December 4th 2015 Intelligence Briefing NOT PROTECTIVELY MARKED

Upload: erick-milton-osborne

Post on 19-Jan-2016


Page 1

December 4th 2015

Intelligence Briefing

NOT PROTECTIVELY MARKED

Page 2

Current Threats
  - SWRCCU Investigation Update
  - Phishing email

Action Fraud Reports from the South West Region
  - Hacking Extortion

Miscellaneous
  - CiSP
  - New non-protectively marked briefing

Page 3

Investigation Update

The South West Regional Cyber Crime Unit are currently investigating a malware attack against a company based in Devon. Whilst we originally thought and reported that this malware was the banking trojan Shifu, analysis has now identified it to be Dridex.

An element of the attack which is of note was that the company initially reported that the hard drive had been wiped by the malware. Analysis has revealed that the hard drive was not wiped; the malware caused the Master Boot Record (MBR) to move sectors, making it look as though the hard drive had been wiped.
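As an added illustration (not from the briefing), a small Python check a responder could run over the first 512 bytes of a disk image to tell a rewritten partition table from a genuinely blank one before concluding that a drive has been wiped. The sample MBRs and the 2,000,000-sector disk size are constructed for this example.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of an intact MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def parse_partitions(mbr: bytes):
    """Return the four entries as (status, type, lba_start, sectors) tuples."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        parts.append((status, ptype, lba, count))
    return parts

def mbr_findings(mbr: bytes, disk_sectors: int):
    """Anomalies that separate a rewritten MBR from a genuinely blank disk."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    used = [(i + 1, p) for i, p in enumerate(parse_partitions(mbr)) if p[1] != 0]
    if not used:
        findings.append("partition table is empty")
    for n, (status, _ptype, lba, count) in used:
        if status not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{status:02x}")
        if lba == 0 or count == 0:
            findings.append(f"partition {n}: zero start or length")
        elif lba + count > disk_sectors:
            findings.append(f"partition {n}: extends beyond end of disk")
    return findings

def build_mbr(entries) -> bytes:
    """Constructed test MBR; entries are (status, type, lba_start, sectors)."""
    mbr = bytearray(MBR_SIZE)
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

DISK_SECTORS = 2_000_000                                     # constructed ~1 GB disk
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 1_000_000)])      # one bootable NTFS partition
MOVED_MBR = build_mbr([(0x80, 0x07, 1_900_000, 1_000_000)])   # start pushed past the end of the disk
ZEROED_MBR = bytes(MBR_SIZE)                                  # what a real wipe of sector 0 looks like
```

A table whose signature is intact but whose entries point outside the disk is evidence of tampering rather than a wipe, and the original partition boundaries can often be recovered from filesystem headers further along the image.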

It has also been reported elsewhere that a new version of Dridex leaves an image file of Russian President Vladimir Putin on the hard drive, although this did not occur in this case.

If organisations come across any of these characteristics then please report via Action Fraud and let us know in order for an accurate picture of the scale of the threat to be developed.

Page 4

Investigation Update (cont)

The SWRCCU has reported on Dridex many times over the last year. Media reporting suggested that the Dridex infrastructure had been disrupted but we are continuing to see Dridex infections targeting Councils and businesses throughout the South West on a regular basis.

In order to reduce the chances of becoming a victim of this banking malware please consider:
  - Have anti-virus installed and up-to-date.
  - Keep operating systems up-to-date and patched.
  - Ensure software is up-to-date, for example internet browsers, Java and Adobe.
  - Restrict the type of websites staff/you can access.
  - Prevent employees from using their own devices at work, e.g. USB devices.
  - Remove any banking Smartcard from the reader when you are not conducting a transaction, logging on or making amendments as a system administrator.
  - Log out from online banking when finished with banking tasks.
  - Look out for unusual prompts at login.
  - Change passwords often.
  - Ideally organisations should utilise a stand-alone machine for all online banking, kept separate from their email platform.

Page 5

Phishing Email

The National Fraud Intelligence Bureau (NFIB) has been made aware of a phishing attack whereby an email containing two attachments has been sent in order to socially engineer the end user into unpacking compressed files. The malicious emails claim to come from counter terrorism departments at national police forces, including Dubai Police Force. Attached to the email is a PDF file and a .jar file. The PDF is not harmful, but is included as a decoy file. The malware is in the archive .jar file. To make the emails seem legitimate, the criminals have included the names of people employed by the police forces in the signature and included names of employees at the organisation being targeted.

The email reads “We got a terror alert regarding your business area. Be advised to follow the protective measures (Security Tips) as attacked to keep yourself, your company and your family secured.” Organisations targeted with the malware have generally been in the energy, defence, finance, government, marketing and IT industries based in Bahrain, Turkey and Canada. Although at present the email has not been seen in the UK, with recent events it is thought that this may well spread to other countries.

Page 6

Phishing Email (cont):

Prevention
  - Do not click or open unfamiliar links in emails or on websites.
  - Check the legitimacy of the email with the company that has supposedly sent it. It is a good idea to find a telephone number for them independently from the email, as the phone number provided may be fake or go straight to the suspect.
  - Ensure you have up-to-date anti-virus software and perform regular scans.
  - If you have clicked or activated the link you should seek professional advice from a reputable company.

Page 7

Hacking Extortion

An individual from the Bristol area reported being a victim of an extortion whereby he engaged in live video chat of an explicit nature with a person purporting to be a female. ‘She’ then contacted the victim demanding that $300 be paid via Western Union to prevent the video being shared with friends/family and work colleagues.

Advice: There is no guarantee that paying the demand would prevent further demands or that the criminal will not post the video anyway.

In order to avoid becoming the next victim:
  - Do not get lured into compromising situations such as removing clothes or performing intimate acts online. You do not know who may see the images.
  - Always remember that what goes online often stays online.
  - Be wary about who you invite or accept invitations from on social networking sites. Do not accept friend requests from complete strangers… you wouldn’t do this in real life.
  - Update your privacy settings on social networking accounts so only people you know can view your account.
  - Do not include any sensitive, private or personal information in profiles.
  - If you use online dating sites, choose those that offer the ability to email prospective dates using a service that conceals both parties’ true email addresses, or consider setting up a separate email account that does not use your real name.

Page 8

CiSP - 30,000 Individual Cyber Crime Threats Shared

The Cyber Security Information Sharing Partnership (CiSP), which is co-run by the National Crime Agency and CERT-UK, has flagged and shared the details of 30,000 cyber crime threats.

The customised alerts that are sent out allow members to take remedial action and modify their organisations to prevent cyber attacks.

If you would like to join the CiSP then please sign up at www.cert.gov.uk/cisp and contact us as we can sponsor you.

A regional South West CiSP is being planned which will launch March 2016; more details will be shared in due course.

Page 9

Additional Briefing Dissemination

This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction.

If you know anyone else who would like to receive this, please send us their e-mail address and we will add them to the distribution list.

Any comments or queries please email South West Regional Cyber Crime Unit at:

[email protected] 372 2446
