Posts

Showing posts from November, 2020

Analysis of the threats targeting Point of Sale systems

Background: A point of sale (POS) system refers to the critical piece of software used by customers to execute a payment for goods or a service. This also includes the physical devices in stores, where POS terminals and systems are used to process card payments. These are often the primary targets of financially motivated organised cybercrime groups (also known as eCrime advanced persistent threats). A successful intrusion into a POS system can lead to the theft of vast amounts of financial data from customers. This data can be used for immediate gain or sold on underground markets for fraud. A combination of hard-to-detect data-exfiltration malware, legacy hardware that is difficult to patch, and general OS vulnerabilities means that this particular threat is common and can be difficult to defend against. Organised cybercrime APT groups such as FIN6, FIN7, and FIN8 are currently some of the most significant threats to large retailers, restaurant chains, hotels, the leisure industry, and to

Gathering Intelligence on the Qakbot banking Trojan

Background: The Qakbot banking Trojan is one of the top-tier malware families on the current threat landscape. It is distributed in mass spam campaigns, steals confidential information, and has also provided access to ransomware operators. Preventing and detecting this threat has become a priority for many organisations, as a successful infection can lead to a costly cyber incident. In this blog, I aim to share more information on this malware, provided by open sources, and highlight the intelligence-gathering process it takes to combat this threat. Qakbot (also known as Quakbot or Qbot) has been around since 2008. It has targeted the customers of various financial institutions worldwide. While Qbot's targeting has mostly remained the same - with the aim of stealing bank details and enabling wire fraud - its propagation methods have changed across various campaigns. Despite its age, Qakbot still remains a significant threat with established connections in the organised cybercrime u

One persistent Phish

For the last three months I have personally received the same phishing email masquerading as a PayPal 'your account has been suspended' notification, trying to steal my login credentials: The email arrives from "service@paypal.com" and looks very convincing for the average user. Here is the current phishing chain the threat actors are currently using in these types of attacks: Fortunately, there are several steps involved in this attack. Hopefully this will give unsuspecting users more of a chance to recognise they are being targeted. Flow of the phishing chain (NB the credential harvesting page is replaced with the YouTube video): The interesting part of this attack, to me, is that it leveraged one of MySpace's domains to redirect users to the next stage. However, if you try to visit one of the links - without clicking on the button in the URL - it will redirect you to the same YouTube video. Example YouTube comment from these videos: Interestingly, I also used UR