Banking Trojans & Site Vulnerabilities Lurk in the Shadows

Major data breaches grab the headlines, while CUs and consumers deal with behind-the-scenes online headaches.

While massive breaches such as those at the Marriott chain and Quora deservedly attract most of the attention, a new banking bot menace and jewelry website vulnerabilities also loom as threats.

The DanaBot banking Trojan is back, and has expanded beyond banking to compromise email accounts, harvesting email addresses and sending out spam straight from the victim’s mailbox. The latest variant of the malware achieves this by injecting JavaScript code into the pages of specific web-based email services. Among the targets are all email solutions based on Roundcube, Horde, and Open-Xchange.

According to Bleeping Computer, malware analysts at ESET found that one of the webinject scripts used by DanaBot can send out malicious messages from the owner’s account, as replies to emails in the inbox. Because the message arrives as a reply from a sender the recipient already trusts, this tactic accomplishes two goals: increasing the chance of the message bypassing spam protections, and increasing the likelihood of the recipient opening the malicious attachment.

“Previously the DanaBot focused on mainly harvesting banking credentials by a similar means to the new threat, essentially by compromising the bank’s web portal,” said Will LaSala, director, security solutions and security evangelist at Chicago-based cybersecurity company OneSpan. “It would steal usernames and passwords. With the new functionality, it appears that they are focusing on just harvesting email addresses, from all sorts of different companies.”

LaSala further explained that the change in direction of DanaBot shows that attacks which started in banking are moving beyond banking. “Attacks such as Marriott, British Airways and Newegg were for private information, and on the black market this private information is valuable. Private information helps criminals open new accounts and appear legitimate.” He added that the more private information is stolen, the more difficult it will be for organizations to protect themselves from fraudulent accounts. “This showcases the fact that all forms of internet communication need to be protected and companies should be vigilant in patching security holes as soon as they can.”

Meanwhile, last week Krebs on Security broke the news that major jewelry chains Jared and Kay Jewelers have fixed a website vulnerability that exposed the sensitive order information of all their online customers.

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who discovered that slightly modifying a link within a confirmation email, and then pasting it into a web browser, revealed another customer’s order. This vulnerability exposed sensitive personal information including the customer’s name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

The CISO at Signet, which operates over 3,500 stores primarily under the name brands of Kay Jewelers, Zales, Jared, H.Samuel, Ernest Jones, Peoples, Piercing Pagoda, and JamesAllen.com, said they fixed the problem for all future orders, but didn’t address the data exposure on past orders until contacted by Krebs. Signet said the problem affected only orders made online through jared.com and kay.com.
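The Jared/Kay flaw is the classic pattern of an order lookup keyed only on an identifier taken from the URL. The following is an added illustration, not code from Signet, Krebs or the original article; the order table, customer names and server key are constructed sample values. It shows the broken lookup beside two hardened forms: one that ties the lookup to the logged-in customer, and one for login-free email links that binds an unguessable HMAC token to the order ID so that editing the ID in the link no longer works.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: sequential order IDs make the IDs guessable,
# which is exactly why ownership or a token must be checked.
@dataclass
class Order:
    order_id: int
    customer_id: str
    card_last4: str

ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", "4242"),
    1002: Order(1002, "bob", "1881"),
}

# Placeholder secret for the example; a real deployment loads this from a secret store.
SERVER_KEY = b"EXAMPLE-SERVER-KEY-NOT-REAL"

def vulnerable_lookup(order_id: int) -> Optional[Order]:
    """Broken pattern: trusts the ID in the URL, so any customer can read any order."""
    return ORDERS.get(order_id)

def safe_lookup(order_id: int, session_customer: str) -> Optional[Order]:
    """Hardened: the order must belong to the authenticated customer.
    A foreign order looks identical to a missing one, so IDs cannot be enumerated."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer:
        return None
    return order

def link_token(order_id: int) -> str:
    """Unguessable token embedded in confirmation-email links, derived from the
    order ID with a keyed hash; it cannot be computed without SERVER_KEY."""
    return hmac.new(SERVER_KEY, str(order_id).encode(), hashlib.sha256).hexdigest()

def lookup_from_link(order_id: int, token: str) -> Optional[Order]:
    """Login-free lookup for email links: the token must match the ID in the link.
    compare_digest avoids leaking the token through timing differences."""
    if not hmac.compare_digest(link_token(order_id), token):
        return None
    return ORDERS.get(order_id)

if __name__ == "__main__":
    # Alice's legitimate link, then the same link with the order ID edited to 1002.
    tok = link_token(1001)
    print(lookup_from_link(1001, tok))   # Alice's own order
    print(lookup_from_link(1002, tok))   # None: token is bound to order 1001
```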

Bryan Becker, application security researcher at San Jose, Calif.-based WhiteHat Security, commented: “Vulnerabilities and weaknesses in websites are incredibly common— even among high profile organizations, such as Jared and Kay Jewelers. Many businesses are still unaware of the risk factor of their websites, or have delayed taking appropriate action due to funding issues or prioritization.” Becker said in the case of Jared and Kay Jewelers, lax security exposed a great deal of personally identifiable information to any adversary taking advantage of common web vulnerabilities. “This opens individuals up to identity fraud, order theft and more.”

Becker suggested, “Year-round, but especially during the uptick in online holiday shopping activity, companies must be proactive, not just reactive, in regards to application security. Continuous testing and auditing of applications is now a requirement, not an option.” Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites and databases. “Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle, with proper security training and certifications.”