Alerts

Below are some of the most recent cyber alerts that the Forum have been made aware of.
These will be updated regularly, so check back for more information.

Banking & Corporate Fraud
CEO Fraud – Medical Practices Targeted
Medical practices are increasingly being targeted by fraudsters using a strong social engineering approach. The fraudsters send emails purporting to be from senior partners requesting payments under the pretence of a highly sensitive or urgent transaction. Initial contact appears to be primarily made via email from an address similar to the one that the senior partner would use, although the suspect may telephone to complete the fraud if required.

Cyber

Stealth Ravens – DDoS Extortion
Action Fraud reports have identified a DDoS-extortion group named ‘Stealth Ravens’. Over the period of a week in late January, six medium to large companies received emails (from two different email accounts) claiming that unless they paid a demand of 10 Bitcoins before a specified date, their public-facing websites would be subject to full DDoS attacks. A demonstration DDoS was then performed on a company server for a brief period (however, this did not impact the companies’ public websites). None of the companies paid the demand, and none of the DDoS threats were subsequently followed through.

Dharma Ransomware
Ransomware has continued to be a key cyber crime threat over the past year. Dharma is a new type of ransomware that has been reported since 2016 but has increased dramatically since the start of the new year.
Dharma ransomware encrypts files on the server and adds the extension .wallet to the encrypted files. A text file is then placed on the victim’s desktop which instructs victims how to pay a ransom (typically 1-4 Bitcoins) to decrypt their files.

Dridex Banking Trojan
The Dridex banking Trojan has made a return in 2017. So far seen sporadically in phishing emails, the Trojan’s aim is to steal financial information from victims’ desktops and servers. This financial information is then either sold online or used to commit further fraud.

Investment Fraud
Binary Options Fraud
Binary Options, including Forex and Contract for Difference (CFD) trading, continues to be the largest issue within investment fraud, representing 55% of NFIB2E (Other Financial Investment) reports during January which stated a commodity.

Mass Marketing Fraud
Mobile Phone Lottery Fraud – Other Advance Fee Fraud
The Mass Marketing Fraud Desk highlighted the issue of a lottery fraud in January 2016. Victims are contacted by phone (text or call) by suspects purporting to be a mobile phone company and informed that they are a lottery winner. The reason given for their being a ‘winner’ may include the victim’s phone number or SIM card number being randomly selected in a ballot. The prize is typically £50,000 and an administration fee of approximately £500 is required to obtain the ‘winnings’.
The mobile phone company have now advised the NFIB that a new approach by the suspects has been seen, whereby a fraudulent website is set up to complement the SMS / call received by the victim.

.Loan Domain – Lender Loan Fraud
January recorded the first notable use of a .loan website domain for a lender loan fraud suspect. The .loan domain is classed as a generic top-level domain (gTLD), which is not restricted to specific users. The .loan domain was made generally available in August 2015 and was intended to provide a targeted keyword that connects businesses and people offering loans, credit, and related services with people looking for such services.
The .loan domain may have been used to add credibility to the fraud; however, it does not appear to be widely used by legitimate lenders. Furthermore, options for disruption action by law enforcement are not specifically impeded by the use of a specialist gTLD.

Money Laundering
Online Shopping – Phishing Emails
There has been an increase in reports that state an online shopping platform is a suspect organisation. Victims are reporting that they receive an email that appears to be from this platform, but this is actually a phishing email from an unknown suspect in order to collect the victim’s personal information. The email usually states that the victim has purchased a product on this online shopping platform and that to process a refund they need to click a link. There were 56 reports received in December 2016 and 215 reports received in January 2017.

Volume Crime
Boot Sale App
A boot sale app which allows consumers to buy and sell online has been the subject of 85 reports since 2014. 74 of these have been reported between February 2016 and January 2017. Reporting levels doubled between October, November and December. There has been a slight decline in January; however, this continues to remain higher than pre-September 2016. The total financial loss is currently £12,338.51 and the most sought-after item is a phone. 43 of the victims have paid via bank transfer. Fraudsters can exploit the app from both the perspective of the buyer and the seller.
The Modus Operandi (MO) when the suspect is the buyer is as follows: The victim identifies an item for sale that they wish to purchase and contacts the seller who requests the victim pays via bank transfer prior to the goods being sent via post. The item is not received and the victim is left unable to contact the seller.
The MO when the suspect is the seller is as follows: The suspect contacts the victim agreeing to purchase the item advertised. The suspect agrees to purchase and sends the victim a spoofed PayPal email stating that the funds would be released when a tracking number has been provided. The victim sends the item to the suspect but the suspect does not pay the funds as promised.

 

Risk of Trojanised Android apps
A family of mobile malware known as ‘Dresscode’ has been masquerading as legitimate Android apps since April, according to cybersecurity researchers. Over 3000 apps with embedded Trojans, including games, skins and phone optimisation tools, have been identified on sale from Android app stores, including 400 in the Google Play store alone.

Reducing risks
Google Play claim to have taken the necessary actions to remove Dresscode-infected apps from their store. However, there are likely to be other outlets from which users may unwittingly download this malware. Nevertheless, there are measures you can take to reduce risks, including performing regular OS updates and only downloading apps from legitimate stores and trusted publishers.

New Ransomware ‘Satana’
A new form of ransomware, dubbed Satana, has been discovered by Kaspersky Lab. Once it has gained access to a PC, the malware encrypts files and corrupts the Windows Master Boot Record (MBR), which prevents computers from booting the operating system. It is reported as being similar to Petya; however, whereas Petya encrypts the master file table, Satana encrypts the MBR. Petya relied on the help of a tag-along Trojan called Mischa, whereas Satana manages both tasks on its own. The ransom is said to be Bitcoins to the approximate value of £259.00. Kaspersky state it is possible for advanced users to fix the MBR lock without needing to pay.

Weak passwords exploited
Interestingly, the Mirai source code reveals the username and password combinations used to brute force IoT devices, as well as the manufacturers targeted. In total, there are just 68 username and password combinations written into the code. This is a small figure considering the huge number of IoT devices involved in the botnet which attacked the Krebs site.

Manufacturers have learned one important lesson from the Krebs DDoS incident: the use of factory-set/default passwords limits the security of their devices, making them increasingly vulnerable to attack.

 

Buying or selling a house?
Conveyancers are being urged to be on their guard for cyber criminals attempting to snatch proceeds of house sales from the rightful recipients. It is believed that the offenders initially hack into communications sent between the conveyancer and their client, before posing as one of the parties in the sale and sending an email confirming a change in the bank details to be used for deposit or transaction. The National Fraud Intelligence Bureau (NFIB) has received a number of reports of those involved in the buying or selling of houses being targeted by fraudsters.

SWIFT Improves Security
SWIFT, the global bank messaging system, which was recently targeted in a multi-million-dollar hack, has beefed up its cyber security following the fraudulent attack. SWIFT oversees the international transfers of major financial institutions and has called in support from specialists BAE Systems and Fox-IT to increase its ability to respond to threats and investigate incidents, working alongside its in-house team of cyber experts. The previous heist netted hackers $80m; they were, however, prevented from taking more as a result of a typo on one of the transfers they made from the New York Fed.

What is Smishing?
Security experts have warned people about a spate of banking scams in which hackers send texts to phones in an attempt to steal money. This is known as ‘Smishing’ – a combination of phishing and SMS. A popular tactic of scammers is to send warnings about ‘suspicious’ activity on users’ accounts. These messages emphasise how important it is that the victim takes action immediately, normally by transferring their money into a new account. Often this threat appears serious enough to persuade people to click links or ring numbers, where the criminals are waiting to steal their passwords and other personal information. It is vital to be highly vigilant when banking via your phone. You should be very suspicious of clicking any links in a text message from your bank.

 

Fake Mailboxes – Fraudsters are placing fake letter boxes on residential properties in an attempt to harvest mail.

PayPal Alert – Fraudsters are increasingly exploiting the ‘family and friends’ personal transaction facility to defraud victims.

Spoof Vehicle Escrow Emails – Online shopping websites are being used by fraudsters to advertise vehicles for sale which do not exist.

DDoS Attacks – from the Economic and Cyber Crime Prevention Centre.

Euro 2016 Ticketing Fraud – The 2016 European Football Championships will begin shortly and those wanting to purchase last minute tickets are likely to be targeted by fraudsters.

Employment Fraud – Nannies and models are currently the most likely targets for employment fraud.

Counterfeit Cheques – The NFIB has seen an 84% increase in the number of counterfeit cheque frauds reported to Action Fraud.


Smishing is when fraudsters obtain personal details of a victim by SMS text messages. SMS phishing uses phone text messages to deliver the bait to induce people to divulge their personal information. Fraudsters can go on to use this personal information to commit fraud.