, security advisories, vulnerabilities
Authors: William Largent, Jaeson Schultz, Craig Williams. Special thanks to Richard Harman for his contributions to this post.
As consumers, we are constantly bombarded by advertising, especially on the World Wide Web. There is a lot of money to be made either pushing Internet traffic, or displaying ads to consumers. Total annual Internet advertising revenue from 2013 was over US $117bn, and will approach US $200bn by the year 2018. The online advertising industry field is already awash with many players, each clamoring for a piece of the Internet advertising pie. In fact, so many ad impressions are bought and sold daily, that it’s nearly impossible to keep track of who is buying and selling what.
On one side of the online advertising spectrum are publishers. These are domains that receive Internet traffic and make money by displaying advertisements. On the other side of the spectrum we find advertisers who wish to sell products. And in the middle are ad-networks/ad-exchanges: marketplaces where publishers and advertisers can come together to wheel-and-deal on ad impressions. The astonishingly large number of online advertising industry middlemen between buyers and sellers creates terrific opportunities for bad actors to hide. The result is malware delivered through the online advertising ecosystem, A.K.A. “malvertising”.
How “bad guys” view the online ad industry.
How do malicious ads actually make it to end users? In our attempt to answer that question, Talos has uncovered a piece of Internet malvertising infrastructure that is both highly robust, and highly anonymized. It has been an Internet fixture for almost a sesquidecade, with redirection domains operating since early 2001. This infrastructure was designed specifically to focus Internet traffic towards advertising endpoints, unfortunately with little regard paid to legitimacy of the final destination.
Read More »
Tags: malvertising, Talos, typosquat
This post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, and Alain Zidouemba
Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.
When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.
There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:
At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.
Read More »
This blog post was authored by Earl Carter & Yves Younan.
Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Yves Younan of Talos will be presenting at CanSecWest on Friday March 20th. The topic of his talk will be FreeSentry, a software-based mitigation technique developed by Talos to protect against exploitation of use-after-free vulnerabilities. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows.
Read More »
Tags: Talos, Threat Research