Detail of a calendar page with dates

A week in security (Jan 08 – Jan 14)

Last week, we talked about what Windows environmental variables are, more phishy sponsored tweets in the wild, and—if you haven’t actually considered this already—how to take selfies in a safe manner that doesn’t compromise your security and/or privacy.

We also took a deep dive into a post-holiday spam campaign, which delivered a booby-trapped Word document that downloads and executes a Neutrino bot. If you may recall, we published an article by hasherezade about the inner workings of the Neutrino botnet builder.

Finally, we revealed a clickjacking campaign that abuses Google’s AdSense while, at the same time, avoiding ad fraud bots. Senior Malware Intelligence Analyst Jérôme Segura provided us details on how this campaign works, how the criminals behind them profit from organic user clicks, and how this is related to a previous campaign that took advantage of European law on browser cookies.

Below are notable news stories and security-related happenings:

  • WordPress, Joomla, And Magento Continue To Be The Most Hacked CMSs. “Based on statistical data gathered by Sucuri from 7,937 compromised websites, WordPress, Joomla, and Magento, in this order, continued to be the most hacked CMS platforms in the third quarter of 2016 (months of July, August, and September). Among all hacked websites, 74% ran WordPress, which isn’t surprising if we take into account the CMS’ massive market share among today’s sites.” (Source: Bleeping Computer)
  • Is! Yahoo! Dead?! Why! Web! Biz! Will! Rename! To! Altaba! – The! Truth! “Marissa Mayer, the CEO of perennial drain-circler Yahoo!, will step down from its board of directors, along with five other members, after Verizon finishes gobbling up most of the internet portal. And once the acquisition is over, the remaining carcass of Yahoo! will change its name to Altaba Inc. In an SEC filing today, Yahoo! stated that once the Verizon takeover is complete – presumably after the US telco haggles Yahoo! down from its $4.8bn price tag following some serious brand tarnishing – Mayer will quit Yahoo!’s board of directors.” (Source: The Register)
  • Cyber Becomes Mainstream: The Lessons Learned For 2017. “In a year of change, one issue has become so tied to our daily lives that its emergence has been somewhat masked—and that issue is cyber. Just a few short years ago, cyber was seen as an edge issue that impacted technology companies. Now one need only look at the continuing discussion regarding the presidential election and the effect of the alleged interference by state-sponsored threat actors to see that cyber is embedded in our daily lives in a way that many did not imagine.” (Source: LegalTech News)
  • Spora Ransomware Works Offline, Has The Most Sophisticated Payment Site As Of Yet. “A new ransomware family made its presence felt today, named Spora, the Russian word for “spore.” This new ransomware’s most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, which is the most sophisticated we’ve seen from ransomware authors as of yet.” (Source: Bleeping Computer)
  • Hello Kitty Database Of 3.3 Million Breached Credentials Surfaces. “A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend. The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery.” (Source: Kaspersky’s Threatpost)
  • 49% Of Businesses Fell Victim To Cyber Ransom Attacks In 2016. “Nearly half of businesses report that they were the subject of a cyber-ransom campaign in 2016, according to Radware’s Global Application and Network Security Report 2016-2017. Data loss topped the list of IT professionals’ cyber attack concerns, the report found, with 27% of tech leaders reporting this as their greatest worry. It was followed by service outage (19%), reputation loss (16%), and customer or partner loss (9%).” (Source: Tech Republic)
  • Will 2017 Be The Year Of Ransomworm? “It’s safe to say that 2016 was the year of ransomware. More specifically, the year of crypto-ransomware, that nefarious variant that encrypts files and holds them captive until a ransom is paid. Since the release of Cryptolocker in late 2013, crypto-ransomware has exploded, and 2016 was a banner year. As a matter of fact, according to the FBI, cyber criminals used ransomware to steal more than $209 million from U.S. businesses in just the first quarter of 2016. And according to a recent report from Kaspersky Labs, from January to September of 2016, ransomware attacks targeting companies increased by a whopping 300 percent.” (Source: Help Net Security)
  • FDA Confirms That St. Jude’s Cardiac Devices Can Be Hacked. “The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday. The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks.” (Source: CNN Money)
  • 5 Cyber Resolutions For 2017. “As we jump into the new year, here are five key resolutions to add to your list to have a cyber-secure 2017.” (Source: Orlando Business Journal)
  • The Limitations Of Phishing Education. “In the past 12 months, millions of organizations, spanning all industries and sizes, became targets of cyberattacks. According to a recent report, 400,000 phishing sites were detected per month in 2016, and the Anti-Phishing Working Group concluded that phishing attacks reached an “all-time high” in the second quarter. Not only are attacks proliferating, but the perpetrators have evolved into professional cybercriminals with plenty of time and resources. For these reasons, it’s unrealistic to entrust the workforce with the massive responsibility of stopping phishing.” (Source: Dark Reading)
  • Germany’s Plan To Fight Fake News. “In May 2015, hackers infected some 20,000 computers in Germany’s parliament with malicious software designed to steal sensitive data. The vast and damaging cyberattack was the most expansive in the government’s history. The culprits? Experts and officials blamed the hacking group “APT 28,” the same outfit that the US government says hacked the Democratic National Convention in July 2015 and helped Russia execute an extensive influence operation to discredit Hillary Clinton’s presidential campaign.” (Source: The Christian Science Monitor’s Passcode)
  • 74 Percent Of Organizations Using Two-Factor Authentication Face User Complaints. “A recent SecureAuth survey of 300 cyber security professionals or IT decision makers found that 74 percent of respondents who use two-factor authentication (2FA) said they receive complaints about 2FA from their users — and 9 percent say they simply ‘hate it.’ ‘It’s not surprising that organizations are receiving an increasing amount of complaints about 2FA,’ SecureAuth CEO and founder Craig Lund said in a statement. ‘IT professionals face an ongoing battle as they are frequently forced to choose between user experience and increased security.'” (Source: eSecurity Planet)
  • Beware Phishing Scams In Amazon Listings. “Be careful what you click: There’s a new phishing scam hitting Amazon listings that look like legitimate deals, offering great prices on ‘used – like new’ electronics. If you click these links on Amazon, you’ll be redirected to a very convincing Amazon-looking payment site, where the phishy merchant will grab your money and run.” (Source: Sophos’s Naked Security Blog)
  • South African Bank Tells Its Tale Of Battling Ransom Attacks. “In November of 2015, a bank in South Africa received a ransom email from the Armada Collective, which was quickly followed by a teaser flood attack that the bank proactively mitigated. Sort of a shot across the bow to make sure the bank knew the criminals were serious. Bank officials didn’t flinch. According to a verbatim in Radware’s recently released Global Application & Security survey, the bank detected and mitigated the teaser flood attack before officials discovered the email, which had been sent to an unattended mailbox while the company was closed. With a hybrid DDoS mitigation solution in place, the flood attack had no impact and was immediately diverted to a scrubbing center for cleanup.” (Source: CSO)
  • Alice: A Lightweight, Compact, No-Nonsense ATM Malware. “Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • Hacker Siblings Arrested For Targeting Italian Elite – Infecting 20k Emails. “Two London-based hackers namely 45-year old Giulio Occhionero and 48-year old Francesca Maria Occhionero have been arrested by Italian police for attempting to hack the communications of Italian elite including former Prime Minister Matteo Renzi and economist Mario Monti. The hackers, who happen to be siblings, not only tried to hack communications of Italian PM but also targeted other senior executives and business tycoons. It is being reported that the siblings were running a cyber-spying campaign to get sensitive financial and political information.” (Source: Hack Read)
  • Is Your Data Breach Response Plan Good Enough? Stress Test It. “As the chances of a data breach incident increase, savvy businesses have invested time and thought in a response plan. But plans never survive first contact with the enemy. Stress test your incident response plan to find and resolve its weaknesses while time is on your side.” (Source: LegalTech News)
  • UK Businesses Were Hit 230,000 Times Each By Cyber-attacks In 2016, Says Internet Service Provider. “Analysis has shown that U.K. businesses were subjected to an average of 230,000 cyber-attacks each in 2016. The number of attacks on individual companies’ firewalls breached 1,000 per day, on average, in November last year, according to internet service provider (ISP) Beaming.” (Source: CNBC)
  • Airline Passengers’ Bookings And Info Leaked By Boarding Gate Displays. “An airport’s boarding gate displays leaked information that could have allowed attackers to gain access to passengers’ bookings and their personal details. While waiting for his flight at an airport in Europe, Candid Wueest of Symantec’s security research team saw a timed-out web browser window on one of the boarding gate displays. Curious, he noted the window’s IP address and tried to open it on his smartphone.” (Source: Graham Cluley’s Blog)
  • How to Encourage Employees to Not Only Practice, but Actually Promote Cybersecurity Awareness. “It’s a curious reality that, although employees are swiftly punished for violating information security policy, such an extreme lack of interest in providing those employees with adequate cybersecurity awareness training exists amongst organizations. In a survey conducted by Enterprise Management Associates (EMA), only 56 percent of employees said that they receive cybersecurity awareness and policy training. While this finding is bewildering enough on its own, let’s delve deeper and ask an even more important question; of this 56 percent, how many organizations employ behavioral conditioning practices to reinforce the information their employees are being taught?” (Source: InfoSecurity Magazine)

Safe surfing, everyone!

The Malwarebytes Labs Team