A Week in Security (Aug 23 – Aug 29)

Last week, we touched on the growing threat of business email scams, a browser hijacker called Browsefox (a.k.a. Sambreel and Yontoo), a fake “rewards” page, a peculiar spam message about a “girls list”, and a scammy Instagram follower booster that actually leads to a browser extension PUP.

For our bi-monthly PUP Friday post, we featured an unwanted program claiming to alert users to possible zombie invasions.

We also saw a then-active malvertising campaign on MSN.com, carried out by the same threat actors behind the operation against Yahoo! visitors that we wrote about earlier this month. Users who visited MSN.com may have found themselves affected by the Angler exploit kit in the process.

Notable news stories and security-related happenings:

  • Operation Safenet: Staffordshire Police Launch Team to Protect Children Against Online Child Abuse. “Staffordshire Police has launched Operation Safenet, using a team of specialists to safeguard children by detecting abuse and prosecuting offenders for the possession and distribution of indecent images.” (Source: Staffordshire Newsletter)
  • Android Security Is Flawed, and Marshmallow Can’t Fix It. “It hasn’t been a good week for the security of the Android operating system, with continuing reports on the state of several persistent vulnerabilities that affect millions of users. And it looks like even Android Marshmallow, the next major release of the software that Google will launch this fall, isn’t going to do much to mitigate the major security problems underlying the world’s most popular mobile operating system.” (Source: CheatSheet)
  • Ashley Madison Hack Linked to Suicide, Spam, and Public Outrage. “An interesting aside in all of this mess, more of a personal observation really, is that on one hand, there are privacy advocates promoting the hunt for high-profile individuals – while seemingly ignoring the fact that 37 million people had their privacy violated last week. Does the right to privacy go away if someone cheats on their spouse?” (Source: CSO)
  • New Amazon Phishing Scam Steals Credit Card Details. “In this email, the company informs the recipient that a new security feature has been added and therefore, the user has to click on the provided link to update account information. The email also notifies the recipient that this update MUST be done within 24 hours.” (Source: HackRead)
  • Hacker Slaps Dolphin, Mercury browsers, Squirts Zero Day. “Mobile security guy Rotologix has popped two popular not-Chrome not-Firefox Android browsers, gaining the power to commit remote code execution using zero-day flaws.” (Source: The Register)
  • Why Phone Fraud Starts With A Silent Call. “It turns out there could be someone on the other end of the line: an automated computer system that’s calling your number — and tens of thousands of others — to build a list of humans to target for theft.” (Source: NPR)
  • Network Security Easier than Most Businesses Think, Says Kaspersky Lab. “The security firm has published a guide for businesses on improving security through best practices in employee IT security hygiene, application patching, mobility, device protection and online behaviour.” (Source: Computer Weekly)
  • Samsung’s Smart Fridge Could be Used to Steal Your Gmail Login. “In yet another example of a manufacturer of a connected product failing to secure said product, Samsung’s connected fridge allows malicious people to steal a consumer’s Gmail login credentials provided they can get on the user’s Wi-Fi network. The exploit, known as a man-in-the-middle attack, is made possible because the Samsung smart fridge lets people link their Gmail calendars to a screen in the fridge’s door so they can see their day’s events.” (Source: Fortune)
  • Executives Lack Confidence in Cybersecurity Postures. “Cybersecurity is a daunting reality for many organizations and despite continued investment (and more examples of “what not to do” than you could shake a stick at), confidence in enterprise security posture is still relatively low. That’s according to a new survey conducted by Raytheon and Websense.” (Source: LegalTech News)
  • Combating Human Error in Cybersecurity. “According to a 2014 IBM study, more than 95 percent of cybersecurity incidents are due to human error. It’s a staggering number, and one that cybercriminals and nation-state adversaries alike are counting on.” (Source: Help Net Security)
  • The Most Common Mistakes These 27 Cyber Security Experts Wish You’d Stop Doing. “But what exactly are the most common mistakes that users make which expose them to cyber threats? To find out, we asked 27 cyber security experts to share what errors they have seen come up most often in their many years of experience.” (Source: Heimdal Security Blog)
  • Risky Mobile Behaviors are Prevalent in the Government. “…not only are federal employees using personal devices to access potentially sensitive government data, a significant number of them engage in behaviors that could put the device and, in turn, the data it contains or accesses at risk. This includes behaviors such as rooting, jailbreaking, and sideloading applications, which involves installing applications from places other than official app stores, such as websites or links in email.” (Source: Help Net Security)
  • Fraud Rate Doubles as Cybercriminals Create New Accounts in Users’ Name. “To get more value out of stolen personal information, cyber criminals doubled their rate of account creation fraud this summer, according to a report from Vancouver-based NuData Security.” (Source: CSO Online)
  • Cyber Threat Intelligence – No Longer Just a Nice To Have. “Information leakage is possibly one of the most common, and misunderstood security risks faced today, and potentially one which impacts organizations every single day. When linked to electronic distance information gathering, it can, and does pose significant security risks to any business, or government agencies alike.” (Source: InfoSecurity)
  • Researcher Catches AT&T Injecting Ads on Free Airport Wi-Fi Hotspot. “According to Mayer, AT&T’s ad injection was handled by a company called RaGaPa, which advertises ‘hotspot monetization,’ saying its ‘exclusive technology inserts content displaying advertisement or other venue specific promoted content on every webpage a user visits using venues’ internet access.'” (Source: Ars Technica)
  • Patched Ins0mnia Vulnerability Keeps Malicious iOS Apps Hidden. “Researchers at FireEye today published a report on the vulnerability they’re calling Ins0mnia. The flaw bypasses restrictions imposed by Apple in iOS that limit how long an application is allowed to run in the background before it’s automatically suspended.” (Source: Kaspersky Labs’s ThreatPost)
  • Consumers Want Password Alternatives. “The study showed that, as things stand, most consumers are not confident in online brands or the efforts they’ve made so far to supplement password security. And, like many password surveys before it, this one shows once again that part of that mistrust stems from consumers’ admitted inability to effectively manage password hygiene for their own accounts.” (Source: Dark Reading)
  • BitTorrent Kills Bug that Turns Networks into a Website-Slaying Weapon. “The San Francisco company said Thursday the patch for its libuTP software will stop miscreants from abusing the peer-to-peer protocol to launch distributed reflective denial-of-service (DRDoS) attacks.” (Source: The Register)
  • FBI: $1.2B Lost to Business Email Scams. “The FBI today warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.” (Source: Krebs on Security)
  • The Race for the Unbreakable Password is Almost Over. “What Ashley Madison needed was quantum cryptography. Quantum cryptography is the use of physics, specifically quantum mechanics, to build secret codes. It is so secure, so difficult to intercept, some call it unhackable. Banking, medical, business and government records around the world could be made secure from outside intruders.” (Source: PBS)
  • No, Microsoft is Not Spying on you with Windows 10. “The Windows 10 privacy agreement doesn’t mean Microsoft is secretly stealing the data from your hard disk. Where do people come up with these crazy ideas?” (Source: ZDNet)
  • Report: Phishing Training could Cut Damage Costs by $1.8M. “The report, sponsored by Pittsburgh-based security awareness training company Wombat Security Technologies, breaks down the cost of phishing attacks into five parts: containing the malware, remediating uncontained malware, productivity losses, containing credential compromises and remediating uncontained credential compromises.” (Source: TechTarget)

Safe surfing, everyone!

The Malwarebytes Labs Team