NEWS - September 12, 2012

"Cambridge security researchers have discovered serious problems with how ATMs authenticate transactions, though an industry group has shrugged off the method as too complex for scammers to use."

Security researchers say they have found a vulnerability in the ubiquitous chip-and-PIN system that could effectively allow bank cards to be cloned.

In a paper (PDF) presented to a cryptography conference in Belgium on Tuesday, the University of Cambridge researchers said the flaw undermined banks' claims that the chip-and-PIN or 'EMV' system was prohibitively expensive to clone.

"We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit," the researchers said in the paper's abstract.

The researchers said their work began after hearing of the case of a Mr Gambin, "a Maltese customer of HSBC who was refused a refund for a series of transactions that were billed to his card and which HSBC claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29 June 2011".

Method

Continued : http://www.zdnet.com/chip-and-pin-flaw-blamed-for-cloned-bank-cards-7000004130/

Also:
A picked pocket in Mallorca reveals crack in chip-and-PIN security
Chip and skim flaw lets crooks fake credit card transactions
Chip And Pin Flaw Uncovered By Cambridge Boffins
Chip and PIN payment card system vulnerable to "pre-play" attacks

Despite seemingly endless pontification, it's still too early to definitively say whether there's a connection between the Shamoon malware and recent attacks on Middle Eastern oil firms, yet some of the attackers' intentions may be getting clearer.

Research suggests the creators behind the recent Shamoon malware weren't high profile programmers but instead "skillful amateurs" who may have had politically driven motivations.

A new post by Kaspersky Lab researcher Dmitry Tarakanov on the firm's Securelist blog helps break down the malware's technical details and shortcomings further.

In one part of the analysis Tarakanov notes that the malware's author used a capital "S" instead of a lowercase "s." This "silly error" lead to a "spring" function failure and made it impossible for the malware to drop a file, let alone execute one.

Elsewhere, two files, "f1.inf" and "f2.inf," are produced by the malware that pose a fragment of a JPEG of a burning U.S. flag - the presence of the image should be easily noticed and according to Tarakanov was meant to be found. The image continues to populate itself, overwriting the hard drive with the JPEG, crudely filling the entire disk with data.

Continued : https://threatpost.com/en_us/blogs/research-paints-shamoon-creators-skillful-amateurs-091112

Also: Coding Errors in Shamoon Malware Suggest It May Be Work of Amateurs

From the ESET Threat Blog:

For years, cyber criminals have organized their operations and traded resources through discussion forums and auction sites. One popular item to trade is access to virus infected PCs for cash. These trading schemes are often called pay-per install (PPI) programs. We have recently started an investigation on a new type of pay-per install program, this time threatening Android devices.

We began our investigation by looking at domain names and malicious files related to what appears to be a Russian web forum used by the cyber criminals for marketing and supporting their PPI scheme. The forum started operating at the end of 2011. From the information we could gather, actors who successfully install malicious software on Android devices get paid between 2 and 5 US dollars per installation. This is much higher than the typical price for Windows PCs. As shown in the image below, taken from the front page of this web forum, the administrators of this program have even prepared graphics to attract as many crooks as possible. [Screenshot]

The software that is installed on Android devices is usually in the Android/TrojanSMS malware family. These malicious programs send SMS messages to premium rate numbers, bringing monetary profit to the malware operators. Our colleagues at Quickheal have blogged about one of these applications. [Screenshot]

Continued : http://blog.eset.com/2012/09/12/dancing-penguins-a-case-of-organized-android-pay-per-install

"Wide variaiton between vendors with Microsoft top"

How securely antivirus software has been configured varies widely between products with users of Microsoft's Security Essentials (MSE) the most likely to run protection using optimal settings, software certification firm OPSWAT has found.

Using numbers crunched from PC's running the company's OPSWAT's AppRemover tool (140,000 installations), MSE systems had realtime protection enabled in 94.6 percent of cases, slightly ahead of Avast, McAfee and Avira.

By contrast, Kaspersky Lab's Internet Security users only activated this important setting 65.5 percent of the time, with Norton Internet Security and Norton AntiVirus users not much better.

MSE users were also the best at updating frequency, with 94 percent updating in the previous week. Just under 65 percent of For Norton AntiVirus and McAfee VirusScan users had updated in the previous 60 days, something that would render the protection offered by the software moot.

Continued : http://news.techworld.com/security/3380737/antivirus-programs-often-poorly-configured-study-finds/

The U.S. Federal Trade Commission has begun mailing 93,086 refund checks totalling nearly US$2.3 million to consumers who were allegedly charged hidden fees by a fake work-at-home service that used Google's name to advertise.

The online work-at-home operation, which operated under the names Google Money Tree, Google Pro and Google Treasure Chest, deceptively used Google's name and logo, the FTC said in a Tuesday press release. The operation promised that consumers could earn $100,000 in six months after signing up to receive a work-at-home kit for a shipping fee of under $4, according to the FTC and court records.

The operation was not affiliated with Google, the FTC said.

The operation didn't tell consumers that, by ordering the work-at-home kit, they were disclosing their account information and would be charged an additional $72.21 each month, the FTC said.

Under a settlement with the FTC, the defendants are banned from selling products through so-called negative option transactions, in which the seller interprets consumers' silence or inaction as permission to charge them. The defendants are also prohibited from making misleading or unsupported claims while marketing or selling any product or service.

Continued : http://www.pcworld.com/businesscenter/article/262140/ftc_returns_23_million_from_online_workathome_scheme.html

The FTC Release: FTC Returns More than $2 Million to Buyers of the "Google Money Tree" Work-at-Home Scam

Also: "Google Money Tree" Work-at-Home Scam Victims Refunded by FTC

From TrendLabs Malware Blog:

Trend Micro and CSIS have released a joint white paper about the Tinba information-stealing malware. The paper contains a thorough technical analysis of the malware itself, as well as the architecture of its infrastructure, and its ties to other illegal activities.

What is Tinba?

Tinba got its name from its extraordinarily small size - its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

Tinba is delivered onto user systems via the Blackhole exploit kit, and is aimed primarily at users in Turkey. We estimate that there are more than 60,000 users affected by Tinba in Turkey.

The capabilities of this malware are broadly similar to other similarly sophisticated info-stealing malware families. Using web injects, it steals the login information from websites, particularly those located in Turkey. Some targets such as Facebook, GMX, Google, and Microsoft are hardcoded into the code of Tinba itself and are universally targeted by Tinba. Other institutions are targeted based on downloaded configuration files; frequent targets include key government portals and Turkish banks/financial institutions.

Continued : http://blog.trendmicro.com/the-tinbatinybanker-malware/