Speakers

Many cybercriminals in the world now focused on monetization, but they want to look cool and don’t want to spend too much money and efforts for this. They commit e-shopping fraud to either resell or use delivered goods. This presentation will focus on the underground findings related to e-shopping fraud and highlight topics like how hackers collect and monetize credit cards, what tricks they use to avoid antifraud system, how hackers trick logistics companies to deliver goods. Security Tips and suggestions to the industry & e-shopping customers. Highlights on evolution of the “cat and mouse game” related to industry and community efforts to stop these hackers.

Trend Micro's vision of having "a world safe for exchanging digital information" does not end when we detection malicious files, emails or websites. We also routinely work with law enforcement to bring down cybercriminals. In this session, we will share a few cases that not only resulted in successful arrests, but also enhanced our understanding of the cybercrime underground.

Taking a cue from the latest password guidelines from the National Institute of Standards and Technology (NIST, https://pages.nist.gov/800-63-3/) and the latest password guidance from Microsoft (https://www.microsoft.com/en-us/research/publication/password-guidance/), we designed an experiment to uncover relevant statistics about passwords used in the organization, to guide us in refining password policies from the classic, traditional policies to the newer ones as recommended by the NIST and Microsoft.
In this report, we share our experience and findings from a password analysis study that was conducted in late 2017 to early 2018. We start with a discussion of the the key characteristics and rationale behind the new password guidance from the NIST and Microsoft, focusing particularly on human-oriented, psychological factors. We then share very interesting findings we were able to uncover from our measurements during the study, as well as our efforts to improve user education with regards to the improved password guidance. Finally, we also share our methodology, particularly how we were able to establish the needed infrastructure and capability to implement one of the latest and most challenging guidelines from NIST and Microsoft: checking passwords against hundreds of millions of known weak/bad passwords taken from past breaches and exploits.

Steganography has long been used by malware developers to hide malicious code inside files not normally scanned by Antivirus products. In addition, legitimate and trusted websites like GitHub and Pastebin were also leveraged to host malware. Recent efforts however, are now combining the two together by uploading images carrying malicious code on GoogleUserContent, a trusted hosting platform. In our presentation, we describe the process of hiding and executing code inside an image, the problems arising from malware-injected images hosted on websites with good reputation, and how to counter-act those problems.

Steganography has long been used by malware developers to hide malicious code inside files not normally scanned by Antivirus products. In addition, legitimate and trusted websites like GitHub and Pastebin were also leveraged to host malware. Recent efforts however, are now combining the two together by uploading images carrying malicious code on GoogleUserContent, a trusted hosting platform. In our presentation, we describe the process of hiding and executing code inside an image, the problems arising from malware-injected images hosted on websites with good reputation, and how to counter-act those problems.

Email is still the primary infection vector used in prominent threats today. This comes as no surprise, as majority of communications within organizations are conducted through email. In the recent years we’ve seen cybercriminals and threat actors use email as their stepping stone to getting into organizations, whether it is to conduct espionage, intercept transactions, or attempt extortion through network-crippling ransomware. But what makes it the go-to channel for cybercriminals? In this talk, we’ll take at look how email and user behavior towards it played a part in the success of past attacks, and what employees can do to avoid being their organization’s weakest link.