A Week in Security (Sep 27 – Oct 03)

Here’s a reminder to our readers: Malwarebytes will be participating in the upcoming IP EXPO Europe. If you’re in London this week, please don’t forget to drop by stand AA3 and say hello to your friendly Malwarenaut!

Last week, we touched on an atypical Skype hacking tool, which is actually a backdoor program; the growing threat of phishing, brought to us by Michael Osterman, our latest guest blogger; tech support impersonators who traded on the Malwarebytes brand; and an Instagram account that tugs on the heartstrings in all the wrong ways.

Senior Security Researcher Jérôme Segura found and documented more hot malvertising campaigns based on data captured from our telemetry. First off, the adult sites Pornhub and YouPorn were used to expose millions of visitors to malicious ads, following the xHamster attack several days earlier. Next, rogue advertisers abused Google’s AdWords to point users to a fake blue screen of death (BSoD) tech support scam.

Malware Intelligence Analyst Christopher Boyd reported on spammers misusing Indiegogo, a popular crowdfunding site similar to Kickstarter. We’ve seen similar spam campaigns before on deviantArt, LinkedIn, Steam, and even on Celine Dion’s official website.

Boyd also published an interesting phishing find that highlighted the tactics the fraudsters used while incorporating common online elements: a PDF file, a URL shortener, and an error message. The tactic should serve as a reminder never to let our guard down, knowing that phishers can extract credentials and information from anyone, even from security-savvy users.

Notable news stories and security related happenings:

  • Mobile Advertising DDoS JavaScript Drip Serves Site with 4.5bn Hits. “CloudFlare has turned up an unusual form of denial-of-service attack: mobile advertisements that are pumping out around 275,000 HTTP requests per second. The cloud outfit didn’t name the victim, but said the Layer 7 HTTP floods hitting the target are the latest example of a once-theoretical attack turning up in the real world.” (Source: The Register)
  • More Law Firms Embrace Cloud-Based IT. “In addition to intrusion detection systems and spam filters, ‘we are able to build one environment and then house all of these firms in one environment where they are all separate from each other, almost like hardware,’ he added. ‘Most solo-practitioner law firms… we see them storing a lot of data on their laptops. I am always harping on them to make sure they keep that data encrypted.’” (Source: Legal Tech News)
  • Two New PoS Malware Affecting US SMBs. “Following the seemingly quiet state of point-of-sale (PoS) malware these past few months, we are now faced with two new PoS malware named Katrina and CenterPoS now available to cybercriminals.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • Rise of Bitcoin Extortionist Group Threatens HK Banks, Says Akamai. “Some regional banks in Hong Kong have been preyed upon by a bitcoin extortionist group known as DD4BC, according to Akamai Technologies. […] As DD4BC is starting to flex its muscles in markets outside North America and Europe, Akamai is warning companies in Hong Kong to brace themselves against more aggressive tactics from the extortionist group.” (Source: Enterprise Innovation)
  • With Stolen Cards, Fraudsters Shop to Drop. “A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.” (Source: Krebs on Security)
  • Apple Watch Security Risks (and Benefits). “A recent HP Fortify study of 10 popular smartwatches (HP didn’t identify which brands were tested) found that every one contained significant vulnerabilities, including insufficient user authentication, lack of transport encryption, insecure interfaces, insecure firmware and privacy concerns. In 90 percent of cases, the study found, communications to and from the watch were easily intercepted.” (Source: eSecurity Planet)
  • Celebrity Search Results Loaded with Malware, Study Shows. “The results of searches relating to breaking news events and celebrities continue to be loaded with malware, a study has revealed. Model and TV personality Kelly Brook is the most dangerous celebrity to search online, according to Intel Security’s ninth annual survey of risky search topics.” (Source: Computer Weekly)
  • Microsoft Reaffirms Privacy Commitment, but Windows will Keep Collecting Data. “The privacy implications of Windows 10 and its data collection have been a talking point since the operating system was released. And today, Microsoft published a response of sorts. For the most part, the new blog post reiterates the company’s (lengthy) privacy policy.” (Source: Ars Technica)
  • Majority of Cybersecurity Experts Say Mobile Payments Data Breaches will Grow. “A survey by ISACA of more than 900 cybersecurity experts shows that an overwhelming majority (87 per cent) expect to see an increase in mobile payment data breaches over the next 12 months. Yet 42 per cent of respondents have used this payment method in 2015.” (Source: CIO)
  • Scammers Use Google AdWords, Fake Windows BSOD to Steal Money from Users. “Faced with the infamous Windows Blue Screen of Death (BSOD), many inexperienced computer users’ first reaction is panic. If that screen contains a toll free number ostensibly manned by Microsoft technicians who are there to help users overcome this problem, many are probably tempted to pick up the phone.” (Source: Help Net Security)
  • Drop-dead Simple Exploit Completely Bypasses Mac’s Malware Gatekeeper. “Patrick Wardle, director of research of security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates. Gatekeeper’s sole function is to check the digital certificate of a downloaded app before it’s installed to see if it’s signed by an Apple-recognized developer or originated from the official Apple App Store.” (Source: Ars Technica)
  • Fresh Ransomware Campaign has a 0% Detection Rate. “So how to protect oneself? Users should exercise extreme caution when it comes to opening emails from unknown senders—but should also make sure everything on their systems is up to date.” (Source: Info Security Magazine)
  • Opinion: Fight Phishing Without Blaming Victims. “Yes, anti-phishing training is effective. But only to a certain point. Training can reduce the number of malicious links that get clicked on within an organization but it will never eliminate the threat. Criminal hackers are crafty, and there will always be that perfectly designed e-mail that’ll fool even the savviest recipient. So, if your security policy is to rely 100 percent on anti-phishing training, you’re about to have a very bad day.” (Source: Christian Science Monitor)
  • Experian Data Breach Hits More than 15M T-Mobile Customers, Applicants. “The data includes personal information for a combination of about 15 million customers and applicants in the U.S. who at one point may have applied for T-Mobile service. The company said that the incident did not impact its own consumer credit database.” (Source: CNBC)
  • Stagefright Bug 2.0 — One Billion Android Smartphones Vulnerable to Hacking. “Yes, the Android Stagefright bug is back… and this time, the flaw allows an attacker to hack Android smartphones just by tricking users into visiting a website that contains a malicious multimedia file, either MP3 or MP4.” (Source: The Hacker News)
  • Tens of Thousands of Routers, IP Cams Infected by Vigilante Malware. “Symantec researchers have avoided calling Wifatch a piece of malware because it doesn’t actually do anything malicious. Instead, it appears to be the work of what experts call an ‘Internet of Things (IoT) vigilante’ who wants to protect routers and other IoT devices from malicious actors.” (Source: Security Week)

Safe surfing, everyone!

The Malwarebytes Labs Team