More stories

    Academics bypass PINs for Visa contactless payments

    A team of academics from Switzerland has discovered a security bug that can be abused to bypass PIN codes for Visa contactless payments.
    This means that if criminals are ever in possession of a stolen Visa contactless card, they can use it to pay for expensive products, above the contactless transaction limit, and without needing to enter the card’s PIN code.
    The attack is extremely stealthy, academics said, and can be easily mistaken for a customer paying for products using a mobile/digital wallet installed on their smartphone.
    However, in reality, the attacker is actually paying with data received from a (stolen) Visa contactless card that is hidden on the attacker’s body.
    How the attack works
    According to the research team, a successful attack requires four components: (1+2) two Android smartphones, (3) a special Android app developed by the research team, and (4) a Visa contactless card.
    The Android app is installed on the two smartphones, which will work as a card emulator and a POS (Point-Of-Sale) emulator.

    Image: ETH Zurich
    The phone that emulates a POS device is put close to the stolen card, while the smartphone working as the card emulator is used to pay for goods.
    The entire idea behind the attack is that the POS emulator asks the card to make a payment, modifies transaction details, and then sends the modified data via WiFi to the second smartphone that makes a large payment without needing to provide a PIN (as the attacker has modified the transaction data to say that the PIN is not needed).
    “Our app does not require root privileges or any fancy hacks to Android and we have successfully used it on Pixel and Huawei devices,” researchers said.
    Attack caused by an issue with the Visa contactless protocol
    At the technical level, the researchers said the attack is possible because of what they describe as design flaws in the EMV standard and in Visa’s contactless protocol.
    These issues allow an attacker to alter data involved in a contactless transaction, including the fields that control transaction details and if the card owner has been verified.
    “The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” researchers said.
    “The attack consists in a modification of a card-sourced data object (the Card Transaction Qualifiers) before delivering it to the terminal,” they added.
    “The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer’s device (e.g., a smartphone).”
    These modifications are carried out on the smartphone running the POS emulator, before being sent to the second smartphone, and then relayed to the actual POS device, which wouldn’t be able to tell if the transaction data was modified.
    This security issue was discovered earlier this year by academics from the Swiss Federal Institute of Technology (ETH) in Zurich.
    ETH Zurich researchers said they tested their attack in the real world, in real stores, without facing any issues. The attack was successful at bypassing PINs on Visa Credit, Visa Electron, and VPay cards, they said.
    A Visa spokesperson did not return an email seeking comment on the research paper’s findings, which ZDNet sent on Thursday, but the ETH Zurich team said they notified Visa of their findings.
    Second attack discovered, also impacting Mastercard
    To discover this bug, the research team said they used a modified version of a tool called Tamarin, which was previously used to discover complex vulnerabilities in the TLS 1.3 cryptographic protocol [PDF] and in the 5G authentication mechanism [PDF].
    Besides the PIN bypass on Visa contactless cards, the same tool also discovered a second security issue, this time impacting both Mastercard and Visa. Researchers explain:
    “Our symbolic analysis also reveals that, in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This enables criminals to trick the terminal into accepting an unauthentic offline transaction. Later on, when the acquirer submits the transaction data as part of the clearing record, the issuing bank will detect the wrong cryptogram, but the criminal is already long gone with the goods.”
    Unlike the first bug, the research team said it did not test this second attack in real-world setups for ethical reasons, as this would have defrauded the merchants.
    Additional details about the team’s research can be found in a paper preprint entitled “The EMV Standard: Break, Fix, Verify.” Researchers are also scheduled to present their findings at the IEEE Symposium on Security and Privacy, next year, in May 2021.

    Elon Musk confirms Russian hacking plot targeted Tesla factory

    Earlier this week, US authorities arrested and charged a Russian national for traveling to the US to recruit and convince an employee of a Nevada company to install malware on their employer’s network in exchange for $1 million.
    While no court indictment named the targeted company, several news outlets specializing in coverage of the electric car industry speculated today that the attack had very likely targeted US carmaker Tesla, which operates a mega-factory in Sparks, a town near Reno, Nevada.
    While Tesla had not returned requests for comment on the topic, in a tweet earlier today, Tesla CEO Elon Musk officially confirmed that the hacking plot did, indeed, target his company.
    “Much appreciated. This was a serious attack,” Musk wrote, answering to one of the multiple news reports speculating that Tesla was the supposed target.
    Employee went to the FBI early in the recruitment process
    The entire attack was a rare case where hackers decide to use so-called “malicious insiders,” a term the cyber-security industry uses to describe rogue employees.
    According to court documents, a 27-year-old Russian man named Egor Igorevich Kriuchkov reached out to one of Tesla’s employees via WhatsApp, after the two had previously met four years ago, in 2016.
    Kriuchkov said he was vacationing in the US and arranged for the two to meet, with the Russian hacker traveling to Reno for this purpose.
    Throughout multiple meetings, Kriuchkov revealed to the Tesla employee that he was working with a Russia-based hacker group and proposed that the employee install a piece of custom-built malware on Tesla’s internal network.
    Kriuchkov said the malware, which the group spent $250,000 to build, would exfiltrate data from Tesla’s network, and upload it to a remote server. The plan was to steal sensitive Tesla files and then threaten to release the data unless Tesla paid a huge ransom demand.
    The employee, who the FBI described as a Russian-speaking immigrant, notified Tesla and the FBI about the proposal after his first meeting with Kriuchkov.
    Subsequent meetings were recorded and documented in the indictment, including the employee negotiating his cut from $500,000 to $1 million, and the Russia-based hacker gang postponing the Tesla hack until later this fall because they were in the middle of breaching another company and needed to focus on that target.
    FBI agents arrested Kriuchkov as he tried to leave the US via Los Angeles over the weekend, and charged him on Monday. If found guilty, Kriuchkov could face up to five years in prison for his role in the scheme.

    New Zealand Stock Exchange suffers day four disruption following DDoS attacks

    The New Zealand Stock Exchange (NZX) is still suffering from the aftermath of distributed denial of service (DDoS) attacks that hit the exchange earlier this week.
    On Friday morning, the NZX said its markets would open as normal, following ongoing work to put in place additional measures to maintain system connectivity and address the severe DDoS attacks. 
    Two hours later, however, the NZX said it was experiencing connectivity issues which appeared to be similar to those caused by the DDoS attacks from earlier this week.
    “Given the current issue, we have extended the pre-open for the NZX main board and Fonterra shareholders market. The NZX debt market was placed into a halt at 9:58am [NZST],” the exchange said. “The NZX derivatives market remains open.”
    The exchange was aiming for business as usual on Friday, after keeping the NZX main board, NZX debt market, and Fonterra shareholders market offline on Thursday and closing the NZX derivatives market at 11:00am NZST.
    The exchange’s website is currently offline.
    NZX was on Tuesday struck down by a DDoS attack, which resulted in the exchange halting trade in its cash markets from 3:57pm NZST.
    A joint statement made earlier this week by NZX and its network service provider Spark said the DDoS attack came from offshore, via Spark’s networks, to impact NZX system connectivity.
    The NZX has since been repeatedly targeted by the attacks.
    Earlier on Thursday, ZDNet reported the attacks were attributed to a criminal gang that has launched DDoS attacks against some of the world’s biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks.
    The NZX and Spark were hopeful markets would resume normal operations on Wednesday.
    NZX said it has been continuing to work with Spark, and national and international cybersecurity partners, including GCSB, to address the attacks. 
    The exchange said it has been in close contact with market participants and that it “appreciates the support and level of understanding during the periods of disruption to trading”.

    US sues to recover cryptocurrency funds stolen by North Korean hackers

    The United States government has filed a lawsuit today seeking to seize control over 280 Bitcoin and Ethereum accounts that are believed to be holding funds North Korean hackers stole from two cryptocurrency exchanges.
    Court documents did not identify the hacked exchanges, but officials said the two hacks took place on July 1, 2019, and September 25, 2019.
    During the first incident, North Korean hackers stole $272,000 worth of alternative cryptocurrencies and tokens, including Proton Tokens, PlayGame tokens, and IHT Real Estate Protocol tokens, while in the second, hackers stole multiple virtual currencies, worth in total more than $2.5 million.
    US officials said they used blockchain analysis to track down stolen funds from two hacked exchange portals back to the 280 accounts.

    Analysis of the July 2019 hack
    Image: US DOJ

    Analysis of the September 2019 hack
    Image: US DOJ, court documents
    According to court documents, the US says North Korean hackers used a technique known as “chain hopping” to launder the stolen funds. The technique, also known as “blockchain hopping,” refers to taking funds from a type of cryptocurrency and exchanging it into another (i.e., converting Stellar to Ethereum, or converting Tether to Bitcoin).
    The DOJ says North Korean hackers usually stole funds from one exchange, transferred the funds to another exchange where they chain hopped several times and eventually gathered all funds into the 280 BTC and ETH accounts they tracked down.
    Per the court documents, many of these 280 addresses are currently frozen at the cryptocurrency portals where they were set up. The accounts were frozen immediately after the hacks, as cryptocurrency exchange portals cooperated with each other to track down funds and freeze accounts before the funds were converted back into fiat (real) currency, and all traces lost for good.
    Now, the US government wants to formally take control of these accounts in order to return funds to the hacked exchanges or users (in the case of exchanges that have shut down since the hacks).
    The US Department of Justice said these two hacks are connected to other North Korean hacks and money laundering operations they exposed in March 2019, when they charged two Chinese nationals for helping the North Korean hackers launder their proceeds through Chinese companies.
    In September 2019, the US Treasury sanctioned three North Korean hacking groups and moved to freeze financial assets associated with their shell companies. Treasury officials said the three groups engaged in the hacking of cryptocurrency exchanges in order to steal funds to send back to the Pyongyang regime, which would then use the stolen assets to fund its weapons and missile programs.

    Facebook sues maker of advertising SDK for refusing to participate in audit

    Facebook has filed lawsuits today in both the US and the UK against MobiBurn, a UK software company that provided advertising tools for mobile app developers.
    In particular, MobiBurn provided an advertising software development kit (SDK) that allowed app developers to embed ads inside their applications and monetize user behavior.
    But in a lawsuit filed today, Facebook claims the SDK contained malicious code that illegally collected the personal data of Facebook users.
    Facebook said the data was collected when users installed any mobile app that contained the MobiBurn advertising SDK. When this happened, the code would activate and collect a person’s name, time zone, email address, and gender.
    “Security researchers first flagged MobiBurn’s behavior to us as part of our data abuse bounty program,” said Jessica Romero, Facebook’s Director of Platform Enforcement and Litigation.
    MobiBurn declined to participate in an audit
    However, while Facebook was handling this report internally, these findings also made it into the press in November 2019, when CNBC ran an article detailing MobiBurn’s practices.
    The same article also accused OneAudience, another company that provided an advertising SDK, of engaging in similar practices.
    A day after the CNBC report, both SDK makers posted messages on their websites claiming they only provided the tools but were not involved in the data collection, shifting blame to the mobile app developers who abused their SDKs.
    Both companies also discontinued their respective SDKs.
    However, at the time, as part of its internal investigation, Facebook also wanted both SDK makers to cooperate and submit to an audit, so Facebook could confirm their statements and make sure the companies deleted any Facebook user data they had illegally obtained.
    Both companies declined to cooperate. Facebook sued OneAudience in February, and, today, the social network is following through with its lawsuit against MobiBurn.
    A MobiBurn spokesperson did not return a request for comment, neither this week nor in November 2019, when we first reached out to the SDK maker.
    Second lawsuit also filed today
    Facebook also sued a second defendant today: Nikolay Holper, for operating Nakrutka, a website that sold Instagram likes, comments, and followers.
    Facebook said that Holper operated a network of Instagram bot accounts, which he advertised through the Nakrutka website.

    Before filing today’s lawsuit, Facebook said it tried several other methods to dissuade Holper from continuing to run the site, such as sending a formal warning and cease and desist letters, and disabling Holper’s and Nakrutka’s accounts on Instagram.
    Nakrutka is the second such service that Facebook has sued this year. In June, Facebook also sued MGP25 Cyberint Services, a Spanish company that provided the same types of services as Nakrutka.
    Since early 2019, Facebook’s legal department has been filing lawsuits left and right against various third-parties abusing its platform. Previous lawsuits include:
    • March 2019 – Facebook sues two Ukrainian browser extension makers (Gleb Sluchevsky and Andrey Gorbachov) for allegedly scraping user data.
    • August 2019 – Facebook sues LionMobi and JediMobi, two Android app developers, on allegations of advertising click fraud.
    • October 2019 – Facebook sues Israeli surveillance vendor NSO Group for developing and selling a WhatsApp zero-day that was used in May 2019 to attack attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.
    • December 2019 – Facebook sued ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware.
    • February 2020 – Facebook sued OneAudience, an SDK maker that secretly collected data on Facebook users.
    • March 2020 – Facebook sued Namecheap, one of the biggest domain name registrars on the internet, to unmask hackers who registered malicious domains through its service.
    • April 2020 – Facebook sued LeadCloak for providing software to cloak deceptive ads related to COVID-19, pharmaceuticals, diet pills, and more.
    • June 2020 – Facebook sued to unmask and take over 12 domains containing Facebook brands and used to scam Facebook users.
    • June 2020 – Facebook sued MGP25 Cyberint Services, a company that operated an online website that sold Instagram likes and comments.
    • June 2020 – Facebook sued the owner of Massroot8.com, a website that stole Facebook users’ passwords.

    Iranian hackers impersonate journalists to set up WhatsApp calls and gain victims' trust


    Iranian government hackers have impersonated journalists to reach out to targets via LinkedIn, and set up WhatsApp calls to win their trust, before sharing links to phishing pages and malware-infected files.
    The attacks took place in July and August this year, according to Israeli cyber-security firm ClearSky, which published a report today detailing this particular campaign.
    The hackers are believed to be members of Iranian super group CharmingKitten, also known as APT35, NewsBeef, Newscaster, or Ajax, according to Ohad Zaidenberg, ClearSky Lead Cyber Intelligence Researcher.
    Zaidenberg says the recent campaign targeted academics, human rights activists, and journalists specializing in Iranian affairs.
    The ClearSky researcher said hackers contacted victims first via LinkedIn messages, where they posed as Persian-speaking journalists working for German broadcasting company Deutsche Welle and Israeli magazine Jewish Journal.
    After making contact, the attackers would attempt to set up a WhatsApp call with the target and discuss Iranian affairs in order to gain the target’s trust.
    Following this initial call, victims would eventually receive a link to a compromised Deutsche Welle domain that either hosted a phishing page or a ZIP file containing malware capable of dumping and stealing their credentials.
    Iranian hackers impersonated journalists before
    Zaidenberg said the group’s recent operation is an escalation of other attacks carried out in late 2019 and early 2020, when the same group also posed as journalists, this time working for the Wall Street Journal, to reach out to targets.

    Image: ClearSky
    However, in previous attacks, CharmingKitten only used emails and SMS to reach out to victims, but never called their targets.
    “This TTP [technique, tactic, procedure] is uncommon and jeopardizes the fake identity of the attackers (unlike emails for example),” Zaidenberg wrote in the ClearSky report published today.
    “However, if the attackers have successfully passed the phone call obstacle, they can gain more trust from the victim, compared to an email message.”
    Zaidenberg also points out that the tactics CharmingKitten used were nowhere near original. North Korean hackers have been using this particular tactic for years, such as organizing fake job interviews on Skype to breach Chile’s ATM network, or setting up fake interviews via phone or WhatsApp calls with employees working at various defense contractors.

    Microsoft and Walmart are teaming on a potential TikTok takeover deal

    Think the Microsoft-TikTok negotiations can’t get any weirder? Walmart says hold my beer.
    CNBC first reported on August 27 that Walmart is teaming with Microsoft on a potential bid for TikTok’s U.S., Canadian, Australian and New Zealand operations. Microsoft confirmed earlier this month that it was in the bidding for TikTok.
    Walmart??
    Walmart is trying to compete with Amazon. As CNBC noted, Walmart is looking to launch a membership program that’s an alternative to Amazon Prime. Walmart told CNBC via a statement that TikTok’s integration of e-commerce and advertising was of interest, as were TikTok’s creators, but didn’t say how and if TikTok would become part of Walmart+.
    Walmart is a Microsoft customer (or, as Microsoft prefers to call the company, a “partner.”) In 2018, Microsoft and Walmart announced a strategic five-year partnership via which Walmart committed to using Azure, Microsoft 365, Microsoft AI, Microsoft’s Internet of Things (IoT) tools and technologies to modernize its retail operations. As is the case with a number of big Azure customers, Amazon is Enemy No. 1, as AWS is for Azure.
    In early August, via a blog post, Microsoft officials said they planned to continue discussions with TikTok’s parent company, ByteDance, about taking over parts of TikTok’s operations. Microsoft execs said they’d complete the discussions no later than September 15, 2020, and during that time, Microsoft plans to continue discussions with the U.S. government, including President Donald Trump, who has ordered ByteDance to divest itself of its U.S. TikTok operations in the name of security.
    Since early August, Oracle has joined the bidding for TikTok, with one report today claiming Oracle would actually be announced as the victor within 48 hours or so. (The 48 hours bit is connected to TikTok’s new CEO quitting yesterday and hinting a deal for TikTok was imminent.)
    Microsoft originally was interested simply in TikTok becoming a Microsoft cloud customer (it currently uses a combination of its own and Google Cloud’s datacenters to run its services here), according to a recent New York Times report. But once Trump got involved in a plan to oust TikTok from the U.S., Microsoft’s plans regarding TikTok changed. 
    TikTok has potential advertising and data-source value to Microsoft. Microsoft doesn’t have much of a consumer presence beyond Xbox/gaming at this point, as it has pivoted to become first and foremost an enterprise company under CEO Satya Nadella.

    Your email threads are now being hijacked by the QBot Trojan

    QBot Trojan operators are using new tactics to hijack legitimate, emailed conversations in order to steal credentials and financial data. 

    On Thursday, cybersecurity researchers from Check Point published research on the new trend, in which Microsoft Outlook users are susceptible to a module designed to collect and compromise email threads on infected machines. 
    QBot, also known as Qakbot and Pinkslipbot, is a prolific form of malware estimated to have claimed at least 100,000 victims across countries including the US, India, and Israel. Originally identified in 2008, the Trojan is considered a “Swiss Army knife” malware as it acts not only as a typical information-stealer, but is also able to deploy ransomware — and contains other dangerous capabilities. 
    A new variant of QBot, detected in several campaigns between March and August this year, is being deployed as a malicious payload by operators of the Emotet Trojan. The researchers estimate that one particularly extensive campaign in July impacted roughly 5% of organizations worldwide.
    The malware lands on a vulnerable machine via phishing documents containing URLs to .ZIP files that serve VBS content, calling the payload from one of six hardcoded encrypted URLs. 
    Once a PC has been infected, a new and interesting module in the modern QBot variant described by Check Point as an “email collector module” extracts all email threads contained within an Outlook client and uploads them to the attacker’s command-and-control (C2) server.  
    The hijacked threads are then used to propagate the malware further. By jumping on legitimate threads, unwitting readers might think messages sent by the attackers are legitimate, and therefore, are more likely to click on infected attachments. 
    Subjects tracked by the team include tax payment reminders, job recruitment content, and COVID-19-related messages. 
    QBot is able to steal browsing data, email records, and banking credentials. One of the Trojan’s modules downloads Mimikatz to harvest passwords.
    The malware is also able to perform browser web injections and install malicious payloads including ransomware such as ProLock. In addition, QBot connects infected machines as slave nodes in a wider botnet, which could be weaponized to conduct distributed denial-of-service (DDoS) attacks. Another new feature of QBot is the ability to remotely fetch and install updates and new modules.
    A QBot malspam campaign launched this month, focused on US and European targets including government, military, and manufacturing entities. 
    “These days Qbot is much more dangerous than it was previously — it has active malspam campaigns which infect organizations, and it manages to use a third-party infection infrastructure like Emotet’s to spread the threat even further,” the researchers say.