Detail of a calendar page with dates

A week in security (Jun 12 – Jun 18)

Last week, we uncovered a truth about malvertising, briefed our readers on email spoofing, disclosed advanced phishing tactics used by PayPal phishers, and painted a picture of what an Angler-less exploit scene looked like.

Senior Malware Intelligence Analyst Nathan Collier found a mobile Trojan mimicking popular apps like TrueCaller and Torque Pro. Once installed, it acted as a redirector, sometimes to ad sites or random websites.

Malware Analyst MlwrHpstr provided a technical analysis of the zCrypt ransomware, an interesting piece of extortion malware that is capable of propagating itself. It was found to land on target systems via malicious spam. Furthermore, zCrypt used OpenSSL to encrypt content.

Notable news stories and security related happenings:

  • Report: Careless Employees Biggest Threat To Law Firm Cybersecurity. “Of the 180 IT managers, administrators and information professionals working at law firms who were surveyed for the report, 60.9 percent said it is human errors, such as clicking on a bad link, that pose the greatest cybersecurity risk to their firms. Still, 12 percent of the firms surveyed don’t offer training on cybersecurity and 52 percent said they only train employees once a year. The report did note that 17 percent of firms offer monthly training, up almost double from last year.” (Source: Law.Com)
  • North Korea Mounts Long-running Hack Of South Korea Computers, Says Seoul. “North Korea hacked into more than 140,000 computers at 160 South Korean firms and government agencies, planting malicious code under a long-term plan laying groundwork for a massive cyber attack against its rival, police in the South said on Monday. South Korea has been on heightened alert against cyber attacks by the North after Pyongyang conducted a nuclear test in January and a long-range rocket launch in February that led to new U.N. sanctions.” (Source: Reuters)
  • Thousands Of Websites Exploited For Illegal SEO Tactics. “Imperva researchers discovered a long-running and still active illegal attack that has been exploiting vulnerabilities in thousands of legitimate websites to increase SEO results for illicit websites. One of the largest influencers of SEO page rank is how many other sites contain links back to the page, and how highly the referring sites themselves are ranked. There is significant monetary and brand value in having as many respectable and popular sites link to the promoted page as possible.” (Source: Help Net Security)
  • All Clues Point To The Death Of The Angler Exploit Kit. “If this is the first time you read about an exploit kit such as Angler, these are specialized Web-based applications that sit on a website and await visitors. Crooks use malvertising attacks, hidden redirections on hacked sites, or spam campaigns to send traffic to these Web pages. Here, exploit kits (EKs) like Angler test the user’s locally installed software and detect vulnerable versions. They then deliver malicious code via JavaScript, Flash, or Silverlight that exploits these weaknesses in order to download and installs malware in what’s known as a drive-by download. Most users never notice anything, unless they have antivirus software installed on their computers.” (Source: Softpedia)
  • Is A Password-free Future Around The Corner? Here’s All You Need To Know. “The future is replete with options that could replace the much-maligned traditional passwords. In a few years, user authentication could be confirmed by a person’s eye blinking or typing pattern. A person’s location or style of holding a phone could also be key to a secure future. Here are some future alternatives to the conventional password: zero-interaction authentication, persona-based authentication, ‘account key’ feature, trust score system, strong encryption standards, and advanced biometrics.” (Source: The Financial Express)
  • Hackers Threaten To Hit The Brakes On Prabhu Express. “Railways Minister Suresh Prabhu is a worried man. Recent attempts by hackers to break into the Railways’ online system involving train operations and the reservation system is giving him sleepless nights. The organisation, which sees half of its total tickets booked online, has held meetings with National Technical Research Organisation (NTRO), a cyber security agency under the National Security Advisor, to come up with systems that will ensure its sites are not hacked.” (Source: The Indian Express)
  • Ransomware Now Comes With Live Chat Support. “Getting hit by ransomware is nasty business at any time. But victims of some new variants of a ransomware sample called Jigsaw should count themselves a tad luckier than others. The purveyors of the malware have considerately introduced a new live chat feature that gives victims a way to directly contact their extortionists and negotiate a ransom payment. Instead of requiring customers to go to dark web sites, the operators have made people available to answer questions and provide direction to victims on how to pay the ransom.” (Source: Dark Reading)
  • Ransomware Targets Android Smart TVs. “If you own a Sharp and Philips smart TV running the Android TV OS, you should know that it could be hit by FLocker, a device-locking ransomware that targets both Android-powered mobile devices and smart TVs […] According to the researchers, FLocker avoids targeting users located in Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia and Belarus, but goes after all others.” (Source: Help Net Security)
  • New Device Can Allegedly Clone 15 Contactless Bank Cards A Second. “The Daily Star newspaper is reporting that a new device has surfaced online which has the ability to clone 15 contactless bank cards a second.  According to the publication, the scanner skims details from contactless cards of people standing nearby and is able to capture encrypted data onto blank cards using specialised software. The device, named the Contactless Infusion X5, can read any bank card from 8cm away and will read 1024 bytes per second, equivalent to 15 bank cards per second, The Daily Star alleges.” (Source: SC Magazine UK)
  • Scammers Have Already Started Trying To Exploit Orlando Shooting For Bitcoins. “The vultures have already begun to descend on the tragedy in Orlando, Florida. A fake Twitter account claiming to represent the nightclub where the largest mass shooting in modern US history took place in the early hours of June 12 was calling for donations to assist victims—by sending bitcoins to buy bottled water and Oreo cookies. The account was suspended on Monday afternoon.” (Source: Ars Technica)
  • Machine Learning Could Help Companies React Faster To Ransomware. “File-encrypting ransomware programs have become one of the biggest threats to corporate networks worldwide and are constantly evolving by adding increasingly sophisticated detection-evasion and propagation techniques.” (Source: CSO)
  • Japan Travel Agency Fears Leak Of 7.93 Million Records, Passport Deets. “Executives at the company held a press conference bowing in apology for the feared breach and telling local media it may have stemmed from staffer who opened phishing-borne malware. The company felt the need to point out that some 43,00 of the passports are still valid, indicating the breached database also contained old records.” (Source: The Register)
  • Hacker Steals 45 Million Records From 1,100 Home, Sports And Tech Support Forums. “, a company that runs multiple support forums on various topics, has suffered a massive data breach in February 2016 when a hacker managed to steal over 45 million user records from its database. The records, which data breach indexing site LeakedSource has managed to acquire and analyze, contain details from over 1,100 tech support portals VerticalScope is running on different domains. LeakedSource says the biggest data troves are from sites such as,,, and” (Source: Softpedia)
  • Wendy’s Security Breach Exposes Weaknesses In POS Systems. “In January, The Wendy’s Co. said it was investigating possible credit card fraud at some of its restaurants. The security breach has dogged the company ever since. Last week, the Dublin, Ohio-based quick-service operator said that the breach was far larger than it initially reported, with many more than 300 restaurants affected. The incident has shed light on the way franchised restaurant operators handle point-of-sale systems and protect credit card data. Wendy’s placed much of the blame for the breach on third-party POS providers used by some of its franchisees.” (Source: Nation’s Restaurant News)
  • Home Depot Sues Visa, MasterCard For Exposing Consumer Data To Fraud. “Atlanta-based home supply chain The Home Depot on Monday filed a massive antitrust action against Visa and MasterCard, claiming the credit card companies are engaging in predatory price-fixing that also made retailers who accept their payment cards vulnerable to fraud. The suit, filed in federal court in Atlanta, claims that for decades the technology has existed to make credit and debit card transactions less vulnerable to fraud, but Visa and MasterCard ‘pushed consumers to use payment card technology that Visa and MasterCard know is defective.'” (Source: Law.Com)
  • UK Industry Asked To Help Youth Avoid Career In Cyber Crime. “Crest is collaborating with the NCA on knowledge and resource sharing to further the aims of the agency’s Prevent campaign as part of the certification body’s social responsibility programme. The campaign by the NCA’s National Cyber Crime Unit (NCCU) is aimed at raising awareness not only of the consequences of cyber crime, but also of the benefits of a career in cyber security. By understanding the cyber criminal and their motivations, the NCA believes it is possible to encourage youngsters to use their skills and knowledge for good rather than criminal activities.” (Source: Computer Weekly)
  • Adobe Promises Fix For Flash Zero-day Being Used By Hackers. “Adobe has promised to issue a fix for another major security flaw in its Flash software. Adobe has credited Kaspersky with uncovering evidence that the flaw is being used by a group of Russian hackers dubbed ScarCruft. The flaw is notable because it can be used against Windows, OS X, Linux, and Chrome OS systems.” (Source: V3)
  • FBI: Email Scams Take $3.1 Billion Toll On Businesses. “Business-related inbox scams are reaching epidemic levels with the total cost to business reaching a whopping $3.1 billion. The dire warning comes from the FBI that says skyrocketing losses represent a 1,300 percent increase since January 2015 […] On Tuesday, the FBI refreshed those BEC numbers reporting 22,143 worldwide BEC victims representing $3.1 billion in losses since January 2015. Closer to home the FBI reports 14,032 U.S. BEC victims representing $961 million dollars in losses between October 2013 and May 2016.” (Source: ThreatPost)
  • BadTunnel: A Vulnerability All Windows Users Need To Patch. “A security researcher has uncovered a serious vulnerability that affects every version of Microsoft’s Windows operating system from Windows 95 to Windows 10. he vulnerability could give attackers a way to set up man-in-the-middle attacks against victims by getting them to click on a link, open a Microsoft Office document or plug in a USB drive. In an interview with Dark Reading, Yang Yu, who earned a whopping $50,000 bug bounty for the discovery he’s nicknamed BadTunnel, described the impact in grandiose terms.” (Source: Sophos’ Naked Security Blog)
  • Russian Police To Target Credit-card Credential Thieves. “Alex Monkov, an official spokesman for the Russian Ministry of Internal Affairs department dealing with cyber-crimes told that the number of cyber-attacks targeting personal data of cardholders in Russia has significantly increased this year. Russian Ministry of Internal Affairs data reports that during the period January-May this current year hackers gained unauthorised access to the personal bank card data of more than 64,000 Russian citizens, achieved using classic social engineering and deception schemes.” (Source: SC Magazine UK)
  • Over 2,100 Servers In Malaysia Hacked. “Malaysia’s national cybersecurity agency said it detected intrusions in several local servers for years and issued advisories to victims but ignorance was still making them easy targets for hackers. It was found that over 2,100 servers have been compromised and their access sold to hackers for as low as RM29 (US$6) up to RM24,600 (US$6,000) on an underground cybercrime shopping website, xDedic, the ‘eBay of cybercrime’ where hackers shop access and passwords for infiltrated servers worldwide for criminals to buy.” (Source: The Star)
  • “Spam King,” Who Defied Nearly $1B In Default Judgments, Sentenced To 2.5 Years. “Prosecutors wrote that by his own admission, Wallace executed ‘a scheme from approximately November 2008 through March 2009 to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook’s servers.’ Wallace lost civil suits from MySpace and Facebook, among others, and was hit with nearly a total of $1 billion in outstanding default judgments, for which they have been unable to collect. In 2011, he was finally hit with criminal charges.” (Source: Ars Technica)
  • Three Ways To Thwart Hackers’ Attempts At Persuasion. “Thanks to movies and crime shows, we often think of cybercriminals as antisocial computer whizzes with impeccable typing abilities, an affinity for baggy hoodies and a multimonitor computer setup illuminating their dark hideouts. But instead of focusing on the fraudster’s technological knowledge, picture the criminal as a sophisticated persuasion specialist with degrees in psychology and research. These hackers make a living on using psychological tricks to prey on emotions to obtain information, and unfortunately, business is good. The Anti-Phishing Working Group reported more than 803,756 unique phishing attacks in 2015, of which about 21% targeted financial institutions.” (Source: American Banker)
  • Companies Pay Out Billions To Fake-CEO Email Scams. “Email scammers, often pretending to be CEOs, have duped businesses into giving away at least $3.1 billion, according to new data from the FBI.  The email schemes, which trick companies into wiring funds to the hacker, continue to bedevil companies across the world, the FBI warned in a posting on Tuesday. The amount of money they’ve tried to steal has grown by 1,300 percent since January 2015, it said.” (Source: CSO)
  • Verizon Fixes Email Flaw Which Left User Accounts Open To Attack. “The vulnerability was discovered by researcher Randy Westergren, a software developer for XDA Developers. In a blog post this week, the security expert said the bug ‘would have allowed an attacker to intercept incoming emails from any user’s inbox without interaction.’ The researcher has worked with Verizon on multiple occasions to fix security flaws and has previously disclosed a critical vulnerability in Verizon’s MyFiOS app’s API.” (Source: ZDNet)
  • Gartner: ‘Insider Threat Is Alive And Well On The Dark Web’. “Corporate employees who help carry out cyberattacks are increasingly being sought and are seeking criminals to hire them, a Gartner analyst told a group at the consulting firm’s Security and Risk Management Summit. A group of 60 CIOs and CISOs she worked with say this recruitment is more active and becoming a larger concern because of their use of the Dark Web to sell their services, says Gartner analyst Avivah Litan.” (Source: Network World)
  • Security Implications Of Online Voting. “With essentially everything moving online, it would seem to be the natural progression that voting online or on your mobile device would be the next thing to happen. Not only would it be more convenient for the voter, but it would greatly reduce the travel costs. The question is, are we technologically mature enough and can we count on today’s security infrastructure to protect our vote? To put it simply, allowing people to vote on a mobile platform or online is very dangerous. Current technology, although it can make our computers quite secure, cannot guarantee perfect security. We have to think about the scenario where a segment of the computers used for voting will have already been compromised by hackers previously.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team