Wednesday, December 13, 2017

Fraudulent Banking Website Part of Larger BEC Infrastructure

TLP AMBER ANNOUNCEMENT:

Business Email Compromise scams (BEC or BES) are a lucrative way for cybercriminals to gain high-value credentials and commit fraud. Losses resulting from BEC scams surpassed 5 billion dollars this year and are still rising. BEC scams target groups and individuals by masquerading as legitimate services and organizations. Recent activity in Iceland involves the use of a fake website with ties to a larger infrastructure of domains designed for use in BEC scams. In this incident, over 100 people were victimized through the fake website, which tricked them into giving up financial credentials. These scams are difficult to defend against because they rely on social engineering and deceit instead of malware that can be detected by early-warning software. The best defense against BEC scams is information sharing and networking...READ MORE

Wapack Labs has cataloged and reported on Business Email Compromise scams in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, December 12, 2017

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Dec 11, 2017

Wapack Labs identified connections from 723 unique IP addresses, which are checking in with one of the many Wapack Labs sinkholes.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Dec 11, 2017

On December 11, 2017, Wapack Labs identified 113 'new' unique email accounts compromised with keyloggers and used to log into multiple types of organizations, including not only email access but also financial, social media and others. Passwords have been redacted to protect the users.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members.

NoobBoy Downloader Campaign

TLP AMBER ANNOUNCEMENT:

Starting in mid-October 2017, a new variant of macro downloader malware was leveraged in large-scale, fraud-driven email campaigns. The attacks appear to target the supply chain of multiple industries and have used an assortment of payloads, including keylogger malware. The common use of the macro variant, as well as shared infrastructure and network artifacts, indicates a common actor. Wapack Labs has dubbed this activity "NoobBoy" for future tracking. NoobBoy attacks appear to target the supply chain in the shipping, energy and infrastructure sectors. Companies targeted include international companies participating in global markets, including an equipment manufacturer who supplies equipment globally and an oil, gas and mineral resource company that participates in the global marketplace...READ MORE

Wapack Labs has cataloged and reported on macro downloader malware and campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Friday, December 8, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Dec 08, 2017

On December 08, 2017, Wapack Labs identified 73 'new' unique email accounts compromised with keyloggers and used to log into multiple types of organizations, including not only email access but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.
 
This TLP AMBER report is available only to Red Sky Alliance members.

China's Cyberspace Administration and Cyber Security Law

TLP AMBER ANNOUNCEMENT:

The Cyberspace Administration of China (CAC) was formed in 2014 as the principal Chinese government entity responsible for Chinese Internet content control. The current CAC Director, Xu Lin, is a close political ally of Chinese President Xi Jinping. The CAC likely reports directly to a committee chaired by President Xi, and all official actions indicate that the regime is very serious about exerting significant control over the Chinese Internet. Most CAC enforcement activity has focused on Internet political control, in which "cyber security" involves censorship of any dissent. There is no indication that the CAC is enforcing controls over foreign corporations on data flow out of China, hardware requirements for acquisition and use inside China, or security inspections of foreign companies. As the designated agency to implement and enforce the cyber security law, the CAC has become the central entity in the Chinese Internet monitoring and censorship regime...READ MORE

Wapack Labs has cataloged and reported on Chinese Internet control in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
 
This TLP AMBER report is available only to Red Sky Alliance members.

Russian Troll Handlers

TLP AMBER ANNOUNCEMENT:

Fake social media accounts controlled by a Russian APT group focused on spreading leaks aligned with the Russian agenda. At the same time, another group not only supported candidate Trump but also spread divisive content from all political affiliations and even organized anti-Trump events in the US. Russian troll operations continued through 2017. It is likely that the group continues its operations in the US and that the associated accounts are dedicated to information warfare. Their cover identities, however, are being changed, and the operations are being scaled down compared to the 2016 US presidential campaign...READ MORE

Wapack Labs has cataloged and reported on Russian social media trolling in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Thursday, December 7, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts 
Reporting Period: Nov 27 to Dec 04, 2017

On December 04, 2017, Wapack Labs identified 41 'new' unique email accounts compromised with keyloggers and used to log into multiple types of organizations, including not only email access but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Dec 04, 2017

Wapack Labs identified connections from 2637 unique IP addresses, which are checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wednesday, December 6, 2017

BINs Sold at Hacker Shop

TLP AMBER ANNOUNCEMENT:

A new hacker/carder shop was discovered by Wapack Labs. The shop sells credit card data, hacking tools and compromised dating accounts. It accepts Bitcoin and Perfect Money, the latter of which is automatically exchanged to Bitcoin via an exchange service. The shop has advertised via direct e-mails to hackers since October 2017, and an advertisement was detected on a hacker forum in November 2017. This hacker/carder shop is currently a medium threat and has thousands of items listed for sale. Financial organizations whose BINs match those of the compromised credit cards for sale should take notice...READ MORE

Wapack Labs has cataloged and reported on hacker and carder shops in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Underground Market Selling Stolen Credit Cards

Wapack Labs recently identified a new private underground market. The market is targeting Amazon buyer gift cards and is also selling cloned credit and debit cards. The market only accepts Bitcoin as payment for these stolen goods and ships worldwide. It offers unique discreet shipping methods for cloned credit cards at different price points: $15 to mail the card in a birthday card, $25 to stuff the card inside a teddy bear, $50 to hide the card inside a calculator, and $100 to hide the card in a non-working smartphone. They also offer a service that involves sending the product to abandoned houses or to a neighbor’s house. These physical delivery methods show diverse stolen credit card smuggling innovations. Each cloned card has a $4,000 - $7,000 balance with the correct PIN and a daily $500.00 cash withdrawal limit or a $3,000.00 online spending limit...READ MORE

Wapack Labs has cataloged and reported on underground markets and credit card theft in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 

FREE Webinar: Cyber Fraud for Christmas, December 7th, 9AM EST

Wapack Labs presents a well-timed online event -- CYBER FRAUD FOR CHRISTMAS, December 7th, 9AM EST. Please join top cyber professionals as they share a series of presentations on fraud topics including scams, malware, and viruses.

REGISTER NOW TO JOIN US.

  • Post Data Breach ID Fraud & Mitigations
  • Cyber Fraud: Skimmers and ATM Malware
  • Social Engineering And Scams Around Holidays And Major Events
  • Typosquatting – What’s in a Name?
  • Evolutions in Business Email Scams
  • Block Chain-Related Fraud
  • Scripting for Analysis & Hunting

Included in this presentation is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting.

Jump in for an hour or the entire webinar; click this link to the AGENDA & REGISTRATION page.

REGISTER NOW, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.


Saturday, December 2, 2017

Announcing: Red Sky Small Business Alliance and a day of Education

In the last few years we've had more and more experiences with small business —banks, credit unions, port operators, supply chain companies, local NH companies, etc. —primarily in the area of fraud —account takeover, card not present, new accounts, business email scams, etc., and it's only getting worse as fraud crosses information security boundaries and many are left simply not knowing where to turn.

Heading into '18, we decided to extend a hand. We wanted to do something for/with small business. The SBA defines a small business as 1-500 employees, or up to 1500 for a manufacturer.

Announcing the Red Sky Small Business Alliance. The Red Sky Small Business Alliance is a no-cost community of companies who need cyber help: risk assessments, architecture support, log reviews, incident response support, forensics, best practice, and more. We have someone who can help.

If you're a small business, please join us this Thursday for a day of fraud-related educational presentations as we announce the newest Wapack Labs service, the Red Sky Small Business Alliance. The day is offered at no charge. We'll start the day with a brief intro to the new Alliance, followed by one of our most popular speakers and talks, Elizabeth (Liz) Shirley, the head of our Fusion Intelligence Team.

We have 100 seats available for the day. Come in for the day, or in and out as you desire. Registration is on Eventbrite.

When: Thursday, December 7th
Time: 9-4 EST
Where: A bridge will be provided after registration

The Red Sky Small Business Alliance presents a well-timed online event -- 'CYBER FRAUD FOR CHRISTMAS'. Please join top cyber professionals as they share a series of presentations on fraud topics including scams, malware, and viruses.

Included in this presentation is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting.

Sign up now, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.

AGENDA

9:00 to 9:15 AM -- Introduction
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

9:15 to 10:00 AM -- Post Data Breach ID Fraud & Mitigations
Liz Shirley | Technical Director, Intelligence & Analysis

10:00 to 10:15 AM -- Cyber Fraud: Skimmers and ATM Malware
Chris Alexander | Cyber Analyst

10:15 to 11:30 AM -- How The Cyber Grinch Stole Christmas: Social Engineering And Scams Around Holidays And Major Events
Technical Support scams, viruses/phishing pages, and holiday scams.
Jesse Burke | Advanced Cyber Analyst

11:30 to 11:45 AM -- Typosquatting – What’s in a Name?
Scott Hall | Jr. Cyber Analyst

11:45 to 12:15 PM -- Evolutions in Business Email Scams
Aure Hakenson | Cyber Analyst

12:15 to 1:00 PM -- Hacking People’s Lives with Google Sync
In reference to the recent Google Docs hack that went around, we will cover some of the unseen and convenient features that Chrome offers. If an account is compromised, these features can be used to exploit the end user and other accounts tied to the browser and email.
Sean Hopkins | Senior Security Engineer, H2L Solutions

1:00 to 2:00 PM -- Block Chain-Related Fraud
Yuri Polozov | Eurasia Desk Analyst

2:00 to 3:30 PM -- Threat Intelligence University (TIU) – Scripting for Analysis & Hunting
Chris Hall | Co-Founder, Principal Engineer

3:30 to 3:45 PM -- Closing Remarks
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

Friday, December 1, 2017

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Nov 27, 2017

Wapack Labs identified connections from the following 300 unique IP addresses (full list of 3615 IPs is on a corresponding .csv file), which are checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wednesday, November 29, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts 
Reporting Period: Nov 20-27, 2017

Between Nov 20-27, 2017, Wapack Labs identified the following 313 unique email accounts to be compromised with keyloggers and used to log into multiple types of organizations, including not only email access but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members.