Wednesday 18 January 2017

NAB: 60k bank account details leaked by a three-character email slip-up.


A large Australian bank exposed 60,000 of its customers’ account details after it unintentionally sent an email to the wrong recipient.

According to a report late last year, the issue started with a CC that wasn’t supposed to be there, which caused a recipient outside the bank to get a copy of an email they weren’t supposed to see.

CC, of course, is short for the anachronistic term carbon copy, from the days when a carbon-impregnated film was slipped between two sheets of paper that were then typed at the same time.

The problem with CC in modern email is that everyone on the list gets a copy of everyone else’s email address, which is often not a good idea, especially if it’s a routine message to lots of different customers who aren’t supposed to learn everyone else’s identity.

National Australia Bank (NAB), which was one of the targets of sophisticated Android Malware in March 2016, disclosed the data leak in December.

It appears a former NAB employee sent confirmation emails to 60,000 new customers. All of the new account holders were migrants who had created accounts with NAB’s migrant banking team.

The confirmation emails provided them with their Bank State Branch (BSB) number, account number, and NAB number. They also contained several pieces of personal information including the customer's name, address, and email address.

On each email sent out, the employee CC’ed a NAB address so that the bank would retain a copy. Or so they thought. They CC’ed nab.com instead of nab.com.au, the domain the bank actually owns.

The mail server for nab.com is listed as Google’s, presumably because the domain is signed up to Gmail, but Google won’t help track down recipients in cases like this without a court order.

NAB’s executive general manager for international branches, Peter Coad, was quick to own up to the bank’s mistake. As quoted by the Australian National Review (ANR):

"We also take full responsibility and we sincerely apologise to our customers for this mistake. The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action.”

By digging into the data leak, NAB learned that Google hosts the mail server for the domain the employee sent the emails to. The bank contacted Google and asked for its help in tracking down the data. Google refused to do anything without a court order, so NAB filed a motion against it.

NAB is now also working directly with David Weissenberg of Real Assets Limited, the owner of nab.com. Coad feels this will help the bank get to the bottom of what happened to the data. As he told ANR in an updated report:

"We understand that the email address to which the correspondence was incorrectly sent is not actively used and our customers’ emails have not been wrongfully used. Although this has been a complex process involving multiple international jurisdictions, all parties – including the email account owner – are taking this extremely seriously and NAB is working hard to resolve this matter.”

The result therefore seems to be that:
  • The email was accepted by Google’s mail service, so in a formal sense it was delivered.
  • The email didn’t reach any known user, so in an informal sense, it wasn’t received.

In short, it’s highly likely that no harm was done, because the email and its personal data will never be seen again, but it’s impossible to be sure.


What to do?

Sending email to the wrong person is surprisingly easy to do by mistake: all it takes is a close-but-not-correct username or domain name.

Here are some tips to reduce the risk in your organisation:

  1. Use an automatic file encryption system to keep internal files safe from outside eyes, even if they are copied or emailed out.
  2. Use an outbound email filter to block emails to commonly mistyped domains.
  3. Create a culture that discourages sharing database dumps by email.

Organisations should take NAB’s example as a reason to reduce the risk of an employee sending email to the wrong recipient: encrypt files so that they don’t automatically decrypt when sent out by email, and use an outbound email filter.
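Tip 2 above is easy to implement as a pre-send check. The following is an added example, not code from the original post or from NAB: it parses an outbound message, flags any recipient whose domain is a look-alike of a domain the organisation controls (same leftmost label, or within two edits of it), and flags messages that expose more than one external address in To/Cc, which is exactly the two-way leak a mass CC causes. The organisation's domain list and the two sample messages are constructed here; nab.com.au is the domain the post names as the bank's, nab.com the one the employee typed.

```python
"""Outbound mail check for look-alike domains and exposed recipient lists.

Added example; it is not code from the original post or from NAB. The
organisation's domains and the two sample messages are constructed here.
"""
from email import message_from_string
from email.utils import getaddresses

# Domains this organisation actually controls (assumption for the example).
ORG_DOMAINS = {"nab.com.au"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def looks_like(domain: str, org_domain: str) -> bool:
    """True when an external domain is a plausible mistyping of an org domain."""
    if domain == org_domain:
        return False
    # nab.com vs nab.com.au: same leftmost label, different suffix.
    same_left_label = domain.split(".")[0] == org_domain.split(".")[0]
    return same_left_label or edit_distance(domain, org_domain) <= 2


def check_outbound(raw_message: str, org_domains=ORG_DOMAINS,
                   max_visible_external: int = 1) -> list:
    """Return a list of findings; an empty list means the message may be sent."""
    msg = message_from_string(raw_message)
    findings = []
    visible_external = []   # external addresses every recipient will see
    for header in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                findings.append(f"{header}: malformed address {addr!r}")
                continue
            domain = addr.rsplit("@", 1)[1].lower()
            if domain in org_domains:
                continue
            if header != "Bcc":
                visible_external.append(addr)
            for org in org_domains:
                if looks_like(domain, org):
                    findings.append(f"{header}: {addr} is at {domain}, a look-alike of {org}")
                    break
    if len(visible_external) > max_visible_external:
        findings.append(f"{len(visible_external)} external addresses are visible "
                        "to each other in To/Cc; use Bcc")
    return findings


# Constructed messages: the first repeats the slip described above.
MISTYPED_CC = """\
From: migrant.banking@nab.com.au
To: new.customer@example.com
Cc: migrant.banking@nab.com
Subject: Your new account details

Your BSB, account number and NAB number are below.
"""

CORRECT_CC = MISTYPED_CC.replace("Cc: migrant.banking@nab.com\n",
                                 "Cc: migrant.banking@nab.com.au\n")

if __name__ == "__main__":
    for finding in check_outbound(MISTYPED_CC):
        print("BLOCK:", finding)
    print("clean message findings:", check_outbound(CORRECT_CC))
```

The look-alike test is deliberately loose: a false positive costs the sender a confirmation click, a false negative costs 60,000 customer records. In a real gateway the same function would run as a milter or transport rule with the organisation's full domain list.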

Monday 16 January 2017

Ploutus-D: A new variant of ATM malware infects systems in Latin America


Ploutus… Doesn't it sound a little familiar?

Let's have a look…

Ploutus is a sophisticated ATM malware family first discovered in Mexico in 2013, and one of the most advanced seen in the last few years. It enabled criminals to empty ATMs using either an external keyboard attached to the machine or SMS messages, a technique that had never been seen before.

FireEye Labs recently identified a previously unobserved version, dubbed Ploutus-D, that interacts with KAL's Kalignite multivendor ATM platform. The samples identified targeted the ATM vendor Diebold, but the most worrying aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Once deployed to an ATM, it makes it possible for a money mule to obtain thousands of dollars in minutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick the lock), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there is some risk of the money mule being caught on camera, the speed of the operation minimises that risk.

What is new in Ploutus-D:

  1. Uses the Kalignite multivendor ATM Platform
  2. Configured to control Diebold ATMs
  3. Runs on ATMs running Windows 10, Windows 8, Windows 7 or XP.
  4. Has a different GUI
  5. Comes with a Launcher, that attempts to identify and kill security monitoring processes to avoid detection
  6. Uses a stronger .NET obfuscator called Reactor


The similarities between Ploutus and Ploutus-D:

  • Main purpose is to empty the ATM without requiring an ATM card.
  • Attacker must interact with the malware using an external keyboard attached to the ATM.
  • An activation code is generated by the attacker, which expires after 24 hours.
  • Both were created in .NET.
  • Can run as Windows Service or standalone application.


The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.

The malware adds itself to the Winlogon “Userinit” registry value to gain persistence; the value is located at:
\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
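Because Userinit is a comma-separated list that Winlogon runs at every logon, the persistence check is simply "is there anything in it besides userinit.exe?". The following is an added example, not FireEye's code or the malware's: it parses the text a responder gets from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` on the ATM's Windows image and reports every extra entry. The sample output and the launcher path `C:\ATM\Launcher.exe` in it are hypothetical placeholders, not an indicator from the analysis.

```python
r"""Check the Winlogon Userinit value for extra entries (Ploutus-D persistence).

Added example; not FireEye's code or the malware's. The sample text imitates
the output of:
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
and the launcher path in it is a hypothetical placeholder.
"""
import re

# What a clean Userinit normally holds (the trailing comma is normal).
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}


def parse_reg_query(text: str) -> dict:
    """Parse 'reg query' output into {value_name: data}; data may contain spaces."""
    values = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = parts[2]
    return values


def normalise(entry: str) -> str:
    """Case-fold, drop quotes and expand %SystemRoot% so comparisons are stable."""
    e = entry.strip().strip('"').lower()
    return e.replace("%systemroot%", r"c:\windows")


def check_userinit(data: str) -> list:
    """Return every comma-separated Userinit entry that is not the expected one."""
    entries = [normalise(e) for e in data.split(",") if e.strip()]
    return [e for e in entries if e not in EXPECTED_USERINIT]


# Constructed sample: a host where a launcher has been appended to Userinit.
INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\ATM\Launcher.exe,
"""

CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

if __name__ == "__main__":
    for label, dump in (("infected", INFECTED), ("clean", CLEAN)):
        extra = check_userinit(parse_reg_query(dump)["Userinit"])
        print(label, "->", extra or "no unexpected Userinit entries")
```

On a live ATM image the same check can read the value directly with Python's `winreg` module; the text-parsing form is used here so the example runs offline against a saved dump, which is also what you will usually have during forensics.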

The attacker must interact with the Launcher by connecting a keyboard to the ATM's USB or PS/2 port.


“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.

The Launcher drops legitimate files onto the system, such as the KAL ATM software, alongside Ploutus-D. This makes sure that all the software and versions needed to properly run the malware are present in the same folder, avoiding dependency issues.

Ploutus-D could allow crooks to steal thousands of dollars in minutes, reducing the risk of being caught on CCTV while taking the money.

To install the malware, attackers likely have access to the targeted ATM software. The experts also speculate that crooks could buy physical ATMs from authorised resellers, which come preloaded with vendor software, or in the worst case steal the ATMs directly from the bank.


Wednesday 4 January 2017

Can hackers change travelers' flight bookings?

A German cyber-security expert warned after a remarkable hacking experiment that "almost anyone with basic computer skills can change online bookings and steal flights". Online booking provides convenience for passengers, but the ageing computer systems used for the purpose are vulnerable to fairly primitive hacks.

The system, used by millions of travellers each day and inter-connected to share data between travel agencies, airlines, passengers and websites, is incredibly insecure. Attackers can easily modify other people’s reservations, cancel their flights and even use the refunds to book their own tickets.

German security firm SR Labs said that only a traveller's surname and a six-character Passenger Name Record (PNR) locator are needed to look up personal information about people as well as make changes to their bookings. Details such as names, addresses, credit card information and travel plans are all accessible to anyone holding those two values, because surname and PNR are an insecure direct reference to the booking.

These outdated systems let travellers check in online and let price-comparison websites build their listings, but their reliance on surname and PNR is the weakest link.

The PNR, being the most sensitive piece of information, should be protected from disclosure and during storage. But the PNR isn't kept secret. It is printed on every luggage tag. It used to be printed on boarding passes too, until it was replaced by a barcode, but the barcoded version can be read just as easily, and travellers often make things easy for would-be attackers by throwing their boarding passes in the trash or even posting photos of them online as part of their travel excitement.

The potential harm from the combination of surname and PNR is great enough on its own, and the data can be further used to launch targeted phishing attacks. This isn't the first time, either: in August, a researcher said that the names, credit card numbers and flight data of millions of airline passengers in Europe could be accessed because of security gaps at Germany’s largest wholesale ticket dealer.

The newspaper report also noted that every link to an itinerary receipt distributed by the wholesale dealer Aerticket ended with an 8-digit number, and that the receipts were not access-controlled on the server: changing the digits at the end of a receipt link let a user view other travellers’ tickets, invoices, routes and credit card numbers.
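Both flaws above are the same mistake: the reference in the URL is a guessable database key. The following added example, not code from SR Labs, Aerticket or any booking system, serves the same receipt records two ways, by sequential 8-digit number and by a 128-bit random token, and shows what an attacker holding one link can do in each case. The records, the host name `receipts.example` and the numbering are constructed for the example.

```python
"""Sequential receipt numbers versus unguessable tokens in itinerary links.

Added example; not code from SR Labs, Aerticket or any booking system. The
receipt records, the host name and the 8-digit numbering are constructed.
"""
import secrets

TOKEN_BYTES = 16                    # 128 bits of randomness per link
HOST = "https://receipts.example"   # hypothetical


class ReceiptStore:
    """Serves each itinerary receipt two ways: by sequential number and by token."""

    def __init__(self, first_number: int = 10_000_000):
        self._by_number = {}
        self._by_token = {}
        self._next = first_number

    def add(self, record: dict):
        number = self._next
        self._next += 1
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_number[number] = record
        self._by_token[token] = record
        return number, token

    # The vulnerable pattern: the reference in the URL is the database key.
    def sequential_link(self, number: int) -> str:
        return f"{HOST}/itinerary/{number:08d}"

    def lookup_by_number(self, number: int):
        return self._by_number.get(number)

    # The hardened pattern: the reference is a random capability token.
    def token_link(self, token: str) -> str:
        return f"{HOST}/itinerary/{token}"

    def lookup_by_token(self, token: str):
        return self._by_token.get(token)


def enumerate_neighbours(store: ReceiptStore, known_number: int, width: int) -> list:
    """What an attacker holding one sequential link can do: walk adjacent numbers."""
    return [n for n in range(known_number - width, known_number + width + 1)
            if store.lookup_by_number(n) is not None]


def guess_tokens(store: ReceiptStore, attempts: int) -> int:
    """Same attacker against token links: random guesses that hit a real receipt."""
    return sum(1 for _ in range(attempts)
               if store.lookup_by_token(secrets.token_urlsafe(TOKEN_BYTES)) is not None)


def expected_guesses_per_hit(records: int, token_bits: int = TOKEN_BYTES * 8) -> float:
    """Rough cost of a blind guessing attack: keyspace divided by live records."""
    return 2 ** token_bits / records


def build_demo_store() -> ReceiptStore:
    """Constructed receipts; names and routes are fictional."""
    store = ReceiptStore()
    for name, route in (("A. Traveller", "FRA-SIN"),
                        ("B. Traveller", "MUC-JFK"),
                        ("C. Traveller", "HAM-LHR")):
        store.add({"passenger": name, "route": route})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    mine = 10_000_001   # the one receipt number the attacker legitimately holds
    print("my link:", store.sequential_link(mine))
    print("neighbouring receipts readable:", enumerate_neighbours(store, mine, 5))
    print("token guesses that hit:", guess_tokens(store, 10_000))
    print("expected guesses per hit with tokens:", f"{expected_guesses_per_hit(3):.2e}")
```

The token alone only makes the link unguessable; it still has to be treated as a bearer secret (sent over HTTPS, not logged, ideally expiring), and the server should still check that the requester is entitled to that receipt. The same reasoning applies to the surname-plus-PNR case: six alphanumeric characters is a far smaller keyspace than 128 bits, and the surname is not secret at all.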

Tuesday 3 January 2017

LG smart TV infected by Frantic Locker ransomware!

For several years, ransomware for Android phones has been a hot topic, and it was only a matter of time until such malicious programs started affecting smart TVs, especially those that run Android.

On Dec. 25, Kansas-based software developer Darren Cauthon reported that his wife had accidentally infected his Android-based TV with ransomware by downloading a movie-watching app. The majority of ransomware apps on Android are screen lockers, which display a message on the screen and prevent users from performing any action until they pay a ransom.

The ransom message Cauthon received read roughly as follows:

DEPARTMENT OF JUSTICE

FEDERAL BUREAU OF INVESTIGATION
FBI HEADQUARTERS
WASHINGTON DC DEPARTMENT, USA

AS A RESULT OF FULL SCANNING OF YOUR DEVICE, SOME SUSPICIOUS FILES HAVE BEEN FOUND AND YOUR ATTENDANCE OF THE FORBIDDEN PORNOGRAPHIC SITES HAS BEEN FIXED. FOR THIS REASON YOUR DEVICE HAS BEEN LOCKED.

INFORMATION ON YOUR LOCATION AND SNAPSHOTS CONTAINING YOUR FACE HAVE BEEN UPLOADED ON THE FBI CYBER CRIME DEPARTMENT'S DATACENTER.

Cauthon tried to fix the issue by rebooting the TV, but it booted straight back into the ransomware screen above. It demanded a ransom of $500, so he contacted LG support to help him restore the TV with a factory reset. The LG technician replied that they could not disclose the instructions to customers and recommended a service visit for a fee of around $340.


Later, the solution was provided: a factory reset of the LG TV.
"With the TV powered off, place one finger on the settings symbol then another finger on the channel down symbol. Remove finger from settings, then from channel down, and navigate using volume keys to the wipe data/ factory reset option."

This boots the TV into recovery mode, from which the data partition can be wiped. That deletes all user settings, apps and data, and is the equivalent of a factory reset.

The ransomware app in this case was only a screen locker and did not encrypt files. But smart TVs have USB ports and allow external hard drives to be connected for watching personal videos or photo collections, so there is a risk of all that data being encrypted, a serious one if it isn't backed up.

Monday 2 January 2017

Can I get the private email address of any Facebook user ?

Facebook last week issued a bounty of $5000 to bug hunter Tommy DeVoss, a software developer from Virginia, for discovering a vulnerability that allowed an attacker to view the registered email address of any user.

DeVoss said that he was able to harvest the email addresses of user accounts without the victim's knowledge, regardless of whether the victim had kept their email address private. After several email exchanges, Facebook confirmed the discovery as a vulnerability and awarded $5000.

The bug was discovered in Facebook Groups, the user-generated module that lets a user create an affinity group on Facebook. DeVoss found that an administrator of a Facebook Group could invite any Facebook member, via Facebook’s own system, to take on an admin role, with functions such as editing posts and adding new members.

The invitations the admin created were sent to the invited recipient's Facebook inbox and to the email address associated with their account. Whether or not the Facebook user was his friend, DeVoss was able to get their registered email address.

When the admin cancelled the pending invitations to those invited to be Facebook Group administrators, he was forwarded to a Page Roles tab that includes a Cancel Invitation button. On switching to Facebook’s mobile view of the Page Roles tab, the admin could view the full email address (in plaintext in the URL) of anyone he was about to cancel as a Facebook Group administrator.
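An email address in a URL does not stay in the browser: it lands in server access logs, proxy logs, browser history and Referer headers. The following added example, which is not Facebook's code and not DeVoss's proof of concept, is the check a defender can run over access logs to catch this class of leak: it percent-decodes each request target and reports any that carries an email address. The log lines are constructed in Combined Log Format with documentation (RFC 5737) client addresses and hypothetical paths; the second line shows the safe alternative, an opaque invitation identifier.

```python
"""Scan web-server access logs for e-mail addresses carried in request URLs.

Added example; not Facebook's code and not DeVoss's proof of concept. The
log lines below are constructed with documentation (RFC 5737) addresses and
hypothetical paths.
"""
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: line 1 leaks an address, line 2 uses an opaque invite id.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2017:10:00:01 +0000] "GET /pages/roles?cancel=alice%40example.com HTTP/1.1" 200 512
203.0.113.5 - - [02/Jan/2017:10:00:02 +0000] "GET /pages/roles?cancel=inv_8f3a2c HTTP/1.1" 200 512
198.51.100.7 - - [02/Jan/2017:10:00:03 +0000] "POST /login HTTP/1.1" 302 0
"""


def find_pii_in_urls(log_text: str) -> list:
    """Return (line number, raw target, e-mail) for every request URL carrying an address.

    The target is percent-decoded first, because '@' is normally sent as %40.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group("target"))
        for email in EMAIL_RE.findall(decoded):
            findings.append((lineno, m.group("target"), email))
    return findings


if __name__ == "__main__":
    for lineno, target, email in find_pii_in_urls(SAMPLE_LOG):
        print(f"line {lineno}: {email} exposed in {target}")
```

The fix on the application side is what line 2 of the sample shows: reference the pending invitation by an opaque identifier that only the server can map back to an account, never by the address itself.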

This contradicts Facebook’s privacy policy, and harvesting email addresses like this could enable targeted phishing attempts or other malicious uses.

Facebook has paid more than $5 million to 900 researchers over five years, and $611,741 to 149 researchers in the first half of 2016 alone.