AFP compiles the most alarming—and informative—fraud news relevant to corporates in Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization. Follow @AFPFraudwatch on Twitter for all the latest updates.
This week, FS-ISAC identifies new methods of phishing and malicious advertising, CloudFlare discovers a critical flaw in Google Apps’ two-factor authentication, and Microsoft takes action against the Flame. New Phishing, Malvertising AttacksTestifying
before the U.S. House of Representatives Capital Markets and Government Sponsored Enterprises Subcommittee, Michele Cantley, chief information security officer for Regions Bank, discussed the evolution of two important methods of cybercrime.
Cantley, who spoke on behalf of the Financial Services Information Sharing & Analysis Center (FS-ISAC), noted that phishing “remains the most popular attack method that criminals use to infect victims’ machines. Nonetheless, emails that purport to be from a victim’s bank are no longer the primary type of phishing email.”
Instead, phishing emails now indicate that the senders are with NACHA, the Electronic Federal Tax Payment System, the U.S. Postal Service, telecom companies, social media providers and private delivery firms. The malware has a keylogger that can capture the user’s banking credentials when they type them, and then log into the user’s banking site and impersonate them.
Cantley also noted that malicious advertising, or malvertising, is evolving. This method consists of cybercriminals placing malicious advertisements on search engines and prominent news sites that appear to be legitimate. However, a more recent method consists of fraudulent messages sent from social media sites. “These may include bogus friend requests, for example, that include links to malicious sites,” she said.Flaw in Google’s Two-Factor Authentication Revealed
A fundamental flaw in Google Business Apps’ two-factor authentication software was revealed last week, following a hack on the Gmail accounts of Matthew Prince, chief executive of CloudFlare.
In a blog post
, Prince explained how a hacker was somehow able to convince Google to add a fraudulent recovery email address to his personal Gmail account. From there, the hacker could reinitiate the password recovery process and have reset instructions sent to the fake email address. To reset a password, a user is supposed to provide a two-factor authentication token, but the hacker was able to circumvent that step.
CloudFlare uses Google Apps for email, and Prince’s personal email address had been listed as a recovery email since the company first established its business email address. The hacker was able to access Prince’s CloudFlare.com email account, and then CloudFlare’s administrative panel, in order to target a particular customer and change their DNS settings. Luckily, CloudFlare spotted the incident quickly and worked with Google to regain control of the email accounts and resolve matters for the customer.
Prince recommends that any Gmail or Google Apps users add two-factor authentication to their accounts, ensure their passwords are extremely strong and not used for any other services, and change any password recovery email to an account that is used for nothing else and cannot easily be guess by a hacker.
However, Prince noted that one glaring problem here is that this particular hacker was able to bypass two-factor authentication. Following some research, Google notified Prince that it had discovered a “subtle flaw affecting not two-step verification itself, but the account recovery flow for some accounts.” Google informed him that the attack vector has since been blocked.
Following further research, CloudFlare and Google believe the incident began with a breach of AT&T’s systems that compromised the out-of-band verification. If a hacker has a phone number that is listed as a possible recovery method for a Google account, then the only thing barring the attacker from accessing the account is the voicemail PIN. CloudFlare has since removed all phone numbers from its Google accounts.The Flame: Microsoft Takes Action
Microsoft released a security advisory
this week regarding “the Flame,” a highly dangerous malware that the Russian IT security firm Kaspersky Lab exposed last week. Although the company acknowledged in a blog post
that the majority of Flame attacks have been highly sophisticated and do not affect the majority of Microsoft customers, the investigation has revealed some techniques that could be exploited by less prominent hackers and used in widespread attacks.
Some components of the malware have been signed by certificates that make it appear as if it was produced by Microsoft. The company identified that an older cryptography algorithm could be exploited and then used to sign code as if it came from Microsoft. Microsoft’s Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services, used that algorithm and provided certificates with the ability to sign code.
In addition to the security advisory with instructions on how to block software signed by the unauthorized certificates, Microsoft also released an update that that automatically does this for its customers. Finally, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed. All corporate users should make sure their software updates really are up to date.