This alert may not be shared outside your organization, Do Not Repost or send, place on other websites, List servers, or send to others via email, including other associations or parties.  Members and Law enforcement use only. Contact us for any permissions.  To do otherwise will result in the loss of membership.

Complete Story
 

10/30/2018

The Masquerade Ball: Train Yourself to Detect Spoofed Files

The State of Security

Masquerading is a technique used in which a file name is maliciously named something similar to one which may be trusted.

This specific technique is outlined in detail in the MITRE ATT&CK framework, as well. For example, a file named explorer.exe may seem more benign than one called explor3r.exe. However, file names may not be so easy to spot like that. Let’s go through a quick exercise and test your masquerading chops. Which of the following executables is the malicious one?

  • Conhost.exe
  • Explorer.exe
  • Lsalso.exe
  • Lsass.exe
  • Rdpclip.exe
  • Spoolsv.exe
  • Svchost.exe
  • Svhost.exe

Some of these may seem more familiar than others, such as conhost, explorer, and lsass. Others might be somewhat new to you, such as lsalso or rdpclip. The tricky part for most comes with the final three. Spoolsv is the print spooler service. Svchost is a system process used to launch Windows Services. Svhost is the malicious outlier that is trying to hide by using “sv” for service as used by the spoolsv executable rather than the expected “svc” for service as used by the proper executable.

Read more...

Printer-Friendly Version


Resources

Alerts

The FRPA alert system distinguishes us from other groups by gathering and providing information to law enforcement, retailers AND financial institutions.

more information
Resources

Resources

Your electronic library to help in fighting financial fraud for all of our partners.

more information