
posted by mrpg on Saturday February 23 2019, @04:00PM
from the [...] dept.

Submitted via IRC for SoyCow1984

Hackers Use Compromised Banks as Starting Points for Phishing Attacks

Cybercriminals attacking banks and financial organizations use their foothold in a compromised infrastructure to gain access to similar targets in other regions or countries.

In a report released today and shared with BleepingComputer, international security company Group-IB, which specializes in preventing cyber attacks, describes a so-called cross-border domino-effect that can lead to spreading an infection beyond the initial target. The report is based on information from incident response work conducted in 2018 by the company's team of computer forensics experts.

The incident response activities at various financial institutions revealed that in some cases the attacker used their access to send emails to other banks and payment systems.

"So the threat actor definitely carried out attacks beyond its initial targets," a company representative told us.


  • (Score: 4, Informative) by bzipitidoo on Saturday February 23 2019, @05:46PM (2 children)

    I've seen enough bad email messages from banks that leave me doubting they have any clue at all about online security. They're full of links, for customer convenience of course. But to me, that screams that it is an attack. Once or twice I even called to make sure an email that looked suspicious really was from the bank. I am pretty cautious about following links in emails, as that's exactly what the attackers want. "Click here to log into your account" Yeah, right. Admittedly, manually typing the link into the URL bar is not 100% guaranteed either, but it's a whole lot safer than clicking a mystery link in an email.

    Other parties bear some blame for the situation. Browsers and email clients don't exactly make it easy to tell spoofed links from real ones, though they have gotten better. The design of HTML's anchor tag, <A>, which allows the displayed text to have no relationship whatsoever to the URL, turned out to be a big mistake. For that matter, the design of the URL naming system leaves much to be desired. Heck, even the web designers admitted the "//:" was unnecessarily verbose. As for JavaScript, when you need more security, best just to turn it off. And if the bank's site can't work without JavaScript, maybe you ought to change banks.

  • (Score: 0) by Anonymous Coward on Saturday February 23 2019, @10:43PM

    IT in the adult world is not giving cause for embarrassment relative to your peers. For banks, that means following whatever recommendations a recognized board of experts puts out, such as password requirements, aging, security questions etc.

    Though I prefer my encoded answers to security questions over having to use google 2fa.

  • (Score: 2) by Pino P on Sunday February 24 2019, @03:47PM

    And if the bank's site can't work without JavaScript, maybe you ought to change banks.

    Let's say I want to establish a bank account. These are among the requirements:

    • Account holders in my city can deposit cash or personal checks received from friends or relatives, such as a check received through the mail in a birthday card
    • Viewing statements, paying bills, and transferring money requires neither JavaScript nor WebAssembly nor downloadable native proprietary software

    Last I checked, depositing cash or checks required the use of an ATM or branch, and deposits were less likely than withdrawals to work at a different bank's ATM network.

    How likely is it that a banker in any branch of a bank with local ATMs will be familiar with whether or not the bank's website requires script? And even if some bankers are technical enough to understand this (or at least knowledgeable enough to forward your question to the right person), how likely is it that at least one local bank will work without script?