2.12.20

Turla Crutch attacks Ministry of Foreign Affairs in an EU country, misuses Dropbox in cyber-espionage, ESET discovers

ESET researchers discovered a previously undocumented backdoor and document stealer used for cyber-espionage. ESET has been able to attribute the program, dubbed Crutch by its developers, to the infamous Turla APT group. It was in use from 2015 until at least early 2020. ESET has seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets. These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators.

“The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” says Matthieu Faou, an ESET researcher who investigates the Turla APT group. “Furthermore, Crutch is able to bypass some security layers by abusing legitimate infrastructure – here, Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.”

To get a rough idea of the operators’ working hours, ESET extracted the times at which ZIP files were uploaded to the operator-controlled Dropbox accounts. Researchers collected 506 distinct timestamps ranging from October 2018 to July 2019; upload times reflect when the operators were working rather than when the victims’ machines were active. The operators most likely work in the UTC+3 time zone.
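As an added illustration of the timestamp analysis described above (example code written for this digest, not ESET’s own tooling), the following Python bins constructed sample upload times by UTC hour and searches for the UTC offset that places the most uploads inside an assumed 9-to-18 local workday. The timestamps, the office-hours window and the function names are all assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample standing in for the 506 real Dropbox upload timestamps
# (hypothetical values; all in UTC, all on weekdays in October 2018).
UPLOADS_UTC = [
    "2018-10-01T06:12:00Z", "2018-10-01T09:47:00Z", "2018-10-02T07:05:00Z",
    "2018-10-02T11:30:00Z", "2018-10-03T06:58:00Z", "2018-10-03T13:20:00Z",
    "2018-10-04T08:15:00Z", "2018-10-04T14:02:00Z", "2018-10-05T07:40:00Z",
    "2018-10-05T12:11:00Z", "2018-10-08T10:25:00Z", "2018-10-08T14:50:00Z",
    "2018-10-09T06:30:00Z", "2018-10-09T13:45:00Z", "2018-10-10T10:05:00Z",
    "2018-10-10T15:20:00Z", "2018-10-11T07:55:00Z", "2018-10-11T12:40:00Z",
]

WORK_START, WORK_END = 9, 18  # assumed local office hours, half-open [9, 18)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def hour_histogram(timestamps):
    """Count uploads per UTC hour of day (0-23)."""
    return Counter(parse_utc(t).hour for t in timestamps)

def in_workday_count(hist, offset):
    """Uploads that land inside office hours once UTC is shifted by `offset` hours."""
    return sum(n for h, n in hist.items() if WORK_START <= (h + offset) % 24 < WORK_END)

def estimate_utc_offset(timestamps):
    """Return (offset, fraction): the UTC offset that puts the most uploads
    inside the assumed workday, and the fraction of uploads it explains.
    Offsets -12..+14 are tried; ties go to the offset closest to UTC."""
    hist = hour_histogram(timestamps)
    best = max(range(-12, 15), key=lambda off: (in_workday_count(hist, off), -abs(off)))
    return best, in_workday_count(hist, best) / sum(hist.values())

def weekend_fraction(timestamps):
    """Share of uploads on Saturday/Sunday; a low share supports 'office work'."""
    days = [parse_utc(t).weekday() for t in timestamps]
    return sum(d >= 5 for d in days) / len(days)


if __name__ == "__main__":
    offset, frac = estimate_utc_offset(UPLOADS_UTC)
    print(f"Likely operator time zone: UTC{offset:+d} ({frac:.0%} of uploads in office hours)")
    print(f"Weekend uploads: {weekend_fraction(UPLOADS_UTC):.0%}")
```

On real data, a flat histogram or a high weekend share would argue against the office-hours assumption, so check both before reading anything into the best offset.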

ESET Research was able to identify strong links between a Crutch dropper from 2016 and Gazer. The latter, also known as WhiteBear, is a second-stage backdoor used by Turla in 2016-2017.

Turla has been an active cyber-espionage group for more than 10 years. It has compromised many governments, especially diplomatic entities, all around the world, operating a large malware arsenal that ESET has documented over the last few years.

For more technical details on how Turla Crutch attacks and collects sensitive information, read the blog post “Turla Crutch: Keeping the ‘back door’ open” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Mobile payment apps: How to stay safe when paying with your phone?

Are mobile payments and digital wallets safe? Are the apps safer than credit cards? What are the risks? Here is what to know.

By Amer Owaida

While cash transactions aren’t going anywhere anytime soon, the convenience of electronic payment solutions has been steadily growing in popularity over the years. According to a recent survey by the US Federal Reserve, cash payments accounted for just 26% of all payments. Meanwhile, credit and debit cards and electronic payment methods were used for 65% of all payments.

The COVID-19 pandemic has also changed how people shop, with e-commerce experiencing a surge in demand due either to governments limiting interaction between people to curb the spread of the disease or to people isolating themselves and doing most of their shopping online.

As convenience is king, the surge of both cashless payment methods and online shopping, together with the use of smartphones for shopping, has led to the increased adoption of mobile payment methods. Apple Pay, Google Pay, PayPal, Venmo, and WeChat Pay are among the most popular mobile payment apps. However, they come with their own set of risks, and threat actors also use them in their scams.

Risks

Since we’re mainly focusing on mobile payment apps, it stands to reason that one of the greatest risks is losing your smartphone, which houses most of your sensitive information and, if you use payment apps, your payment data. If you haven’t secured it properly, criminals could rack up charges on your cards or use your payment apps to go on a shopping spree. Besides leaving you with an empty bank account or an overdrawn balance, the incident may damage your credit rating with the bank, which may make taking out a loan or mortgage difficult in the future.

Smartphones, like other computing devices, can also be infected by malware. Depending on the type, it can carry out various kinds of malicious activities: keyloggers can record and transmit every finger tap on your smartphone to the cybercriminals, allowing them to capture the passwords or account credentials you use to access your payment apps. Alternatively, criminals can deploy fake apps that masquerade as something else and attack your payment apps. Just one example: ESET researchers discovered a trojan masquerading as a battery optimization tool, which targeted users of the official PayPal app and attempted to transfer €1,000 (roughly US$1,200) to the attacker’s accounts.

Full article on: https://www.welivesecurity.com/2020/11/30/mobile-payment-apps-how-stay-safe-paying-phone/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

30.11.20

SIM swap scam: What it is and how to protect yourself

Here’s what to know about attacks where a fraudster has your number, literally and otherwise

By Amer Owaida

SIM swap scams have been a growing problem, with fraudsters targeting people from various walks of life, including tech leaders, and causing untold damage to many victims. Here’s why you should be on the lookout for attacks where someone can upend your life by first hijacking your mobile phone number.

How SIM swap fraud works

Also known as SIM hijacking and SIM splitting, SIM swapping can be described as a form of account takeover fraud. To make the attack work, the cybercriminal will first gather information on their mark, often through trawling the web and searching for every tidbit of data the potential victim may have (over)shared. The victim’s personal information can also be gleaned from known data breaches or leaks, or via social engineering techniques, such as phishing and vishing, where the fraudster wheedles the information directly out of the target.

With enough information in their hands, the fraudster will contact the target’s mobile phone provider and trick its customer service representative into porting the target’s telephone number to a SIM card owned by the criminal. More often than not, the scammer’s story will be something along the lines that the switch is needed because the phone was stolen or lost.

Once the process is done, the victim will lose access to the cellular network and phone number, while the hacker will now receive the victim’s calls and text messages.

What makes the scams so dangerous?

Commonly, the point of this type of attack is to gain access to one, or more, of the target’s online accounts. The cybercriminal behind the attack is also banking on the assumption that the victim uses phone calls and text messages as a form of two-factor authentication (2FA).

If that’s the case, the fraudsters can wreak unseen havoc on their victim’s digital and personal lives, including cleaning out their bank accounts and maxing out their credit cards, damaging the victim’s standing and credit with banks in the process.

The hackers could also access their victim’s social media accounts and download sensitive messages or private conversations that could be damaging in the long run. They could even post insulting messages and statuses that cause major reputational damage to their victims.

How to protect yourself

Start by limiting the personal information you share online: avoid posting your full name, address, or phone number. Another thing you should avoid is oversharing details from your personal life, since chances are that you included some aspects of it in the security questions used to verify your identity.

When it comes to using 2FA, you might want to reconsider SMS text messages and phone calls being your sole form of additional authentication. Instead, opt for using other forms of two-factor authentication such as an authentication app or a hardware authentication device.

Phishing emails are also a popular way for cybercriminals to obtain sensitive information. They do so by impersonating a trusted institution, relying on the assumption that you won’t hesitate to answer their questions or scrutinize the emails too closely. While many of the phishing emails will be caught by your spam filters, you should also educate yourself on how to spot a phish.

Telecom companies are also working towards protecting their clients. Verizon, for example, launched a feature called ‘Number Lock’ that should protect its customers against potential SIM-swapping attacks, while AT&T, T‑Mobile, and Sprint offer the option of additional authentication in the form of PIN codes, passcodes, and additional security questions. You should check with your provider to learn how to enable such features, should they offer them.

In summary

While SIM swap scams are ever-present and a threat to everybody, there are ways to protect yourself. Taking one or more of the several steps outlined in the article can help you lower your chances of falling victim to such an attack. Additionally, you can contact your bank and telecommunications providers to inquire about any supplementary security services you can enable to lock down your accounts.