Rise of Cyber Frauds in Digital Banking


With the wave of digitization, there has been a drastic increase in the use of mobile internet, and fraudulent financial transactions are rising in step (approximately $20 billion, i.e. Rs 1.26 lakh crore, as per a report from Assocham). Financial fraud is big business now, and the figures are climbing in every respect.

With the rise of a young, digitally savvy population, banks are striving to adapt to customers' digital wallets. Customers, too, are getting acquainted with cashless life, and in the process the vulnerabilities of banking applications are keeping the techies on their toes. The risks include phishing, identity theft, card skimming, etc.

Currently, 74% of the population has smartphones, which has led to a steady rise in the use of banking apps. Statistics from the Reserve Bank of India show that the volume of mobile banking transactions increased from Rs 1,819 crore in 2011–12 to approximately Rs 1,01,851 crore in 2014–15. This includes cashless transactions, customer feedback, bill payments and even marketing of new products. Technology has become the biggest driver of change, with most financial bodies preferring paperless transactions.

Simultaneously, online fraud in the banking sector is escalating towards alarming figures. It includes digital identity theft and online banking fraud such as hacking or the unexplained siphoning of funds using stolen customer data. To counter it, banks are educating customers about guidelines for secure transactions via smartphones and other online devices. Two-factor authentication is the most common among them.

Recently, more than 30 organizations around the globe have fallen victim to a new wave of attacks in which cyber crooks used compromised websites, or “watering holes”, to infect visitors to those websites with unknown malware. The banks are clueless about such incidents because there are hardly any traces or evidence of the malicious activity. The attackers redirect visitors to an exploit kit, which can install malware on the visitors' systems. Investigations are still under way to check whether this malware has a historical background.

According to eScan, a timely reminder of the growing threats faced by financial institutions can prevent numerous frauds. Users and customers need to be equally alert to these concerns. Several guidelines can change the scenario:

1) Never disclose or write down your login details anywhere.

2) Never hand over your smartphone to strangers such as restaurant staff, supermarket attendants, mall employees or fuel station staff to carry out an online transaction.

3) Ensure that you have installed a reputed mobile antivirus, and regularly scan your smartphone for any suspicious app and to detect and mitigate any suspicious activity.

4) Lastly, review your banking statements regularly so that any discrepancies can be reported to the concerned bank.


IoT: The Threat


We have already experienced the havoc created by the Mirai botnet, which infected Internet-facing IoT devices and launched one of the largest DDoS attacks ever recorded.

We have embraced IoT because it lets us control devices over the Internet, be it the refrigerator, the camera or, in many cases, the printer. Printers have been transformed not just by advances in printing technology but also in the way we connect to them. Such have been the advancements that we now have Internet-enabled printers that accept print jobs over the Internet.

Very recently, a hacker exploited more than 1,00,000 printers and issued rogue print jobs; according to him, more than 3,00,000 printers are exploitable. Even though the hacker hasn't leaked the source code for the exploit, the very fact that vulnerable devices are out in the open would motivate enterprising criminals to add them to the ever-growing list of vulnerable IoT devices and use them for nefarious purposes.

There are a couple of points to take into consideration when dealing with IoT:

1: Vendors have to implement a robust firmware update mechanism so as to mitigate the threat posed by vulnerabilities as and when researchers discover them and share them with the vendors.

2: As responsible netizens, we have to ensure that we change the default passwords of the devices we use.


Data URI Schema : Phishing Attacks targeting GMail Users


Recently, there has been a wave of phishing scams targeting Google users. The spam delivers either a PDF file or a Word document containing a link, and in some cases just a plain email containing the link. It should also be noted that some of the best researchers have been fooled by the method.

The link is actually an HTML body embedded in a URI, i.e. data:text/html, also known as the Data URI Schema, which is supported by all modern browsers.

One can even turn the browser into an instant notepad: all you need to do is copy and paste the following code into the browser URL bar and hit Enter.

data:text/html, <html contenteditable>

or display a red dot:

data:text/html,<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg
NBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />

This isn't a new method; what is new is that spammers are now actively targeting Gmail users.

The code presented here has been sanitized. On close inspection, the Data URI contains a script that has been encoded using Base64.

[Image: sanitized code]

After decoding the string, we come across a packer function. These functions are generally used to obfuscate the underlying code. From a reversing point of view, it is important to know that in most cases a packer must use “eval”, a built-in JavaScript function that evaluates / executes JavaScript code / expressions.

Here the eval function is clearly visible, although numerous other packers try to hide eval by splitting it or by various other means. We replace eval with alert, which, when executed, gives us the unpacked code in an alert.

[Image: sanitized code with packer function]

We repack the code using Base64.

[Image: re-packed JavaScript code]

When we copy and paste the Data URI into the browser URL bar, we are able to view the pre-packed code. From this code it is quite evident that an iframe has been used to display the phishing page, which is retrieved from http://_rosettatranslation.top; however, this won't happen in this case since:

  1. The domain _rosettatranslation.top cannot exist, as it begins with an underscore.

[Image: unpacking packed JavaScript]

Packers have been used extensively by drive-by downloads, DGAs (Domain Generation Algorithms), exploit kits, etc. in order to serve malicious pages. Sometimes it is easy to extract the code in a harmless manner, and sometimes it takes a lot of ingenuity to extract / reverse it.
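The decode-and-unpack steps described above can also be carried out without executing anything. The following Node.js code is an added example, not code from the original post: it assumes the common eval(function(p,a,c,k,e,d){...}) packer layout with a radix of at most 36 (the post does not say which packer was used), and PACKED_SAMPLE, SAMPLE_LINK and the phish.example host are constructed placeholders.

```javascript
// Added example (Node.js): static triage of a data: URI link. Nothing is eval'ed.
// Assumed packer layout, not confirmed by the page:
//   eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w0|w1'.split('|'),0,{}))
const PACKER = /eval\(function\(p,a,c,k,e,[dr]\)[\s\S]*?\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Split a data: URI into media type and decoded body.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const params = m[1].split(';').map(s => s.trim().toLowerCase());
  let body = m[2];
  try {
    body = params.includes('base64') ? Buffer.from(body, 'base64').toString('utf8') : decodeURIComponent(body);
  } catch (e) { /* malformed percent-encoding: keep the raw body */ }
  return { mime: params[0] || 'text/plain', body };
}

// Rebuild the packed script by substituting keywords; the payload never executes.
function unpackStatically(js) {
  const m = PACKER.exec(js);
  if (!m) return null;
  const radix = Number(m[2]);
  if (radix < 2 || radix > 36) return null; // base-62 variants need their own decoder
  const words = m[4].split('|');
  const payload = m[1].replace(/\\(.)/g, '$1'); // undo \' and \\ escapes
  return payload.replace(/\b\w+\b/g, t => words[parseInt(t, radix)] || t);
}

// Report what a link would load: whether it is packed, and any iframe targets.
function triageLink(uri) {
  const outer = parseDataUri(uri);
  if (!outer) return { isDataUri: false, packed: false, iframes: [] };
  const out = { isDataUri: true, mime: outer.mime, packed: false, iframes: [] };
  const nested = [...outer.body.matchAll(/src\s*=\s*["'](data:[^"']+)["']/gi)]
    .map(x => parseDataUri(x[1])).filter(Boolean).map(p => p.body);
  for (const code of [outer.body, ...nested]) {
    const clear = unpackStatically(code);
    if (clear !== null) out.packed = true;
    for (const f of (clear || code).matchAll(/<iframe[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi))
      out.iframes.push(f[1]);
  }
  return out;
}

// Constructed, inert sample: packer body elided, target is a placeholder host.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* elided */}('0.1(\'<2 3="4://5.6/7"></2>\')',36,8,'document|write|iframe|src|http|phish|example|login'.split('|'),0,{}))`;
const SAMPLE_LINK = 'data:text/html,<script src="data:text/javascript;base64,' +
  Buffer.from(PACKED_SAMPLE).toString('base64') + '"></script>';
console.log(triageLink(SAMPLE_LINK));
```

Because the keyword table is substituted as text, the iframe target can be read from the result without the script ever running in a browser.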

According to Google, it is the responsibility of the end user to verify the sanity / validity of the contents of the URL bar; however, Google users always have the option of implementing two-factor authentication, as rightly suggested by Google.

However, when the targeted site doesn't use TFA, or is a corporate login page against which a spear-phishing campaign has been initiated, the user has to be really attentive.

Over the past many years, various methods have been used to deliver spam and entice the user to visit malicious pages, but what hasn't changed is the phishing page itself. As a result, whenever such attempts are made against a computer system protected by the eScan Smart Web-Filter, they are detected and blocked.

Since the present campaign is targeting Gmail users, here are some tips to keep you safe:

  1. Stay alert and be aware of the contents of the browser's URL bar: ensure that the URL always begins with HTTP/HTTPS, and if it begins with data, be extra careful.
  2. Browsers show distinct color-coded warnings when visiting HTTP/HTTPS sites.
  3. Use / implement two-factor authentication whenever and wherever possible.

Readers may choose to read more about SURL / SMART Phishing Filter over here.

RBI Phishing

Statistical URL Analyzer

MalwareMustDie – BH EK version 2

SURL Analyzer – to Believe or not

CitiBank – A Phishing attempt

Statistical URL Analyzer – with MetaSploit

Statistical URL Analyzer – with MetaSploit and SET

eScan-14: Dynamic Phishing Filter



RAAS – SATAN on the prowl

Much has been said about Ransomware as a Service in our previous blog posts; today we look into SATAN, a new Ransomware as a Service hosted on the dark web.

The site provides wannabe criminals with an interface to create the ransomware. According to the creators of SATAN, for every ransom paid by a victim, 30% will be deducted by the creators of SATAN and 70% will be given back. They even offer to lower their commission when the rate of infections and payments is higher.

[Image: SATAN home page]

Once you log in after creating an account, you are provided with various options for creating the ransomware, i.e. the Ransom, the Multiplier Amount and the Days, which effectively means that after the specified days have elapsed the ransom increases.

The dashboard also shows the number of infections, how many victims have paid, the address of the BTC wallet to which the 70% would be transferred, et al.

[Image: SATAN dashboard]

Moreover, it also displays a notice about not uploading the created ransomware to VirusTotal or other online scanners. However, things have not gone as the creators expected: at the time of writing, almost all antivirus products have created signatures and have started detecting the binaries as malicious.

eScan's scan engine detects this as Gen:Trojan.Heur.FU.lqZ@a8i5xyi. Moreover, since the inception of PBAE (Proactive Behavioural Analysis Engine), we have always verified the success of our detection algorithm, and this time too we have defeated SATAN.



When SATAN infects a computer system, it encrypts the files and adds “STN” as the extension. The list of file extensions attacked by SATAN hasn't changed from that of other ransomware; it actively targets MS Office files, images, PDFs, etc.

eScan’s PBAE has protected its users from yet another Ransomware.
