
Websites want me to remove my Ad-blocker

More and more sites I visit are detecting that I use an ad-blocker and asking me to either pay a daily or monthly fee to access their content, or whitelist the site in my system.  If the content is valuable and not available free from other sites, I would not mind having a small subscription and getting a regular feed.  Removing my ad-blocker or white-listing a site may, however, result in your system being compromised, because the ads being delivered may contain harmful code from fraudsters and users with malicious intent who buy ad space from ad re-sellers.  As can be seen from the image, the anti-virus is blocking a potential risk from an ad-delivering site trying to run JavaScript on the workstation.

(Image: Possible threat from an ad being delivered)

Websites wanting ads to be displayed on your system have no idea what risk they deliver to unsuspecting users.

In the future, ads will be blocked more at the enterprise level on all platforms as it is realized that the threat is bigger than previously thought.  This is all due to fraud syndicates embracing technology to compromise yet another layer of the defense.

I would recommend not allowing any ads while browsing the Internet, or at least having current and good anti-virus on your system, and not logging onto your system with a privileged account.

Bank Re-branding – Criminal Exploitation

ABSA Bank, from which Barclays has divested, re-branded itself with a new logo and some fanfare.  As expected, the criminals were waiting for such an event to exploit bank clients during the ‘transition’ phase.  The interesting fact here is that the compromised sites hosting the phishing code are mostly in South Africa.  This shows that the fraudsters are actively thinking about their attack vectors.  If an unsuspecting ABSA client clicks on the link in the phishing email and is directed to a local site, it will look legitimate and the risk of account compromise is higher.

(Image: Compromised site)

One of the emails received contained a link to a local (.co.za) site called http://absaonlineupgradeservicesecure(.)co(.)za and, reviewing the registration details, it was noted that this site was registered on behalf of a client through MWEB.

(Image: Planning process)

Having obtained the source code from a compromised site, the analysis was quite simple, and it seems that the ‘hackers’ are not that thorough about closing off access to the compromised site.  On one of the sites, we noted a text file that contained the results of the phished users.  There were also many test IP addresses which possibly show the source of the hackers; this was noted to be Ghana.

(Image: Possible fraudster source in Ghana)

Within the text file there were account numbers with PINs.  This information was forwarded to fraud@absa.co.za with all personal contact details in case they needed them for verification.  No communication was received after a week.  (Update: communication received after 9 days.)

The problem is that it is not possible to educate all users to NOT CLICK on a link, as the Internet was designed around clicking links.

Two approaches to combating cybercrime must be followed: one from the end-user side and the other from the bank side.  This is not an exhaustive list, but it will help to secure the eBanking process and make life more difficult for fraudsters.

End-users (bank clients) need to be educated, and this is an ongoing process.

(Image: Text file of compromised accounts on the compromised server)

The bank can use technology to combat online fraud, and some of the steps include:

  • Monitoring for increased access to the bank's logos in relation to the referring pages.  On its own this only indicates a possible new phishing campaign, but it allows active monitoring to be placed at a higher level of readiness.
  • Monitoring of client account access from outside the normal IP address ranges.  For example, if the source IP is outside South Africa (in this case), additional authentication should be required.
  • The bank should get actively involved with fraud notifications.  I have had two experiences now where two different banks did not respond.  The other was a possible fraud on a credit card, where one of the options was to block the card and phone the client back.  This was never done.  (Not ABSA here.)
  • The positive for ABSA here is the 2nd-level access, where the user-selected passphrase is broken up into multiple selections.  This makes it more secure against actual compromise.
  • Banks also need to supply 2-factor authentication at all times to ensure that a physical token (a mobile phone, for example) is required at all times.  I did experience problems with ABSA while travelling outside the country with the SecureCheck mobile app: the acknowledgement was never delivered and I could not do any transactions.
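As an added illustration of the first two monitoring measures above (this is example code written for this page, not code from the original post or from any bank), the following Python parses a few constructed web-server log lines to count requests for the bank logo whose referer is a host other than the bank's own, and lists login submissions whose source IP geolocates outside South Africa so that step-up authentication can be demanded.  The host names, IP addresses (documentation ranges) and the tiny prefix-to-country table are all assumptions standing in for a real site and a real GeoIP database.

```python
import re
from collections import Counter

# Constructed sample of Apache "combined" access-log lines (invented for this
# example, not real bank traffic).  IPs are from RFC 5737 documentation ranges.
ACCESS_LOG = """\
192.0.2.20 - - [10/Jul/2018:09:12:01 +0200] "GET /assets/logo.png HTTP/1.1" 200 5123 "https://www.examplebank.example/login" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2018:09:12:05 +0200] "GET /assets/logo.png HTTP/1.1" 200 5123 "http://examplebank-upgrade-secure.example/index.php" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2018:09:12:09 +0200] "GET /assets/logo.png HTTP/1.1" 200 5123 "http://examplebank-upgrade-secure.example/index.php" "Mozilla/5.0"
192.0.2.21 - - [10/Jul/2018:09:13:00 +0200] "GET /assets/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Jul/2018:09:13:30 +0200] "POST /login HTTP/1.1" 302 0 "https://www.examplebank.example/login" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2018:09:14:00 +0200] "POST /login HTTP/1.1" 302 0 "http://examplebank-upgrade-secure.example/index.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed stand-in for a GeoIP database: /24 prefix -> ISO country code.
GEO_TABLE = {"192.0.2": "ZA", "198.51.100": "GH", "203.0.113": "XX"}

def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def foreign_logo_referers(text, own_host, logo_path="/assets/logo.png"):
    """Count referer hosts other than own_host that load the bank logo.
    A new host showing up here is an early signal of a phishing page reusing it."""
    hits = Counter()
    for rec in parse_log(text):
        if rec["path"] != logo_path or rec["referer"] == "-":
            continue  # not the logo, or no referer sent (direct request)
        host = re.sub(r"^https?://", "", rec["referer"]).split("/")[0]
        if host != own_host:
            hits[host] += 1
    return hits

def country_of(ip):
    """Look the /24 prefix up in the stand-in table; unknown prefixes are flagged."""
    return GEO_TABLE.get(ip.rsplit(".", 1)[0], "UNKNOWN")

def logins_needing_step_up(text, home_country="ZA"):
    """Return client IPs that submitted a login from outside the home country."""
    return sorted({rec["ip"] for rec in parse_log(text)
                   if rec["method"] == "POST" and rec["path"] == "/login"
                   and country_of(rec["ip"]) != home_country})
```

In a real deployment the referer counts would be compared against a baseline per hour, since a legitimate partner site may also load the logo, and the flagged logins would be routed to an additional authentication step rather than blocked outright.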

This does not exclude the fact that the fraudsters may use other methods, such as a phone call or social engineering, to obtain the information they still lack to complete the fraud.

We have to acknowledge that some major changes have to take place in order to make it more secure for the end-user.  Combating fraud is a leap-frog exercise where bank security specialists have to be highly skilled and dedicated.