Detail of a calendar page with dates

A week in security (Jul 31 – Aug 06)

Last week, we did an in-depth analysis of Smoke Loader, took a closer look into Neutrino exploit kit’s jQueryGate, found a recurring Facebook scam, and detailed our findings about a technical support scam found within a technical support scam.

It also turns out that last week was Black Hat week. And during this prestigious conference, Malwarebytes shared with attendees our findings about an in-depth study we conducted with Osterman Research regarding ransomware. Readers can download the complete report here.

Senior threat researcher Jérôme Segura reported on online crooks abusing Google’s featured snippets via compromised sites that lead to fake online stores. According to Segura, “Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing.” Check out his blog entitled “Google’s featured snippets abused by SEO scammers”.

For our PUP Friday blog post, we talked about EoRezo, a family of software bundles otherwise known as Tuto4PC, that typically offers free tutorial or software and then makes money by bundling it with adware.

Notable news stories and security related happenings:

  • Rio Games: Watch Out For Card Fraudsters And Cybercriminals. “Brazil has among the world’s highest rates of debit and credit card fraud, according to the 2016 Global Consumer Fraud Survey, published by ACI Worldwide and Aite earlier this month. The research shows that almost half of consumers in Brazil (49%) had experienced some kind of card fraud in the past five years. Only Mexico has a higher card fraud rate (56%) than Brazil, followed by the US in third (47%). Maybe even more alarming is the fact that only two years ago, just 30 percent of those surveyed in Brazil said they had been a victim of card fraud, highlighting that the fraud problem in Brazil is growing.” (Source: IT Security Guru)
  • There Are Limits To 2FA And It Can Be Near-crippling To Your Digital Life. “After the Honan attack back in 2012, I decided to get two-factor authentication (2FA) turned on for my Apple ID to act as a safeguard. 2FA here was my friend to some extent, as in the case of iCloud. 2FA blocks any user attempting to login to your account, not allowing them to go any further than logging in and accessing Find My iPhone, Apple Pay, and Apple Watch settings — I don’t have Apple Pay and an Apple Watch for now, so I am not sure as to the extent of access for those two. But with Find My iPhone, this form of 2FA doesn’t protect it. This was kind of understood — if you lose your iPhone, you can’t get the second factor of authentication to get in to lock your iPhone.” (Source: Ars Technica)
  • Apple Users Hit with Large-Scale Smishing Scam. “Security experts at Intel noticed two new campaigns on July 22nd and July 27th respectively. These campaigns were smishing campaigns, which means these were SMS based and so tricky that they immediately managed to con a huge number of Apple users, approx. 7,500. According to experts, their security products identified that the campaigns were purely Smishing because of a suspicious SMS message being circulated via a US-based cell phone number.” (Source: HackRead)
  • DARPA Seeks A Better Way To Pinpoint And Track Malicious Actors. “The U.S. government wants to hack the hackers—and be able to talk about it. In an ambitious effort slated to begin in November, the Defense Advanced Research Projects Agency (DARPA) plans to delve into developing technologies and processes that would allow authorities to access and then operate inside the networks and systems of cyber adversaries, says Angelos Keromytis, program manager in DARPA’s Information Innovation Office.” (Source: AFCEA)
  • Tor To Combat Malicious Code Problem. “The discovery of over a hundred malicious nodes has prompted the Tor Network to develop a new design which is designed to fight this ongoing problem. Developer Sebastian Hahn assured that code has already been written to address this issue, and that the release date is being determined. The Tor Network has said that the attacks do not unmask the operator behind the hidden service, which the law enforcement community has been trying to accomplish for some time now.” (Source: Deep Dot Web)
  • One In Four IT Managers Thwart A Data Breach Every Day, Research Claims. “One in four IT managers attempt to stop a data breach every day, according to new research released by data security provider WinMagic. The study, which polled 250 IT managers and 1,000 employees, found that for almost half of employees (41%), IT security was solely the responsibility of the IT department, while a further 37% believe they have a role to play in IT security.” (Source: Apps Tech News)
  • Half Of Illegal Sports Live Streams Contain Viruses Or Malware. “But according to a new study from KU Leuven it’s not just your morals that you’ll be compromising, the device you’re streaming on is at risk too. The study looked at 23,000 “free” live sport streaming websites and found that clicking on half of them triggered malicious code designed to take over your computer, steal your identity or otherwise cause harm to your machine; in other words: they contained a computer virus. It’s enough to make any normally honorable sports fan install an ad blocker at the very least.” (Source: Extreamist)
  • Browser Exploits Increasingly Go For The Jugular. “Long the bane of the security industry, browser exploits just keep getting more dangerous as techniques grow more refined to get the most leverage from browser and browser extension flaws. According to speakers lined up for a lively panel session at Black Hat USA this week, achieving the highest levels of system privileges from a simple browser vulnerability has pretty much become de rigueur for attacks these days.” (Source: Dark Reading)
  • Innovative Techniques Allow Malvertising Campaigns To Run For Years. “A threat actor dubbed AdGholas has been mounting successful malvertising campaigns by using innovative targeting and obfuscation techniques, and has been infecting thousands of victims every day since 2015 – and possibly even earlier. The discovery of the massive malvertising network was made by Proofpoint researchers, and Trend Micro’s researchers helped with some aspects. Their efforts, along with those of advertising network operators, resulted in the suspension of all AdGholas campaigns on July 20, 2016. Whether AdGholas has been stymied for good or only temporarily, only time will tell.” (Source: Help Net Security)
  • Secure Messaging App Telegram Leaks Anything Pasted In To It. “Security researcher Kirill Firsov found a data leak in the popular messaging app Telegram. In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes. Security researcher Kirill Firsov found a data leak in the popular messaging app Telegram. In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.” (Source: Sophos’ Naked Security Blog)
  • Yahoo ‘Aware’ Hacker Is Advertising 200 Million Supposed Accounts On Dark Web. “On Monday, the hacker known as Peace, who has previously sold dumps of MySpace and LinkedIn, listed supposed credentials of Yahoo users on The Real Deal marketplace. Peace told Motherboard that he has been trading the data privately for some time, but only now decided to sell it openly. The company did not deny that the customer details were Yahoo users, despite being asked if it corresponded to the company’s own records.” (Source: Motherboard)
  • Social Security Administration Now Requires Two-Factor Authentication. “The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves. The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.” (Source: KrebsOnSecurity)
  • Ringleader Of Global Network Behind Thousands Of Online Scams Arrested In Nigeria. “The 40-year-old Nigerian national, known as ‘Mike’, is believed to be behind scams totaling more than USD 60 million involving hundreds of victims worldwide. In one case a target was conned into paying out USD 15.4 million. The network compromised email accounts of small to medium businesses around the world including in Australia, Canada, India, Malaysia, Romania, South Africa, Thailand and the US, with the financial victims mainly other companies dealing with these compromised accounts.” (Source: INTERPOL)
  • Famed Hacker Creates New Ratings System For Software. “A famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes is now going after the computer software industry, whose standard practices all but guarantee that most products will be vulnerable to cyber attacks. Peiter Zatko, known in the hacker world as Mudge, was the best-known member of pioneering Boston hacking group the L0pht. More recently, he headed a Defense Department grant program for computer security projects.” (Source: Interaksyon)
  • How Foreign Governments Spy Using PowerPoint And Twitter. “Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail ‘Assad Crimes,’ she could easily have opened it. Instead, she shared it with us at the Citizen Lab. As we detail in a new report, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called ‘Droidjack,’ that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.” (Source: The Washington Post)
  • Malware Disguised By SSL Traffic Spikes Over The Last Year. “The use of encrypted traffic to disguise malware attempting to infiltrate user devices and enterprise networks has ‘significantly’ risen over the past year, researchers say. According to cybersecurity firm Blue Coat, there was a visible increase in the use of SSL/TLS encryption standards born out of privacy worries. However, while many individuals are now using these protocols whenever possible, it appears that threat actors are also harnessing SSL to disguise their activities.” (Source: ZDNet)
  • EU Digital Privacy Law Should Extend To WhatsApp, Gmail, Skype Says Public. “More than three quarters of citizens and civil society organisations who responded to a consultation on Europe’s privacy rules believe the law should be extended to cover over-the-top (OTT) service providers, such as Skype, Messenger, Gmail, and WhatsApp. On Thursday the European Commission published the preliminary findings of the public consultation on the review of the ePrivacy Directive—the so-called cookie law.” (Source: Ars Technica UK)
  • Homeland Security Chief Weighs Plan To Protect Voting From Hackers. “On the heels of the Democratic National Convention hack and the political fallout that is ensuing months before the presidential election, the country’s Homeland Security chief said he’s considering measures that would strengthen cybersecurity protections for voting. On the heels of the Democratic National Convention hack and the political fallout that is ensuing months before the presidential election, the country’s Homeland Security chief said he’s considering measures that would strengthen cybersecurity protections for voting. It’s time for the US government to ‘carefully consider’ whether America’s election system should be considered as critical infrastructure, which would trigger greater digital security measures for electronic voting machines, said Jeh Johnson on Tuesday at a Monitor-hosted breakfast for reporters.” (Source: Christian Science Monitor)
  • Impatient Users Saddled With Malicious Copycats Of Popular Prisma App. “If an iOS app gains extreme popularity but still does not come in a version for Android, it can be practically guaranteed that malware peddlers and scammers will take advantage of users’ impatience, and offer fake, malicious versions of it on Google Play and third-party Android apps stores. It usually happens with games, but any popular app will do. The latest example of this is the turn-photo-into-art app Prisma.” (Source: Help Net Security)
  • Beware Of Ransomware Hiding In Shortcuts. “Even if you haven’t been hit by ransomware yourself, you probably know someone who has. Most ransomware gets straight to work as soon as it infects your computer: it scrambles some or all of your files and then callously offers to sell you a tool to unscramble them. If you have a recent backup (one that wasn’t scrambled along with everything else!), you should be able to recover without paying, hopefully without too much trouble.” (Source: Sophos’ Naked Security Blog)
  • Facebook Continues Its War On Clickbait. “In a post today, Facebook said that its current plan of attack involved cataloging “tens of thousands” of headlines, which were then analyzed by a team of employees that decided if the headlines withheld pertinent information or were misleading about the accompanying article. The team apparently double-checked its work, and ‘from there, we built a system that looks at the set of clickbait headlines to determine what phrases are commonly used in clickbait headlines that are not used in other headlines,’ Facebook wrote in a press release today. ‘This is similar to how many e-mail spam filters work.'” (Source: Ars Technica)
  • Pokémon Go API Fiasco Exemplifies Mobile API Security Concerns. “While the majority of the unofficial third-party Pokémon Go apps are the products of developers who are simply enthusiastic fans of Pokémon Go, there are serious security concerns when it comes to the unauthorized use of internal or private APIs. It is very important that the developers of mobile apps are well-versed in a security-first approach to API development. Unfortunately, there are far too many mobile apps using APIs that are lacking even the basic countermeasures, let alone anything sophisticated to prevent unauthorized use of their APIs.” (Source: Programmable Web)
  • PC-nuking Malware Sneakily Replaces Popular Free Software On FossHub. “This isn’t good. Two of the most popular programs on download site FossHub were recently replaced with malware that nuked the master boot records on any PC unlucky enough to install it. The free software site had to act quickly after hackers infiltrated it through compromised user accounts. While the hackers were in the system they managed to replace the installation files for Audacity and Classic Shell with malicious downloads.” (Source: CSO)

Safe surfing, everyone!

The Malwarebytes Labs Team