Billion Dollar Bank Hackers Use Old Phishing Technique


Last week the internet security firm Kaspersky Lab released a report on a highly successful group of cybercriminals who targeted banks and may have stolen up to a billion dollars across 100 financial institutions worldwide. While Kaspersky Lab did not name the victimized organizations, the report indicates they were mostly located in China, Russia and the United States. The attacks included a lengthy reconnaissance phase, with the criminals masquerading as legitimate users for long periods of time. The FBI and Secret Service said the U.S. financial system has not been affected, so perhaps the criminals were uncovered before they could strike.[1]

The malware the cybercriminals used opened a back door into each company’s computer network, giving them access to learn the organization’s systems. It even gave the hackers the ability to monitor webcams and embedded cameras in laptops to conduct long-term observation of employees. Once the criminals were familiar with the network, they were able to steal money in a variety of ways depending on the organization. At some banks, they manipulated ATMs to dispense cash at predetermined times, which was then picked up by money mules. At others, they artificially inflated the balance on legitimate accounts, then transferred the money to other banks in a different country.

As sophisticated and patient as they were, the hackers relied on email spear phishing to launch the initial phase of their attack. It’s an old-school technique favored by hackers because it works.

What is Spear Phishing?

Have you ever gotten an email asking you to “verify” your bank, eBay or PayPal account? Those emails are a form of phishing. When you click on a link in the email, it takes you to a web page that looks very much like the real thing, but is run by criminals attempting to steal your information.

Spear phishing works much the same way, except the emails are targeted at a specific person or small group of people instead of broadcast to thousands. In today’s world of social media, it’s not difficult for criminals to find the names and email addresses of people within an organization. Once they have a person’s name and email address, the criminals simply write a convincing email that appears to come from their boss or the company CEO. They attach the malware and instruct the employee to open the attachment in the message.

In this case, some of the emails were sent from compromised employee accounts. Once the bank employee opened the attachment, the embedded malware used a vulnerability in certain versions of Microsoft Office or Microsoft Word to infect the user’s computer.

How Can You Prevent Spear Phishing in Your Organization?

Instruct employees not to open email attachments they were not expecting, no matter who the message comes from. If an employee receives an email with a suspicious attachment from someone they know, have them double-check with the supposed sender before they open it.

Always install security updates and patches to computer operating systems and the programs your organization uses as soon as possible. In many cases, your IT staff can push updates out to computers on the network remotely.

Learn more about internet scams and security. Subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit for more terms and definitions.


Android & PC Tie For First Place In Malware


A report published last week by Alcatel-Lucent revealed malware on mobile devices has caught up to the infection rate on traditional PCs. The report was created by the telecommunications company’s Motive Security Labs and used data compiled from fixed and mobile networks using their Motive Security Guardian software. The software is deployed in networks around the world, and monitored traffic from nearly 100 million individual devices.

The report revealed 0.68% of mobile devices were infected with some type of malware. This may not sound like much, but with 2.3 billion mobile broadband subscriptions this estimate puts the number of infected smartphones and tablets at approximately 16 million. The report notes the estimate is probably conservative due to lack of coverage in China and Russia, where mobile malware infections are higher than average.

Android Makes Up Over 99% of Mobile Malware Infections

That the Android operating system accounts for most mobile malware infections should come as no surprise. Its open source environment and the ability for users to install apps from third-party sources make it easier for cybercriminals to distribute their malware. Apple and BlackBerry mobile devices have a more restricted app environment, and Windows Phone simply lacks the numbers to make a dent.

Another part of the problem is Android devices receive updates less frequently than PCs. In the United States, most Android devices run a version of the OS that is customized for each manufacturer, model and carrier. When Google releases a new version of the stock OS, the device manufacturer must test and tweak the OS for each supported device and carrier.

Top 20 Mobile Malware Infections of 2014

The report also gave information on the top 20 malware programs installed on Android devices. Six entries on the top-20 list are spyware apps that can monitor phone calls and SMS/MMS messages and track the user’s location via GPS data. Three spots went to adware programs. The rest of the list is made up of a wide variety of malicious apps.

Some apps open back doors into the device and allow the attacker to steal data for identity theft. A few are apps that send SMS messages to premium numbers to charge users on their phone bill. Others allow attackers to use the device as a proxy for illicit internet activity. There’s even a bot app that makes the mobile device part of a botnet, a type of malware usually targeted at PCs. New on the list this year are two ransomware programs, which claim to encrypt the information on the device and attempt to extort money from the user.

Mobile Malware is Growing in Sophistication

In the past, mobile malware mainly consisted of adware, but some of the malware on the list has features previously targeted exclusively at traditional computers. As the number of mobile devices grows and the devices become more powerful, they will become an increasingly attractive target for hackers.

What Are Drone Operators All Waiting For?


Last week I talked about drone operators who don’t follow the rules. This week I’ll talk about legal drones, existing regulations and the new rules that are due out soon.

Commercial Use

Current FAA regulations prohibit the commercial use of drones, but companies can apply for a special permit. According to Reuters, as of February 3rd the FAA had received 342 requests but granted only 24. The most recent batch of approvals includes companies that use aerial drones for filming movie and television footage, taking aerial photographs and surveys, monitoring flare stacks on oil rigs and checking farmers’ fields.

Companies are also interested in using drones to make deliveries. Amazon has applied for a commercial permit to test a drone delivery system, but has yet to receive approval. Online retailer Alibaba conducted a trial delivery program in China last week, using drones to deliver 450 packages of tea to volunteer customers in three cities.

Personal Use

The regulations that currently cover personal drones were created for model aircraft. Hobbyist operators can use them for non-commercial purposes. For example, an operator can use their drones to take pictures for their own enjoyment. If they plan on selling the pictures, they must apply for a permit.

They cannot fly higher than 400 feet above ground level, must remain at least 5 miles from an airport unless the operator notifies the control tower in advance, and must stay out of restricted zones. Restricted zones can be permanent, such as around government buildings and military bases, or temporary, like the 30-mile-radius no-fly zone around the stadium during the Super Bowl. Open stadiums often have temporary no-fly zones around them during events.

New Regulations Overdue

The slow pace of FAA approvals and prohibition of wider commercial use has frustrated many companies and private owners, but relief may be coming soon. The FAA turned a draft of their newly-revised rules over to the White House on October 23rd. The new rules were expected in 2014, but Transportation Secretary Anthony Foxx told reporters last month the new rules would be released soon. It’s not certain if the drone crash on the White House lawn has affected the release date.

One thing is certain: with more relaxed regulations, drones will become more common in United States airspace. But not everyone wants drones flying overhead. When drones fly into restricted zones, organizations will need a reliable method to detect them and identify the operator. Berkeley’s Yellowjacket®-Tablet civilian drone detection system gives authorities the tools they need to identify unauthorized drones and the devices used to control them.


On February 22-23, we will be taking part in many cybersecurity presentations at the Connected World CyberSecurity Conference in Birmingham, AL. BVS is both a sponsor and a presenter at this event, and we will be flying a drone for a live drone detection presentation using our Yellowjacket®-Tablet with direction finding antenna. Please join us.

How Can We Prevent The Next White House Drone Crash?


Current Federal Aviation Administration regulations require civilian drones to stay under 400 feet in altitude and at least five miles from airports and other restricted areas. Unfortunately, not all drone operators follow the regulations.

Drones at the White House

On Monday, January 26th at 3:02 AM, a Secret Service officer on duty at the White House spotted a drone flying overhead without setting off alarms. The drone crashed on the edge of the property, triggering a security lockdown and search. The operator turned out to be an unnamed, inebriated off-duty government employee flying a personal drone. He turned himself in several hours later, claiming he lost control of the drone and did not mean to fly it into a restricted area. His actions led DJI (the manufacturer of that particular drone model) to add a 15-mile-radius no-fly zone around the White House to a mandatory firmware update for all DJI drones.

He is not the first drone operator caught near the White House. On August 19th a drone operator was arrested after he crashed his drone into a tree just outside the White House grounds. Another was detained on July 3rd after Secret Service agents caught him flying a drone a block away.

Identification Difficulties

One of the major issues with drones is lack of traceability. There are no registration requirements, so finding the operator of a crashed drone is nearly impossible. Even when the drone is in the air, finding the operator is difficult. If the operator is concealed inside a building or vehicle, locating them without the right tools is like looking for a needle in a haystack. Fortunately, wireless threat detection tools such as Berkeley’s Yellowjacket-Tablet Wi-Fi Analyzer can catch a drone pilot red-handed by using real-time RSSI measurements and MAC address identification.

Drones Pose Air Safety Hazard

Even more alarming are reports of close encounters between civilian drones and low-flying aircraft. In November 2014, the FAA released a list of 25 incidents that occurred starting June 1st. The incidents were reported by pilots, and several involved passenger aircraft where the drone was spotted less than 200 feet away during takeoff or landing. The pilots reported seeing drones as high as 4,000 feet.

Drones are small and most weigh under 10 pounds, but the aircraft’s speed and the delicate construction of propellers and jet engines make a drone strike very dangerous. Impacts with birds of similar size have caused airplane crashes, including the U.S. Airways flight that landed in the Hudson River in 2009. According to wildlife organization Bird Strike Committee USA, a 12 pound bird striking an aircraft traveling at 150 MPH generates the same force as a 1,000 pound weight dropped from 10 feet. A drone of similar size would have the same effect and could easily set off a chain of events resulting in a crash.

Drone Payload Concerns

Some civilian drones have payload capacities up to 30 pounds, easily enough to carry contraband and even explosives or chemical weapons. In 2013 German police recovered a drone and bomb-making materials from right-wing terrorist groups. Just last week Mexican police in Tijuana recovered a crashed drone attempting to fly a load of drugs into the U.S. Here in the United States, criminals have used drones to fly drugs and prohibited cell phones into prisons.

Drones have the potential to improve our lives, but they also pose risks to security and public safety that should be addressed. Shutting down drone operators who disobey the law and put others at risk should be a top priority.


Deep Dark Web Of The Internet Iceberg


The World Wide Web is a vast and always changing network of web pages. In the early days of the web there were no search engines, and people relied on finding information using pages with long lists of HTML links. It was cumbersome and links were often outdated.

The development of automated search engines made it much easier for users to find information. Modern search engines like Google, Yahoo and Bing use programs called spiders that crawl the web and follow links from the main page of a site to its linked subpages. These publicly viewable pages are part of the Surface Web, but they’re just the tip of an iceberg.

What’s Below the Surface Web?

While the web is growing constantly, cybersecurity experts know the vast majority of web pages are inaccessible to search engines. Hidden pages include unpublished blog posts, forums that force users to log in before they can view the contents and news sites that archive their stories for paid subscribers only after a specific amount of time. Subpages on public web servers that are not linked to other pages do not show up in search results, but if someone knows the page URL they can access the page directly by typing it into their browser’s address bar. Collectively these resources hidden from search engines are called the Deep Web.

The information locked away in the Deep Web is valuable. Doctors could access information currently hidden in archived databases about new research and medical procedures. Aerospace engineers could find data on how to build safer airplanes. Unfortunately, cyber criminals also use the Deep Web for communication and to hide their illicit activities. The Deep Web contains pages where criminals use a type of digital currency called Bitcoin to trade and sell everything from stolen credit card numbers to illegal drugs.

Navigating the Deep Web

So if the Deep Web isn’t indexed by normal search engines, how do users navigate it? The answer lies in browser software called The Onion Router, or Tor for short. Tor allows users to access .onion sites. It also anonymizes users by bouncing their web traffic through a randomized series of encrypted servers located around the world. This makes Tor users much more difficult to track online.

Like the Deep Web itself, Tor does have legitimate uses. The software was developed by the United States government to protect whistleblowers, dissidents who live under repressive political regimes and others who would be in danger if their identities were compromised.

Some governments censor the Surface Web, blocking certain web sites and monitoring their citizens’ online activities. Facebook recently established a direct connection to Tor, allowing users in these areas anonymous access to their site. It also protects those who simply value their privacy and aren’t doing anything illegal but don’t want their browsing habits tracked.

To learn more about the Deep, Dark Web, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit for more terms and definitions.

My Phone Is Held Hostage By Ransomware, Now What?


Ransomware is a type of malware that holds your data hostage. It has been a problem with computers for many years, but it’s only recently started showing up on mobile devices. When you activate the program or app, it blocks you from accessing the data on the device and displays a message demanding payment by untraceable methods like Bitcoin or MoneyPak.

How does it spread?

On mobile devices, ransomware usually spreads via email, from visiting malicious web sites that host pornography or installing pirated apps. Recently malware developers have gotten smarter. Some ransomware apps can now spread via text message. When a device is infected, the malicious app will send an SMS to everyone in the device’s contact list with a message tricking the recipients into clicking on a link. When the reader opens the link, they are directed to install the malware on their devices, thus repeating the process with a new round of victims.

What should you do if your device is infected?

First of all, don’t pay the ransom. If you do send money all you’re doing is rewarding criminals, and there are no guarantees you’ll get your information back anyway.

Reboot the device into safe mode. Just like a computer, safe mode boots the Android device with just the bare minimum operating system. This prevents the malicious software from running at startup and allows you to remove it. The instructions on activating safe mode vary from device to device, so check the manual and the manufacturer’s web page for specific instructions.

Once you have access to the operating system, you can uninstall the malware or run an antivirus app that will remove it for you.

How do you prevent malware from attacking your Android device?

Do not click on any links you were not expecting in emails or text messages. If the message comes from someone you know, contact them before opening the link.

Make sure the “Unknown sources” check box is left unchecked. The option is usually disabled by default, but sometimes users enable it to install legitimate apps that are not available from Google. The location can vary, but it is usually found under Settings > Security. Disabling this option will prevent the device from installing apps from sources other than Google’s Play Store.

Keep backups of your local data. With many apps, the data is stored on a remote server instead of your device. When you open the app, it downloads the information it needs through your data connection. If you do have applications that store data on the device or memory card, make sure to keep a backup of the information on your computer.

For rooted Android devices, there are applications that will create an image of everything on the device and save it in a file you can transfer to your computer or upload to cloud storage.

To learn more about ransomware, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit for more terms and definitions.

Can The FBI Attract Ethical Hackers?


In today’s online world, cyber attacks can be nearly as devastating as traditional warfare. In addition to cyber terrorism, hackers have stolen identification and credit card information from millions of Americans in cyber attacks on large businesses. Local law enforcement often doesn’t have the skills or manpower to handle these cyber crimes, and jurisdiction becomes a problem when the victimized organization has locations in several areas. When the scale of the problem is too big or too complex for the target organization or local law enforcement to handle, they often turn to the Federal Bureau of Investigation for help.

The FBI has recognized the increased demand for agents trained in cybersecurity and has posted a job listing on The listing is open until January 20th, and while it doesn’t specify the number of positions open, a statement released alongside the listing stated there were “many.”

Why is the FBI seeking cyber special agents?

Tracking down sophisticated cyber criminals and terrorists with foreign government backing requires totally different skills than solving the offline crimes the FBI has always handled in the past. For example, if a gang of criminals robs a bank the agents might interview witnesses, review surveillance footage and look for physical evidence. But what if the gang of criminals stole the money electronically using a computer in another country? No one stuck a gun in a teller’s face, but the bank still lost money and the criminals need catching.

What kind of people is the FBI looking for?

The job listing gives a long list of experience requirements related to cybersecurity, including network administration, ethical (white hat) hacking, computer programming, database administration and digital forensics. The applicant must have a minimum four-year degree from an accredited college or university or a foreign equivalent. It lists degrees relating to computers, mechanical engineering or information security but does not bar applicants with non-technical degrees as long as they can demonstrate technical work experience.

In addition to the computer-related skills and background, applicants must be eligible for Top Secret security clearance and be between the ages of 23 and 37, though some military veterans are exempt from the age restriction. The applicant must meet the same physical requirements and pass the fitness tests required of all FBI Special Agents.

What does this mean for us?

It’s a positive move for the businesses, organizations and local law enforcement agencies that rely on the FBI’s assistance for solving cyber crimes. More agents with better training and a wider pool of specialized skills to draw on means faster resolutions and a greater chance of cyber criminals and terrorists being brought to justice.

To learn more about FBI’s relationship with hackers, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

ISIS Hacks CENTCOM And You Are Next

Cyber Caliphate

On Monday, January 12th, the official Twitter account and YouTube channel for US Central Command, or CENTCOM, were hacked by ISIS supporters. Pro-ISIS propaganda appeared on the @CENTCOM Twitter homepage warning “American Soldiers, we are coming, watch your back. ISIS.”

The @CyberCaliphate account is currently suspended but claimed to have hacked the US Central Command Twitter account. Besides the typical threats, there were links to documents that appeared to be confidential files stolen from American military computers. One of the Tweets was a list of US military personnel, including a phone number listed as belonging to a former general and former chief of both CENTCOM and the National Security Agency. The hackers also published a document from MIT referring to U.S. intelligence, surveillance and reconnaissance regarding China.

All of the accounts involved have been suspended until an investigation concludes they can be safely re-activated. You might remember that just one week earlier, Cyber Caliphate hacked the Twitter accounts of Fox and CBS News, claiming there would be more attacks in the future.

You Are Next

By all accounts, terrorist groups like ISIS as well as anarchist hacktivist groups like Anonymous are waging a successful war against the powers that be. This might not directly affect your average citizen or small business, but the methods they use to wage war all come back to best security practices that we all need to follow. Anyone on the grid or internet is vulnerable to the same kinds of attacks from these or any other groups.

Here is a set of tips to follow that apply to Twitter as well as any password-protected account on the internet you would like to keep private.

1) Use strong passwords to avoid becoming the victim of a hack. Twitter encourages a minimum of 10 characters, but longer is better. I recommend a 15-character minimum using upper case, lower case, numbers and symbols. Do not use common dictionary words and do not reuse passwords across multiple web sites.

2) NEVER use personal information such as phone numbers or birthdays.

3) Use login verification (also called two-step authentication) whenever available. This additional step can be annoying but is another layer of security protection.

For many more tips like these, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

Sony’s Dirty Laundry Reveals MPAA Attack Plans


Most of the information from the Sony Pictures Entertainment hack leaked so far has been embarrassing for the company, but not directly related to Internet security. However, last week some leaked emails revealed the Motion Picture Association of America (MPAA) is trying to find ways to effectively delete sites that host pirated content from the Internet using Domain Name Server (DNS) takedowns. To understand why this is a security concern, you need to know a little bit about how the DNS system works.

What is a Domain Name Server?

The Internet functions using IP addresses, strings of numbers that are easy for machines to understand but not very user-friendly for humans. Your computer or mobile device needs the help of a server that can match these IP addresses to a name for the destination that you can remember. DNS servers are usually maintained by internet service providers, but some organizations such as Google offer a public DNS anyone can use.

When you type an address like into your browser or click on a link in our newsletter, your computer or mobile device queries a DNS and receives the IP address it needs to get here. If the DNS cannot match the URL to an address, you get an error message instead of the page you expected.

What is a DNS Takedown?

Currently, copyright holders can take down pirated content by ordering the hosting site to remove it. An example would be requesting that YouTube take down a copyrighted video or that a web hosting company delete a user’s account. A DNS takedown would go a step further, ordering the DNS operator to remove the site from the server’s IP address tables. DNS servers at different companies communicate freely with one another, so changes made on one DNS server could propagate to other servers across the Internet in as little as a few hours.

Removing the listing is the equivalent of taking the street number off a business’s building. Someone trying to locate the place would find it very difficult unless they already knew the exact location, or in this case the IP address.
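To make the lookup-and-removal behaviour described above concrete, here is an added example (not code from the original newsletter) with a toy DNS server backed by a dictionary and a stub-resolver-side parser. It builds a real A-record query, answers it from a constructed zone, and shows the NXDOMAIN reply the client gets once the name is dropped from the server’s table; the zone contents and transaction id are constructed, and no network traffic is sent.

```python
import struct

# Constructed sample zone for the toy authoritative server (not real data).
ZONE = {"example.com": ["93.184.216.34"]}


def _encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def answer_query(query, zone):
    """Toy server: echo the question, then A records or RCODE 3 (NXDOMAIN)."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = _read_name(query, 12)
    question = query[12:qend + 4]            # name + QTYPE + QCLASS
    addrs = zone.get(qname.lower())
    rcode = 0 if addrs is not None else 3
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs or []), 0, 0)
    answers = b""
    for ip in addrs or []:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C points back at the question name; TTL 300 seconds, RDLENGTH 4
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def parse_response(msg):
    """Stub-resolver view of a reply: transaction id, RCODE and any A addresses."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                             # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "addresses": addrs}


def resolve(name, zone):
    """Round trip through the toy server. 'NXDOMAIN' is the RCODE the browser
    turns into its 'server not found' error once the entry has been removed."""
    reply = parse_response(answer_query(build_query(name), zone))
    if reply["rcode"] == 3:
        return "NXDOMAIN"
    return reply["addresses"]


if __name__ == "__main__":
    print(resolve("example.com", ZONE))                     # ['93.184.216.34']
    taken_down = {k: v for k, v in ZONE.items() if k != "example.com"}
    print(resolve("example.com", taken_down))               # NXDOMAIN
```

The IP address still works if typed directly; only the name-to-address mapping is gone, which is exactly the “address numbers removed from the building” situation the article describes.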

Are DNS Takedowns Legal?

The legal grounds for DNS takedowns are shaky. The Digital Millennium Copyright Act (DMCA) of 1998 both makes it illegal to distribute copyrighted material without permission and protects sites hosting pirated content as long as they respond immediately to takedown requests. The Stop Internet Piracy Act (SOPA) of 2011 would have made DNS takedowns legal, but it was defeated in Congress after a major outcry from both private businesses and the general public.

The MPAA is working on an argument that would include DNS filtering under the DMCA, forcing DNS operators to remove the DNS entries of sites hosting pirated content without a court review.

The Problem with DNS Takedowns

The major concern is this system could be ripe for abuse, with organizations or individuals filing false copyright infringement claims to harm their opponents or silence critics. Smaller DNS operators may be overwhelmed with the number of requests and just rubber stamp them out of concern for losing their protection.

Imagine if your biggest competitor could make your web site disappear overnight, and there was nothing you could do about it. It could be devastating for businesses that rely extensively on their web sites for income or leads.

Visit Berkeley’s for more terms and subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

FBI Officially Names North Korea as Source of Sony Hack


To the surprise of practically no one, the Federal Bureau of Investigation has officially announced the involvement of the North Korean government in last month’s hack on Sony Pictures Entertainment. While the FBI announcement stated it could not list all of the reasons for the link due to the need to protect “sensitive sources and methods,” it listed several links that will be familiar to regular readers of this blog.

  • Infrastructure associated with IP addresses known to be used by the North Korean government communicated with computers with IP addresses written directly into the malware used in the attack.
  • The malware had significant similarities with malware employed in previous attacks linked to North Korea.
  • The tools used in the Sony hack were similar to an attack on South Korean banks and media organizations in March of last year that was traced back to North Korea.

The FBI report also expressed concern that the attack was aimed at a private entity not connected to government activity, since most officially sanctioned hacking is limited to targeting foreign governments or their contractors.

While the North Korean government continues to maintain it is not behind the attack, in a press conference on Friday President Obama stated, “We’ve got no indication that North Korea was acting in conjunction with another country.”

Even though North Korea is a nation of poverty with very limited Internet access and the citizens are practically isolated from the rest of the world, the government maintains a cyber-espionage department called Bureau 121. According to North Korean defectors, positions in Bureau 121 are highly sought after, and the people admitted are hand-picked and trained at an age as young as 17. This gives the North Korean government the ability to wage cyber-warfare at a level far beyond what most third-world countries are capable of. In fact, North Korea considers cyber-attacks an effective method of making up for its lack of traditional military strength.

Unlike most countries that engage in cyber-espionage, Bureau 121 will target any public or private entity that raises the ire of the North Korean government. The most likely reason for the attack on Sony Pictures was the upcoming (and now cancelled) release of The Interview, an action-comedy movie based around a fictional plot to assassinate leader Kim Jong-Un. The state-controlled media called the film “an act of war” and messages from the hackers who claimed responsibility for the attack lauded Sony’s decision to pull the film.

While the United States government has promised a response to the attack, it’s not clear what it will be. A military response is unlikely, and severe trade restrictions against North Korea are already in place. This situation definitely bears watching.

Visit Berkeley’s for more terms and subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.