
A Week in Security (Mar 13 – Mar 19)

Last week, we touched on a 419 scam, modding on games (in general), a much talked about iCloud scam that “may be worse than ransomware”—not to mention a number of threats targeting Apple users—and a Steam scam.

Senior security researcher Jérôme Segura once again unearthed a couple of malvertising campaigns. First, Segura revealed another round of malicious ads served through top online publishers, including (but not limited to) The New York Times and the BBC. Just like the campaign he discussed back in January, this one led to an Angler exploit kit infection. Second, Segura also found a campaign targeting UK internet users. Specifically, ads on the legitimate news site The Daily Mail were found pointing to rogue or shadowed sub-domains (sub-domains created under a legitimate domain using stolen registrar credentials) that redirected visitors to Angler landing pages.

We also deconstructed a TeslaCrypt spam campaign and, for last week’s PUP Friday post, highlighted an interesting piece of adware called TopFlix that displays ads and modifies a system’s DNS settings.

Notable news stories and security-related happenings:

  • Instagram Hackers Stole Tens of Thousands of Euros from Users. “Two young Dutch hackers were arrested on Sunday. The police believe the two hackers, aged 18 and 19, hacked into a large number of Instagram accounts and thereby managed to steal tens of thousands of euros in advertising revenue from the real users, NOS reports.” (Source: Netherlands Times)
  • CVE-2013-5838 Java Flaw is Back Two Years Later Due to Broken Patch. “Bad news for Java users: in 2013 Oracle released a patch to fix the CVE-2013-5838 vulnerability, but security experts discovered that it could be easily bypassed to compromise the latest versions of the software. This means that attackers can again exploit the same vulnerability, hacking machines running the latest versions of Java.” (Source: Security Affairs)
  • The Two Misconceptions Dominating the Encryption Debate. “Cybersecurity is a massive challenge affecting everyone – startups, government, corporate systems and consumers, costing the global economy billions of dollars annually. Tragically, the one solution we are seriously considering — mandating encryption backdoors — will undermine the integrity of our networks, as confirmed by information security experts and the government’s own defense and intelligence officials.” (Source: TechCrunch)
  • Cybersecurity Training, Military Style. “Cybersecurity training programs modeled on military tactics are making their way to the private sector. Similar to how the armed forces stage war games to test the readiness of their troops for battle, these ‘hands-on’ training programs put companies through simulated breaches designed to test the effectiveness of the security tools, policies and teams they’ve put in place to defend themselves.” (Source: The Wall Street Journal)
  • Two-factor Authentication (2FA) Versus Two-step Verification (2SV). “As we go about our online lives, many of us have considered enabling two-factor authentication (2FA) or two-step verification (2SV) on our accounts. Both measures introduce another element into a service’s login process. For that reason, plenty of reputable sources online have left the impression that there is no difference between the two concepts. But those reports are wrong.” (Source: Graham Cluley’s Blog)
  • It’s Time to Kill the Static Password. “If you feel passwords are a struggle to manage, you are not alone. A recent UK Government study found that nearly half of respondents used unsafe passwords, such as the names of their pets, for fear of forgetting them.” (Source: Help Net Security)
  • Music Streaming has a Nearly Undetectable Fraud Problem. “Right now, Spotify, Tidal, and Rhapsody are all battling multi-million-dollar lawsuits alleging copyright issues and improper royalty payments—with one seeking as much as $150 million in damages. But amid all the high-profile tumult, music streaming is facing a much more quiet, insidious problem: Click fraud.” (Source: Quartz)
  • Typosquatters Target Mac Users With New ‘.om’ Domain Scam. “According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om suffix for U.S. companies and services such as Citibank, Dell, Macys and Gmail. Endgame made the discovery last week and reports that several groups are behind the typosquatter campaigns.” (Source: Kaspersky’s Threat Post)
  • A History of Ransomware. “A recent study titled, ‘Battling the Big Hack’ by Spiceworks found that 80 percent of organizations experienced an IT security incident in 2015, with 53 percent of respondents having a concern for ransomware in 2016. But how did we get here? And how can we avoid these growing attacks in the coming year and beyond?” (Source: CSO Online)
  • Internet of Things: Humble Lightbulbs could Become a Form of Attack. “If anyone in the technology industry believes the cyber security risk posed by the internet of things is exaggerated, then Daniel Miessler, a director at IOActive, a security company, is keen to put them straight. IOActive has published a paper detailing how its researchers were able to take control of a sport utility vehicle without the investigators even touching the car.” (Source: Financial Times)
  • A Third of Businesses in the UK Believe They will be Hacked in 2016, Survey Shows. “Economists at the Centre for Economic and Business Research modelled how a real cyberattack would affect a cross-section of the British economy, including the telecoms, utilities, retail, banking and insurance sectors, The Telegraph noted. They found telecom companies were the most vulnerable due to the nature of sensitive information stored, the value of the data and low levels of investment in cyber security.” (Source: BitDefender’s Hot for Security Blog)
  • Finally, Someone to Blame for the Ransomware Surge, Just Don’t Feed the Hackers. “The end of last year saw a significant uptick in incidents where system administrators were denied access to their technology until they paid hackers ransom. These so-called ransomware attacks have become more prevalent thanks in part to thriving cybercriminal networks on the dark Web, but now three security firms said there’s a specific culprit to blame: China.” (Source: FierceCIO)
  • Steam Stealer Malware ‘Booming Business’ for Attackers Targeting Gaming Service. “Santiago Pontiroli, a researcher with Kaspersky Lab’s Global Research and Analysis Team, and Bart P, an independent security researcher, published a thorough analysis of the service on Tuesday on Securelist and examined how malware targeting it has evolved through the last few years.” (Source: Kaspersky’s Threat Post)
  • Business Email Compromise Fraud Rising Fast, Hard to Fight. “According to ZapFraud, these kinds of spear phishing attacks, known as business email compromise (BEC), now account for 4 percent of the total volume of scams, up from less than 1 percent in 2011.” (Source: CSO)
  • Biometrics are Coming, Along with Serious Security Concerns. “Databases get hacked all the time, from the IRS to Target to hospitals and banks, and until some of the very real security concerns surrounding the use of biometric technologies are better ironed out, you wouldn’t be wrong to worry about linking data about your body parts to online accounts.” (Source: Wired)
  • Pedophiles May Be Using Anonymous’ Symbolic Mask To Trap Children. “According to reports, pedophiles are using the Anonymous mask, or Guy Fawkes mask, to lure young kids and share objectionable content. It seems that pedophiles are pretending to be part of the hacktivist group and its movement against injustice by creating bogus Facebook and Twitter profiles of Anonymous, but in reality they are trapping the kids online.” (Source: Hack Read)
  • To Bypass Code-signing Checks, Malware Gang Steals Lots of Certificates. “There are lots of ways to ensure the success of an advanced hacking operation. For a gang called Suckfly, one of the keys is having plenty of stolen code-signing certificates on hand to give its custom malware the appearance of legitimacy.” (Source: Ars Technica)
  • Google Starts Tracking, Encourages Worldwide HTTPS Usage. “Google has added a new section to its Transparency Report, which will allow users to keep an eye on Google’s use of HTTPS, and HTTPS use of the top 100 non-Google sites on the Internet. With this new section, Google is hoping to spur more sites towards using HTTPS, as well as showing the progress of their own efforts.” (Source: Help Net Security)
  • Malware Increasingly Making its Way into Organizations Through Social Media. “The report found just 54 percent of organizations feature a written policy governing the use of public social networks, while just 51 percent have policies governing enterprise social media usage. This is despite the survey finding 82 percent of organizations use Microsoft SharePoint for enterprise social purposes, while more than half of surveyed organizations use each of Facebook, Twitter and LinkedIn.” (Source: LegalTech News)
  • Ransomware Will Spike As More Cybercrime Groups Move In. “Take the Dridex group, a Russian cybercrime gang that until now has been known mainly for operating one of the most successful banking Trojans ever. The group is believed to be behind a recently released ransomware tool dubbed Locky that has begun proliferating in a major way on computers worldwide.” (Source: Dark Reading)
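The ‘.om’ typosquatting item above is the kind of thing a defender can hunt for in proxy and DNS logs: a lookalike domain whose TLD is the legitimate TLD with one character dropped (citibank.om, citibank.cm, citibank.co for citibank.com). The script below is an added example written for this roundup, not code from Endgame or Threatpost; the brand list and the log lines are constructed for illustration, and it generalises beyond .om to every single-character deletion of a brand’s real TLD.

```python
"""Flag TLD-typosquat lookalikes (e.g. citibank.om for citibank.com) in DNS/proxy log lines.

Added example for the Malwarebytes weekly roundup; not affiliated with Endgame or Threatpost.
The brand list, log lines and log format are constructed assumptions.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed list of brand domains to protect (assumption: in practice this comes
# from the organisation's own allowlist of banks, vendors and webmail providers).
BRANDS = ["citibank.com", "dell.com", "macys.com", "gmail.com"]

# Constructed proxy/DNS log lines; the format is an assumption, not any product's real output.
LOG_LINES = [
    "2016-03-15T10:01:02Z 10.0.0.5 GET http://www.citibank.om/login 200",
    "2016-03-15T10:01:05Z 10.0.0.5 GET https://www.citibank.com/ 200",
    "2016-03-15T10:02:11Z 10.0.0.9 DNS query gmail.om A",
    "2016-03-15T10:03:40Z 10.0.0.7 GET http://dell.co/ 301",
]

# Anything that looks like a dotted hostname; IP addresses also match but never hit the table.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def tld_deletions(domain: str) -> Dict[str, str]:
    """Return {lookalike: legitimate} for every one-character deletion of the TLD.

    citibank.com -> citibank.om, citibank.cm, citibank.co (.om, .cm and .co are all real ccTLDs).
    Multi-label suffixes such as co.uk are not handled: only the last label is treated as the TLD,
    and deletions shorter than two characters are discarded because no such TLD exists.
    """
    label, _, tld = domain.lower().rpartition(".")
    variants: Dict[str, str] = {}
    for i in range(len(tld)):
        short = tld[:i] + tld[i + 1:]
        if len(short) >= 2:
            variants[f"{label}.{short}"] = domain.lower()
    return variants


def build_lookalike_table(brands: Iterable[str]) -> Dict[str, str]:
    """Merge the deletion variants of every protected brand into one lookup table."""
    table: Dict[str, str] = {}
    for brand in brands:
        table.update(tld_deletions(brand))
    return table


def flag_lookalikes(log_lines: Iterable[str], table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (observed_host, impersonated_brand) for every host in the logs that is a
    lookalike or a subdomain of one (www.citibank.om matches citibank.om)."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            host = host.lower()
            parts = host.split(".")
            # Walk from the full host down to its registrable suffix.
            for i in range(len(parts) - 1):
                candidate = ".".join(parts[i:])
                if candidate in table:
                    hits.append((host, table[candidate]))
                    break
    return hits


if __name__ == "__main__":
    for observed, brand in flag_lookalikes(LOG_LINES, build_lookalike_table(BRANDS)):
        print(f"lookalike {observed} impersonates {brand}")
```

Legitimate traffic to citibank.com is not flagged because the table holds only the lookalikes, never the brand itself; the same table can be fed to a DNS sinkhole or proxy blocklist rather than just a report.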

Safe surfing, everyone!

The Malwarebytes Labs Team