Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully supported official programming language for Android. Google boasts that Kotlin contains safety features that make apps “healthy by default.” Many apps, from the hottest startups to Fortune 500 companies (Twitter, Uber, Pinterest), are already built with Kotlin.

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin have been found on Google Play. Introducing Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

After Swift Cleaner is launched, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to a number supplied by the C&C server. The app does this to confirm that a SIM card is present and that mobile carrier services are available.

Once it has contacted the server, the malicious part of the app starts URL forwarding and click fraud. Click fraud is the illegal practice of clicking on a website’s advertisements (banner ads or paid text links) to inflate the number of payable clicks billed to the advertiser. In this case, the app clicks on a URL that leads to a survey; at the end of the survey you are offered free services if you click a claim link, which then redirects you to another, possibly malicious, website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app uses WAP together with JavaScript to bolt on CAPTCHA-bypass functionality: over the mobile data connection it analyzes the base64-encoded CAPTCHA image. CAPTCHA images are parsed and solved, and the image data is later uploaded to the C&C server, where it is used to train a neural network. The accumulated image samples are then used to find the best match for each character of subsequent CAPTCHAs.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a form of mobile billing where the user pays for a premium service by either receiving or sending a message. The billing works in one of two ways:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that its protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play Store. By using a quality mobile anti-malware scanner as a second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.

Go to Source
Author: Gleb Malygin

Panic attack: Apple scams apply pressure

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails

First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

[Image: fake Apple cloud purchase receipt]

The general rule of thumb is to try and be as inconspicuous as possible, so we’re not really sure why the scammers went with one of the most well-known privacy advocates on the planet to fill in the personal information box. Not only that, but they used a randomly-grabbed address from a property website sporting nine bedrooms and four bathrooms.

Maybe the plan is to hit the potential victim with something so utterly ludicrous, that they’ve already clicked the link before they’ve had time to think about it. For a lot of people, simply seeing a “Thanks for the order of this thing that costs you money” would be enough to have panic set in.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page.

[Image: the redirect link is down]

The phish link itself is also offline, so we can’t show you what may lie in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in

Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

[Image: iPod login notification email]

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device

Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari

If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, the scammers also make use of some Cyrillic characters, likely in an attempt to bypass Bayesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPS websites instead of plain old HTTP landing pages. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.
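Mixing Cyrillic and Greek look-alikes into Latin text is exactly the kind of thing a mail filter can catch, because no legitimate English sentence spells a word from three alphabets at once. The following is an added example, not code from the original post: it classifies each character by Unicode script name and flags any token whose letters come from more than one script, then runs that over the opening of the phishing mail quoted above (kept with its original characters) and over a constructed clean equivalent. The `homoglyph_score` threshold is an assumption to tune on your own mail corpus.

```python
import re
import unicodedata

# Script families we tell apart; any other alphabetic character is lumped under OTHER.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def script_of(ch):
    """Return the script family of one character, or None if it is not a letter."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """Return (word, scripts) for every token whose letters come from more than one script."""
    flagged = []
    for token in re.findall(r"\S+", text):
        word = token.strip(".,;:!?()[]{}\"'")
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            flagged.append((word, sorted(scripts)))
    return flagged


def homoglyph_score(text):
    """Fraction of tokens that mix scripts; ordinary English mail scores 0.0."""
    tokens = re.findall(r"\S+", text)
    return len(mixed_script_words(text)) / len(tokens) if tokens else 0.0


# Opening of the phishing mail quoted in the post, with its original look-alike characters.
PHISH_SAMPLE = ("Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund "
                "ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt.")
# Constructed clean counterpart in plain ASCII for comparison.
CLEAN_SAMPLE = ("For your safety, your Apple ID has been locked because we found "
                "some suspicious activity on your account.")

if __name__ == "__main__":
    for word, scripts in mixed_script_words(PHISH_SAMPLE):
        print(f"{word!r}: {'+'.join(scripts)}")
    print("phish score:", round(homoglyph_score(PHISH_SAMPLE), 2))
    print("clean score:", round(homoglyph_score(CLEAN_SAMPLE), 2))
```

Because the check works on Unicode script names rather than a fixed table of confusable pairs, it also catches the Greek omicron and kappa this mail uses alongside the Cyrillic letters. Words written entirely in one non-Latin script (a genuine Russian or Greek message) are not flagged, which keeps false positives down on international mail.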

Always worth repeating: just because a website uses HTTPS does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.

Apple care scare

There are also some dubious texts going around claiming to be from Apple Care:

[Image: “Final Notification” text message]

It reads as follows:

Final Notification

Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at

appleid-revise(dot)com

Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases

We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact Apple directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue to target these accounts.

Author: Christopher Boyd

Bank robbers 2.0: digital thievery and stolen cryptocoins

Imagine running down the street (and away from law enforcement) with 2,000 pounds of gold bars. Or 1,450 pounds in $100 bills. With both of these physical currencies amounting to roughly US$64 million, you’d be making quite a steal…if you could get away with it.

That’s exactly what the next generation of thieves—bank robbers 2.0—did in December 2017, when they stole more than $60 million in Bitcoin* from the mining marketplace NiceHash. It turns out stealing Bitcoin is a lot less taxing on the body.

*Disclaimer: I used the value of Bitcoins as they were at the time of the robbery. Current values are volatile and change from minute to minute.

Crime these days has gotten a technical upgrade. By going digital, crooks are better able to pull off high-stakes sting operations, using the anonymity of the Internet as their weapon of choice. And their target? Cryptocurrency.

Old-school bank robbers

The amount of money stolen from NiceHash is comparable to arguably the biggest physical heist to date, the theft of nearly $70 million from a Brazilian bank in 2005. Noted in the Guinness Book of World Records, the robbers managed to get away with 7,716 pounds of 50 Brazilian real notes. There were 25 people involved—including experts in mathematics, engineering, and excavation—who fronted a landscaping company near the bank, dug a 78-meter (256-foot) tunnel underneath it, and broke through 1 meter (about 3.5 feet) of steel-reinforced concrete to enter the bank vault.

The largest bank robbery in the United States, meanwhile, was at the United California Bank in 1972. The details of this bank robbery were described by its mastermind, Amil Dinsio, in the book Inside the Vault. A gang of seven, including an alarm expert, explosives expert, and burglary tool designer, broke into the bank’s safe deposit vault and made off with cash and valuables with an estimated value of $30 million US dollars.

What these robberies have in common is that, in order to pull them off, there were large groups of criminals involved with various special skills. Most of the criminals of these robberies were either caught or betrayed—physical theft leaves physical traces behind. Today’s physical robbers run the risk of getting hurt or hurting others, or leaving behind prints or DNA. And they are often tasked with moving large amounts of money or merchandise without being seen.

[Image: heavy loot]

Bank robbers 2.0

So here come the bank robbers 2.0. They don’t have to worry about transporting stolen goods, fleeing the crime scene, digging, or blowing things up. They are in no—immediate—physical danger. And if they’re smart enough, they work alone or remain anonymous, even to their accessories. Their digital thievery has proven successful through several methods used to obfuscate their identity, location, and criminal master plan.

Social engineering

One of the most spectacular digital crimes targeted 100 banks and financial institutions in 30 nations in a months-long attack in 2013, reportedly netting the criminals involved over $300 million. The group responsible used social engineering to install malicious programs on bank employees’ systems.

The robbers were looking for employees responsible for bank transfers or ATM remote control. Once they had those employees’ systems, they could mimic the actions required to transfer money to accounts they controlled without alerting the bank that anything unusual was going on. For example, they could make an account show more money than it actually held: an account with $10,000 could be altered to show $100,000, so that the hackers could transfer $90,000 to their own accounts without anyone noticing.

The alleged group behind this attack, the Carbanak Group, have not yet been apprehended, and variants of their malware are still active in the wild.

Ponzi schemes

Bitcoin Savings & Trust (BST), a large Bitcoin investment firm that was later proved to be a pyramid scheme, offered 7 percent interest per week to investors who parked their Bitcoins there. When the virtual hedge fund shut down in 2012, most of its investors were not refunded. At the time of its closing, BST was sitting on 500,000 BTC, worth an estimated $5.6 million. Its founder, an e-currency banker who went by the pseudonym pirateat40, only paid back a small sum to some beneficiaries before going into default. It was later learned that he misappropriated nearly $150,000 of his clients’ money on “rent, car-related expenses, utilities, retail purchases, casinos, and meals.”

Hacking

Even though details are still unclear, the NiceHash hack was reported as a security breach related to the website of the popular mining marketplace. Roughly 4,732 coins were transferred away from internal NiceHash Bitcoin addresses to a single Bitcoin address controlled by an unknown party. The hackers appear to have entered the NiceHash system using the credentials of one of the company’s engineers. As it stands now, it is unknown how they acquired those, although it’s whispered to be an inside job.

Stolen wallet keys

In September 2011, the MtGox hot wallet private keys were stolen in a case of a simple copied wallet.dat file. This gave the hacker access to not only a sizable number of Bitcoins immediately, but also the ability to redirect the incoming trickle of Bitcoins deposited to any of the addresses contained in the file. This went on for a few years until the theft was discovered in 2014. The damages by then were estimated at $450 million. A suspect was arrested in 2017.

Transaction malleability

When a Bitcoin transaction is made, the account sending the money digitally signs the important information, including the amount of Bitcoin being sent, who it’s coming from, and where it’s going. A transaction ID, a unique name for that transaction, is then generated from that information. But some of the data used to generate the transaction ID comes from the unsigned, insecure part of the transaction. As a result, it’s possible to alter the transaction ID without needing the sender’s permission. This vulnerability in the Bitcoin protocol became known as “transaction malleability.”

Transaction malleability was a hot topic in 2014, as researchers saw how easily criminals could exploit it. For example, a thief could claim that his transactions didn’t show up under the expected ID (because he had edited it), and complain that the transaction had failed. The system would then automatically retry, initiating a second transaction and sending out more Bitcoins.

Silk Road 2.0 blamed this bug for the theft of $2.6 million in Bitcoins in 2014, but it was never proven to be true.
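The failure mode described above is worth seeing in miniature, because the fix on the exchange side is a bookkeeping change rather than a protocol change. The following is an added toy model, not code from the original post and not real Bitcoin serialization: a transaction's signature covers only its inputs and outputs, a permissive verifier accepts a padded signature blob (standing in for the non-canonical encodings old nodes tolerated), and a legacy-style id hashed over the whole transaction therefore changes when a relayer pads the blob. The `SIGNING_KEY`, addresses and previous-txid strings are constructed placeholders. It contrasts a naive "did my txid confirm?" check, which would trigger the retry the text describes, with a check that keys on the coins actually spent.

```python
import hashlib
import hmac
import json

# Toy signing key for the demo; a real wallet uses an ECDSA private key.
SIGNING_KEY = b"constructed-demo-key"


def serialize(obj):
    """Deterministic serialization so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(inputs, outputs):
    """The signature covers inputs and outputs only: the signed part of the transaction."""
    return hmac.new(SIGNING_KEY, serialize({"in": inputs, "out": outputs}), hashlib.sha256).digest()


def make_tx(inputs, outputs):
    return {"inputs": inputs, "outputs": outputs, "sig": sign(inputs, outputs)}


def verify(tx):
    """Permissive toy verifier: checks the first 32 bytes and tolerates trailing padding,
    mimicking the non-canonical signature encodings that made legacy ids malleable."""
    expected = sign(tx["inputs"], tx["outputs"])
    return len(tx["sig"]) >= 32 and hmac.compare_digest(tx["sig"][:32], expected)


def legacy_txid(tx):
    """Legacy-style id: the hash also covers the signature blob, so a third party can change it."""
    body = {"in": tx["inputs"], "out": tx["outputs"], "sig": tx["sig"].hex()}
    return hashlib.sha256(serialize(body)).hexdigest()


def canonical_id(tx):
    """Id over the signed fields only; the malleable blob is left out (the idea behind the later fix)."""
    return hashlib.sha256(serialize({"in": tx["inputs"], "out": tx["outputs"]})).hexdigest()


def relayer_mutation(tx):
    """A relaying node pads the signature blob: the transaction still verifies, but its legacy id differs."""
    mutated = dict(tx)
    mutated["sig"] = tx["sig"] + b"\x00"
    return mutated


def settled_by_txid(sent_txid, confirmed):
    """Naive exchange logic: look for our own txid on chain and retry the withdrawal if it is missing."""
    return any(legacy_txid(tx) == sent_txid for tx in confirmed)


def settled_by_inputs(sent_tx, confirmed):
    """Robust logic: the withdrawal is settled once any coin it spent is spent on chain,
    whatever id the confirmed transaction ended up carrying."""
    spent = {tuple(i) for i in sent_tx["inputs"]}
    return any(spent & {tuple(i) for i in tx["inputs"]} for tx in confirmed)


def demo():
    # Constructed withdrawal: one input (previous txid, output index), one output (address, satoshis).
    tx = make_tx([["prev-txid-constructed", 0]], [["customer-address-constructed", 500000]])
    seen_on_chain = relayer_mutation(tx)
    return {
        "original_verifies": verify(tx),
        "mutated_verifies": verify(seen_on_chain),
        "legacy_id_changed": legacy_txid(tx) != legacy_txid(seen_on_chain),
        "canonical_id_stable": canonical_id(tx) == canonical_id(seen_on_chain),
        "naive_thinks_failed": not settled_by_txid(legacy_txid(tx), [seen_on_chain]),
        "robust_sees_settled": settled_by_inputs(tx, [seen_on_chain]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Every entry in the `demo()` result is `True`: the padded transaction is still valid and still pays the same output, only its legacy id moved, so an exchange that reconciles by txid alone "loses" the payment and an exchange that reconciles by spent inputs does not.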

Man-in-the-middle (by design)

In 2018, a Tor proxy was found stealing Bitcoin from both ransomware authors and victims alike. A Tor proxy service is a website that allows users to access .onion domains hosted on the Tor network without having to install the Tor browser. As Tor proxy servers have a man-in-the-middle (MitM) function by design, the thieves were able to replace the Bitcoin address that victims were paying ransom to and insert their own. This left the ransomware authors unpaid, which in turn left the victims without their decryption key.

Cryptojacking

Also known as drive-by mining, cryptojacking is a next-generation, stealthy robbing trick that covers all mining activities completed on third-party systems without the users’ consent. Stealing little amounts from many can amount to large sums. There are so many methods to achieve this that Malwarebytes’ own Jérôme Segura published a whitepaper about it.

Unlike drive-by downloads that push malware, drive-by mining focuses on utilizing the processing power of visitors’ computers to mine cryptocurrency, especially those that were designed to accommodate non-specialized processors. Miners of this kind come to us in advertisements, bundlers, browser extensions, and Trojans. The revenues are hard to guess, but given the number of blocks Malwarebytes records on Coinhive and similar sites daily, criminal profit margins could be potentially record-breaking.

Physical stealing of digital currency

This last one brings us full circle, as someone actually managed to steal Bitcoins the old-fashioned way. In January 2018, three armed men attempted to rob a Bitcoin exchange in Canada, but failed miserably as a hidden employee managed to call the police. However, others have had more success. The Manhattan District Attorney is looking for the accomplice of a man who robbed his friend of $1.8 million in Ether at gunpoint. Apparently this “friend” got hold of the physical wallet and forced the victim to surrender the key needed to transfer the cryptocurrency into his own account.

Summary

As we can conclude from the examples above, there are many ways for cybercriminals to get rich quick. With far less risk of physical harm and much less hard labor, they can score larger amounts than the old-fashioned bank robbers. The only pitfall to robbing digital currency is how to turn it into fiat money without raising a lot of suspicion or losing a big chunk to launderers.

While the diminished use of violence is reassuring, it’s still beneficial to think about how we can avoid becoming a victim. Much of it has to do with putting too much trust in the wrong people. We are dealing with a very young industry that doesn’t have a lot of established names. So how can you avoid getting hurt by these modern thieves? Here are a few tips:

  • Don’t put all your eggs in one basket.
  • Use common sense when deciding who to do business with. A little background check into the company and its execs never hurt anyone.
  • Don’t put more money into cryptocurrencies than you can spare.

Author: Pieter Arntz

New Flash Player zero-day comes inside Office document

A new Flash Player zero-day has been found in recent targeted attacks, as reported by KrCERT. The flaw, which exists in Flash Player 28.0.0.137 and earlier versions, allows an attacker to remotely execute malicious code. On February 1, Adobe published a security advisory acknowledging this zero-day:

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Threat actors used a decoy Microsoft Excel document to lure their intended targets (some South Korean users) in order to infect them with a remote administration tool named ROKRAT. While not obvious at first, an ActiveX object has been embedded into the document and contains the Flash exploit. Highlighting cells reveals a small white rectangle that represents the embedded object.

Upon opening the spreadsheet, one of several South Korean websites will be contacted via a GET request containing the following three parameters:

  • a unique identifier
  • the Flash Player version
  • the Operating System version

This is an important step because it retrieves a key used to decrypt the malicious shellcode.

By the time we had access to this sample, the websites hosting the key were down, which stopped the exploitation chain short of delivering the payload. Malwarebytes detects the remote administration tool that was dropped and blocks the sites known to have hosted the key and payload.

Adobe has said it will issue a patch for this zero-day sometime during the week of February 5. In the meantime, users are advised to disable or uninstall the Flash Player. We expect that this exploit will be used in larger-scale attacks, including via malicious spam. We will keep you updated on any further developments.

Indicators of compromise

1588-2040.co[.]kr/design/m/images/image/image.php?

SWF exploit

FEC71B8479F3A416FA58580AE76A8C731C2294C24663C601A1267E0E5C2678A0

Author: Jérôme Segura

Boomerang spam bombs Malwarebytes forum—not a smart move

Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.

Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.

As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang runs scams with an antivirus theme, so it needs to use the Malwarebytes brand to appear properly comprehensive to victims. It also looks to legitimate AV customers for scam targeting. Over the past year, Boomerang has:

  • Posted ads to our forums
  • Posted ads to blog comment sections
  • Maintained Twitter accounts to direct traffic to their domains
  • Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.
  • Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems

As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad here.)

Indicators

Our counterfraud team has observed the following Indicators of Compromise (IOCs) related to Boomerang activity:

Website                            Twitter handle
Antivirus-support-number[.]com     @Malwrebytes
Boomerangtechnologies[.]info       @malwarebytes4
www.antivirustechnicalhelp[.]com   @malwarebytes_
www.wisdomsquad[.]com              @malwarebytetech
www.seccurityexperts[.]com         @quickencontact2
liveantivirushelp[.]com            n/a
antivirusconsulting[.]com          n/a
www.bluenetworksecurity[.]com

How Boomerang rips us off

When Boomerang first came on our radar about a year ago, we called them up to see precisely how victims are being targeted. As you can see in the video of our call below, there’s nothing at all original here. Boomerang tells us that we are bedeviled by “illegal connections” sending our data overseas. The only slightly unusual parts are the relatively high quality of their website (most of these guys struggle with HTML), and the phone rep who told us that Malwarebytes does not protect from “viruses coming from the Internet.” Check out the video to see the standard Boomerang pitch.

How to stay safe

First and foremost, be a little extra suspicious of any company that is resistant to accepting payment by credit card. If they can’t process credit payments easily, there’s probably a good (bad) reason why. If you’ve had a run-in with these or any other tech support scammers (on our site, forum, or anywhere else), you can find information on what to do next here.

Have you been contacted by someone claiming to be us or our representative? See how to evaluate those claims here. Lastly, if you’ve dealt with anyone from Boomerang yourself, post to the comments below to let others know your experience. Stay suspicious and stay safe.

Author: William Tsing

“Who visits your Twitter profile” spam app brings week of chaos

Twitter spam has been around forever, and rogue apps asking for installs in return for a cool feature (to be more accurate, spamming your contacts) are a constant thorn in our Twittery sides. Over the weekend, we observed a new Twitter app doing the rounds and causing a lot of congestion on people’s timelines.

What is it?

We first noticed this when a number of my contacts using the #FBPE (follow back, pro Europe) hashtag to form networks and make new friends started spamming Tweets similar to the below:

[Image: hijacked contact’s tweet]

The spam reads as follows:

Goooo!! Click for more information:

Who visits your Twitter profile

100% safe, 100% working

Click here, available for iOS and Android

Here’s another one:

[Image: another hijacked contact’s tweet]

Sign in and download this fantastic app – only available today

Regardless of the spam message used, all the tweets directed people to visit a website located at

checkvisitss(dot)tk

How does it spread?

People click the link and are presented with the below website:

[Image: “Who visits?” landing page]

There’s not a lot to do besides hitting the large “Connect with Twitter” button, and sure enough, doing just that will direct eager clickers to the app install page.

[Image: “Authorize Recent Visits 24H” Twitter app authorization prompt]

It says:

Authorize Recent Visits 24H to use your account?

This application will be able to:

Read tweets from your timeline

See who you follow and follow new people

Update your profile

Find Tweets for you

Will not be able to:

Access your Direct Messages

See your email address

See your Twitter password

In other words, a fairly standard Twitter app permission list.

Tracking the spread

This could have been a bit of a disaster for those on the FBPE hashtag mentioned, which itself is being used to grow follower count and connect with like-minded individuals. Any app claiming to provide information about “profile views” in this situation could have resulted in an accelerated spread, though we doubt they were specifically targeted—it was spreading just fine elsewhere, as we’ll see.

Either way, those on the hashtag quickly figured out it was a scam and took steps to purge it:

[Image: app removed]

One of the other primary drivers of these spam messages was the below message:

Touch the screen and enter the web – You can know who has visited your profile

This was still actually doing the rounds as of yesterday, with a little over 900 results in a simple browser search before it refused to load any more entries:

[Image: search results showing the spam tweets]

What damage can it do?

As with all things, that depends on the ultimate aim of the scammer. Some just want to spam their website; others will pop an advert or 12, and the worst of the bunch may try to have you download and run some malware. At the time of testing, all this seemed to do was promote the app across timelines and encourage more installs, so the main aggravation here is the knowledge that you installed something useless, and then started beaming said uselessness to all of your contacts. Not a great look, however you stack it.

How do I remove it?

Thankfully, this is an easy one to pull off. Head over to your Applications tab in Twitter via Settings and Privacy, and give your apps list a spring clean:

[Image: Twitter Applications settings page]

Some of the apps you may find there could be outdated or no longer updated; if that’s the case, remove them. You don’t want to end up in a situation such as this. Once you’re happy with the end result, simply save and go back to your homepage safe in the knowledge that you won’t be posting any more bad tweets (at least, not automated ones).

Elsewhere…

A number of similar campaigns were tracked and mapped out by Erin Gallagher, one of which was making use of the URL ultimasvisitass(dot)tk, with some amazing graphs mapped out across three days using Gephi, the open source visualization program. At the time of writing, some of the URLs in play don’t load, and checkvisitss redirects to lasttvisitss(dot)tk, which is fully functional and offering up an app install. All of the sites involved seem to be registered through a number of anonymous registration services, so there’s no real way to figure out who’s behind this batch of app installs.

No matter how you come across these sites, we’d advise you not to bother giving these apps permission. The “See who visited you” routine has been around for years on Twitter and Tumblr, and going even further back, on Myspace. None of these things ever seems to work; they only serve to annoy, spam ads, or offer surveys.

While it’s useful to find out who’s been on your page, it’s really not worth the effort involved in installing a spam app and alienating all of your visitors from wanting to interact with you.

Profile viewer apps offer much, but deliver little. Move your hand away from the Install button and go about your day. Your social media profile’s reputation will thank you for it.

Author: Christopher Boyd

Fake Spectre and Meltdown patch pushes Smoke Loader malware

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, those same fraudulent domains have links to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information.

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report this abuse, and within minutes the site no longer resolved, thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

It’s always important to be cautious, especially when urged to perform an action (e.g. calling Microsoft on a toll-free number, or updating a piece of software), because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases in which vendors will contact you directly to apply updates. If that does happen, it’s always good to verify the information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate only means that the data in transit between your computer and the site is encrypted and that the site operator controls the domain name it presents; it says nothing about the intentions or content on offer, which could be a total scam.

Indicators of compromise

Fraudulent site:

sicherheit-informationstechnik[.]bid

Fake patch (Smoke Loader):

sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip
CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru
localprivat-support[.]ru
service-consultingavarage[.]ru

The post Fake Spectre and Meltdown patch pushes Smoke Loader malware appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Facebook phishers want you to “Connect with Facebook”

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. As a result, you can’t just assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]

[Screenshot: Facebook phish landing page]

…or

[Screenshot: another phish landing page]

…”Connect with Facebook.”

There’s a few other designs out there, but they’re nowhere near as common as the two above. Here’s one of the alt-designs:

[Screenshot: fake Facebook warning page]

The word salad on the fake Facebook security page reads as follows:

Dear Facebook users

Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. Please confirm your account with accurate data to avoid blocking. Note: if you do not verify your account permanently disabled automatically. Thanks, the Facebook team

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:

[Screenshot: fake lock landing page]

After that, they go straight for security questions:

[Screenshot: fake lock page]

The text on the page reads as follows:

We will temporarily lock your account. Please answer a few security questions to ensure that the actual owner of your account. We will provide 1X24 hours, to verify the identity of your account. If you do not confirm, the system will automatically shut down your Facebook account permanently.

This information will help us to restore your Facebook account

Upon hitting the “Protect your account” button, victims are sent to the legitimate Facebook login page, another common trick to make the victim think all is well, right up to the point where the login details mysteriously change and they lose access. We’ve seen far less elaborate Facebook scams also ask for payment information, so we’re a little surprised that none of the sites in either set (the landing pages and the sites hosting the data collection) do this.

We’re certainly not complaining, mind.

At time of writing, many of the secondary sites appear to have been taken down, though a fair few landing pages are still up and running. As such, it would be easy for the scammers to set up new phish pages and point the landing URLs at them instead.

URLs you should avoid:

sites.google.com/site/wwwpagesinfoterms12/

sites.google.com/site/info30021033700i/

sites.google.com/site/policyclaming767005/

sites.google.com/site/recoveryfbunblockingcenter/

(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php

sites.google.com/site/wwwpagesconfirms1202/

sites.google.com/site/noticereportslogsinfoo050/

sites.google.com/site/wwwpagesinfonet/

sites.google.com/site/help151054141104105140/

sites.google.com/site/info20012001320i1/
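For anyone who wants to act on the indicators published in this post and in the Smoke Loader post above, here is an added example (not code from Malwarebytes or either write-up) that refangs the `[.]` and `(dot)` notation the posts use, matches the callback domains and phishing URLs against proxy log lines, and compares a file’s SHA-256 with the published hash. The log lines, the log format and the file bytes are constructed for the demo; only the indicators come from the posts. The `sites.google.com` entries are matched on host plus path prefix so that unrelated pages on that shared host are not flagged.

```python
"""Added example, not code from the Malwarebytes posts: match the defanged
indicators listed in the Smoke Loader and Facebook-phish write-ups against
proxy log lines and a file hash. The log lines and file bytes are
constructed for this demo; the indicators are copied from the posts."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as published, in defanged form ('[.]' and '(dot)').
SMOKE_LOADER_DOMAINS = [
    "sicherheit-informationstechnik[.]bid",
    "coolwater-ltd-supportid[.]ru",
    "localprivat-support[.]ru",
    "service-consultingavarage[.]ru",
]
SMOKE_LOADER_SHA256 = {
    "cd17ce11df9de507af025ef46398cfdcb99d3904b2b5718bff2dc0b01aeae38c",
}
FACEBOOK_PHISH_URLS = [
    "sites.google.com/site/wwwpagesinfoterms12/",
    "sites.google.com/site/recoveryfbunblockingcenter/",
    "help-unblocking-fb(dot)site/contact/2017/index(dot)php",
]

# Constructed proxy log, assumed format: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2018-01-16T10:01:02Z 10.0.0.12 GET https://www.example.com/ 200",
    "2018-01-16T10:02:10Z 10.0.0.12 GET https://sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip 200",
    "2018-01-16T10:03:44Z 10.0.0.12 POST http://coolwater-ltd-supportid.ru/ 200",
    "2018-01-16T10:04:00Z 10.0.0.31 GET https://sites.google.com/site/recoveryfbunblockingcenter/ 200",
    "2018-01-16T10:04:05Z 10.0.0.31 GET https://sites.google.com/site/some-legit-team-page/ 200",
    "2018-01-16T10:04:20Z 10.0.0.31 GET http://help-unblocking-fb.site/contact/2017/index.php 200",
    "malformed line",
]
LOG_LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def refang(indicator):
    """Restore '.' in the '[.]' / '(dot)' notations used in the posts."""
    return indicator.replace("[.]", ".").replace("(dot)", ".")


def host_and_path(url):
    """Lowercase host and the path of a URL given with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")


def build_iocs():
    """Return (domain set, {(host, path)}) with every indicator refanged."""
    domains = {refang(d) for d in SMOKE_LOADER_DOMAINS}
    urls = {host_and_path(refang(u)) for u in FACEBOOK_PHISH_URLS}
    return domains, urls


def host_matches(host, domains):
    """True for a listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def url_matches(url, urls):
    """Match host plus path. A listed path ending in '/' is a prefix (the
    sites.google.com landing pages); other paths must match exactly, so an
    unrelated page on the same shared host is not flagged."""
    host, path = host_and_path(url)
    for ioc_host, ioc_path in urls:
        if host != ioc_host:
            continue
        if ioc_path.endswith("/") and path.startswith(ioc_path):
            return True
        if path == ioc_path:
            return True
    return False


def scan_proxy_log(lines, domains, urls):
    """Return [(client, url, label)] for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:  # skip lines that do not parse rather than crash
            continue
        _, client, _, url, _ = m.groups()
        host, _ = host_and_path(url)
        if host_matches(host, domains):
            hits.append((client, url, "smoke-loader-domain"))
        elif url_matches(url, urls):
            hits.append((client, url, "facebook-phish-url"))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def file_is_known_bad(data, hashes=SMOKE_LOADER_SHA256):
    """Compare a file's SHA-256 against the published hash, ignoring case."""
    return sha256_hex(data) in {h.lower() for h in hashes}


if __name__ == "__main__":
    domains, urls = build_iocs()
    for client, url, label in scan_proxy_log(SAMPLE_LOG, domains, urls):
        print(f"{label:20} {client:12} {url}")
    print("benign bytes known bad:", file_is_known_bad(b"MZ benign sample"))
```

Domain matches are deliberately suffix-based so that a subdomain of a callback domain still hits, while the Google Sites entries stay path-scoped; both choices are the usual trade-off between missing a variant and flooding analysts with false positives on a shared host.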

We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.

The post Facebook phishers want you to “Connect with Facebook” appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

The seven most colossal data breaches of 2017

By Logan Strain

If it seems like the words “leak,” “compromised data,” and “breach” are constantly in the news, it’s not just you. The frequency of major data breaches is increasing. According to the Identity Theft Resource Center, the number of breaches is expected to top 1,500 in 2017. That’s a 37 percent annual increase over 2016, which itself was a record year for exposed personal data.

But while most data breaches are small and contained, this year saw a handful of spectacularly bad security fails. Here are the most massive sets of compromised data and data breaches of 2017.

1. Equifax

Let’s start with the Mother of All Breaches.

Equifax, one of the four major credit reporting agencies, revealed in September that cybercriminals had penetrated its network. The breach exposed the data of 143 million Americans, more than half of the adults in the country. Exposed information included names, Social Security numbers, birthdates, addresses and, in some instances, driver’s license numbers.

It gets worse. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people were also exposed.

In response, Equifax offered a suite of identity theft protection services to all Americans, regardless of whether they were impacted or not. The services, which include up to $1 million in ID theft insurance and social security number monitoring, are free for anyone who signs up by January 31, 2018. (Though we doubt the efficacy of these identity theft protection services and don’t recommend people purchase them.)

2. Uber

This data breach actually occurred in 2016. But due to general shadiness on Uber’s part, we didn’t learn about it until November of this year. Compromised data included the names, email addresses, and phone numbers of 50 million Uber customers. The personal data of about 7 million drivers were also exposed, including around 600,000 driver’s license numbers.

Hackers pulled off the data heist by first getting access to a private GitHub repository used by Uber engineers. There they found Amazon Web Services credentials stored in the code, and used them to pull the personal data from Uber’s AWS storage. The hackers then used the data to blackmail Uber. In an attempt to keep the incident under wraps, Uber executives paid the hackers $100,000 to delete the data and keep quiet.

The incident only came to light after new Uber CEO Dara Khosrowshahi discovered it and reported the incident to regulatory authorities.

In a blog post, Khosrowshahi said that “None of this should have happened, and I will not make excuses for it.”

3. Edmodo

Adults aren’t the only ones getting their info compromised. In May, Motherboard reported that social learning platform Edmodo was hacked. The service, which is used by educators and students, has around 78 million users—and a hacker named “nclay” claimed that he acquired the account data of 77 million of them.

The data was put up for sale on the Dark Web, but apparently, accounts for a site that is primarily used to assign homework and create lesson plans aren’t particularly valuable. The hacker priced the entire database of data at just over $1,000.

4. Verizon

Did you call Verizon customer service in the first six months of 2017? Then it’s possible your data was inadvertently exposed.

ZDNet reported that NICE Systems, an Israel-based contractor, left an Amazon S3 storage bucket publicly accessible that contained records for 14 million Verizon customers. The exposed records included customer names, cell phone numbers, and account PINs.

Fortunately, Verizon was able to protect the data before anyone else could access it. In a statement to CNBC, a Verizon spokesperson said, “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

5. Deep Root Analytics

The data analytics firm Deep Root Analytics, which was contracted by the Republican National Committee, revealed that it had exposed the data of 198 million citizens. That means almost two out of every three Americans were impacted. Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.

The exposure was discovered by security researcher Chris Vickery on June 12. His analysis revealed that the firm’s data sat in an Amazon S3 bucket with no authentication at all for about two weeks. Anyone who found the address could download the 1.1 terabytes of data.

6. Sonic Drive-In

Millions of customers who only wanted to order a cheeseburger and a shake may have inadvertently given their credit card info to identity thieves.

The fast-food chain Sonic Drive-In acknowledged that an unknown number of restaurant payment systems were compromised and customer credit card information was breached. Security researcher Brian Krebs revealed that stolen credit card numbers made their way to underground markets where cybercriminals buy and sell sensitive financial data.

7. All WiFi devices

In 2017 we also learned that the encryption protecting nearly every WiFi network has a design flaw. Computer scientist Mathy Vanhoef disclosed that a weakness in the WPA2 protocol’s four-way handshake lets an attacker within radio range trick a client into reinstalling an encryption key that is already in use, a key reinstallation attack, or KRACK. That lets the attacker decrypt, and in some configurations forge, traffic on the network without knowing its password (the password itself is not revealed, and traffic separately protected by HTTPS or a VPN stays encrypted). It’s unknown whether any data was actually stolen this way, but because the flaw is in the standard rather than in any single product, it affected essentially every WiFi device.

Fortunately, tech companies started releasing patches shortly after the flaw was disclosed. Earlier this month Apple fixed the security hole on iPhones, and several router manufacturers have released firmware updates that protect against KRACK attacks. Since the main attack targets the client side of the handshake, updating phones and laptops matters at least as much as updating the router: a patched client is protected even on an unpatched access point, while an unpatched client remains exposed.

The growing number (and size) of data breaches indicates that threats are outpacing security measures taken by organizations. Until companies can improve their security posture, the responsibility for keeping data breaches from doing serious damage will fall on individuals.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

The post The seven most colossal data breaches of 2017 appeared first on Malwarebytes Labs.

Go to Source
Author: Malwarebytes Labs

Tech support scammers make browser lockers more resilient

Tech support scammers have been relying on fraudulent pop-ups for many years in order to scare potential victims into calling for remote assistance. These so-called browser lockers (or browlocks) typically originate from malicious ads (malvertising) that can appear on any website, including trusted online portals.

The purpose of browser lockers is not only to scare but also to create the illusion that the computer has been locked, which is not quite true. What’s happened is simply that the browser is stuck in between a flurry of alert dialogs that won’t seem to go away, no matter how many times they are clicked on.

Google Chrome is often the most-targeted browser because of its dominant market share, but pop-ups come in as many flavors as there are browsers, with landing pages tailored to each. For example, a particularly vicious technique flooded the browser’s session history with history.pushState calls until the browser, and often the whole machine, became unresponsive while the fake pop-up was displayed.

Historically, browser makers have let users down by not being able to handle those tricks cleanly. However, they appear to have taken note, fixing many of the issues that have to do with poor user experience, while also suggesting other ways for (legitimate) webmasters to send notifications, for example via the proper Notifications API.

Unfortunately, crooks are adapting as well. Despite browser developers’ best intentions, browlocks are still the best bet to scam innocent folks. The following shows a browser locker that went into full screen mode after the user clicked somewhere on the page. Pressing the Escape key to exit full screen (as instructed by the browser) triggered a malicious loop in the code that prevented closing the fraudulent pop-up (without resorting to Task Manager):

This is a similar technique to what we reported on recently with persistent drive-by mining attacks in that it uses a pop-under as a “helper.” There are actually three different layers in play to make this work:

  • a background window in full screen mode
  • another window that is superimposed (triggered on click or Escape key)
  • the pop-under (triggered on click)

The crooks have positioned and sized the pop-under so that only the “Stay” part of the “Leave” or “Stay” dialog (the browser’s own beforeunload prompt) is visible, leaving users very little choice.
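The three-layer trick described above is a combination of ordinary browser features (a full-screen request, a beforeunload prompt, a pop-under via window.open, optionally a pushState flood and looping audio) plus scare wording and a toll-free number. As an added example that is not part of the Malwarebytes post, the following Python scores a landing page’s HTML for those building blocks. The indicator weights, the threshold and both sample pages are assumptions constructed for the demo; the weights would need tuning against real malvertising traffic before any production use.

```python
"""Added example (not from the Malwarebytes post): a static heuristic that
scores page HTML/JS for the browser-locker building blocks described in the
post. Both sample pages below are constructed for the demo, not real samples."""
import re

# (name, pattern, weight). Weights and threshold are assumptions for the demo.
INDICATORS = [
    ("fullscreen", re.compile(r"\.(?:webkit|moz|ms)?[rR]equestFull[sS]creen\s*\("), 2),
    ("beforeunload", re.compile(r"(?:onbeforeunload|addEventListener\(\s*['\"]beforeunload)"), 2),
    ("popunder", re.compile(r"window\.open\s*\("), 1),
    # pushState inside a loop body: the history-flooding variant mentioned in the post
    ("pushstate_flood", re.compile(r"(?:for|while)\s*\([^)]*\)\s*\{[^}]*history\.pushState"), 3),
    ("looping_audio", re.compile(r"<audio[^>]*\b(?:autoplay|loop)\b", re.I), 1),
    # North American toll-free prefixes, with optional 1 and separators
    ("toll_free_number", re.compile(r"\b1?[-\s.]?8(?:00|33|44|55|66|77|88)[-\s.]?\d{3}[-\s.]?\d{4}\b"), 2),
    ("scare_wording", re.compile(r"\b(?:virus|infected|locked|call (?:now|immediately)|microsoft technician)\b", re.I), 1),
]
THRESHOLD = 5

# Constructed browlock sketch: every layer from the post, 555-01xx number is fictional.
BROWLOCK_PAGE = """<html><body onclick="lock()">
<h1>Your computer is infected with a virus! Call Microsoft technician now: 1-888-555-0199</h1>
<audio autoplay loop src="alert.mp3"></audio>
<script>
function lock() {
  document.documentElement.requestFullscreen();
  window.open("helper.html", "_blank", "width=300,height=120,left=0,top=600");
  for (var i = 0; i < 10000; i++) { history.pushState(null, "", "#" + i); }
}
window.onbeforeunload = function () { return "Do not leave"; };
</script></body></html>"""

# Constructed benign page: a support number and a chat pop-up alone stay under threshold.
BENIGN_PAGE = """<html><body>
<h1>Quarterly report</h1>
<p>Questions? Call support at 1-800-555-0100 or open the chat widget.</p>
<script>
document.getElementById("chat").addEventListener("click", function () {
  window.open("/chat", "chat", "width=400,height=600");
});
</script></body></html>"""


def score_page(html):
    """Return (score, [indicator names found]) for one page's markup."""
    found = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in found)
    return score, found


def is_browlock(html, threshold=THRESHOLD):
    """Flag a page whose combined indicator weight reaches the threshold."""
    return score_page(html)[0] >= threshold


if __name__ == "__main__":
    for label, page in (("browlock", BROWLOCK_PAGE), ("benign", BENIGN_PAGE)):
        score, found = score_page(page)
        print(f"{label}: score={score} flagged={is_browlock(page)} {found}")
```

The point of weighting rather than matching any single feature is visible in the benign page: a toll-free number and a window.open call are common on legitimate sites, so neither should trip an alert on its own; it is the combination with a full-screen request, a beforeunload handler and a pushState loop that characterises a locker.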

Keep in mind that while the user is trying to close the page, an audio warning plays on a loop through the computer speakers, adding to the victim’s distress:


From a technical standpoint, browser lockers sit at the low end of the sophistication scale compared to malware such as ransomware. However, they benefit from great distribution channels via malvertising, which guarantees that millions of people encounter them. Consider that scammers charge an average of $400 per victim, and you soon realize that this is a highly profitable business.

On this blog, we have long said that awareness is critical in order to avoid falling for tech support scams, but we also recognize that browsers have a big role to play in how they handle and block such annoying alerts. Unfortunately, scammers try to trick people by abusing regular warnings and creating fake buttons. In the case mentioned above, it would have been possible to close the page from the beginning by clicking on the top window’s X before it went into full screen mode. But if a user can be enticed to perform a certain action, they essentially lock themselves out.

The rule of thumb here is to avoid panicking and simply close the browser via the Task Manager (if all else fails). Remember that the pop-ups themselves are usually harmless. You are safe as long as you haven’t dialed the toll-free number that is being advertised.

The post Tech support scammers make browser lockers more resilient appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura