By Homer Pacag, Security Researcher at Trustwave
Using malware-infected spam (or malspam for short) to attack targets is one of the oldest tricks in the cybercriminal book, but attackers frequently use old techniques with new twists to catch victims out.
In August, our threat detection team uncovered an unusual, new approach to malspam in a campaign that appeared to be exclusively targeting banks.
We first spotted the campaign in mid-August, and it reappeared later in the month. The attack used the ever-popular technique of sending a malware-infected fake invoice to targets to trick them into opening the file and executing hidden malware. However, this came with a new development we hadn’t seen before.
Rather than the usual infected Word or PDF documents, the attackers instead used Microsoft Publisher, a program generally reserved for editing a document’s layout rather than composing and editing a simple file like an invoice. Seeing a .pub document with a filename like “Payment Advice” was unusual enough to prompt a more in-depth investigation from our team.
The hidden malware
Opening the attached .pub will prompt the user to “Enable Macros”, which may appear as “Enable Editing” or “Enable Content” in some older versions of Microsoft Publisher. Accepting the command will activate a hidden download link for a self-extracting archive containing a backdoor tool known as the FlawedAmmyy RAT (Remote Access Trojan).
FlawedAmmyy has been used in attack campaigns since 2016, usually targeting specific companies in industries such as the automotive sector. A large attack was detected in July 2018, this time using PDF documents.
Based on the leaked source code of a remote access admin tool, the malware has several abilities including a remote desktop tool and a file system manager. Once a machine has been infected with FlawedAmmyy, the attacker is able to remotely take control and perform a number of malicious actions. They can begin exfiltrating data or installing further malware with other capabilities and can use the compromised machine to email other users at the organisation under the guise of the commandeered email address.
What makes this attack different?
The use of .pub files rather than normal .docs or PDFs makes this campaign rather unusual. We can’t be certain of the attacker’s motivation for the switch, but it appears to be part of a prolonged campaign using different techniques. With further investigation, it quickly became apparent that this group has been repeatedly experimenting with its attack method in recent months.
A week after the initial discovery, we found the campaign had re-emerged, this time with the Windows Publisher files being embedded within a PDF. Hiding executable items inside a PDF is a popular tactic with this group, and the same technique was used for most of the previous FlawedAmmyy attacks.
After some further digging, we were able to identify several different cases likely stemming from the same attackers. They all used the FlawedAmmyy malware embedded in documents and were exclusively targeting banks, but frequently changed other elements, such as using different subject lines and other file types like Excel IQY.
It also appears that the campaign originates from the notorious Necurs botnet, which has been responsible for several very large-scale malware distribution campaigns over the last couple of years, for example WannaCry which hit the NHS in May 2017. However, this most recent example is notable for being of a much smaller scale and only targeting domains belonging to banks.
Should banks be worried?
The amount of evidence we have uncovered so far indicates that this group is very persistent in their goal of infecting a banking organisation with the FlawedAmmyy malware. This is unsurprising as compromising an endpoint device within a bank with the remote access trojan is something of a holy grail for a cybercrime group. A successful infection would potentially allow for further attacks, including stealing large amounts of confidential data, transferring funds, or even accessing the banking system itself.
After the recent spree of different attack patterns, we can anticipate that the attackers will continue to experiment with different combinations of file types and text until they are finally able to successfully infect a bank with malware.
Banks around the world should be on their guard for the appearance of this attack. As with past malspam attacks, this latest campaign relies on poor user awareness to succeed. Banks should consider strengthening their security training so that all users are aware of the threat posed by unknown files in their inbox. There should be a clear policy in place about handling and reporting suspicious emails.
Taking it a step further, banks should also ensure they have the ability to closely inspect inbound document files at the email gateway. This will enable them to detect hidden files and macros that have been embedded within apparently benign files. It may also be advisable to block files like Excel IQY at the email gateway as they are increasingly being used to evade security measures and execute malware downloads.
Research also contributed by Phil Hay, Research Manager, Trustwave
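The gateway inspection recommended above can be sketched as follows. This is an added example, not Trustwave's tooling: it flags .pub and IQY attachments, OLE2 files carrying a VBA project, and PDFs with embedded files, and it inflates PDF streams to look for documents hidden inside. The function names, finding labels and sample bytes are constructed for illustration, and the byte-marker checks are heuristics.

```python
import re
import zlib

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file (.pub, .doc, .xls)
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")   # directory-entry name of a VBA project
PDF_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
PDF_KEYS = (b"/EmbeddedFile", b"/OpenAction", b"/JavaScript")
MAX_INFLATE = 16 * 1024 * 1024                  # cap output to resist decompression bombs

def triage(name, data, depth=0):
    """Return sorted heuristic findings for one attachment (not a verdict)."""
    found = set()
    lower = name.lower()
    if lower.endswith(".pub"):
        found.add("publisher-extension")
    # An IQY web query is plain text: "WEB", then "1", then the URL to fetch.
    if lower.endswith(".iqy") or data[:256].split()[:2] == [b"WEB", b"1"]:
        found.add("iqy-web-query")
    if data.startswith(OLE_MAGIC):
        found.add("ole-compound-file")
        if VBA_MARK in data:
            found.add("vba-macro-project")
    if b"%PDF-" in data[:1024]:
        found.update("pdf:" + k[1:].decode() for k in PDF_KEYS if k in data)
        for m in PDF_STREAM.finditer(data) if depth < 2 else ():
            try:
                inner = zlib.decompressobj().decompress(m.group(1), MAX_INFLATE)
            except zlib.error:
                continue                        # stream is not Flate-compressed
            found.update("nested:" + f for f in triage("", inner, depth + 1))
    return sorted(found)

def build_sample_pdf():
    """Constructed, harmless sample: a PDF wrapping a fake OLE file with a VBA marker."""
    fake_pub = OLE_MAGIC + b"\x00" * 504 + VBA_MARK
    body = zlib.compress(fake_pub)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage("Payment Advice.pdf", build_sample_pdf()))
```

An empty result is not proof that a file is clean: PDF objects can sit inside object streams or be encrypted, so a production gateway should pair checks like these with a full document parser.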
BOJ to highlight climate risks as key theme of bank tests this year – sources
By Leika Kihara and Takahiko Wada
TOKYO (Reuters) – The Bank of Japan will for the first time highlight climate change risks as among key themes in its bank examinations this year, sources said, joining major peers moving to gain research clout on the effects of global warming.
In guidelines on the examinations due next month, the BOJ will clarify its readiness to coordinate with Japan’s banking regulator in analysing the impact of climate risks on financial institutions, said three sources familiar with the matter.
The central bank will also beef up cooperation with the regulator, the Financial Services Agency (FSA), in studying European examples and specific ways to measure financial risks associated with climate change, they said.
The moves are part of Japan’s efforts to follow in the footsteps of an increasing number of countries working on or considering stress-testing financial institutions on climate risks.
“For the BOJ, green QE is still off the radar. The more approachable and near-term focus is to assess climate change risks on the financial system,” one of the sources said, a view echoed by two other sources.
“Climate change is a key theme for the BOJ this year,” another source said, adding that stress-testing climate risks on financial institutions is “not imminent, but something Japan needs to aim for in the future.”
The BOJ conducts hearing and on-site monitoring in voluntary examinations on financial institutions. But it does not have regulatory authority, which falls under the FSA. Neither the BOJ nor the FSA stress-tests banks on climate risks.
Officials of the two institutions have been discussing climate change as among topics that could affect Japan’s banking system. But progress toward stress-testing financial institutions has been slow because of a lack of data and models.
The BOJ began to gear up efforts on climate change after Prime Minister Yoshihide Suga last year pledged to make “green” investment a key pillar of his growth strategy.
The Biden administration’s focus on battling climate change, and the Federal Reserve’s decision in December to join an international central banks’ group focused on climate risks, also prodded the BOJ to engage more, the sources said.
But actual roll-out of stress tests will take at least another year as policymakers work out guidelines and details, including whether they will ask banks to conduct a “self-assessment,” the sources said.
(Reporting by Leika Kihara and Takahiko Wada. Editing by Gerry Doyle; Editing by Chang-Ran Kim)
ECB watching yield surge but not controlling curve: Lane
FRANKFURT (Reuters) – The European Central Bank is monitoring the recent surge in government bond borrowing costs but will not try to control the yield curve, ECB chief economist Philip Lane told a Spanish newspaper on Friday.
Yields have soared, particularly over the past week, partly driven by rising U.S. Treasury yields. Verbal intervention by key ECB officials, including ECB chief Christine Lagarde, has failed to stem the rally.
“At this stage, an excessive tightening in yields would be inconsistent with fighting the pandemic shock to the inflation path,” Lane said in an interview with Expansión.
“But at the same time, it is crystal clear that we are not engaged in yield curve control, in the sense that we want to keep a particular yield constant,” he added.
Ten-year Bund yields, a key benchmark for the 19-country euro zone, now yield -0.223%, up from around -0.60% at the start of the year.
Lane added that while inflation is indeed rebounding, the increase was not yet what the ECB was looking for after a decade of undershooting its target.
“What we’re seeing now is not a significant and persistent change in the path of inflation,” he said, arguing that price growth was still too low and required ECB stimulus.
Lane predicted that the bloc would start rebounding from its pandemic-induced slump already in the second quarter and the impact of the current lockdowns would be less severe than a year ago.
(Reporting by Balazs Koranyi; Editing by Shri Navaratnam and Ana Nicolaci da Costa)
Can banks acquire customers with biometric payment cards?
By Michel Roig, Senior Vice President, Head of Business Line Payments & Access, Fingerprints
When it comes to banking, consumers are traditionally loyalists and often stay with their banks from early adulthood through to retirement. In fact, one 2018 study found that just 4% of U.S. consumers switched primary banks that year.
Yet increasingly, consumers want more from their bank than just a place to store their money. The era of ‘one bank for life’ is coming to a close, so banks will have to keep improving the customer experience to stay competitive. In an industry where customer retention and acquisition are critical, finding opportunities to offer consumers value-added products and services is key.
One such opportunity is the biometric payment card. With early adopters of the technology already rolling out the cards to their customers and 51% of consumers willing to switch banks to get their hands on the tech, now is the time for banks to get serious about biometric cards. From boosting brand image and adding value for customers to, ultimately, increasing revenue, let’s take a look at the business case for biometric payment cards.
Improving the payment experience
Contactless cards are the most-used payment method in store, with 77% of consumers using their card weekly or even daily. Consumers praise contactless payments for their user-friendliness and 63% of consumers would like to use the payment method even more in the future.
Despite its popularity, however, some serious pain points remain. Our recent survey found that 51% of consumers worry about the lack of security if their contactless card were to be lost or stolen. This worry has increased from 38% in 2018 – a clear sign that security is a primary concern for consumers. Beyond security, the limitations on contactless transactions are also a point of frustration for many. 1 in 4 are confused about the maximum amount they can spend without entering their PIN at PoS terminals, and about sometimes needing to enter the PIN despite being under the cap, and an equal amount consider the payment cap too low for their usual in-store payments.
Banks that introduce biometric payment cards can enable their customers to tap and pay for any amount, every time, while at the same time improving the security.
Moreover, biometric payment cards are a way to harmonize the payment experience. Consumers are already used to unlocking their smartphone with a fingerprint sensor. With mobile payments and banking apps on the rise, biometric authentication is now increasingly common in consumer finance. By offering biometric technology in payment cards, banks can offer their customers the same convenience and security they are used to from their mobile banking.
Boosting brand image
Aesthetic and innovative design is increasingly a key consideration, particularly among affluent, executive, and millennial consumers. It is no surprise, then, that over 60% of these demographics would switch banks to receive a biometric payment card. But also, a large proportion of the more mainstream segments would consider switching banks to get this card, which shows the excitement of this technology across different consumer demographics, both for functional and emotional reasons.
What exactly are consumers looking for in their payment card, then? Our 2020 research found that ‘modern’ and ‘personalized’ cards are the highest-rated design traits for consumers. Most importantly, they want a card they feel they can show off and that is intuitive to use.
This is where biometric payment cards can help banks boost their brand image. Beyond the security and convenience that biometric cards offer, the technology brings a sense of futuristic innovation to consumers’ favorite payment method. By offering consumers this latest technological advancement, banks can stay ahead of the curve, thereby increasing customers’ loyalty and, crucially, attracting new customers.
Attracting new customers is of course a good way to increase revenue, particularly considering 43% of consumers are willing to pay extra for a biometric payment card. 56% of banks have also said they would bundle this technology with other value-added services, creating the competitive offerings that consumers are looking for these days.
Creating these value-added services is not only important for driving revenue from customer acquisitions, but also for reducing the cost of losing customers. To regain a lost customer takes 5 times the cost of keeping one, and with consumers increasingly ‘shopping around for banks’, retaining them with up-to-date and value-adding services is crucial.
Besides supporting customer acquisition and retention, biometric technology itself can also increase revenue by reducing fraud and increasing transaction volumes. Not to mention the savings from reduced ‘lost PIN management’ internally!
Timing is everything
Biometrics is growing across payment methods. The technology is certified by major payment networks and already has received recognition from industry bodies, such as EMVCo. Consumers are used to the technology from unlocking their banking apps and verifying mobile payments, but mobile payments won’t work for every situation or demographic. Only 2% of consumers use their mobile for everyday in-store payments and in fact, 74% of active mobile payment users are also interested in having a biometric payment card. Card and mobile go hand-in-hand and work in harmony across online and physical payments, different situations and locations.
With biometric card trials moving to commercial roll-out this year, it won’t be long before this new tech is a consumer expectation. Timing is everything in business, and for banks looking to stay ahead, now is the perfect time to level up their payment card and offer their customers the convenience and security of biometric payments.