Detail of a calendar page with dates

A week in security (Jul 17 – Jul 23)

Last week, we spotted a phishing scam that targeted Wikileak’s Twitter account; gave an account why tech support scammers are still in business; and profiled the adware called Window Range Manager (a.k.a Winrange), an improved version of Petya, and a cross-platform Mac malware called Adwind.

Senior security researcher Jérôme Segura tracked a malvertising campaign that was distributing Cerber, a known ransomware, which was connected to threat actors behind the Magnitude exploit kit. Although there were signs of slowdown for this EK, it’s far from gone.

We also wrote a piece on how internet users can protect their IP address, a piece of digital information that one may not want potential attackers to get their hands on.

Notable news stories and security related happenings:

  • Chinese Hackers Suspected Behind Philippines Government Websites Hack. “Coincidentally, the hacked websites featured the infamous Guy Fawkes mask associated with the hacktivist group Anonymous, with a message that read: ‘Nobody can give you freedom. Nobody can give you equality or justice. If you are a man you take it. – Chinese government.'” (Source: International Business Times)
  • Fake Pokemon Go Apps Lock Phones And Access Porn Sites. “The popularity of fake versions of the game has been hard to check because it hasn’t been officially released in many countries. More than 215 unofficial versions of the popular app have already been found in app stores, according to cyber security company RiskIQ. The warnings follow log-in issues with the official game since it was launched earlier this month after searing global demand crashed servers around the world on at least three occasions.” (Source: The Independent)
  • Hacker Selling Entire US Voters’ Registration Records on Dark Net. “It’s raining confidential data on the Dark Net. It seems that every few days someone is offering data on there that wouldn’t be available otherwise. Recently, we discovered a seller going by the online handle of ‘DataDirect’ is claiming to have full access to voter registration records of the citizens of the United States and offering buyers state by state voters’ records where the price for each state is 0.5 BTC (340.38 US Dollar).” (Source: HackRead)
  • Rio 2016: The World Is Watching, Especially Hackers. “Every four years, the host country pours an enormous amount of time and resources into building venues for the many different events, as well as the infrastructure necessary to accommodate the massive influx of visitors. In fact, the total cost of the 2016 Olympics in Rio de Janeiro, estimated to exceed $12 billion, has increased by $99.3M since August alone.” (Source: Help Net Security)
  • Pokémon Go Masters Are Selling Their Accounts For Thousands On eBay. “Buying an account to have an array of already-caught Pokémon at your disposal may take the joy out of the game, and possibly get your account suspended,  but that hasn’t stopped them popping up on the auction site. It would certainly save Pokémon hunters putting in the hours trying to ‘catch them all’; with some high-level accounts attracting bids of thousands of pounds (one bidding war stopped at £7,300).” (Source: The Telegraph)
  • UK Rail Hit By Four Cyberattacks In One Year. “Kaspersky Lab believes that at the moment, state-sponsored attackers were very active without doing much, but hackers could cause chaos if they managed to enter the rail network system. Network Rail has said cybersecurity would play an important part in their plan to introduce digital train control technology. ‘Safety is our top priority, which is why we work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats,’ added a spokesperson.” (Source: Dark Reading)
  • Feds Shut Down Tech Support Scammers, Freeze Assets. “Federal authorities have shut down several alleged tech support scammers working out of Florida, Iowa, Nevada and Canada, freezing their assets and seizing control of their businesses. The action was one of the largest in the U.S. against scammers, who bilk consumers out of an estimated $1.5 billion annually with bogus tales of infected Windows PCs and Apple Macs, high-pressure sales tactics, and grossly overpriced services and software.” (Source: CSO)
  • Teenager Avoids Custody For Cyber-attacks And Airline Bomb Hoaxes. “The teenager, who cannot be named for legal reasons, attacked 12 websites when he was aged 14 and 15, including sites belonging to his local police force and SeaWorld. He targeted government and pro-hunting sites in Africa, Asia, Europe and North America from a laptop in his bedroom at home in Plympton, near Plymouth, Devon.” (Source: The Guardian)
  • OurMine Is Now Hacking Into Minecraft Accounts. “The same hacking group that took over Mark Zuckerberg’s Twitter account has now found a way to break into accounts connected to the hit game Minecraft. The group, OurMine, made the claim on Tuesday in a video demonstrating its hack. The attack is aimed at the user login page run by Minecraft’s developer, Mojang.” (Source: PC World)
  • Baby Monitor Hackers Still Rocking Cradles Across The UK, Data Watchdog Warns. “Two years after it was revealed that a creepy Russian website was allowing users to watch more than 73,000 live streams from unsecure baby monitors, the UK’s data watchdog has warned that manufacturers still aren’t doing enough to keep their devices safe from hackers.” (Source: Ars Technica UK)
  • Google Chrome Malware Leads to Sketchy Facebook Likes. “What he found was what he called a ‘glaring security hole’ in the Google Chrome Webstore that allowed malware authors to infect Chrome browsers via a bogus age verification extension. The malware-laced extension called “Viral Content Age Verify” allowed a third-party to “read and change all your data on the websites you visit” and potentially ‘read your emails, steal all your login credentials, have you DDoS someone, mine Bitcoin, seed pirated content… You name it. That even includes reading and leaking your credit card information, if you ever are to type that in,’ Kjaer describes.” (Source: Kaspersky’s Threatpost)
  • Slew Of WP-based Business Sites Compromised To Lead To Ransomware. “In this latest campaign, the compromised sites range from that of tires and sporting goods manufacturer Dunlop, to the official Guatemalan Tourism site and sites of firearms dealers. ‘Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMWare, Wireshark, ESET, Fiddler or a Flash player debugging utility. If those programs are not present on the victim host the Command Shell is opened and the windows utility of Wscript is accessed to download the ransomware payload from a Command and Control server,’ says Belcher.” (Source: Help Net Security)
  • Fraud And Computer Misuse Crime On The Rise, Study Finds. “A new report from the Office for National Statistics (ONS) states that cybercrime is on the raise in England and Wales. According to the report, adults aged 16 and over experienced an estimated 5.8 million incidents in the past 12 months, with 3.8 million of those classified as fraud and another 2 million as computer misuse incidents.” (Source: Tripwire)
  • Browser Study Aims To Stop Hackers In Their Tracks. “Browser fingerprinting is an increasingly common tracking technique that collects contextual data from a person’s computer without their knowledge. Hackers have been able to obtain private information such as browsing history, computer clock and even the unique identity of the computer from a user’s internet browser. Researchers at the University of Adelaide in South Australia are conducting a study to discover the weaknesses in contemporary “browserprinting” methods to build an adequate defence program.” (Source: The Lead South Australia)
  • Twitter’s Verified Badge Plan Raises New Security Concerns. “Experts are warning that Twitter’s decision to open up its verified badge scheme to all-comers could create additional security risks for users. Twitter announced the move earlier this week, claiming it would create an online application process for users and organizations who want to be branded with the badge – indicating they’ve received verified status as a tweeter of ‘public interest.'” (Source: Infosecurity Magazine)
  • ‘Warframe’ Hacked, Details On 775,000 Players Traded. “User details for online, free-to-play game ‘Warframe’ are being traded in the digital underground. The nearly 800,000 records include email addresses, usernames, and dates for when the account was created and last logged into. Warframe is available on PC, PlayStation 4 and Xbox One, and is consistently in the top 20 played games on Steam. Troy Hunt, a security researcher and creator of the breach notification site Have I Been Pwned?, first flagged the data breach to Motherboard earlier this month. Motherboard obtained a sample of the data and provided a copy to Warframe, which verified its authenticity.” (Source: Motherboard)
  • Trojanized Remote-Access Tool Spreads Malware. “Cybercriminals are silently spreading banking Trojans by bundling them with legitimate downloads of the remote-access tool Ammyy Admin, according to researchers at security firm Kaspersky Lab. Kaspersky and others say the growing threat points to the need for organizations to curtail any administrative privileges granted to employees who also have the ability to download remote-access tools or software.” (Source: Bank Info Security)
  • Update Now: Macs And iPhones Have A Stagefright-style Bug! “And, as you probably know only too well, the more complex a program gets; the more calculations it needs to do based on numbers extracted from untrusted files; the more it needs to mess around allocating and deallocating memory and shuffling data between memory buffers…the more likely it is that some sort of buffer overflow or integer overflow bug will show up.” (Source: Sophos’ Naked Security Blog)
  • How Apple And Facebook Helped US To Arrest Kickass Torrents’ Owner. “Kickass Torrents fans should already know that its 30-year-old alleged owner, Artem Vaulting,  has been arrested in Poland by the US authorities on suspicions of reproducing and distributing copyrighted content worth $1 billion. Vaulin, who is a Ukranian national was supposedly running Kickass Torrents platform behind the scene for last 8years leaving no trace marks whatsoever.” (Source: HackRead)
  • Opinion: How To Talk Digital Privacy With Kids. “Now, parents are being asked to have an equally challenging conversation about staying safe, secure and private online – without inducing groans and eye rolls. And in an age of connected devices, Wi-Fi enabled toys, and personal assistants such as Amazon Echo, the fundamental facts of what happens to your data and online choices can be harder to find out and explain to your children.” (Source: Christian Science Monitor)
  • Take Care When Computing On The Road. “There are several common security threats against users of public wireless networks that you do not need a password to join and are often found in public places. The attack people often think of is called “sniffing,” which is when an attacker eavesdrops on your communication between your computer and the server. The concern is someone listening while you enter a username and password to a website. Today, most websites use encryption between your computer and the site (you can tell by the little padlock in the address bar). However, when in doubt, wait until you are on a secure wireless network before using a password.” (Source: The Des Moines Register)
  • Now You Can Hide Your Smart Home On The Darknet. “Here’s how it works: the Guardian Project turned a simple Raspberry Pi mini-computer into a smart hub running the open-source software called HomeAssistant software and acts as a so-called Tor hidden service, the same application of Tor that obscures the location of servers running dark web sites. The result, says Guardian Project director Nathan Freitas, is a far stealthier and more secure way to connect your smart home to the Internet, while still keeping it safe from potential digital attacks.” (Source: Wired)
  • Tinder Spammers In ‘Verified Profile’ Scam. “Security experts are warning of a new scam on Tinder designed to lure users onto sites in the name of online safety, where they’re tricked into handing over their credit card details. Satnam Narang, a senior researcher with Symantec, claimed to have noticed an uptick in spam on the dating platform which begins with a flirty opening and then asks the victim whether or not they’re a verified user.” (Source: InfoSecurity Magazine)
  • Auto Industry ISAC Releases Best Practices For Connected Vehicle Cybersecurity. “The Automotive Information Sharing and Analysis Center (Auto-ISAC) has released a set of cybersecurity best practices for connected vehicles. The document, developed over the course of five months by a group of more than 50 cybersecurity experts from the auto industry, is designed to demonstrate the collective commitment by automakers to make modern cars safer against emerging cyber threats.” (Source: Dark Reading)

Safe surfing, everyone!

The Malwarebytes Labs Team

ABOUT THE AUTHOR