8 Steps to Protect Your Organization from Fake Response Malware

What is a fake response malware?

A fake response malware is a type of malware that intercepts and modifies responses from web servers or an application server. This can be used to steal sensitive data, such as passwords and credit card numbers.

Fake response malware works by intercepting the communication between a browser or application and the server. When a user uses the application, the app sends a request to its server. The server then sends a response back to the application. The fake response malware intercepts this response and modifies it before it is sent to the application. This allows the malware to steal sensitive data, such as passwords and credit card numbers.

Recent media articles pertaining to malware attack on the payment switch application of one oldest co-operative and losses been reported is disturbing for us at SISA.

SISA on 20th December 2017 had issued a global advisory warning banks that cyber criminals were identified who were using fake response malware to inject malicious script to payment switch servers for generating fake response messages to the request received from payment brands.

However, considering the resurfacing of this attack, more importantly, as part of our PFI activity the intruder is there in the system for more than a year. Hence, we can’t prevent a breach, but at-least, we will be able to stop lateral movement and egress point. Unless there is egress, the intruder hasn’t succeeded.

A typical fake response malware attack unfolds in several stages:

• Initial Compromise: The attacker gains access to an individual’s email account through various means, such as phishing emails or credential stuffing attacks.
• Observation and Research: The attacker silently monitors email communications, studying the victim’s writing style, behavior, and relationships within the organization.
• Deceptive Response: Armed with gathered insights, the attacker inserts themselves into an ongoing email thread and crafts a deceptive response, mimicking the victim’s communication style.
• Social Engineering: The attacker’s deceptive response often contains malicious links, attachments, or requests for sensitive information, leveraging social engineering techniques to manipulate recipients into complying.
• Data Exfiltration or Further Exploitation: Upon receiving the victim’s sensitive information or executing malicious links, the attacker may proceed to exfiltrate data, distribute malware, or gain further access to the organization’s network.

Detecting and mitigating fake response malware

As fake response malware becomes more sophisticated, traditional cybersecurity measures may not be sufficient to detect and mitigate these attacks effectively. Here are some strategies to strengthen your defense against this threat:

• User Awareness and Training: Educate employees about the dangers of phishing emails and social engineering tactics. Encourage them to be cautious when responding to unusual or unexpected emails, especially those involving sensitive information.
• Multi-Factor Authentication (MFA): Implement MFA for email accounts and other critical systems. This extra layer of security can significantly reduce the risk of unauthorized access.
• Email Authentication Protocols: Utilize email authentication protocols like SPF, DKIM, and DMARC to prevent email spoofing and unauthorized use of your domain for phishing attempts.
• Email Security Solutions: Invest in advanced email security solutions that can detect and block malicious emails, links, and attachments before they reach users’ inboxes.
• Security Awareness Training: Conduct regular cybersecurity security awareness training for employees to keep them informed about the latest cybersecurity threats and best practices.

We are recommending the following immediate steps to secure the payment switch applications and network environment:

1. Enable multi-factor authentication for any users to login to the Switch Application Server
2. Enable IP table to restrict only authorized systems access to the switch server
3. Reset the password of all privileged users in the Switch Application Server
4. Reach out to your Payment Forensic Investigator (PFI), authorized by the payment brands and listed on PCI Council website, within 24 hours of any suspicion
5. Conduct a credential based vulnerability assessment scan. A non-credential based vulnerability assessment scan has limitations in identifying all the vulnerabilities present in the servers/network components.
6. Conduct web application penetration testing for all web-interfaces present in the network. All applications which have a web-interface, whether internal or external needs to be tested.
7. Instruct your Security Operations Centre to identify any similar Indicators of Compromise (IOCs). Also as part of the S-SOC operations, have thread hunting activity carried out for this particular IOC.
8. Ensure PCI DSS certification for scoped environment and deploy PCI S3 validated application by Authorized QSA’s listed on PCI Security Standard council website.