CyberManipal.

Tech news from MIST

Cyber Puppeteer Kits: The New Financial Services Security Threat

Vulnerabilities
@RuchiraGarai

Ruchira Garai

September 16, 2021

Adversaries have evolved to target financial organizations in a new, effective way, introducing the cyber puppeteer kit. These kits are a substantial threat to an organization’s employees, customers, critical assets and more. A cyber puppeteer kit, also referred to as a “live panel” among the threat actors that operate them, is a new breed of phishing kit designed almost exclusively to facilitate phishing attacks against the financial services industry.

They are called cyber “puppeteer” kits because their workflows are unlike any other phishing kit’s. They are advanced, very dynamic, and require live interaction between the victim and the threat actor. The threat actor is essentially “pulling the strings” of the victim, guiding them through a series of pages to unwittingly authorize access to their account.

The operator controls a puppeteer kit through an administrative dashboard that they log into. This dashboard notifies the operator of new visitors to the phishing site and lets them manually dictate what the victim should be prompted for in order to gain complete access. During the victim workflow, the attacker takes the information the victim provides and logs directly into the legitimate online banking platform, echoing back any security questions to the victim for them to answer. Because this happens in near real time, the operators can prompt the victim for whatever information they need, as many times as they require. This allows criminals to get around additional authentication steps such as SMS-based two-factor authentication, one-time password tokens and device verification.

Given the risk that cyber puppeteer kits can pose, what can security teams do? As mentioned earlier, these kits are designed for ease of use and deployment. It is not uncommon for them to call assets directly from the targeted brand’s website or content delivery network (CDN). This leaves a trail in assets you control, such as referrer logs. Reviewing the referrer logs for requests for the organization’s legitimate logo that arrive from URLs ending in that path will lead you straight to active deployments.
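The referrer-log review described above, as an added example that is not part of the original post or of ZeroFox’s tooling: the script parses web-server access logs in the common Apache/Nginx combined format, keeps only requests for brand assets (here the logo), and reports referrer hosts that are not the organization’s own domains. The log lines, the asset path `/static/img/logo.png` and the trusted domain `example-bank.com` are constructed placeholders for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache/Nginx combined format). Not real data:
# the hosts under .example and the 203.0.113.0/24 addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Sep/2021:10:01:02 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.com/login" "Mozilla/5.0"
203.0.113.11 - - [16/Sep/2021:10:01:05 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120 "https://examp1e-bank-secure.example/verify.php" "Mozilla/5.0"
203.0.113.12 - - [16/Sep/2021:10:01:09 +0000] "GET /static/css/site.css HTTP/1.1" 200 800 "https://examp1e-bank-secure.example/verify.php" "Mozilla/5.0"
203.0.113.13 - - [16/Sep/2021:10:02:00 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [16/Sep/2021:10:02:10 +0000] "GET /static/img/logo.png?v=2 HTTP/1.1" 200 5120 "https://cdn.example-bank.com/preview" "Mozilla/5.0"
203.0.113.15 - - [16/Sep/2021:10:03:00 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120 "http://login-examplebank.example/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed configuration (placeholders): the brand assets worth watching and the
# domains from which those assets are legitimately embedded.
BRAND_ASSET_PATHS = {"/static/img/logo.png"}
TRUSTED_DOMAINS = {"example-bank.com"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted_host(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_external_referrers(log_text):
    """Count referrer hosts outside TRUSTED_DOMAINS that embedded a brand asset."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a full log
        path = rec["path"].split("?", 1)[0]  # ignore cache-busting query strings
        if path not in BRAND_ASSET_PATHS:
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue  # direct request or stripped Referer: nothing to attribute
        host = urlsplit(ref).hostname
        if not host or is_trusted_host(host):
            continue
        hits[host] += 1
    return hits


if __name__ == "__main__":
    # Each host listed here is a site that served your logo from its own page and
    # is a candidate for takedown review; the count is how often it did so.
    for host, count in find_external_referrers(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {host}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents; a zero Referer count for the logo does not prove absence, since a kit that copies the asset instead of hot-linking it leaves no trail here, so treat a hit as a strong lead rather than the only signal.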

Abridged from ZeroFox
