FBI reveals BEC attacks pilfered $2.3bn from US companies

Discussion in 'other security issues & news' started by Minimalist, Apr 9, 2016.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,978
    Location:
    The Netherlands
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
    Employee gets email requesting transaction of money to another account. Email seems to come from their boss (email address similar to their boss'). So they transfer the money thinking it is a legit payment (let's say paying an invoice from their supplier). Please explain to me how HIPS / anti-loggers can help here.
     
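    The scenario above (a message whose sender address merely resembles the boss's real address) is something a mail gateway or a simple pre-filter can flag before the employee ever reads it. The script below is an added example, not code from the forum thread or from any product mentioned in it; it assumes a constructed company domain (`example.com`), a constructed directory of known staff (`KNOWN_STAFF`), and a hand-picked table of character substitutions, all of which are illustrative placeholders. It checks three things: whether the sender's domain is a look-alike of the company domain (homoglyphs or a small edit distance), whether a known display name arrives from an unexpected address, and whether Reply-To silently redirects the conversation elsewhere.

```python
"""Flag look-alike sender addresses of the kind described in the post.

Added example for illustration; not part of the original thread.
COMPANY_DOMAIN, KNOWN_STAFF and the substitution table are constructed.
"""
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # constructed: the organisation's own domain
KNOWN_STAFF = {                          # constructed: display name -> genuine address
    "jane doe": "jane.doe@example.com",
}
# Substitutions a hurried reader tends not to notice (constructed subset).
# Folding "rn" to "m" etc. may also alter legitimate names; that only makes
# the comparison more conservative (more candidates reach the distance check).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("|", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Reduce a domain to what it *looks* like: strip accents/combining marks
    (IDN homoglyphs such as 'exämple') and fold common ASCII substitutions."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for bad, good in SUBSTITUTIONS:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(headers: dict) -> list:
    """Return a list of human-readable findings for the From/Reply-To headers.
    An empty list means nothing about the sender looked suspicious."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    _, _, domain = addr.rpartition("@")

    if domain == COMPANY_DOMAIN:
        pass  # exact-domain spoofing is for SPF/DKIM/DMARC to catch, not this check
    elif domain.startswith(COMPANY_DOMAIN + "."):
        findings.append(f"company domain used as a subdomain of {domain!r}")
    elif normalize(domain) == COMPANY_DOMAIN:
        findings.append(f"domain {domain!r} is a confusable of {COMPANY_DOMAIN!r}")
    elif edit_distance(normalize(domain), COMPANY_DOMAIN) <= 2:
        findings.append(f"domain {domain!r} is within edit distance 2 of {COMPANY_DOMAIN!r}")

    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name {name!r} belongs to {expected!r} but mail is from {addr!r}")

    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr!r} differs from From {addr!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three in the style the post describes.
    samples = [
        {"From": '"Jane Doe" <jane.doe@example.com>'},
        {"From": '"Jane Doe" <jane.doe@examp1e.com>'},
        {"From": '"Jane Doe" <jane.doe@exämple.com>'},
        {"From": '"Jane Doe" <janedoe.ceo@webmail.example.net>',
         "Reply-To": "payments@other.invalid"},
    ]
    for h in samples:
        print(h["From"], "->", assess_sender(h) or "OK")
```

    The domain check deliberately ignores the exact company domain: if someone sends from the real `example.com` without authorisation, that is a job for SPF/DKIM/DMARC enforcement at the gateway, whereas this filter targets the "similar address" trick from the post. Tuning the distance threshold and the substitution table against real mail volume is what keeps the false-positive rate acceptable.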
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,698
    Location:
    U.S.A.
    Actually, this is about corporate IT security training. Of course, security and training have always been at the bottom of most corporations' budget criteria.

    It does show, however, the deplorable current state of most e-mail security scanning software. For a developer wanting to make a bundle, this is where I would concentrate my resources.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
    Yes, it's mostly about training, always double-checking info about payments delivered through email and similar. Install-and-forget solutions, IMO, won't work here.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,978
    Location:
    The Netherlands
    It depends on the type of attack. The simplest attacks work the way you described, but the more advanced ones use malware like the HawkEye trojan to infiltrate corporate networks, in order to increase the chance of a successful attack. That's why I said that both user education and security tools are needed.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,698
    Location:
    U.S.A.
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
    http://www.japantimes.co.jp/news/20...email-fraud-appearing-originate-partner-firms
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,776
    Location:
    EU - Slovenia
    https://www.helpnetsecurity.com/2017/06/23/bec-scam-rise/
     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,271
    Location:
    DC Metro Area
    "HawkEye [not hawki] malware: Hackers using 'versatile' data-stealing Trojan in multiple new phishing attacks
    Security experts have seen HawkEye infecting various global organisations across multiple sectors.
    ..

    A new data-stealing malware dubbed HawkEye is now being increasingly used by hackers in multiple new phishing campaigns. Security experts said that the distribution of the malware increased after it was put on sale on a "public-facing website."...

    HawkEye also comes with keylogger and screenshot taking features. The malware sends data such as server name, OS, installed language and more to its C&C server. Alarmingly, HawkEye is also capable of spreading via USB and can steal Bitcoin wallets as well..."

    http://www.ibtimes.co.uk/hawkeye-ma...-trojan-multiple-new-phishing-attacks-1633136
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,698
    Location:
    U.S.A.
    Here's the FireEye detailed analysis: https://www.fireeye.com/blog/threat...malware-distributed-in-phishing-campaign.html

    For starters, the payload is contained within a .docx attachment. If Word is configured to open in protected mode, the default mode, the malicious OLE payload can't run.

    A similar attack involving a Word exploit using OLE happened here: https://arstechnica.co.uk/informati...-in-the-wild-exploit-critical-microsoft-0day/ . Makes me believe that applying the registry hacks shown in that article, especially the RTF one, might not be a bad idea. Also, RTF can be disabled via Word security settings.
     