Posts

Analysis of the threats targeting Point of Sale systems

Background: A point of sale (POS) system refers to the critical piece of software used by customers to execute a payment for goods or a service. This also includes the physical devices in stores, where POS terminals and systems are used to process card payments. These are often the primary targets of financially motivated organised cybercrime groups (also known as eCrime advanced persistent threats). Successful intrusion of a POS system can lead to the theft of vast amounts of financial data from customers. This can be used for immediate gain or sold on underground markets for fraud. A combination of hard-to-detect data-exfiltration malware; legacy hardware, which is difficult to patch; and general OS vulnerabilities means that this particular threat is common and can be difficult to defend against. Organised cybercrime APT groups such as FIN6, FIN7, and FIN8 are currently some of the most significant threats to large retailers, restaurant chains, hotels, the leisure industry, and to

Gathering Intelligence on the Qakbot banking Trojan

Background: The Qakbot banking Trojan is one of the top-tier malware families on the current threat landscape. It is distributed in mass spam campaigns, steals confidential information, and has also provided access to ransomware operators. Preventing and detecting this threat has become a priority for many organisations as a successful infection can lead to a costly cyber incident. In this blog, I aim to share more information on this malware, provided by open sources, and highlight the intelligence gathering process it takes to combat this threat. Qakbot (also known as Quakbot or Qbot) has been around since 2008. It has targeted the customers of various financial institutions worldwide. While Qbot's targeting has mostly remained the same, with the aim of stealing bank details and enabling wire fraud, its propagation methods have changed across various campaigns. Despite its age, Qakbot still remains a significant threat with established connections in the organised cybercrime u

One persistent Phish

For the last three months I have personally received the same phishing email masquerading as a PayPal 'your account has been suspended' notification, trying to steal my login credentials. The email arrives from "service@paypal.com" and looks very convincing to the average user. Here is the phishing chain the threat actors are currently using in these types of attacks. Fortunately, there are several steps involved in this attack; hopefully this will give unsuspecting users more of a chance to recognise they are being targeted. Flow of the phishing chain (NB the credential harvesting page is replaced with the YouTube video): The interesting part of this attack, to me, is that it leveraged one of MySpace's domains to redirect users to the next stage. However, if you try to visit one of the links without clicking on the button in the URL, it will redirect you to the same YouTube video. Example YouTube comment from these videos: Interestingly, I also used UR

Analysing a Phishing C&C server

I recently uncovered a phishing command and control (C&C) Simple Mail Transfer Protocol (SMTP) server hosted on the same page that the kit was deployed on. Surprise surprise, they were targeting PayPal. The Leaf PHP Mailer: The phishing page has all the features you would largely expect to see in a phishing C&C. The main feature the attackers require is a way to send out hundreds, if not thousands, of fake emails masquerading as a service such as PayPal to a long list of target email addresses. Other features the Leaf PHP mailer offers include adding HTML code to the phishing email. Blacklist checker: The blacklist checker enables the phisher to check whether their host is blocked by spam lists and to maintain a record of how likely their phishing emails are to land in inboxes. Once an IP address appears on too many lists, the operator can transfer to a new host and start the process again. The CAPTCHA: Nowadays, a large number of credential harvesting phishing pag

OSINT Challenge: Key West

One way to improve your OSINT skills is to practice. Practice makes perfect, as they say. #OSINT challenge. Find the exact coordinates of this webcam in Key West, Florida. RT for reach https://t.co/ZLpAGeHvVU — Jake Creps (@jakecreps) September 10, 2020 Thanks @JakeCreps, I'll take it from here. Let's start by visiting the stream, the initial piece of intelligence provided: I immediately noticed the "CIDBW0008" and it looks like a possible address or unique identifier to me. A quick search of "CIDBW0008" brought me to: Clicking on one of these links brought me to a Facebook page that also shares this live video feed, giving us a new location, "Galleon Marina": I then searched up "Galleon Marina": This location lines up with the title of the initial YouTube stream's location. I then searched 'Front Street' from the title: By scanning around on Google Street Maps, I was able to find the two buildings present in the stream: W

Intelligence & Analysis report: Attacks leveraging the Cloud

"The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are linked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications or deliver content or a service such as streaming videos, web email, office productivity software or social media." - Microsoft Azure. Cloud services are increasingly being leveraged by cybercriminals and advanced persistent threat groups in attack campaigns. These cloud services include consumer accounts for OneDrive, Google Drive, Dropbox, compromised SharePoint and GSuite accounts, as well as the Discord CDN. These are leveraged to host malicious files, phishing pages, redirector links, and other parts of attack campaigns. These services are often used for business operations and are regarded as safe by default by most detection systems. Any threat actor can leverage these services for free or could compromise user accounts. The most com

Fantastic APTs and Where to Find Them

Sophisticated computer security breaches in some of the most heavily defended networks around the world have been orchestrated by so-called Advanced Persistent Threat (APT) groups. Many of these APTs operate on behalf of a nation state's intelligence agency or military. They can even be private sector hacking groups, hired for specific operations. An APT group specialises in gaining access, maintaining it, and executing post-exploitation activities while remaining undiscovered. There are also many types of APT attack campaigns. These can include, but are not limited to, intelligence gathering operations, intellectual property theft, sabotage and data destruction, and exploitation for financial gain. Intelligence gathering, cyber-espionage: One such APT that exemplifies this type of behaviour is known as the Naikon APT group. In May 2020, Check Point disclosed new evidence of an ongoing cyber-espionage campaign against several national government entities in the Asia Pacific (APAC) regi