In a recent statement from SRI (Romanian Intelligence Service) shows that during this period a cyber attack what it aims at customers of Internet Banking platforms.
By all accounts, the clients of Romanian banks, who access the Internet Banking service from their PC through Chrome, Microsoft Edge or Firefox, have a very good chance of making themselves known access credentials (personal access data on the financial-banking platform) to those who launched the attack. In this way, malicious people will have access to bank accounts, authentication data to e-mail services si financial data. Note that Internet Banking applications are not affected.
SRI brings some recommendations for all customers of banks that use Internet Banking services:
"- use of anti-virus solutions and constantly updating their signatures;
- avoid opening attachments in archive form if their provenance is uncertain and if they have not been previously checked with anti-virus detection solutions;
- avoid opening attachments or links from suspicious emails;
- operating system update and avoiding the use of operating systems that no longer receive support from the manufacturer;
- notification to the bank when you notice banking transactions that do not belong to you;
- disable autorun some MS Office routines (macro-hate);
- avoiding manual macro executionfixes may. "
* full press release is available on sri.ro.
The group that launched this cyber attack uses one of the most successful malware from the last decade. Qbot.
Qbot is part of a family of malware (viruses) which over the years has undergone many changes at the source code level, being perfected by cybercrime and made "invisible" to most antivirus software.
In the early days of Qbot, it was used as a simple Trojan virus, able to enter hidden under various forms of files in a system Windows, to then be able to extract confidential data, including users, authentication passwords on Internet Banking platforms.
In recent years, Qbot malware has gained in addition to the potential to Trojan virus, and that of worm (The worm), able to propagate itself in a network after initially managing to penetrate a computer in it. Moreover, the current threat puts antivirus software companies in difficulty. Qbot can be controlled remotely from a command and control server (CC), where it regularly receives updates capable of hiding it and easily passing control of antivirus software. Including digital signatures, which are detected being "safe" by antivirus. In other words, if a software has a digital signature, it does not necessarily mean that it is secure, as well as a website with HTTPS (SSL) may have a malware application at source or for download. The worst part is that digital signatures of applications and security HTTPS of websites causes the browser, operating system or antivirus not to send user alerts. An article on “HTTP / HTTPS" find here.
In the early days of Qbot, it was delivered by code PowerShell. Its release depended on the code from Visual Basic (VBS) which the victim was to execute. At that time, companies that frequently used e-mail services were targeted. Becoming a common method of infiltrating malware applications, PowerShell codes have been closely monitored by antivirus software, and Qbot has been modified, making delivery by other methods more difficult to intuit and detect.
Currently, Qbot malware can be executed automatically or manually by the victim, via a file MS Word cu macro (set of instructions / routines). This file comes in the e-mail, in the form of an "official" and "trusted" message, which for the most part is not suspicious of antivirus software. If you do not open these files, you will be safe. following SRI advice, you can keep your sensitive / sensitive data safe.
Don't forget that the best antivirus software are: caution, attention si awareness.