A week in security (Oct 23 – Oct 29)

Last week, we wrote a detailed profile of Trick Bot, which we believe to be the successor of the known information stealer, Dyreza. We also touched on the concepts of scamming as a service and attribution.

We also took a look at hacker stereotypes in Hollywood and debunked them.

Finally, we unearthed a piece of malware that was shared publicly on Pastebin and warned UK readers about a then-ongoing scam campaign targeting WhatsApp users.

Below are notable news stories and security-related happenings:

  • Beware Of Hicurdismos: It’s A Fake Microsoft Security Essentials Installer That Can Lead To A Support Call Scam. “Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed? We recently discovered a threat detected as SupportScam:MSIL/Hicurdismos.A that pretends to be a Microsoft Security Essentials installer. Microsoft Security Essentials is our antimalware product for Windows 7 and earlier. In Windows 10 and Windows 8, Windows Defender provides antimalware protection and is installed and enabled by default when Windows is installed. However, some users may believe they also need to download and install Microsoft Security Essentials.” (Source: Microsoft Malware Protection Center)
  • 15 Percent Of All Routers Use Weak Passwords, 20 Percent Have Open Telnet Ports. “There’s a reason why a large piece of the Internet went down last week after a DDoS attack on a key DNS service provider, and that is poor equipment design. While Internet of Things (IoT) devices such as DVRs, CCTV systems, IP cameras, baby monitors, and others are to blame and have played a major role in recent DDoS attacks, there is another type of equipment that also regularly contributes to DDoS botnets. Those devices are home (SOHO) routers, which some experts wrongfully categorize as IoT when they’re just your regular networking equipment that’s been around for years before the concept of IoT even appeared.” (Source: Softpedia)
  • Study Finds Women Are More Privacy Savvy Than Men. “A new online privacy study from internet security firm ESET has revealed that UK social media users are finally starting to recognise the importance of their online security, with two-thirds of Brits taking important steps to protect their privacy online. The study, which was carried out in October 2016 and looked at the attitudes of 1000 social media users in the UK, revealed that encouragingly 68 percent of respondents have already taken steps to protect their privacy online, 75 percent believe that privacy is more important than popularity on social media and 53 percent of respondents regularly review the privacy settings on the social media accounts they use.” (Source: IT Security Guru)
  • Cyber Security Experts Warn Firms About Dark Side Of Social Media Use As Hackers Hunt Data. “Employees who use social media and post work-related information on networking sites such as LinkedIn are making their firms more vulnerable to sophisticated hackers, a leading Irish cyber security expert has warned. Mike Harris, who heads up the cyber security team at consultancy firm Grant Thornton in Dublin, said hackers are increasingly using social-engineering techniques to scam companies out of millions of euro by using fake emails and stolen identities culled from online personal data.” (Source: The Independent)
  • Indian Banks Use Insecure ATM Machines, Still Cling To Outdated Windows XP: Report. “There is still some time before we get a clear picture of the data breach that has affected over 32 lakh debit cards in India. But cyber security firm Kaspersky has done some quick analysis of it with a more detailed one still in the process. Although for now the company is neither denying nor confirming the State Bank of India debit cards breach, it is quite blunt in saying that the banking industry in India is very cavalier about the cyber security and that is not good for consumers. The company says that it had revealed a few months ago that ‘ATM machines’ outdated communication standard leaves them open to attacks’ in India.” (Source: India Today in Tech)
  • Hired Experts Back Claims St. Jude Heart Devices Can Be Hacked. “Short-selling firm Muddy Waters said in a legal filing on Monday that outside experts it hired validated its claims that St. Jude Medical Inc cardiac implants are vulnerable to potentially life-threatening cyber attacks. U.S. regulators responded by reiterating previous advice that patients should keep using the devices, and a St. Jude spokeswoman said the company would respond ‘through appropriate legal channels.’” (Source: Reuters)
  • The Decline In Chinese Cyberattacks: The Story Behind The Numbers. “Last summer, an audience of government officials, military personnel, and foreign ambassadors gathered in Aspen, Colorado, to hear John Carlin, then an assistant attorney general, speak about cyberattacks. The Aspen Security Forum, which is held every year at a breathtaking resort in the Rocky Mountains, is the sort of event where national security wonks go for hikes in T-shirts and shorts, then trade war stories over lemon-raspberry water and superfood balls. The news of the Democratic National Committee hack had broken just the day before, and many hoped that Carlin, who headed up the investigation into the incident, might speak candidly about it. Instead, he recounted the Justice Department’s indictment of five hackers in China’s People’s Liberation Army Unit 61398 for commercial espionage—back in 2014.” (Source: The Technology Review)
  • Hackers Target All Major UK Banks With New Twitter Phishing Campaign. “A new active Angler phishing social media scam campaign has been identified by security researchers, which is targeting all major UK banks and their customers. The scam campaign involves hackers creating fake Twitter accounts, posing as customer support staff, in efforts to hoodwink customers into divulging credentials. In this case, ProofPoint researchers noted that the hackers operating the Angler phishing campaign were monitoring bank customers’ accounts on Twitter. They hijacked conversations users attempted to have with genuine support staff of banks, and redirected customers to a fake support page.” (Source: International Business Times)
  • PayPal Patches Bone-headed Two Factor Authentication Bypass. “PayPal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and passwords in hand need only mess with post requests changing securityquestion0 to securityquestion1 for two factor authentication to be bypassed.” (Source: The Register)
  • Suspect Arrested In Phoenix-area Cyber Attack On 911 Phone Systems. “Meetkumar Hiteshbhai Desai, 18, was arrested and booked into the 4th Avenue Jail on three counts of felony computer tampering. The Maricopa County Sheriff’s Office Cyber Crimes Unit says he is the one behind a series of 911 hang-up calls that have affected multiple agencies in the Valley. According to a release from MCSO, the Surprise Police Department received over 100 911 hang-up calls late Tuesday night.” (Source: The 12 News)
  • Security Community Needs ‘cultural change’, Warns Australia’s Newest Cyber Guardian. “Cybersecurity experts need to take a more progressive approach to security education and drive a ‘cultural change’ to improve accessibility to high-level security skills, Australia’s newest SANS Institute-accredited Cyber Guardian has advised. A lecturer in the UNSW School of Engineering and Information Technology and Australian Defence Force Academy (ADFA) who completed his PhD in intrusion detection and exploit payload technology, Dr Gideon Creech was awarded the distinction – one held by just 35 people in the world and just one other Australian – after completing a rigorous certification program that builds on the GIAC Security Expert certification that itself is only held by around 200 people worldwide.” (Source: CSO)
  • Blog: Simple Steps for Social Media Security. “According to a recent report by cybersecurity developer Forcepoint, millennials might pose as serious a cybersecurity risk to enterprise networks as cyber criminals. The research found that the baby boomer generation, those aged 51 to 69, are more cautious online while the younger work force is more likely to abandon caution in exchange for digital convenience. One of the most notable results from the survey, done in July by research agency LaunchTech and commissioned by Forcepoint, is that more than 60 percent of millennials said they would not accept employment offers unless they are assured of no access restrictions to social media platforms.” (Source: AFCEA)
  • Let’s Clean Up The Internet By Taking Responsibility For Our Actions. “Imagine an Internet with multiple levels of security that users need to earn. Level zero means a person does nothing, and so has limited access to services because their computer is probably infected. Many corporations work this way on their internal networks, restricting access of devices that are unknown or do not have a minimum set of security defenses. Restrictions could be based on inexperience — akin to what many countries do with driver’s licenses — or personal habits, which often affect life insurance premiums. The intriguing part is how do people earn their way to higher levels of trust and access? What mix of incentives and consequences will produce the best results?” (Source: Dark Reading)
  • Stolen Medical Records Available For Sale From $0.03 Per Record. “The development of the market for stolen data and related hacking skills indicate that the business of cybercrime in the healthcare sector is growing, according to Intel Security. ‘In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success’ said Raj Samani, Intel Security’s CTO for Europe, the Middle East, and Africa. ‘Given the growing threat to the industry, breach costs ought to be evaluated in the Second Economy terms of time, money, and trust—where lost trust can inflict as much damage upon individuals and organizations as lost funds.’” (Source: Help Net Security)
  • Personal Tracking Devices Expose Public Privacy Risk. “Small tags embedded with Bluetooth Low Energy have become increasingly popular in recent years as a way for consumers to track things such as car keys or other small items. There is only one small problem: They’re also potentially a larger public privacy risk, according to new research released Oct. 25 by security firm Rapid7. Among the trackers Rapid7 looked at is the TrackR Bravo device, which was found to have four unique vulnerabilities, including cleartext password storage (CVE-2016-6538), Tracking ID exposure (CVE-2016-6539), unauthenticated access (CVE-2016-6540) and unauthentic pairing (CVE-2016-6541) vulnerabilities.” (Source: eWeek)
  • Major Security Flaw Targets Industrial Computer Systems. “A major security vulnerability affecting one of the world’s largest manufacturers of computerized industrial control systems, Schneider Electric, has recently been identified, according to a leading cybersecurity firm. Researchers at the Israel-based Indegy Corporation Tuesday publicly announced their identification of the security hole and details of how it could have been exploited. The security threat has since been filled by engineers at Schneider Electric.” (Source: VOA News)

Safe surfing, everyone!

The Malwarebytes Labs Team