T-Mobile Employee Steals 1.5 Million Customers' Information

This week we hear about how a T-Mobile employee stole 1.5 million customers’ information and how the GozNym trojan is targeting U.S. banks.

Breach

T-Mobile Employee Steals 1.5 Million Customers’ Information

T-Mobile Czech Republic has been hit by a breach, and this time it wasn’t an outside hacker; it was an employee with privileged access. This employee was part of a small team with access to customer data and managed to steal the data of 1.5 million T-Mobile customers. The insider was subsequently caught when attempting to sell the information online, but T-Mobile hasn’t shared any further details regarding the breach due to an ongoing investigation by the Czech Police’s Unit for Combating Organized Crime.

T-Mobile assured all of its customers that the data stolen was purely for marketing purposes, and contained no sensitive information like location, traffic, or passwords. The Czech media is saying that this is the largest breach in the Czech Republic’s history, and T-Mobile has said it will inform its customers of any further developments in the investigation.

References: Insider Breach: T-Mobile Czech Employee Steals and Sells 1.5 Million Users Data | T-Mobile Hit By Insider Breach; Staffer Steals Over 1.5 Million Customer Records | T-Mobile Hit By Insider Breach

Mitigation Strategies:

  • A Security Operations Center (SOC) team providing around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management can detect suspicious user account activity.
  • NetFlow analysis may also reveal unusually large data transfers and data leakage.
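The second and third points above amount to the same control: compare each privileged account’s record-access volume against its own history and flag the outliers. The following script is an added example and not part of the original article; it runs over a constructed audit log (the format, the user names and the counts are assumptions) and flags a day whose export total is far above the account’s baseline, a total above an absolute cap, and any export made outside business hours.

```python
"""Flag privileged accounts whose customer-record export volume deviates from
their own baseline. Added example with constructed input; not from the article."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines (assumed format): timestamp, user, action, record count.
# "carol" has a single, very large day; "bob" has one day well above his baseline
# plus an export close to midnight.
SAMPLE_LOG = """\
2016-05-02T09:12:01Z alice export_customers 120
2016-05-02T14:40:11Z alice export_customers 95
2016-05-03T10:01:45Z alice export_customers 110
2016-05-03T11:22:09Z bob export_customers 80
2016-05-04T09:30:00Z bob export_customers 70
2016-05-04T23:58:31Z bob export_customers 5000
2016-05-05T09:05:12Z alice export_customers 130
2016-05-05T10:15:00Z carol export_customers 20000
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "count": int(count),
        })
    return events


def daily_totals(events):
    """Sum exported records per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date()] += e["count"]
    return totals


def flag_anomalies(events, ratio=10.0, absolute_cap=10000, business_hours=(7, 19)):
    """Return (user, day, reason) findings.

    - A day is compared with the median of the user's *other* days (leave-one-out),
      so a single huge day does not inflate its own baseline.
    - An absolute cap catches accounts with no usable history.
    - Any single export outside business hours is reported on its own.
    """
    findings = []
    for user, per_day in daily_totals(events).items():
        for day, total in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            baseline = statistics.median(others) if others else None
            if total > absolute_cap:
                findings.append((user, str(day),
                                 f"daily total {total} exceeds absolute cap {absolute_cap}"))
            elif baseline is not None and total > ratio * baseline:
                findings.append((user, str(day),
                                 f"daily total {total} is {total / baseline:.0f}x the user's "
                                 f"baseline of {baseline:.0f}"))
    start, end = business_hours
    for e in events:
        if not (start <= e["ts"].hour < end):
            findings.append((e["user"], str(e["ts"].date()),
                             f"export of {e['count']} records at {e['ts']:%H:%M} UTC, "
                             f"outside business hours"))
    return findings


if __name__ == "__main__":
    for user, day, reason in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

The thresholds are deliberately loose; in practice the ratio and cap are tuned per role, and a hit should open a ticket for review rather than block the account outright, since a legitimate marketing export can look exactly like this.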

Malware

GozNym Trojan Targets U.S. Banks

The hybrid GozNym Trojan is now targeting U.S. banks, redirecting users to rogue websites in order to hijack their accounts. GozNym was first detected in April 2016 targeting a Polish banking portal, using web injections: malicious DLLs loaded into the user’s browser display overlays on top of the legitimate page.

GozNym has now been launched against four large U.S. banks and uses a technique called “redirection attacks”, in which the malware redirects the user to a fake banking portal. What makes this particularly tricky is that the fake portal is a perfect replica of the real one, and the browser’s address bar shows the correct URL and the bank’s real SSL certificate.

References: GozNym Banking Trojan Hits the US With Redirection Attacks | GozNym Trojan Turns Its Sight on Business Accounts at Major US Banks

Mitigation Strategies:

  • Mail filtering would scan incoming files and hyperlinks for malicious links or code.
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • 24x7 security monitoring to provide anomaly detection.

Top 20 IP Addresses

  • 80.82.65.219
  • 188.118.2.26
  • 46.109.168.179
  • 81.183.56.217
  • 123.249.0.151
  • 118.170.130.207
  • 155.94.163.97
  • 93.174.93.94
  • 91.219.29.41
  • 217.12.223.83
  • 185.82.216.55
  • 51.254.240.48
  • 114.44.192.128
  • 116.255.189.195
  • 218.27.207.144
  • 155.94.224.147
  • 153.142.6.53
  • 123.234.227.203
  • 115.230.126.31
  • 183.60.48.25

*IP addresses provided by Recorded Future.
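A list like this is only useful once it is checked against your own traffic. The following script is an added example, not part of the original digest: it loads the twenty addresses above as a watchlist and scans constructed firewall log lines (the log format and the internal addresses are assumptions) for connections to or from any of them, keeping the direction and the firewall verdict so an analyst can tell an allowed outbound connection from a blocked inbound probe.

```python
"""Match firewall log lines against the page's Top 20 IP list.
Added example with constructed log lines; not from the original digest."""
import ipaddress
import re
from collections import Counter

# The twenty addresses listed above (attributed on the page to Recorded Future).
TOP_20_IPS = """
80.82.65.219 188.118.2.26 46.109.168.179 81.183.56.217 123.249.0.151
118.170.130.207 155.94.163.97 93.174.93.94 91.219.29.41 217.12.223.83
185.82.216.55 51.254.240.48 114.44.192.128 116.255.189.195 218.27.207.144
155.94.224.147 153.142.6.53 123.234.227.203 115.230.126.31 183.60.48.25
"""
WATCHLIST = {ipaddress.ip_address(tok) for tok in TOP_20_IPS.split()}

# Constructed firewall log lines (assumed key=value format, RFC 5737 / RFC 1918
# addresses for everything that is not on the watchlist).
SAMPLE_FIREWALL_LOG = """\
May 10 08:01:02 fw1 conn: src=10.0.5.17 dst=80.82.65.219 proto=tcp dport=443 action=allow
May 10 08:01:09 fw1 conn: src=185.82.216.55 dst=10.0.5.40 proto=tcp dport=22 action=deny
May 10 08:02:30 fw1 conn: src=10.0.5.17 dst=203.0.113.10 proto=tcp dport=80 action=allow
May 10 08:03:11 fw1 conn: src=10.0.7.3 dst=155.94.163.97 proto=udp dport=53 action=allow
"""

IP_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")
ACTION_RE = re.compile(r"\baction=(\w+)")


def scan_log(text, watchlist=WATCHLIST):
    """Return one hit per (line, field) whose address is on the watchlist."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        action_match = ACTION_RE.search(line)
        action = action_match.group(1) if action_match else "unknown"
        for direction, raw in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
            if ip in watchlist:
                hits.append({"line": lineno, "direction": direction,
                             "ip": str(ip), "action": action})
    return hits


def summarize(hits):
    """Count hits by (direction, action); allowed 'dst' hits are the ones to chase first,
    since they are internal hosts that successfully reached a listed address."""
    return Counter((h["direction"], h["action"]) for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_FIREWALL_LOG)
    for h in found:
        print(f"line {h['line']}: {h['direction']}={h['ip']} action={h['action']}")
    print(dict(summarize(found)))
```

Direction matters more than the raw match count: an inbound connection from a listed address that the firewall denied is noise in most environments, whereas an internal host that was allowed to reach one is worth a look.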