Here’s a review of last week’s posts on Malwarebytes Unpacked:
- The “Kevin the Game Dev” Tumblr Spam Run (Fraud/Scam Alert) Security researcher Chris Boyd has found “Kevin”, a bot posing as a game developer on Tumblr, encouraging the unwary to “try a game he’s been ‘working on’.” Boyd adds, “As best we can tell, the games mentioned are real MMORPG titles but it seems clear that this person has nothing to do with games development and is riding on their coat-tails.”
- Rogue E-Books Could Pose Threat to Amazon Accounts (Security Threat) In this post, Boyd reports on a security researcher's finding that malicious code can likely be injected via a stored XSS attack on the Manage Your Kindle page of the Amazon website. He also offers a few tips on how users can secure their Kindle device.
- Steer Clear of Fake “EuroMillions Lottery” Email (Fraud/Scam Alert) Boyd finds a 419 email sent under the guise of a fake “EuroMillions Lottery”. Anyone can be conned by this scam, since EuroMillions is a legitimate European lottery; however, EuroMillions is aware that scammers are banking on its name to cash in on users, and its official websites have useful tips on how to spot fakes.
- Steam Threats: What They Are and What You Can Do to Protect Your Account (Online Security) We have compiled a list of threats that continue to affect certain users of Steam, Valve’s famous gaming platform. In this post, we also put together a handy list of safety measures users can take to help ensure that their accounts are secure and remain that way.
- Steer Clear of USAA Phishing Campaigns (Fraud/Scam Alert) We have observed several scam attempts to obtain personally identifiable information from United Services Automobile Association (USAA) clients. USAA phishing usually targets credit/debit card details; however, this campaign extended to gathering more sensitive information, such as birth dates, Social Security numbers, and mother’s maiden name, among others.
- Magazine Photoshoot Leak Leads to Installs / Surveys (Fraud/Scam Alert) Photos of a rising model from the Philippines were leaked to the public Web without permission. Esquire Philippines, the magazine that will be putting the model on the cover of its upcoming issue, has already issued a statement about the photos, which were apparently taken from one of its exclusive photoshoots.
- Meet the Master Boot Record (Security Threat) Security researcher Pieter Arntz talks about the Master Boot Record (MBR), what it is and how malware can alter it. He also dishes out a couple of ways users can fix it if expert help is not on hand.
- Malvertising hits ‘The Times of Israel’ and ‘The Jerusalem Post’, redirects to Nuclear Exploit Kit (Malvertising) Security researcher Jérôme Segura discusses malvertising (malicious advertising) attempts within the legitimate domains of two popular Israeli news channels on the Web. Malwarebytes Anti-Malware detects the payload from the ads as Trojan.Agent.BPEN, a malware downloader.
- Large malvertising campaign under way involving DoubleClick and Zedo (Malvertising) Following the discovery of malvertisements on a couple of popular news sites, Segura also found malvertising attempts on Last.FM, a popular site for streaming music. The binary involved this time is Zemot, a known payload of another malware.
- Malicious activity observed in new Top-level domains (Online Security) Segura observed malicious activities, particularly involving exploits, on new top-level domains (TLDs) in our honeypots. He adds, “It is important to note that the majority of the domains involved were not registered by the bad guys themselves. Instead what we observed are websites whose DNS entries have been hacked and are used for nefarious purposes.”
Top news stories:
- Dragonfly malware targeting pharmaceutical companies. “The recently revealed Dragonfly (Havex) malware is likely targeting the pharmaceutical sector, not the energy sector as previously believed, according to Belden.” (Source: Help Net Security)
- Beware geeks bearing gifts: Steam-draining nasty spreads via Twitch. “Infosec bods are warning of new malware spreading through game-streaming web hit Twitch: the software nasty subverts Steam accounts to drain players’ wallets, and could take away all their precious weaponry.” (Source: The Register)
- Archie Exploit Kit Targets Adobe, Silverlight Vulnerabilities. “A relatively new exploit kit that borrows modules copied from the Metasploit Framework and exploits any older versions of Adobe Flash, Reader, and Silverlight the user may be using has begun to make the rounds.” (Source: Threatpost)
- “Shocking” Android browser bug could be a “privacy disaster”: here’s how to fix it. “Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another.” (Source: Sophos’ Naked Security Blog)
- Twitter Vulnerability Allows Hacker to Delete Credit Cards from Any Twitter Account. “An Egyptian Security Researcher, Ahmed Mohamed Hassan Aboul-Ela, who has been rewarded by many reputed and popular technology giants including Google, Microsoft and Apple, has discovered a critical vulnerability in Twitter’s advertising service that allowed him to delete credit cards from any Twitter account.” (Source: The Hacker News)
- The Dark Web Gets Darker With Rise of the ‘Evolution’ Drug Market. “…Evolution’s popularity has been driven not only by a more secure and professional operation than its competitors, but also by a more amoral approach to the cryptomarket than the strict libertarian ethos the Silk Road preached. Case in point: About 10 percent of Evolution’s products are stolen credit card numbers and credentials for hacked online accounts.” (Source: Wired)
Stay safe!
The Malwarebytes Labs Team