
A Week in Security (Jan 03 – Jan 09)

Last week, we sent our readers a survey that they may want to check out and answer. We created it in the hopes of improving our PUP Friday posts.

We also spotlighted a defaced UK site, questioned the veracity of the data behind Mac OS X being “the most vulnerable of 2015”, and delved into another phishing campaign on Facebook, this one claiming that user accounts had been disabled.

Senior security researcher Jérôme Segura revealed a clever clickjacking campaign banking on the European Cookie Law, legislation requiring websites to get consent from visitors to store and/or retrieve data from their systems. The campaign also placed a hidden advert underneath the supposed ad it purported to display.

In another post, Segura focused on the abuse of pop-under ads. Unlucky visitors were directed from malicious adverts to a domain serving the Magnitude and Flash exploit kits. Once flaws are found on visitors’ systems, those systems are infected with CryptoWall ransomware.

Notable news stories and security-related happenings:

  • Irked Train Hackers Talk Derailment Flaws, Drop SCADA Password List. “A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hard-coded industrial control system credentials to kick vendors into action.” (Source: The Register)
  • The CryptoJoker Ransomware is Nothing to Laugh About. “A new ransomware has been discovered called CryptoJoker that encrypts your data using AES-256 encryption and then demands a ransom in bitcoins to get your files back […] CryptoJoker is not widely distributed at this time, but is a fully functional ransomware that could see greater distribution in the future.” (Source: Bleeping Computer)
  • Fraudsters Automate Russian Dating Scams. “Recently, I had a chance to review a package of dating scam emails, instructions, pictures, videos and love letter templates that are sold to scammers in the underground, and was struck by how commoditized this type of fraud has become.” (Source: Krebs on Security)
  • Human Behaviour as the “Biggest Threat to Company Security”. “People were reported to be ‘almost universally’ the biggest weakness in information security, ahead of technology and processes. Of the respondents that reported to have an insider threat or policy, 70% offer employee training to minimize risk.” (Source: Information Security Buzz)
  • 2015: The Year Of ‘Attacks on Trust’. “Nine attacks that leveraged stolen, compromised, or unprotected cryptographic keys and digital certificates show how easy it is for cybercriminals to bypass security controls and hide their actions.” (Source: Dark Reading)
  • Security Researcher with Implanted Pacemaker Sounds the Alarm on IoT Medical Devices. “Marie Moe, a former member of Norway’s Computer Emergency Response Team, gave a talk at the 32nd Chaos Communication Congress (32C3) in Hamburg, Germany, revealing details about unsafe practices used for modern-day pacemaker devices.” (Source: Softpedia)
  • Difficult to Block JavaScript-based Ransomware Can Hit All Operating Systems. “Ransom32 is delivered on the victims’ computer in the form of a self-extracting WinRAR archive. It uses the built-in scripting language to unpack its contents and among the files it unpacks is one called chrome.exe.” (Source: Help Net Security)
  • Kid Spends $5900 Playing Jurassic World on Dad’s iPad. Here’s How to Prevent That Happening to You. “As the Metro reports, Mohamed Shugaa, from West Sussex, UK, found out his son had made the transactions during a 5-day dino spree in December, using Dino Bucks in the iTunes game Jurassic World on his dad’s iPad.” (Source: Sophos’s Naked Security Blog)
  • Tips to Protect Your Personal Information While Online. “Give personal information over encrypted websites only. If you’re shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server.” (Source: The US IRS Website)
  • The Nature Lover’s Guide to Cyber Security. “It seems paradoxical, this borrowing from the natural world to safeguard a virtual one. But humans have engaged in biomimicry for eons, starting, perhaps, with wearing animal hides for warmth. Now, as then, we may find some of the best solutions to our problems on nature’s path.” (Source: The Wall Street Journal)
  • Wi-Fi Standard Could Make Internet of Things Things Even Easier…for Hackers. “A new standard for Wi-Fi for IoT devices may create yet more ways to attack vulnerable kit, according to a security consultancy with a storied history of hacking into internet-connected gizmos.” (Source: The Register)
  • Gaming Gets Serious on Addressing Online Dual Threats of Cyber-Attacks and Piracy. “In this environment, defending against piracy and cyber threats has become a mission-critical issue for service, content and distribution suppliers to the digital media industry.” (Source: Willis Towers Watson Wire)
  • Data Convenience isn’t a Crime, but Treating It as One Should be. “…the more frequently the IT community overreacts to non-events in security and privacy, the weaker the protections we can give to significant security/privacy problems.” (Source: Computer World)
  • Crafty Booby-trapped Invoice Malware Empties Japanese Bank Accounts. “The scam uses carefully crafted Japanese-language emails that include ZIP files seemingly coming from Russian .ru domains. As well as containing fake invoices, the folders also include the Rovnix malware kit – a complex app suite that has begun circulating on darknet forums.” (Source: The Register)
  • More Google Play Apps Infected with Brain Test Malware: Lookout. “Google has promptly removed 13 compromised apps from the Google Play Store after mobile cybersecurity firm Lookout found the developers behind the Brain Test strain of malware had returned.” (Source: ZDNet)
  • WhatsApp Phishing Campaign Unleashes Malware Storm. “…cyber-criminals are sending fake emails claiming to be delivering legitimate WhatsApp content; instead, the messages spread malware when the target clicks on the ‘message.’” (Source: InfoSecurity Magazine)
  • You Can’t Stop What You Can’t See: Mitigating Third-party Vendor Risk. “Third-party vendors are a liability for host organizations, often unwittingly creating backdoors and exposing sensitive data. In fact, according to the Ponemon Institute ‘Aftermath of a Data Breach Study,’ 53 percent of organizations felt vulnerable to another breach due to negligent third parties including vendors and outsourcers.” (Source: Help Net Security)
  • The ‘Bogus Boss’ Email Scam Costing Firms Millions. “Staff are less likely to question instructions purporting to come from on high, and it’s this psychological manipulation – often accompanied by a sense of urgency – that is a major factor in the fraud’s success.” (Source: The BBC)

Safe surfing, everyone!

The Malwarebytes Labs Team