ShadowTalk Update – 11.05.2018
November 5, 2018
In November 2016, Tesco Bank suffered a series of fraud attacks that allowed cybercriminals to check out with £2.26m (roughly $3 million) in customer funds. Two years on, Dr Richard Gold and Simon Hall join Rafael Amado to discuss the UK Financial Conduct Authority’s (FCA) investigation into the attacks, which resulted in a fine of £23,428,500 (approximately $30 million). The team discuss the FCA’s findings, what financial services organizations need to know about the techniques used, and why incident response processes can fail in the heat and panic of an attack.
Magecart targets zero-day vulnerabilities to steal data
Security researcher Willem de Groot has observed the threat group Magecart targeting multiple zero-day vulnerabilities in popular e-commerce platform extensions, with undetermined results. The group’s aim is to facilitate the theft of sensitive and card payment information from websites that use the Magento e-commerce platform. De Groot confirmed that most of the vulnerabilities were previously unreported and unpatched. Magecart’s high success rate over the past few years in conducting data breaches, and continued development of their tactics, techniques and procedures (TTPs), suggest the group will remain a highly credible threat to e-commerce platforms for the foreseeable future.
Pakistani bank suffers data breach, potentially substantial theft of funds
The Pakistan-based bank Bank Islami reportedly suffered a data breach affecting its payment card system. Unverified allegations cited the total loss of funds as $6 million. The incident was detected on October 27, 2018, when suspicious transactions were observed on debit cards in locations outside Pakistan. Bank Islami claimed a total of $19,528 was stolen from customers, all of whom have been reimbursed, but international payment providers reported a significantly greater loss of funds. Additional information will likely become available after investigations conclude.
New Cobalt Group activity tracked by security researchers
The financially motivated “Cobalt Group” have been associated with a new campaign after researchers found matching document identification values in the metadata of malicious files. The researchers observed the use of a macro builder to create malicious Microsoft Word documents for distribution by spearphishing emails; the messages possessed similar components to previously reported spearphishing emails. This type of builder allows threat actors to develop payloads for social engineering attacks. It is not known whether the macro builder is used exclusively by that threat group. The tool’s public identification may discourage Cobalt Group from using it in future attacks. Cobalt Group continues to demonstrate high levels of activity despite the arrest of its alleged leader earlier this year.
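The metadata pivot mentioned above (linking samples by a shared document property) is a routine hunting step for defenders triaging phishing attachments. The following is an added example, not code from Digital Shadows, the ShadowTalk team or the researchers cited; it assumes the shared value lives in the OOXML `docProps/core.xml` part (here the `dc:creator` field, which is an assumption; the page does not name the field the researchers matched on) and builds constructed in-memory samples rather than reading real malicious files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# OOXML namespaces used by docProps/core.xml (standard, not page-specific)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_sample_docx(creator, last_modified_by, created):
    """Construct a minimal OOXML-style zip in memory carrying only docProps/core.xml.

    These are constructed samples for illustration, not real documents.
    """
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <dcterms:created>{created}</dcterms:created>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Return the core properties of an OOXML zip as a dict, or {} if the part is absent."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return props
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for child in root:
        # strip the namespace: '{uri}creator' -> 'creator'
        tag = child.tag.split("}", 1)[-1]
        props[tag] = (child.text or "").strip()
    return props


def cluster_by_field(samples, field):
    """Group sample names by the value of one metadata field.

    Only values shared by more than one sample are returned, since a lone
    value gives nothing to pivot on.
    """
    groups = defaultdict(list)
    for name, data in samples.items():
        value = extract_core_properties(data).get(field)
        if value:
            groups[value].append(name)
    return {value: sorted(names) for value, names in groups.items() if len(names) > 1}


# Constructed sample set: two lures share a creator value, one does not.
SAMPLES = {
    "lure_a.docx": build_sample_docx("builder-user", "builder-user", "2018-10-01T09:00:00Z"),
    "lure_b.docx": build_sample_docx("builder-user", "analyst-x", "2018-10-15T11:30:00Z"),
    "unrelated.docx": build_sample_docx("jane.doe", "jane.doe", "2018-09-20T08:00:00Z"),
}


if __name__ == "__main__":
    for value, names in cluster_by_field(SAMPLES, "creator").items():
        print(f"creator={value!r} shared by: {', '.join(names)}")
```

In practice the same grouping is run over `creator`, `lastModifiedBy`, `created` and the `docProps/app.xml` fields, and a cluster is only a lead: a shared default value (an empty creator, a vendor template name) will group unrelated documents, so each candidate cluster still needs a second signal before it supports attribution.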
Russian national indicted for aiding disinformation campaigns
The United States Department of Justice indicted a Russian national on charges of “conspiracy to defraud the United States” for their involvement in funding disinformation campaigns since 2014. The most recent alleged campaign targeted the forthcoming United States mid-term elections. The indictment detailed the abuse of social media platforms to distribute messages that were designed to cause confusion and disruption. Such activity is almost certain to continue as entities seek to incite political change or public dissonance.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.