Friday, December 29, 2017

Implications of the EU General Data Protection Regulation

The European Union (EU) General Data Protection Regulation (GDPR) will go into force in May 2018. This is a comprehensive change to data protection regulations in the EU, but it will also require foreign companies that collect data on EU citizens to comply with its provisions. The GDPR establishes requirements in many areas that go beyond existing regulations or the security practices of U.S. companies. The greatest potential impact on U.S. companies and cybersecurity personnel is the schedule of penalties that can be imposed for data breaches or other failures to comply with the GDPR. Fines of up to $24 million or 4% of worldwide annual turnover for the year of the infraction can be levied against a company. This creates a possible opportunity for hackers that breach the data holdings of a major corporation. They can threaten to expose the breach, which would trigger huge fines unless the hackers are paid a substantial ransom to keep quiet...
 
Wapack Labs has cataloged and reported on data protection regulations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM 

Thursday, December 28, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Dec 28, 2017

On 28 December 2017, Wapack Labs identified 32 ‘new’ unique email accounts compromised with keyloggers, and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: December 28, 2017

Wapack Labs identified connections from 811 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkholed domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Sunday, December 24, 2017

Happy Holidays From Wapack Labs!



May this Holiday Season and the New Year bring you Peace and Happiness. Have some fun, enjoy our video, stay safe, and see you online! All our best - The Wapack Labs Team.


The Wapack Labs Team
www.wapacklabs.com
1-844-4-WAPACK (1-844-492-7225)

Friday, December 22, 2017

Hackers Compromised Russian Bank And Used SWIFT for Withdrawal

On 15 December 2017, a Russian bank lost somewhere between $100,000 and $1 million US dollars after hackers sent SWIFT wire transfers abroad to Europe, Asia, and America. The bank was compromised (medium confidence) by a hacker group who sent malicious attachments to a number of different banks a few weeks prior. SWIFT was not compromised, but was used as a tool to siphon money from the compromised bank. The bank is going through ownership reorganization. Prior to this incident, it was receiving financial regulator warnings regarding its cyber security posture...

Wapack Labs has cataloged and reported on attacks targeting banks and SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, December 21, 2017

Terdot Banking Trojan

TLP AMBER ANNOUNCEMENT:

Terdot is a multipurpose banking trojan developed using Zeus source code leaked in 2011. The latest version of Terdot surfaced in 2016 and incorporates new surveillance capabilities. Now that the Terdot trojan features cyber espionage capabilities, it is more likely to be sought after by attackers. Like its predecessor Zeus, some of Terdot's features and configurations indicate a high likelihood of Russian origins. This report examines Terdot’s new capabilities, infrastructure, attribution and delivery mechanisms...

Wapack Labs has cataloged and reported on banking trojans in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Dead Russian Social Media Accounts Hacked

Social media accounts originally belonging to the deceased were recently observed promoting pro-Putin messages in Russia. The Russian social network, VK (formerly Vkontakte), reported that accounts were hacked. Social media accounts whose owners are no longer living and other abandoned accounts with weak password security were used in this campaign. Because they were deceased or abandoned accounts, account owners could not react to possible security warnings. Social media networks have different processes for deactivating deceased users. Abandoned accounts may be especially vulnerable to brute force attacks and may later be used in malware or disinformation campaigns. This use of hacked accounts poses a risk of international-level account hijacking on a variety of social media networks...

Wapack Labs has cataloged and reported on social media hijacking in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Monday, December 18, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 

Compromised Email Accounts 
Reporting Period: Dec 18, 2017

On December 18, 2017 Wapack Labs identified 35 'new' unique email accounts compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 

Reporting Period: December 18, 2017

Wapack Labs identified connections from 723 unique IP addresses, which are checking in with one of the many Wapack Labs sinkholes.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Wednesday, December 13, 2017

Fraudulent Banking Website Part of Larger BEC Infrastructure

TLP AMBER ANNOUNCEMENT:

Business Email Compromise scams (BEC or BES) are a lucrative way for cybercriminals to gain high value credentials and commit fraud. Losses resulting from BEC scams surpassed 5 billion dollars this year and are rising. BEC scams target groups and individuals by masquerading as legitimate services and organizations. Recent activity in Iceland involves the use of a fake website with ties to a larger infrastructure of domains designed for use in BEC scams. In this incident over 100 people were victimized with the use of the fake website, tricking victims into giving up financial credentials. These scams are difficult to defend against because they rely on social engineering and deceit instead of malware that can be detected by early warning software. The best defense against BEC scams is information sharing and networking...

Wapack Labs has cataloged and reported on Business Email Compromise scams in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, December 12, 2017

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 

Reporting Period: Dec 11, 2017 

Wapack Labs identified connections from 723 unique IP addresses, which are checking in with one of the many Wapack Labs sinkholes. 
 
Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 
 
 
This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
 
Compromised Email Accounts 
Reporting Period: Dec 11, 2017
 
On December 11, 2017 Wapack Labs identified 113 'new' unique email accounts compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users.
 
Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com  
 
Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 
 
 
This TLP AMBER report is available only to Red Sky Alliance members. 

NoobBoy Downloader Campaign

TLP AMBER ANNOUNCEMENT:
 
Starting in mid-October 2017, a new variant of macro downloader malware was leveraged in large-scale fraud-driven email campaigns. The attacks appear to target the supply chain of multiple industries and have used an assortment of payloads, including keylogger malware. The common use of the macro variant as well as shared infrastructure and network artifacts indicate a common actor. Wapack Labs has dubbed this activity "NoobBoy" for future tracking. NoobBoy attacks appear to target the supply chain in the shipping, energy and infrastructure sectors. Companies targeted include international companies participating in global markets, including an equipment manufacturer who supplies equipment globally and an oil, gas and mineral resource company that participates in the global marketplace...

Wapack Labs has cataloged and reported on macro downloader malware and campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal.   


This TLP AMBER report is available only to Red Sky Alliance members.

Friday, December 8, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 

Compromised Email Accounts
Reporting Period: Dec 08, 2017

 
On December 08, 2017 Wapack Labs identified 73 'new' unique email accounts compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users. 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.
 
This TLP AMBER report is available only to Red Sky Alliance members.

China's Cyberspace Administration and Cyber Security Law

TLP AMBER ANNOUNCEMENT:
 
The Cyberspace Administration of China (CAC) was formed in 2014 as the principal Chinese government entity responsible for Chinese Internet content control. The current CAC Director, Xu Lin, is a close political ally of Chinese President Xi Jinping. The CAC likely directly reports to a committee chaired by President Xi and all official actions indicate that the regime is very serious about exerting significant control over the Chinese Internet. Most CAC enforcement activity has focused on Internet political control, in which "cyber security" involves censorship of any dissent. There is no indication that the CAC is enforcing controls over foreign corporations on data flow out of China, hardware requirements for acquisition and use inside China, or security inspections of foreign companies. As the designated agency to implement and enforce the cyber security law, the CAC has become the central entity in the Chinese Internet monitoring and censorship regime...

Wapack Labs has cataloged and reported on Chinese Internet control in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
 
This TLP AMBER report is available only to Red Sky Alliance members.

Russian Troll Handlers

TLP AMBER ANNOUNCEMENT:
 
Fake social media accounts controlled by a Russian APT group were focusing on spreading leaks aligned with the Russian agenda. At the same time, another group not only supported candidate Trump, but also spread divisive content from all political affiliations and even organized anti-Trump events in the US. Russian troll operations continued through 2017. It is likely that the group continues its operations in the US and that the associated accounts are dedicated to information warfare. Their cover identities, however, are being changed and the operations are being scaled down compared to the 2016 US presidential campaign...

Wapack Labs has cataloged and reported on Russian social media trolling in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


This TLP AMBER report is available only to Red Sky Alliance members.

Thursday, December 7, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts 
Reporting Period: Nov 27 to Dec 04, 2017

On December 04, 2017 Wapack Labs identified 41 'new' unique email accounts compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Dec 04, 2017

Wapack Labs identified connections from 2637 unique IP addresses, which are checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wednesday, December 6, 2017

BINs Sold at Hacker Shop

TLP AMBER ANNOUNCEMENT:
 
A new hacker/carder shop was discovered by Wapack Labs. The shop sells credit card data, hacking tools and compromised dating accounts. It accepts Bitcoins and Perfect Money, which are automatically exchanged to Bitcoins via an exchange service. The shop has advertised via direct e-mails to hackers since October 2017 and an advertisement was detected on a hacker forum in November 2017. This hacker/carder shop is currently a medium threat and has thousands of items listed for sale. Financial organizations whose BINs match those of the compromised credit cards for sale should take notice...

Wapack Labs has cataloged and reported on hacker and carder shops in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 


 This TLP AMBER report is available only to Red Sky Alliance members. 

Underground Market Selling Stolen Credit Cards

Wapack Labs recently identified a new private underground market. The market is targeting Amazon buyer gift cards and is also selling cloned credit and debit cards. The market only accepts Bitcoin as payment for these stolen goods and ships worldwide. It offers unique discreet shipping methods of cloned credit cards at different price points: $15 to mail the card in a birthday card, $25 to stuff the card inside a teddy bear, $50 to hide the card inside a calculator, and $100 to hide the card in a non-working smartphone. They also offer a service that involves sending the product to abandoned houses or to a neighbor’s house. These physical delivery methods show diverse stolen credit card smuggling innovations. Each cloned card has a $4,000 - $7,000 balance with the correct PIN and a daily $500.00 cash withdrawal limit or $3,000.00 online spending limit...

Wapack Labs has cataloged and reported on underground markets and credit card theft in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 

FREE Webinar: Cyber Fraud for Christmas, December 7th, 9AM EST

Wapack Labs presents a well-timed online event -- CYBER FRAUD FOR CHRISTMAS. December 7th, 9AM EST. Please join top cyber professionals as they share a series of presentations on fraud topics including scams, malware, and viruses.

REGISTER NOW TO JOIN US.

  • Post Data Breach ID Fraud & Mitigations
  • Cyber Fraud: Skimmers and ATM Malware
  • Social Engineering And Scams Around Holidays And Major Events
  • Typosquatting – What’s in a Name?
  • Evolutions in Business Email Scams
  • Block Chain-Related Fraud
  • Scripting for Analysis & Hunting

Included in this presentation is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting.

Jump in for an hour or the entire webinar, click this link to the AGENDA & REGISTRATION page.

REGISTER NOW, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.


Friday, December 1, 2017

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Nov 27, 2017

Wapack Labs identified connections from the following 300 unique IP addresses (full list of 3615 IPs is on a corresponding .csv file), which are checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members.