Report

Weekly Threat Report 24th October 2016

Created:  25 Oct 2016
Updated:  25 Oct 2016
This report is drawn from recent open source reporting.

Threat assessment and trend analysis

Online Shoppers getting more than they bargained for.

A recent study has revealed an increase in the number of e-commerce websites infected with card-‘skimming’ malware.

Attackers have reportedly been exploiting unpatched software vulnerabilities in commonly used e-commerce software to modify the site’s source code. The modified JavaScript code then exfiltrates card details in real-time. These details are transferred to an off-shore collection server, with both the customer and merchant typically left unaware. Skimmed credit card details are often then sold on the Dark Web for approximately £24 a card.

Online skimming is a new form of card fraud which is a rapidly growing trend. It is reported that an initial scan of 255,000 online stores worldwide identified 3,501 infected sites in November 2015. Ten months later the number of compromised sites had risen to 5,925. The list of compromised sites is diverse, with a number of UK sites reportedly victims of this attack methodology. The capability of the malware used in these attacks has also developed. In 2015 all reported cases involved minor variations of the same code base.  However, a number of distinct malware families are now said to have been identified.

Due to the low sophistication, low cost and quick financial returns, we assess it is likely card skimming will continue to grow in popularity among cybercriminal groups.

Banks under-reporting cyber incidents

According to reporting, the number of cyber attacks on UK banks is increasing, yet this is not reflected in the number of incidents reported to regulators.

UK Financial Institutions are not legally bound to report all cyber incidents to their regulators; the Financial Conduct Authority (FCA) requires only events which have had a material impact to be reported. However, it is claimed that this is allowing banks to limit the number of incidents they publicly disclose. Commercial disadvantage and fear of punishment are some of the reasons stated for this self-limiting disclosure.

However, valuable lessons are routinely shared between financial organisations. The global banking system is heavily interconnected, with the security of individual organisations integral to the efficient functioning of the sector. Information sharing on threats, vulnerabilities and attack methodology is necessary to enhance the collective resilience of financial institutions and other vital sectors, more widely.

Targeted Advertising – protecting our personal data

We are all using services seemingly for free; services such as social media platforms, free wifi and even those handy Apps that provide a torch or compass on your phone. However, users may not be aware that they are paying for ‘free’ Apps with their personal data.

These companies mostly make their money by selling data about the user, so that advertisers can be smarter about how they use their budget and reach their target audience.

The internet advertising industry is massive; digital advertising spending in the UK has grown 800% in the last ten years to over GBP 7bn and accounts for 40% of all advertising share. Mobile advertising is 23% of all digital advertising and is growing fast. Social media advertising alone is around GBP 1bn.

Targeted advertising allows advertisers to reach a specific group of potential customers without wasting money, time and effort on those outside their target demographic, They are able to do this because website, mobile Apps and communication service providers sell them not only the space to advertise but also the attributes of the audience; this could be age, gender, ethnicity, location and even likes and dislikes.

While this might seem harmless or even beneficial, cybercriminals could potentially exploit this personal data, if not well secured, for identity theft or to socially engineer further targeted attacks. To mitigate the risk it is prudent to be aware of what you are allowing your service providers to access, obtain Apps from reputable sources, evaluate the permissions that they request, and only allow access to personal data if necessary.

 

Vulnerabilities

IoT botnets take down US DNS services

On Friday 21 October, several US websites including Twitter and PayPal were taken down by a DDOS attack against the Domain Name System (DNS) provider, Dyn. Because many companies globally use the services provided by Dyn, they may have been impacted without necessarily being the intended victim.

It was reported that the Internet-of-Things (IoT) botnet known as Mirai was involved in the attack, though this may only have made up portion of the actual DDOS traffic. IoT botnets are growing trend with many household ‘smart’ products operating using default username and passwords. Specific malware scours the internet to seek out and spread to potentially millions of unsecured devices, which are then used to launch DDOS attacks such as this.

While the internet is by its nature resilient and carries significant redundancy, this flexibility disappears if sites depend on single platforms for core services, such as DNS provision.

 

Please log in to CiSP for more information on all of these issues. Register now at www.ncsc.gov.uk/cisp.

Was this report helpful?

We need your feedback to improve this content.

Yes No