Security Week 16: Theft of Digital Identity

    Last week Kaspersky Lab held its latest Security Analyst Summit (SAS). The conference traditionally presents research into the most complex cyber attacks discovered by the company's own specialists and by other vendors. Today we have a brief overview of the talks, and we will start not with APTs but with online financial fraud. A report by the GReAT team shows that online theft of money is moving to a new level: attackers are now trying to get around even advanced anti-fraud systems.

    An anti-fraud system can block a suspicious operation even when the attacker already has the victim's credentials for a payment system, online banking or a credit card, provided it has a model of the client's normal behaviour online: where the client connects from, from which computer, which browser is used, and so on. In total, more than a hundred such indirect features help distinguish the real owner of a bank account from a cybercriminal, even if the payment details entered are correct. A logical consequence of the introduction of such systems is what now appears on the black market: not just credit card numbers, but copies of the victims' digital identities, that is, the very attributes an anti-fraud system checks.


    The study uses the underground marketplace Genesis Store as an example. At the time of publication, over 60 thousand digital identities were up for sale there. Examples of lots are shown in the screenshot below:


    The price of a lot is calculated automatically; if the kit includes a password for online banking, it costs more. The typical price range is from 5 to 200 dollars. Once purchased, the digital identity is loaded into the buyer's browser through a Chrome plugin. If the attacker also obtains an IP address in the victim's home region, payments from the bank account will not look suspicious. For those who want to save money, the same site offers a synthetic set of identifiers for download. The technology is quite simple, but it sounds impressive: this is not password theft, it is in effect the cloning of people, so far only online and only as far as anti-fraud systems are concerned.
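    To make the mechanism above concrete, here is an added example of a toy behavioural anti-fraud scorer. It is not code from Kaspersky, Genesis Store or any bank; the feature names, weights, block threshold and all profile data are assumptions constructed for the illustration. It scores three constructed sessions against a stored customer profile: an attacker using their own browser, the same attacker replaying a purchased fingerprint from a foreign IP, and the purchased fingerprint combined with a proxy in the victim's region.

```python
"""Toy anti-fraud session scorer (added illustration, not any vendor's code).

A stored profile of the account holder's usual session attributes is compared
with the attributes of an incoming login or payment.  Feature names, weights and
the threshold are assumptions chosen for the example.
"""
from dataclasses import dataclass, field

# Assumed weights: how strongly a mismatch on each feature raises the risk score.
FEATURE_WEIGHTS = {
    "user_agent": 2.0,
    "screen": 1.0,
    "timezone": 1.5,
    "language": 1.0,
    "canvas_hash": 3.0,    # stable per machine/GPU/driver combination
    "ip_country": 3.0,     # derived server-side from the client IP, not from the browser
    "ip_asn": 1.5,
}
BLOCK_THRESHOLD = 4.0      # assumption: total risk at or above this is blocked


@dataclass
class Verdict:
    risk: float
    mismatches: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return self.risk >= BLOCK_THRESHOLD


def score_session(profile: dict, session: dict) -> Verdict:
    """Sum the weights of every learned profile feature the session fails to reproduce."""
    verdict = Verdict(risk=0.0)
    for feature, weight in FEATURE_WEIGHTS.items():
        expected = profile.get(feature)
        if expected is None:
            continue                      # nothing learned yet for this feature
        if session.get(feature) != expected:
            verdict.risk += weight
            verdict.mismatches.append(feature)
    return verdict


# Constructed baseline: what the bank has learned about the legitimate customer.
VICTIM_PROFILE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/73.0.3683.86",
    "screen": "1920x1080",
    "timezone": "Europe/Rome",
    "language": "it-IT",
    "canvas_hash": "7f3a9c1e",
    "ip_country": "IT",
    "ip_asn": "AS3269",
}

# Constructed sessions, all presenting the correct password.
# 1) The attacker's own machine: every environmental feature differs.
ATTACKER_OWN_BROWSER = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0",
    "screen": "1366x768",
    "timezone": "Europe/Moscow",
    "language": "ru-RU",
    "canvas_hash": "0b11d2aa",
    "ip_country": "RU",
    "ip_asn": "AS12389",
}
# 2) A purchased fingerprint replayed through a plugin, but from a foreign IP.
CLONED_FINGERPRINT_FOREIGN_IP = dict(VICTIM_PROFILE, ip_country="RU", ip_asn="AS12389")
# 3) The same fingerprint plus a proxy in the victim's region: nothing left to mismatch.
CLONED_FINGERPRINT_LOCAL_IP = dict(VICTIM_PROFILE)


def demo() -> dict:
    """Blocked/allowed decision for each constructed session."""
    return {
        "own_browser": score_session(VICTIM_PROFILE, ATTACKER_OWN_BROWSER).blocked,
        "clone_foreign_ip": score_session(VICTIM_PROFILE, CLONED_FINGERPRINT_FOREIGN_IP).blocked,
        "clone_local_ip": score_session(VICTIM_PROFILE, CLONED_FINGERPRINT_LOCAL_IP).blocked,
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'BLOCK' if blocked else 'allow'}")
```

    The scorer stops the first two sessions and waves the third through, which is exactly the gap the Genesis kits exploit: every feature a browser can report is a feature a browser can replay. Signals the attacker cannot buy with the kit, such as a device-bound key, out-of-band confirmation of the transaction, or the transaction's deviation from the customer's payment history, have to carry the remaining weight.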

    Let's move on to APTs. A clear trend in modern targeted attacks is a shrinking blast radius. A good example is the ShadowHammer attack, theoretically capable of hitting tens of thousands of Asus laptops and desktops, but in fact active only on a short list of several hundred MAC addresses.
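    As an added illustration of that kind of target gating (not ShadowHammer's code, and the page does not describe how its list was stored), the following example assumes the MAC list is shipped as hashes so that the binary itself does not reveal the targets, and shows the comparison a defender can run to check whether a host is on such a list. The target addresses and the hash function are constructed for the example.

```python
"""Target gate keyed on hashed MAC addresses (added illustration, not ShadowHammer code).

Assumption: the target list is distributed as hashes of canonicalised MAC
addresses (the digest above only says the implant ran on a short MAC list).
"""
import hashlib
import re
import uuid

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.

    Accepts "AA:BB:CC:DD:EE:FF", "aa-bb-cc-dd-ee-ff", "aabb.ccdd.eeff" and bare
    hex.  Anything else raises, so a malformed address cannot silently miss the list.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def mac_hash(mac: str) -> str:
    """Hash of the canonical MAC; this is what gets compared against the list."""
    return hashlib.sha256(normalize_mac(mac).encode()).hexdigest()


def is_targeted(mac: str, hashed_targets: set) -> bool:
    return mac_hash(mac) in hashed_targets


def local_macs() -> list:
    """Best effort: the stdlib exposes only one interface's MAC via uuid.getnode().

    getnode() falls back to a random 48-bit value with the multicast bit set when
    no hardware address is available; such values are filtered out here.
    """
    node = uuid.getnode()
    if node >> 40 & 1:
        return []
    return [f"{node:012x}"]


# Constructed target list: hashes of two made-up addresses.
TARGET_MACS = ["00:11:22:33:44:55", "66-77-88-99-AA-BB"]
HASHED_TARGETS = {mac_hash(m) for m in TARGET_MACS}


def check_host(macs=None) -> dict:
    """Map each MAC of this host (or of the given list) to whether it is targeted."""
    macs = local_macs() if macs is None else macs
    return {normalize_mac(m): is_targeted(m, HASHED_TARGETS) for m in macs}


if __name__ == "__main__":
    for mac, hit in check_host().items():
        print(mac, "ON TARGET LIST" if hit else "not listed")
```

    Two practical points the gate illustrates: a hashed list lets an implant stay dormant on every non-target host without telling analysts who the targets are, and the normalisation step matters in both directions, since a target list and a host's reported MAC rarely use the same separators or case.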

    The TajMahal campaign (news, research) uses more than 80 malicious modules, yet it was extremely hard to detect. Researchers found only one confirmed victim, a diplomatic mission in a Central Asian country. Among the attack's features is the ability to steal data from removable media, but only files matching a list of interest hard-coded into the malware. The more precise the attack and the shorter the list of victims, the longer the toolkit survives before it is detected and blocked by security products.


    At the Kaspersky SAS conference, Lookout experts talked (news, post on the company's blog) about the Exodus spyware. In early April the Security Without Borders group had already described this Trojan: they found 25 versions of the spyware in the Google Play app store. Lookout found a version of Exodus for iOS, signed with an official developer certificate.

    The program (both the Android and the iOS version) was distributed through phishing sites imitating the pages of mobile operators in Italy and Turkmenistan. Users were told the software was supposedly needed to connect to Wi-Fi access points. In reality, the Trojan could send personal data from the phone to a remote server: contacts, photos, video, GPS data. It could even switch the microphone on remotely.


    An interesting study discusses the problem, familiar in Russia too, of replacing a victim's SIM card (SIM swapping) to then gain access to online services and steal money through online banking. For Brazil there are even black-market quotes for the issuance of a new SIM card: from 10 to 40 dollars, depending on the carrier (numbers belonging to famous people cost more). In Mozambique, SIM swaps are usually made to get at the very popular M-Pesa electronic payment system (5 billion dollars of turnover per year), in addition to conventional online banking. Mozambique fights this kind of fraud in a rather original way: all mobile operators exchange data with the banks in real time. This makes it possible to automatically block all payments tied to a phone number whose SIM card has recently been replaced. The blocking period is short, up to two days,
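    The Mozambican scheme is a simple rule once the operator feed exists, and the added example below models it. It is not code from any operator, bank or M-Pesa; the event format, the two-day window, the phone-number normalisation and the sample events are assumptions constructed for the illustration. It keeps the latest SIM-change time per number and refuses payments from a number whose SIM was changed inside the cooling-off window.

```python
"""SIM-swap cooling-off check (added illustration, not any operator's or bank's code).

Operators push SIM-change events to the bank in real time; the bank refuses
payments tied to a phone number until the cooling-off window has passed.  The
48-hour window, the event format and all sample data are assumptions.
"""
from datetime import datetime, timedelta, timezone

COOLING_OFF = timedelta(days=2)    # "up to two days" in the digest; exact value assumed


def normalize_msisdn(raw: str) -> str:
    """Reduce operator and bank spellings of a number to E.164 ("+" plus digits)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not 8 <= len(digits) <= 15:
        raise ValueError(f"not an E.164 number: {raw!r}")
    return "+" + digits


def parse_ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; events must carry a UTC offset."""
    when = datetime.fromisoformat(iso)
    if when.tzinfo is None:
        raise ValueError("SIM-change timestamps must be timezone-aware")
    return when


class SimSwapFeed:
    """Latest SIM-change timestamp per MSISDN, as reported by the operators."""

    def __init__(self):
        self._last_swap = {}

    def record_swap(self, msisdn: str, when: datetime) -> None:
        prev = self._last_swap.get(msisdn)
        if prev is None or when > prev:        # keep only the most recent change
            self._last_swap[msisdn] = when

    def last_swap(self, msisdn: str):
        return self._last_swap.get(msisdn)


def payment_allowed(feed: SimSwapFeed, msisdn: str, now: datetime) -> tuple:
    """Return (allowed, reason).  A number with no recorded change is allowed."""
    swapped = feed.last_swap(msisdn)
    if swapped is None:
        return True, "no SIM change on record"
    age = now - swapped
    if age < timedelta(0):
        return False, "SIM change timestamp is in the future: clock skew or bad data"
    if age < COOLING_OFF:
        return False, f"SIM changed {age} ago, inside the {COOLING_OFF} cooling-off"
    return True, f"SIM changed {age} ago, cooling-off has passed"


# Constructed operator events: (number as the operator sends it, ISO timestamp).
OPERATOR_EVENTS = [
    ("+258841234567", "2019-04-10T09:15:00+00:00"),
    ("+258841234567", "2019-04-11T18:40:00+00:00"),   # swapped again the next day
    ("+258 82 765 4321", "2019-04-01T12:00:00+00:00"),
]


def build_feed(events=OPERATOR_EVENTS) -> SimSwapFeed:
    feed = SimSwapFeed()
    for msisdn, ts in events:
        feed.record_swap(normalize_msisdn(msisdn), parse_ts(ts))
    return feed


def demo(now: datetime = datetime(2019, 4, 12, 12, 0, tzinfo=timezone.utc)) -> dict:
    """Allowed/blocked for three numbers at the given moment (constructed clock)."""
    feed = build_feed()
    return {
        n: payment_allowed(feed, normalize_msisdn(n), now)[0]
        for n in ("+258841234567", "+258827654321", "+258849999999")
    }


if __name__ == "__main__":
    for number, allowed in demo().items():
        print(number, "allow" if allowed else "BLOCK")
```

    The check only works as well as the feed: a number the bank has never received an event for is treated as unchanged, so an outage or delay on the operator side silently turns the control off. A production deployment would track feed liveness per operator and fail closed for high-value transfers while an operator's feed is stale.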

    Disclaimer: the opinions expressed in this digest may not coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.
