Detail of a calendar page with dates

A week in security (Nov 13 – Nov 19)

Last week, we asked our blog readers what Malwarebytes Labs can do to make our awesome content more awesome. Those who provide us feedback within two weeks are eligible to win some cool swag: Amazon Gift Card codes.

amazongiftcard4

Readers still have time to join. Simply visit this online questionnaire and tell us what you think!

We also ran an anti-bullying campaign for Anti-Bullying Week, an annual event that started off in the UK that aims to raise awareness about bullying—this includes cyberbullying—that is happening among children and young people, and what we can do to combat this. In our campaign, we went beyond the scope of school-aged children and also focused on adult bullying, particularly that which happens in the workplace. You can read the posts we published on this below:

Below are notable news stories and security-related happenings:

  • FriendFinder Networks Data Breach Exposes Over 400 Million Adult Site Accounts. “Adult dating and entertainment company FriendFinder Networks has reportedly been hacked in a massive data breach exposing more than 412 million accounts and user credentials collected over two decades. According to Leaked Source, the breach is believed to have occurred in October with email addresses and passwords from six adult-oriented FriendFinder Networks websites dumped online. More than 330 million accounts on AdultFriendFinder – a site that dubs itself the ‘World’s largest sex and swinger community’ – were exposed in the breach. The hack also exposed more than 62 million user accounts on video site Cams.com and more than seven million on Penthouse.com in addition to a few million from other smaller websites owned by the company.” (Source: The International Business Times)
  • Black Friday And Cyber Monday Will Put Data Center Operations Under Extreme Stress Over The Annual Super-shopping Weekend. “Black Friday has become the biggest shopping day of the year, when retailers knock prices across much of their stock to kick-start the gift-buying season but BroadGroup has warned data centers to prepare for an infrastructure melee potentially on the scale of a DDoS-attack from the expected deluge of customers. Philip Low, Chairman of BroadGroup said: ‘This year, internet sales over the 24-hour period are expected to surpass £1bn for the first time in UK history.  The hysteria surrounding this, now famous, weekend tests IT infrastructure and websites to the limits.  Most brands and operators will have stress-tested their equipment and both tweaked and optimized code and hardware set-ups to maintain performance levels during peak times, however many just don’t know what might happen.'” (Source: IT Security Guru)
  • 10-year-olds Break Safety Rules Set By Parents To Hide Cyber-lives. “Forty-two percent of 10-year-olds believe they have the skills to hide what they’ve been doing online from parents. By age 13, this figure rises to 70 percent. New research by Kaspersky Lab reveals that children as young as 10 actively attempt to hide their cyber-lives and circumnavigate the rules set by their parents to govern internet use in the home today. One thousand children between the ages of 10 and 15 were polled.” (Source: SC Magazine)
  • Consumer And Business Perspectives On IoT, Augmented Reality Risks. “As every business becomes a digital business, the spread of technology such as augmented reality (AR) and Internet of Things (IoT) devices can add significant business value and personal convenience. Yet a new study from ISACA shows that consumers and IT professionals disagree on the risks and rewards. US consumers who are employed are more positive about the benefits of AR than IT professionals are, with 60 percent or more agreeing that a range of suggested AR applications would improve their life and make it easier for them to do their job. However, 67 percent of IT professionals are not certain the benefits of AR outweigh the risks.” (Source: Help Net Security)
  • Teaching Kids About Cybersecurity? Ask Garfield. “Children are spending more time online, chatting up strangers and sometimes giving them personal information that could put them in harm’s way. But a new collaboration that enlists a particularly troublesome cartoon feline is looking to teach kids a few things about cybersecurity. Mobile devices have become the babysitters of the technology age, engaging and distracting kids in equal measure.” (Source: The Voice of America)
  • WhatsApp Adds 2-Step Verification Passcode – Enable This Security Feature. “WhatsApp has introduced a new security feature that fixes a loophole in the popular messaging platform, which if exploited, could allow an attacker to hijack victim’s account with just knowing the victim’s phone number and some hacking skills. The attack does not exploit any vulnerability in WhatsApp; instead, it relies on the way the account setup mechanism works. WhatsApp allows users to sign up to the app using their phone number, so if an attacker wants to hijack your WhatsApp account, they would require an OTP (One time password) send to your phone number.” (Source: The Hackers News)
  • Businesses Are Warned Of Rising Threat Of Cyber Ransom Attacks. “The Central Bank of Ireland has warned financial institutions that cyber attacks are becoming more sophisticated, more targeted and more difficult to detect. Business consultants have also warned that a relaxed attitude to cyber security leaves small and medium enterprises vulnerable to phishing scams and harmful software designed to extort money from vulnerable firms. Many businesses are affected as they take reactive action rather than work to prevent threats.” (Source: Independent)
  • OAuth 2.0 Hack Exposes 1 Billion Mobile Apps to Account Hijacking. “Third-party applications that allow single sign-on via Facebook and Google and support the OAuth 2.0 protocol, are exposed to account hijacking. Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called ‘Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0.’ The paper describes an attack that takes advantage of poor OAuth 2.0 implementations and puts more than one billion apps in jeopardy.” (Source: Kaspersky’s ThreatPost)
  • Hacker Shows How Easy It Is To Take Over A City’s Public Wi-Fi Network. “In a perfect example of how public wireless networks can be dangerous for privacy and security, an Israeli hacker showed that he could have taken over the free Wi-Fi network of an entire city. On his way home from work one day, Amihai Neiderman, the head of research at Israeli cybersecurity firm Equus Technologies, spotted a wireless hotspot that he hadn’t seen before. What made it unusual was that it was in an area with no buildings. It turned out that the hotspot he saw, advertised as ‘FREE_TLV,’ was part of the citywide free Wi-Fi network set up by the local administration of Tel Aviv, Israel. This made Neiderman wonder: How secure is it?” (Source: CSO)
  • NHS Patients Being Put ‘At Risk’ Because Of Cybersecurity Flaws. “Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015. Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers. Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts’ emails and passwords, through public searches. Jennifer Arcuri, co-founder of Hacker House, told Sky News: ‘I would have to say that the security across the board was weak for many factors….'” (Source: Sky News)
  • Teenager Pleads Guilty To TalkTalk Hack Offenses. “A 17 year old hacker has admitted offenses related to the massive data breach at TalkTalk last year. According to the BBC, the boy told Norwich Youth Court he was just “showing off” and used tool software to identify vulnerabilities on the TalkTalk website. He pleaded guilty to seven charges under the computer Misuse Act and will be sentenced on 13 December. TalkTalk was fined a record £400,000 by the Information Commissioner’s Office (ICO) for its failures that allowed the breach to take place. The ICO found that TalkTalk could have avoided the cyber attack if it took a few basic security steps to protect the information it holds on its customers.” (Source: TechWeek – Europe)
  • This Ransomware Uses Your Social Media Profiles To Personalize Its Demands. “A newly discovered form of ransomware scrapes the social media accounts and local files of victims in order to tailor a customized demand, and threatens court action if it isn’t paid. Dubbed ‘Ransoc’ by cybersecurity researchers at Proofpoint due to its connection with social media including Facebook, LinkedIn, and Skype, this ransomware represents yet another evolution of the malicious software which has boomed during 2016. It isn’t the first ransomware variant to use social engineering in an attempt to scare the victim into paying up, but Ransoc is unique in how it attempts to turn the users’ files against them — especially if illegally downloaded files are on the system.” (Source: ZDNet)
  • Preparing For The Holiday Shopping Season? Cybercriminals Are Getting Ready As Well. “The number of financial phishing attacks is expected to rise during the Holiday shopping season which starts unofficially on Black Friday. Retrospective research by Kaspersky Lab specialists shows that, over the last few years, the holiday period was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year. As previous years have shown, a peak season for sales can also be a peak hunting season for criminals. While e-commerce customers are anticipating big sales, retailers are preparing for increases in store visitors, and financial infrastructures are getting ready for a huge increase in transactions; cybercriminals are preparing too.” (Source: Help Net Security)
  • Google, Facebook Move To Restrict Ads On Fake News Sites. “Alphabet Inc’s Google and Facebook Inc on Monday announced measures aimed at halting the spread of ‘fake news’ on the internet by targeting how some purveyors of phony content make money: advertising. Google said it is working on a policy change to prevent websites that misrepresent content from using its AdSense advertising network, while Facebook updated its advertising policies to spell out that its ban on deceptive and misleading content applies to fake news.” (Source: Reuters)
  • Twitter Updates Its Abuse Policy And Adds Muting And Reporting Tools To Combat Trolls. “In the wake of the U.S. Election, as Facebook and Google come under fire for the dissemination of fake “news” in their News Feed and search results, Twitter is tackling another area that’s been a flashpoint issue not only recently, but for years: the social media platform today is unveiling some major updates to its safety policy, aimed at helping users weed out abusive Twitter accounts and Tweets. Abusive or hateful content — defined by Twitter as ‘specific conduct that targets people on the basis of race, ethnicity, national origin, sexual orientation, gender, gender identity, religious affiliation, age, disability, or disease’ — can now be reported to Twitter for removal not just by the targets of that abuse, but by bystanders.” (Source: TechCrunch)
  • Secret Back Door In Some U.S. Phones Sent Data To China, Analysts Say. “For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence. International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.” (Source: The New York Times)
  • The Election Is Over But Spammers Aren’t Conceding. “The subject lines were enticing: ‘Trump – I uncovered a secret’ or ‘Has Trump gone too far? The shocking statement you won’t see on the news.’ Political emails with click-bait subject lines overloaded inboxes during the contentious presidential campaign – and many were too irresistible not to open. But all too often, messages were full of fake news and contained ploys designed to infect recipients’ computers with harmful software or steal personal and financial information. And while the campaigns have ended, the spammers haven’t quit. Amid protests following Republican Donald Trump’s victory, and much of the ongoing internet uproar over the election, cybersecurity experts continue to spot malicious email messages that promise to reveal ‘the “shocking” truth about election rigging in the United States’ or, erroneously, assert ‘elections outcome could be revised.'” (Source: The Christian Science Monitor)
  • Wi-Fi Shadows Cast By Your Fingers Could Leak Your Password. “Researchers in a team from Shanghai, Boston and Tampa recently published an temptingly titled paper about password stealing. Dubbed When CSI Meets Public Wi-Fi: Inferring Your Mobile Phone Password via Wi-Fi Signals, the paper makes you think of Crime Scene Investigation, but that’s just a handy collision of acronyms.” (Source: Sophos’s Naked Security Blog)
  • Barclays Has Plans To Let Customers Use Facebook For Banking. “Like most other global banks, Barclays has faced challenges in adapting to modern digital banking. Most banks still operate on mainframes, which means that there is a single point of failure and any sort of glitch or outage can leave customers without access to their services for hours, if not days. Last year Barclays made the headlines with two outages, which caused its customers problems. However, Barclays is using NoSQL database provider MongoDB to accelerate its digital banking capabilities, with future plans to even let customers carry out some of their banking transactions on Facebook, under the new PSD2 EU directive.” (Source: Diginomica)
  • How To Protect Yourself From The Malware Grinch That Wants To Steal Your Christmas. “The National Retail Federation predicts that 56.5% of American consumers will shop online this holiday season and Adobe predicts they will spend over $90 billion. Online retailers are getting ready to feast. So are online criminals. Internet security company Enigma Software reports that malware infections in the month before Christmas have increased steadily for the past two years and they see no reason why the trend won’t continue this year.” (Source: Forbes)
  • Ransomware Threatens To Expose Child Pornography. “Security researchers have discovered a new ransomware variant designed to harvest social and comms data and scan for evidence of child exploitation and pirated content in a bid to guarantee payment of the ransom. Proofpoint explained that ‘Ransoc’ has more in common with the ‘Police Locker’ malware popular between 2012 and 2014 than crypto-ransomware which dominates today.” (Source: InfoSecurity Magazine)
  • Carbanak Attacks Shift To Hospitality Sector. “The Carbanak cybercrime gang, best known for allegedly stealing $1 billion from financial institutions worldwide, have shifted strategy and are targeting the hospitality and restaurant industries with new techniques and malware. According to security researchers at Trustwave, over the last several weeks Carbanak has been targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target is credit card data scraped from the memory of point-of-sale systems.” (Source: Kaspersky’s ThreatPost)
  • Malware Hunters Catch New Android Spyware For Governments In The Wild. “A group of malware hunters has caught a new Android spyware in the wild. The spyware is marketed to governments and police forces and was made in Italy—but it wasn’t built by the infamous surveillance tech vendor Hacking Team. On Monday, researchers released a technical report on a new type of Android malware designed to surreptitiously record video and audio, turn the GPS on and off, steal data from the phone and take screenshots, among other functions—”run-of-the-mill, boring, commercial spyware junk,” as one of the researcher put it in the report. What’s interesting is that the researchers said the spyware infected a victim working for a government, and they suspected it was made by Hacking Team. But in reality, the spyware was likely made by another Italian company, who hasn’t gotten much public attention yet.” (Source: Motherboard)
  • Gamers Giving Away More Than Their High Scores. “Millions of mobile app gamers are putting themselves at risk of social engineering by voluntarily allowing apps from official play stores to access, and in some cases control, their devices. A study conducted by AppRiver, the cloud-based email and Web security specialist, found that the top games listed in Google’s Play Store – which have had millions of global downloads – demand permissions for full network access and read the contents of storage. This type of information if accessed by hackers, or even legitimately collected by criminals, can be used to create tailored scams that are will spoof even the most security savvy individuals.” (Source: IT Security Guru)
  • 66% Of Organizations Won’t Recover After Cyberattack, Study Says. “A recent study performed by IBM’s Resilient and the Ponemon Institute found that 66% of organizations would be unable to recover from a cyberattack. The results of the 2016 Cyber Resilient Organization study were released Wednesday, and show a decline in organizational resilience against cyberattacks. Of the respondents, 32% of IT and security professionals ranked their resilience as high. That same number was 35% in 2015, marking a drop over the past 12 months. A press release announcing the study defined resilience as ‘an organization’s ability to maintain its core purpose and integrity in the face of cyberattacks.'” (Source: TechRepublic)
  • Here’s How Quantum Cryptography Will Make Online Shopping Truly Secure. “Data security has become a chief concern for retailers and banks that need to protect their customers against the growing threat of cybercrime, the costs of which hurt businesses to the tune of $400 billion each year. Conventional methods of securing data over the internet, most commonly SSL, have shown to be vulnerable against a variety of attacks, creating the need for a new, more robust method of encryption that will stand the test of time. Quantum cryptography may be the answer we’re looking for to resolve our security woes in data-sensitive applications like banking and online shopping.  By cutting out third parties from the encryption process and exploiting the laws of physics, quantum cryptography can detect when a man-in-the-middle attack is happening and can resist exhaustive key searches since it doesn’t use mathematical functions to generate encryption keys.” (Source: TechCrunch)
  • Security Experts Divided On Ethics Of Facebook’s Password Purchases. “Last week, Facebook CSO Alex Stamos told conference attendees in Lisbon that the company buys stolen passwords on the black market, and some security experts are questioning the ethics and benefits of this approach. ‘Paying for stolen passwords only reinforces the criminal business model and further encourages hackers to steal passwords,’ said Amichai Shulman, founder and CTO at Redwood Shores, Calif.-based security vendor Imperva, Inc. Paying off hackers has other consequences as well.” (Source: CSO)
  • Google Removing SHA-1 Support In Chrome 56. “The home stretch for SHA-1 deprecation is in full effect with Google on Wednesday announcing its final deprecation deadlines for the Chrome browser, and a cryptographic services provider warning that there’s still a long way to go to get sites off SHA-1 certificates. Google said it will remove its support for SHA-1 certificates in Chrome 56, which is scheduled to be released at the end of January. Mozilla and Microsoft have already announced similar deprecation cutoff dates for early next year.” (Source: Kaspersky’s ThreatPost)
  • Ransomware Delivered By 97% Of Phishing Emails By End Of Q3 2016 Supporting Booming Cybercrime Industry. “PhishMe Inc., the leading provider of human phishing defense solutions, released findings today that show the amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1. Remaining at the forefront is the Locky encryption ransomware, which has introduced a number of techniques to resist detection during the infection process. Published today, PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months.” (Source: Business Wire)
  • Data Integrity, The Next Big Threat. “Imagine in a 2016 remake of the classic film Gaslight, a young security professional is driven to the brink of insanity – and impending disaster – by a cyber schemer who unbeknownst to IT security has over time moved around and corrupted bits of data, manipulating, let’s say, the design of a jumbo jetliner or perhaps the composition of a vaccine, to execute an unspeakable attack. A little dramatic? Not really. While cybercriminals to date have mostly focused on stealing credentials for financial gain or disrupting businesses or organizations, the corruption of data, sometimes years in advance of an attack, is a growing – and more challenging – threat.” (Source: SC Magazine)
  • Android Banking Malware Remains Active When Infected Devices Sleep To Save Power. “A new Android banking trojan can stay connected with its command & control servers, even after infected devices have gone dormant. At issue here is something known as Doze. First introduced in Android 6.0 Marshmallow, Doze is a power mode that activates once a user hasn’t interacted with their device for a period of time. Once Doze is activated, the Android operating system restricts applications’ access to the network and other services on the phone to conserve battery…” (Source: Graham Cluley’s Blog)
  • Millions Of Three Customers’ Information At Risk After Database Hacked. “Leading mobile phone company Three has admitted millions of its customers’ private information is at risk after hackers broke into their security system. The company said hackers used an employee login to access its customer upgrade database, leaving nine million customers at risk. A spokesman for Three said: ‘Over the last four weeks, Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.'” (Source: Express)
  • Wickedly Clever USB Stick Installs A Backdoor On Locked PCs. “You probably know by now that plugging a random USB into your PC is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But serial hacker Samy Kamkar‘s latest invention may make you think of your computer’s USB ports themselves as unpatchable vulnerabilities—ones that open your network to any hacker who can get momentary access to them, even when your computer is locked. Today Kamkar released the schematics and code for a proof-of-concept device he calls PoisonTap: a tiny USB dongle that, whether plugged into a locked or unlocked PC, installs a set of web-based backdoors that in many cases allow an attacker to gain access to the victim’s online accounts, corporate intranet sites, or even their router. Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.” (Source: Wired)
  • Fake Executive Social Media Accounts Threaten Enterprises. “New research has uncovered numerous duplicative Twitter and LinkedIn accounts among Fortune 500 leaders, raising concerns about potential security vulnerabilities. Analysts at BrandProtect reviewed profiles for the 54 CEOs at Fortune 500 companies using Twitter and the 187 CEOs using LinkedIn. Of these CEOs, 19 percent were represented online by multiple Twitter accounts, while 9 percent had multiple LinkedIn accounts.” (Source: Help Net Security)
  • Once Again, Siri Helps Attackers Bypass Your iPhone’s Passcode. “Over the years iPhones and iPads have been plagued on many occasions by passcode bypasses – a secret method that allows an attacker to unlock your iOS device and access your private data. It would be nice to think that as we’re now up to iOS 10 that Apple would have prevented such bypasses from working once and for all. But no such luck – for users who have left Siri enabled from the lockscreen at least. Here is how an attacker could break into your iPhone, even if you have a passcode or Touch ID turned on.” (Source: Bitdefender’s Hot For Security Blog)

Safe surfing, everyone!

The Malwarebytes Labs Team

ABOUT THE AUTHOR