Tag Archives: fraud

New bracelets for ransomware kingpin

Image courtesy of .v1ctor. on Flickr

I’m happy to say that, as a result of close cooperation between Trend Micro threat research and Spanish law enforcement, a number of important arrests have been made in connection with the Reveton ransomware. The Spanish police announcement can be found here [Spanish].

Over the past several months Trend Micro researchers have been providing evidence and intelligence related to the Reveton ransomware, or “police trojan”. Law enforcement in Spain first became interested in this malware as a result of complaints they were receiving from victims of the scam. Trend Micro and the Spanish law enforcement agencies have collaborated extremely closely, sharing intelligence, samples and related technical detail. As a direct result of work carried out by Trend Micro threat research, investigators were able to map the criminal network infrastructure, including traffic-redirection and command-and-control servers. Some of the intelligence gathered by law enforcement enabled them to establish, with a high degree of certainty, the identity of one of the individuals at the very top of this criminal gang.

Banks to tighten the rules on refunds?


The Daily Mail has recently run a couple of interesting reports detailing how banks such as Santander and HSBC, among others, are tightening up the security obligations they place on their customers. These obligations are meant to ensure that customers adequately protect their personal information, reducing their risk of falling victim to fraud. But of course there are two sides to every story: they also leave the door open for banks to refuse compensation payouts in cases where the customer is deemed to have fallen foul of the new rules.
Among the customer responsibilities that the financial institutions will now insist on are:

  • Use a separate PIN for every bank card
  • Ensure that no one can watch you at an ATM or hear your phone conversations with the bank
  • Shred your bank statements and receipts
  • Never click on links in emails received from your bank
  • Lock your mobile device with a PIN if it is used for banking

While much of this is entirely sensible in terms of personal security, some of it could prove counter-productive, and much of it relates to problems that would be best solved by the financial institutions themselves rather than by pushing the obligation onto the customer.
If you would like your customers to use a distinct PIN for every bank card, then simply withdraw the function that allows them to change their PINs. Oh, and while you’re at it, please issue cards that support a longer PIN and enforce it. Of course, making this change will have the unfortunate side effect that many customers will resort to writing down their PINs in order to keep track of them all…
If you want to make it difficult for others to see PIN details being entered at ATMs, then redesign your ATMs! They are currently operated in full public view with no shielding whatsoever over the PIN entry pad.
If you want to reduce the risk associated with telephone banking being overheard, then allow all sensitive information to be verified using the keypad of the telephone and do not allow your customer service team to ask for that information to be given verbally. It makes me uncomfortable that I am divulging it to anyone at all, let alone that someone might overhear.
If paper statements pose a risk, then stop issuing paper statements; if a customer is obliged to shred them anyway, they serve very little purpose. If receipts pose a risk, then ensure that no sensitive information is printed on them. Shredding receipts suddenly doesn’t seem so clever when you have to return faulty goods.
Never click on links in mails from your bank. This is absolutely correct, but wouldn’t it be nice if your bank actually stopped sending you mails with links in them? Are you listening, Marketing departments?
Finally, mobile banking… This one’s quite a can of worms. Over the years, banks have steadily introduced more and more security mechanisms to counter online account fraud: first it was username and password in full, then selected characters only, then on-screen keyboards, then second-factor authentication tokens, and now some banks have thankfully introduced transaction verification technology. All because they recognise the risk from fraud. Yet now that banks are introducing mobile payment apps and mobile banking apps, how are these secured? Simply by entering a PIN in full to unlock the app. How have all these hard-won authentication lessons been forgotten?
When you consider that it only takes about 13 minutes to get past a 4-digit PIN on most mobile devices, it’s apparent how woefully inadequate a device PIN is for protecting access to your bank account, and we all know the perils of entering a password in full, anywhere.
While the guidance given by banks is entirely reasonable, it seems there is much more that banks could and should be doing to help their customers stay secure, through changes to in-house procedure and technology.
If your bank refuses you compensation for fraudulent transactions, remember this: the bank is obliged to investigate every claim of fraud individually. If it is refusing your claim it must provide you with its evidence of negligence, and it must prove that you are at fault in order to be able to refuse.
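To put numbers on that, here is an added example in Python (mine, not from the original post or from any bank or device vendor): it compares how long an attacker needs to exhaust all 10,000 four-digit PINs against a verifier with no throttling and against one that imposes a doubling delay after a handful of wrong guesses. The guess rate of about 13 per second is an assumption chosen to reproduce the 13-minute figure quoted above, and the backoff schedule (five free attempts, then 1 s doubling up to an hour) is an illustrative policy, not any vendor’s actual behaviour.

```python
"""Added example (not from the original post): the cost of guessing a
4-digit device PIN with and without throttling of wrong attempts.

Assumptions: roughly 13 guesses per second, chosen so that exhausting the
space takes the ~13 minutes quoted in the post; the backoff policy is an
illustration, not any vendor's actual lockout behaviour.
"""
import hmac

PIN_SPACE = 10 ** 4          # all PINs from 0000 to 9999
GUESS_RATE_PER_SEC = 13.0    # assumption: ~10,000 guesses in ~13 minutes


def pin_matches(candidate: str, secret: str) -> bool:
    """Compare in constant time so timing does not hint at partial matches."""
    return hmac.compare_digest(candidate.encode(), secret.encode())


class ThrottledPinCheck:
    """PIN verifier: a few free attempts, then a delay that doubles per failure."""

    def __init__(self, secret: str, free_attempts: int = 5,
                 base_delay_sec: float = 1.0, max_delay_sec: float = 3600.0):
        self._secret = secret
        self.free_attempts = free_attempts
        self.base_delay_sec = base_delay_sec
        self.max_delay_sec = max_delay_sec
        self.failures = 0

    def delay_before_next_attempt(self) -> float:
        """Seconds the device must refuse input before the next guess is accepted."""
        if self.failures < self.free_attempts:
            return 0.0
        # Cap the exponent so 2 ** exponent never overflows a float; the
        # max_delay_sec cap makes anything beyond 2 ** 62 irrelevant anyway.
        exponent = min(self.failures - self.free_attempts, 62)
        return min(self.base_delay_sec * 2 ** exponent, self.max_delay_sec)

    def verify(self, candidate: str) -> bool:
        """Check a guess; reset the counter on success, bump it on failure."""
        if pin_matches(candidate, self._secret):
            self.failures = 0
            return True
        self.failures += 1
        return False


def unthrottled_worst_case_sec(space: int = PIN_SPACE,
                               rate: float = GUESS_RATE_PER_SEC) -> float:
    """Time to try every PIN when nothing slows the attacker down."""
    return space / rate


def throttled_worst_case_sec(space: int = PIN_SPACE, **policy) -> float:
    """Simulated enforced waiting time to try every PIN against ThrottledPinCheck.

    The secret is chosen so that no 4-digit guess can match, so every attempt
    fails and only the mandatory delays are summed (the guesses themselves are
    treated as instantaneous)."""
    checker = ThrottledPinCheck(secret="not-a-pin", **policy)
    waited = 0.0
    for n in range(space):
        waited += checker.delay_before_next_attempt()
        checker.verify(f"{n:04d}")
    return waited


if __name__ == "__main__":
    print(f"unthrottled: {unthrottled_worst_case_sec() / 60:.1f} minutes")
    print(f"throttled:   {throttled_worst_case_sec() / 86400:.0f} days")
```

Against the unthrottled check the whole space falls in about 770 seconds, matching the figure in the post; with five free attempts and then a doubling delay capped at an hour, exhausting it accumulates over a year of enforced waiting. The lesson is that lockout and backoff, not PIN length alone, decide whether a short PIN is adequate, and the constant-time comparison is there because a naive string comparison can leak how much of a guess was right.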
Image Credit: redpotted’s Flickr photo stream, used under Creative Commons

Skype worm spreading fast

Ransom by redtype


It’s Monday morning and the bleary-eyed start of a new week. Criminals are taking advantage of our post-weekend lassitude by starting a Skype based campaign aimed at spreading malicious software.
Many users have reported receiving messages from friends in their Skype contact lists. So far, socially-engineered messages have been seen in both English and German (I originally described the German as Bavarian-accented; my accent recognition was way off, “Moin” is northern German, thanks guys), saying either:

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username” (“hi, hard to believe what lovely photos of you are on your profile …”)


Regardless of the language used, the link is the same, although of course this can easily be modified. The shortened URL eventually redirects to a download on hotfile.com which pulls down an archive named “Skype_todaysdate.zip” containing a single executable file of the same name. We detect this initial downloader as TROJ_DLOADER.IF.
The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN. On installation, this worm may initiate large-scale click-fraud activity on each compromised machine, recruiting it into a botnet.
These Dorkbot variants will also steal username and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, Netflix and many others. They can interfere with DNS resolution, insert iframes into web pages, perform three different kinds of DDoS attack, act as a proxy server and download and install further malware at the botmaster’s instruction. This is only some of the functionality of this pernicious worm; in the 24 hours since discovery, Trend Micro has blocked more than 2800 associated files.
Some infections will subsequently install a ransomware variant that locks the user out of their machine, informing them that their files have been encrypted and will be deleted unless the unfortunate victim pays a $200 “fine” within 48 hours.
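Triage rules for the lure and dropper described above, as an added example in Python that is not part of the original post or of any Trend Micro product: it flags messages that pair one of the quoted lure phrases with a short link carrying an img= parameter, and flags a downloaded archive that fits the Skype_<date>.zip pattern with a single same-named executable inside. The sample messages are constructed; the extra shortener hosts beyond goo.gl, the assumed digits-and-separators date format, and the phrase list are assumptions, since the post notes the link can easily change.

```python
"""Added example (not from the original post): triage rules for the Skype
lure and its dropper, run over constructed sample data.

Assumptions: the lure is recognised by one of the two observed phrases plus a
short link carrying an img= query parameter; the archive name format
"Skype_<date>.zip" is taken from the post, with the date assumed to be digits
and separators.  Shortener hosts other than goo.gl are added here as an
assumption because the post notes the link can easily be modified.
"""
import re
from urllib.parse import parse_qs, urlsplit

SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com"}  # goo.gl observed; others assumed

# Fragments of the English and German lures quoted in the post (matched case-insensitively).
LURE_PHRASES = ("is this your new profile pic", "fotos von dir auf deinem profil")

# Matches http(s):// and the defanged h__p:// / hxxp:// forms used when quoting lures.
URL_RE = re.compile(r"\bh[tx_]{2}ps?://\S+", re.IGNORECASE)

# Archive name as described in the post; the date format is an assumption.
ARCHIVE_NAME_RE = re.compile(r"^Skype_[0-9._-]{6,10}\.zip$", re.IGNORECASE)


def extract_urls(message: str) -> list:
    """Pull URLs out of a message, re-fanging h__p/hxxp so urlsplit can parse them."""
    urls = []
    for raw in URL_RE.findall(message):
        raw = raw.rstrip("\"'”.,;:!?)")  # drop trailing punctuation glued to the link
        urls.append(re.sub(r"^h[tx_]{2}p", "http", raw, flags=re.IGNORECASE))
    return urls


def is_lure(message: str) -> bool:
    """True when a lure phrase is paired with a short link that names a target via img=."""
    text = message.lower()
    if not any(phrase in text for phrase in LURE_PHRASES):
        return False
    for url in extract_urls(message):
        parts = urlsplit(url)
        if parts.hostname in SHORTENER_HOSTS and "img" in parse_qs(parts.query):
            return True
    return False


def looks_like_dropper(archive_name: str, members: list) -> bool:
    """Archive named Skype_<date>.zip holding exactly one .exe with the same stem."""
    if not ARCHIVE_NAME_RE.match(archive_name) or len(members) != 1:
        return False
    stem = archive_name[:-len(".zip")].lower()
    return members[0].lower() == stem + ".exe"


# Constructed sample messages: the two lures from the post, two benign look-alikes.
SAMPLE_MESSAGES = [
    "lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username",
    "moin, kaum zu glauben was für schöne fotos von dir auf deinem profil "
    "h__p://goo.gl/{BLOCKED}5q1sx?img=username",
    "is this your new profile pic? https://photos.example/me.jpg",      # no short link
    "lunch menu is at https://goo.gl/abc123?img=menu if you want it",    # no lure phrase
]


def triage(messages) -> list:
    """Return just the messages that match the lure pattern."""
    return [m for m in messages if is_lure(m)]


if __name__ == "__main__":
    for m in triage(SAMPLE_MESSAGES):
        print("LURE:", m)
    # Constructed archive listing in the shape the post describes.
    print(looks_like_dropper("Skype_08-10-2012.zip", ["Skype_08-10-2012.exe"]))
```

Both conditions are required on purpose: the phrase alone would flag every friend genuinely asking about a new photo, and a short link alone would flag half of everyday chat. The archive check is deliberately structural (name pattern plus a lone executable with the same stem) rather than hash-based, since the file name changes daily.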


This malware is still under investigation and TrendLabs have posted initial findings here. In the meantime, please remember not to click on unexpected links, no matter how bleary-eyed you may be.