A Week in Security (Jun 28 – Jul 04)

Last week, we touched on a Twitter phishing campaign, a WhatsApp and Facebook scam, the grey side of mobile advertising, and CS:GO lottery.

Company update: Our latest version of Malwarebytes Anti-Exploit is out!

Our security researchers spotted a rogue Twitter account claiming to be an “Official Verification Page”, luring users who want their accounts verified and hope to sport that small blue check badge beside their names. Unfortunately, it’s a sly phishing campaign intent on harvesting personal and credit card details.

We also saw a WhatsApp scam targeting users called “WhatsApp Elegant Gold”. Apart from spamming the user’s contacts, the campaign also relied on surveys that, once completed, may or may not unlock whatever the user actually signed up for.

Lastly, we published part 2 of a blog series under the Digital Snake Oil title. In a previous post, we talked about registry cleaners (the misbehaving kind). This time, it was about driver updaters.

Notable news stories and security-related happenings:

  • Hackers Posting Nude Pictures of Women without Their Knowledge. “Multiple attempts were made by the hacker to retain the data online. The images were firstly published on a forum this Friday. Although the pictures were taken off, they appeared again by the evening. To ensure easy distribution, the hacker uploaded the cache to an undisclosed file sharing service that is based in New Zealand.” (Source: HackRead)
  • Dridex Banking Malware Spreading Through New Spam Campaign. “Attached to each spam email is a fake scanned document that, in reality, is a macro-enabled .doc, Heimdal Security wrote in its blog post on the attack. The email tries to pass as legitimate under the subject line “Scanned from a Xerox Multifunction Printer.” It tells the recipient that the document was scanned and then sent to them directly from the printer.” (Source: SC Magazine)
  • Backdoor Delivered to Japanese Media Company in MERS-Themed Spear Phishing. “Cybercriminals are quick to exploit important news, and reports on the Middle East Respiratory Syndrome (MERS) outbreak in Korea are no exception, although in a recent attack the lure does not seem to have a financial motivation behind it and the attack appears to be targeted.” (Source: Softpedia)
  • Cybercriminals Adopt Recently Patched Zero-Day Exploit in a Flash. “Just four days after Adobe Systems patched a vulnerability in Flash Player, the exploit was adopted by cybercriminals for use in large-scale attacks. This highlights the increasingly small time frame users have to deploy patches.” (Source: CSO Online)
  • A Third of iThings Open to VPN-hijacking, App-wrecking Attacks. “A trio of FireEye researchers have reported twin ‘app-demolishing’ iOS vulnerabilities Apple has partially fixed in its latest update that could wreck core apps such as the App Store and Settings.” (Source: The Register)
  • Microsoft Quietly Pushes 17 New Trusted Root Certificates to All Windows Systems. “A certificate expert who goes by the Twitter handle @hexatomium said in an article on GitHub over the weekend that Microsoft started pushing the new trusted root certificates earlier this month to ‘all supported Windows systems.’ It isn’t clear how the root certs were pushed, but he does say Microsoft ‘did not announce this change in any KB article or advisory.’” (Source: InfoWorld)
  • Mercenary Hackers: An Elusive, Challenging Foe. “For-hire criminal hackers are a plentiful resource for nation-states and militant groups to carry out digital attacks. They are also expert at covering up their tracks, making it difficult to pinpoint true culprits.” (Source: Christian Science Monitor)
  • Nigerian Scam Groups Target SMEs in Taiwan. “Trend Micro Inc. has issued a warning to Taiwanese small- and medium-sized enterprises about the newest Nigerian hacking scheme that will not only steal information, but also cancel transactions initiated by enterprises and transfer the money to the hacker’s bank accounts instead.” (Source: AsiaOne)
  • Crooks Use Hacked Routers to Aid Cyberheists. “Cybercriminals have long relied on compromised Web sites to host malicious software for use in drive-by download attacks, but at least one crime gang is taking it a step further: New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware.” (Source: KrebsOnSecurity)
  • Researchers Expose Dino, Espionage Malware with a French Connection. “Security researchers at ESET in Bratislava, Slovakia have published an analysis of another apparently state-sponsored cyber-espionage tool used to target computers in Iran—and potentially elsewhere.” (Source: ArsTechnica)
  • Hundreds of Dark Web sites cloned and “booby trapped”. “The fake sites were discovered by Juha Nurmi, a founding member of the ahmia.fi project, an open source search engine that aims to search, index and catalogue all the content present on the Tor network.” (Source: Sophos’s Naked Security Blog)
  • New ways to attack iPhones exposed – make sure you update to iOS 8.4. “In a blog post, security researchers provide details of new so-called Masque attacks, exploiting iOS’s failure to properly distinguish between apps with the same bundle identifier.” (Source: Graham Cluley’s Blog)
  • Multiple holes in Amazon Fire phone, says MWR Labs. “If an attacker were able to gain adb access to the device, they could install and uninstall applications, bypass the lock screen and steal data among other things.” (Source: SC Magazine – UK)
  • Android Malware On The Rise. “Although mobile malware hasn’t yet been blamed for any major data breach or cybercrime event, attackers are churning out a new piece of Android malware every 18 seconds — and the rate is trending upwards.” (Source: Dark Reading)
  • Delta Air Lines, Facebook Users Hit With Viral Giveaway Hoax. “A Facebook promotion from “Delta Airways” has gone viral on the site, getting shared nearly 65,000 times in 24 hours. The only issue: the promotion is a hoax, and it’s from an imposter Facebook page.” (Source: Facecrooks)
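
The Dridex item above describes a lure that is easy to triage at the mail gateway: a subject line imitating a scanner or multifunction printer notification, paired with a legacy .doc attachment that carries a VBA macro storage. The script below is an added example written for this roundup; it is not Heimdal Security’s or Malwarebytes’ detection logic. The sample messages and attachment bodies are constructed inline (an OLE2 header followed by a UTF-16LE storage name) rather than captured from the campaign, and the subject regex and verdict thresholds are assumptions chosen for illustration.

```python
"""Heuristic triage for the "scanned document" macro-malware lure.

Added example, not code from the original page. It flags a message when
(a) the subject imitates a scanner/MFP notification and (b) a .doc
attachment is an OLE2 compound file that contains a VBA macro storage.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file signature
# Directory-entry names legacy Office files use for VBA storage. OLE2 stores
# entry names as UTF-16LE, so we search for those byte patterns.
MACRO_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "VBA", "_VBA_PROJECT")]
# Assumed lure pattern, modelled on the "Scanned from a Xerox Multifunction
# Printer" subject quoted in the article.
SCANNER_SUBJECT = re.compile(r"\bscanned\s+from\s+a\b.*\b(printer|scanner|mfp)\b", re.I)


def has_vba_storage(blob: bytes) -> bool:
    """True if blob looks like an OLE2 file carrying a VBA macro storage.

    This is a byte-pattern heuristic; a production check should walk the
    OLE directory (e.g. with olefile) instead of grepping for names.
    """
    if not blob.startswith(OLE_MAGIC):
        return False
    return any(marker in blob for marker in MACRO_MARKERS)


def triage(raw: bytes) -> dict:
    """Return {'verdict': ..., 'reasons': [...]} for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if SCANNER_SUBJECT.search(subject):
        reasons.append("scanner-style subject: %r" % subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith((".doc", ".dot", ".xls")) and has_vba_storage(payload):
            reasons.append("macro-enabled OLE attachment: %s" % name)
    # Assumed policy: a macro-bearing legacy document is always worth review;
    # the scanner lure on top of it is enough to quarantine outright. A
    # scanner-style subject on its own is common for legitimate MFP mail.
    if any(r.startswith("macro") for r in reasons):
        verdict = "quarantine" if len(reasons) >= 2 else "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, doc_bytes: bytes) -> bytes:
    """Construct a sample message (not a real capture) for offline testing."""
    m = EmailMessage()
    m["From"] = "noreply@printer.example"
    m["To"] = "staff@corp.example"
    m["Subject"] = subject
    m.set_content("Please open the attached document scanned from the printer.")
    m.add_attachment(doc_bytes, maintype="application", subtype="msword",
                     filename="Scan_0073.doc")
    return m.as_bytes()


# Constructed stand-ins for attachment bodies: an OLE2 header plus a UTF-16LE
# "Macros" storage name, versus an OLE2 file with only a WordDocument stream.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00" * 8
PLAIN_DOC = OLE_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le") + b"\x00" * 8


def demo() -> list:
    """Run the triage over three constructed messages; returns (subject, verdict)."""
    cases = [
        ("Scanned from a Xerox Multifunction Printer", FAKE_MACRO_DOC),
        ("Scanned from a Xerox Multifunction Printer", PLAIN_DOC),
        ("Q3 budget draft", FAKE_MACRO_DOC),
    ]
    return [(subj, triage(build_sample(subj, doc))["verdict"]) for subj, doc in cases]


if __name__ == "__main__":
    for subj, verdict in demo():
        print("%-10s %s" % (verdict, subj))
```

The check deliberately keys on the attachment’s structure rather than its extension alone: a .doc that is really an OLE2 file with a VBA storage is the actual risk, while a scanner-style subject by itself is routine in any office with networked printers. The byte-grep for storage names is a triage shortcut; for anything beyond a gateway pre-filter, parse the OLE directory properly so that macro names embedded in document text do not cause false positives.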

Safe surfing, everyone!

The Malwarebytes Labs Team