Tag Archive for Malware

Scary SS7 Flaw Strikes Banks

Scary SS7 Flaw Strikes BanksLost in last month’s hub-bub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is a standard that defines how to public phone system talks to itself to complete a phone call.

Telephone system Signaling System 7 The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was  a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.

According to ars technica the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication numbers) authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.

Central office equipmentGerman Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity of phone numbers.

O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.

Ford Road CO in Dearborn Mi is the Oregon officeTwo-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are.  2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.

Cris Thomas, a strategist at Tenable Network Security warns in the article:

Two-factor authenticationWhile this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…

Cyber security researchers began issuing warning about this flaw in late 2014 about dangerous flaws in SS7. I wrote about the SS7 flaw in September of 2016  and in March 2107. Maybe this will be the wake up call for the carriers. One industry insider quipped:

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.

man-in-the-middle attackIn 2014 security researchers first  demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.

Developed in 1975, today, over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), use SS7 make sure their networks interoperate. This technology has not kept up with modern times.  In May 2017, Wired published an article which explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.

Carriers should use SS7 firewall to secure the SS7 networkThe Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol has security holes too.

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.

Of course the TLA’s would never use this “flaw” in SS7 to spy on us.

The Guardian says that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself beyond not using the services.

PoliticianThey recommend for text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook‘s (FB) WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network to protect your messages from surveillance.

For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

protect yourself Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Related articles

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

What to Think About Before You Click

What to Think About Before You ClickReaders of the Bach Seat know that the Internet can be a risky place. The typical advice to stay safe on the Intertubes is to think before you click. But why should you care and what should you think about before you click on a link in your email or on Facebook?

Email is the leading source of attacks at home and at work. Kaspersky reports that over 2/3 of emails sent in 2014 were SPAM. Merely clicking on a SPAM link can lead to password and data theft, and even “drive-by” malware downloads. In order to stay safe at work and at home ESet wants you to ask yourself these questions before you click on any link:

1.Do you trust the person posting the link? Do you trust the person sending or posting the link? People have gotten better at distinguishing good emails and links from bad. Nonetheless, you still need to be alert, so the first question to ask yourself is:

  • Do I trust the person sending or sharing this link? If you don’t recognize the name, the email account, or the content, delete it.

2. Do you trust the platform? Here’s what we mean by “platform”: A link shared on your company’s private Intranet is likely to be safe. But anybody can send you an email — so be skeptical.

social media sites have been hit by copious amounts of spam.Pay special attention to Twitter (TWTR) and Facebook (FB), as both social media sites have been hit by copious amounts of spam. Online security experts have found that many social media accounts are fake and pose a risk to anyone they come in contact with.

  • Researchers say that an average of 40% of Facebook and 20% of Twitter accounts claiming to represent a Fortune 100 brand are fake. 99% of malicious URLs posted on social media channels led to malware or phishing attacks.

3. Does this link coincide with a major world event? Cybercriminals seize any opportunity to get someone to click a link. They commonly use news events like natural disasters, Olympics and World Cups to lure victims to identity-theft or malware sites.

4. Do you trust the destination? Look at tDo you trust the destination?he link that has been shared. Does it go to a website you recognize? If you don’t trust, or don’t know, the destination, don’t click the link.

5. Is it a shortened link? The rise of social media, especially Twitter, has prompted people to shorten links for convenience. Bad guys can easily shorten scam links, making them harder to spot.

  • With shortened links, the advice is clear; ask yourself the above four questions and if you’re unsure still, use LongURL and CheckShortURL, to restore the shortened link to its original length.


Even if you follow this advice, you still need to be alert. If, for whatever reason, you’re unsure, you could pick up a phone and call them (Did you remember that you can talk to people on phones?) to verify that they did indeed send that information and maybe talk about something else too.


Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

2016’s Most Dangerous Celeb Online

2016's Most Dangerous Celeb OnlineThe 10th annual McAfee Top 100 Most Dangerous Celebrities to Search for Online Study published by Intel Security, was recently released. The annual report uncovers which celebrities are the most dangerous to search for on the intertubes. These dangerous celeb’s results can expose fans to viruses, malware and identify theft while searching for the latest information on today’s pop culture stars. Intel’s (INTC) used its McAfee site ratings software to find the number of risky sites generated by searches on Google, Bing and even beleaguered Yahoo.

Intel Security“Consumers today remain fascinated with celebrity culture and go online to find the latest pop culture news,” said Gary Davis, chief consumer security evangelist at Intel Security. “With this craving for real-time information, many search and click without considering potential security risks. Cybercriminals know this and take advantage of this behavior by attempting to lead them to unsafe sites loaded with malware.”

This year’s most dangerous celebrity online is Amy Schumer. The comic joins recent most dangerous celebrity online alumni Jimmy Kimmel, Jay Leno and Emma Watson. According to Intel Security, a search for the “Trainwreck” actress has a 16.1% likelihood of returning results that direct fans to sites with viruses and malware.

2016's most dangerous celebrity online is Amy SchumerJustin Biber is the second most dangerous online celebrity. As for the “Sorry” singer, there’s a 15% chance that Beliebers could connect with a malicious website.

The rest of this year’s Top 10 list included:
3. Carson Daly 13.4%
4. Will Smith 13.4%
5. Rihanna 13.3%
6. Miley Cyrus 12.7%
7. Chis Hardwick 12.6%
8. Daniel Tosh 11.6%
9. Selena Gomez 11.1%
10. Kesha 11.1%

Cybercriminals exploit celebrity fandom for abuseIntel says there are two big truths cybercriminals try to exploit to leverage celebrity fandom for abuse. The first is that consumers want convenience. As people rely less on cable and, instead, search for the content they want online, they’ll find many third-party sources for their favorite music or videos.
But unofficial sources are often dangerous. Links can send users to unsafe sites, where sneaky tactics for stealing data and usernames are awaiting. The popular torrent file format for downloading files also allows cybercriminals to sneak viruses onto devices.
Exploit today’s social media obsessed cultureThe second truth attackers are exploiting is the desire for gossip – now. In today’s social media obsessed culture, fans want real-time information related to their favorite celebrities. It isn’t uncommon for a celebrity to have a photo, post or comment shared around the world in a matter of seconds. Those posts often spark a wave of searches. With all that traffic, cybercriminals can trick fans into visiting a faux-gossip website infested with malware to steal passwords, credit card information and more. This method is particularly effective on social media channels, like Facebook, Twitter and WhatsApp where the standards for trust are low.
In addition to recommending anti-virus software, Intel, whose products include McAfee software, urges consumers to have a skeptical mind when surfing the web. But don’t worry. No one is asking you to give up your celebrity infatuation here are a few things you can do to make sure you’re entertained safely:
  • Trusted video streaming servicesWatch media from original sources. Are you looking for the latest episode of Amy Schumer’s TV show, Inside Amy Schumer? Stick to the official source at comedycentral.com or well-known and trusted video streaming services like Hulu to make sure you aren’t clicking on anything malicious.
  • Be wary of searching for file downloads. Out of all the celebrity-related searches we conducted, “torrent” was the riskiest by far. According to Intel A search for ‘Amy Schumer Torrent’ results in a 33% chance of connecting to a malicious website. Cybercriminals can use torrents to embed malware within authentic files making it tricky to detect safe from unsafe downloads. It’s best to avoid using torrents especially when there are so many legitimate streaming options available.
  • Keep your personal information personalKeep your personal information personal. Cybercriminals are always looking for ways to steal your personal information. If you receive a request to enter information like your credit card, email, home address or social media login Intel says don’t give it out thoughtlessly. Do your research and make sure it’s not a phishing or scam attempt that could lead to identity theft.
  • Use security protection for browsing. Many software products can scan webpages you’re browsing – alerting you to malicious websites and potential threats. This can keep you safe as you study up on all the latest gossip.


The stars are new, but the game is the same. In addition to applying some critical thinking to your web browsing, the same advice from 2015, 2014, 2013, 2012, etc. stands……

Maybe I will get more hits after putting these pop names in here.


Ralph Bach has been in IT for a while and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.


Malware Steals Your Cash At ATM

Malware Steals Your Cash At ATMOn September 2, 1969, America’s first automatic teller machine (ATM) started dispensing cash to customers at Chemical Bank in Rockville Center, New York. Since then ATMs have been a trusted avenue for many banking transactions. However, the Business Insider warns that the next time you pull cash out of the ATM, or “Tap the Mac” you should take extra care. BI reports that Internet security firm Kaspersky Lab has announced the return of a newer and more dangerous version of the Skimer malware.

THacked ATMhe report characterizes Skimer as an especially dangerous malware that turns whole ATMs into card-skimming machines. The malware first appeared in 2009 and has been distributed at ATMs all over the world.

The majority of ATM fraud takes place through card skimming. Card skimming is usually physical, as criminals typically install an illegal card-reading device into ATMs, film people entering their PINs on keypads, and then create duplicate cards for sale and use, reports the New York Times. Fortunately, users can uncover these card skimmers because they’ll spot a problem with the card reader or notice an unusual camera.

Gas pump skimmerSkimer is particularly problematic because it is software based. The article explains the threat is undetectable to the common ATM user since there is no physical sign of the ATM being tampered with. The Russian based program lets criminals access an ATM remotely, install the malware, and then gather data such as PINs, card numbers, and account numbers over the course of time. A “money mule” can then insert a special magnetic stripe card into the ATM to access the stolen data, take out money, or print card numbers onto a receipt.

The attack begins by gaining access to the ATM system either through physical access, or via the bank’s internal network. Then Backdoor.Win32.Skimer malware is installed which infects the core of the ATM. The ATM core is responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards. After that, the ATM has become a skimmer. The compromise allows the attackers to withdraw all the funds in the ATM or grab the data from cards used at the ATM, including customers’ bank account numbers and PIN codes.

KasperskyKaspersky is trying to help banks detect Skimer and is providing techniques for identifying affecting machines and securing their ATM networks in the future. Sergey Golovanov, principal security researcher at Kaspersky Lab explains it is possible for banks to stop Skimer.

We have discovered the hardcoded numbers used by the malware, and we share them freely with banks … they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware

To prevent ATM attacks, Kaspersky recommends that banks:

  • Perform regular AV scans,
  • Use whitelisting technologies,
  • Have a good device management policy,
  • Enable full disk encryption,
  • Protect the ATM’s BIOS with a password,
  • Only allow HDD booting,
  • Isolate the ATM network from any other internal bank network.

ATM fraud continues to growDespite a way to control Skimer, ATM fraud continues to grow according to BI. A recent FICO study found the number of compromised ATMs in the U.S. surged 546% from 2014 to 2015, thanks in large part to the slow EMV migration of debit cards and ATMs. The article speculates that EMV upgrades would stop Skimer. The resistance to EMV means ATM fraud could grow even more from 2015 to 2016.

John Heggestuen, at BI Intelligence, explains that EMV cards are being rolled out with an embedded microchip for added security. The microchip carries out real-time risk assessments on a person’s card purchase activity based on the card user’s profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it makes it difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.

EMV cardsRetail card fraud cost U.S. retailers approximately $32 billion in 2014, up from $23 billion in 2013. To solve the card fraud problem across all channels, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud. In the article, BI’s Heggestuen describes some of the other technologies that financial institutions are utilizing to reduce fraud risks.

Encryption of payments data is being widely implemented. Encryption degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.

Point-to-point encryption electronically changes sensitive payment data from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions.

Point-to-point encryption
Tokenization increases transaction security. Tokenization assigns a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often “multiuse,” meaning merchants don’t have to force consumers to re-enter their payment details. Apple Pay uses one emerging form of tokenization.tokenization
3D Secure is an imperfect answer to user authentication online. One difficulty in fighting online fraud is that it is hard to confirm that the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data as well as payment data to complete a transaction online.


The best recommendation to protect yourself from Skimer and other ATM threats is to use ATM’s at your bank or credit union. These ATMs are harder for thieves to install any type of skimmers or malware on because of the higher traffic and monitoring. ATMs located outside a financial institution like at a 7-11 are highly suspect.


Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Schools Face RansomWare Risk

Schools Face RansomWare RisKMore than 2,000 machines at K12 schools are infected with a backdoor in unpatched versions of JBoss that could be used at any moment to install ransomware such as Samsam. TargetTech defines ransomware as malware designed for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment in Bitcoins for the decryption key.

TolosRansomware has typically been spread through drive-by downloads or spam emails with malicious attachments. One of the latest victims of Samsam was MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.

PCWorld reports that the Cisco (CSCO) Talos threat-intelligence organization, announced that roughly 3.2 million machines worldwide are at risk. The article says that many of those already infected run Follett’s Destiny library-management software, used by K12 schools worldwide. According to Cisco, Follett responded quickly to the vulnerability,”Follett identified the issue and immediately took actions to address and close the vulnerability”.

JBossIn a presser, Follett offers patches for systems running version 9.0 to 13.5 of its software and says it will help remove any backdoors. The author states that Follett technical support staff will reach out to customers found to have suspicious files on their systems. Follett even offers SNORT detection rules on the presser page.

Snort is a highly regarded open-source, freeware network monitoring too which detects attack methods, including denial of service, buffer overflow, CGI attacks, stealth portscans, and SMB probes. When suspicious behavior is detected, Snort sends a real-time alert to syslog, a separate ‘alerts’ file, or to a pop-up window.

BitcoinJBoss the vulnerable underlying system is described as an open-source Red Hat product which serves as an application server written in Java that can host business components developed in Java. Essentially, JBOSS is an open source implementation of J2EE that relies on the Enterprise JavaBeans specification for functionality.

PCWorld reports that compromised JBoss servers typically contain more than one Web shell. Talos advises that it is important to review the contents of a server’s jobs status page. “This implies that many of these systems have been compromised several times by different actors,” the company said.

Backup your filesWeb shells are scripts that indicate an attacker has already compromised a server and can remotely control it. The list of those associated with this exploit are listed in Talos’s blog post.

Companies that find a Web shell installed should begin by removing external access to the server, Talos said in the article. The security firm recommends quick action.

Ideally, you would also re-image the system and install updated versions of the software … If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.


I have worked with a number of customers on their library automation projects. The cost of these systems is as usual in the data. There is a great deal of time and effort that goes into creating the proper MARC records, especially for books that are out of print and kiddie books. If these files get locked up by the ransomware, the system is useless and expensive to replace.

K12 schools are notoriously cheap, but the advise is the same as always,

  1. Keep your software UP TO DATE
  2. Use a real virus scanner on your servers and administrative stations
  3. Back Up – Back Up – Back Up – With a good backup, you can just blow the machine away, re-install and restore the data. and be back in business.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.