Misleading advertisements lead to hijacked browser settings
A few hours ago Mrs. W was looking to install a fresh copy of iTunes on her PC and performed a quick Google search.
Above the first (and correct) result was an ad. Nothing unusual about that, except that this particular ad screamed "SCAM!" [Screenshot]
As you can see, the URL could lead one to believe it is the iTunes download site, so I thought I would check it out.
The site I arrived at had a long list of legitimate applications with links to download them, including the one Mrs. W was interested in, iTunes. [Screenshot]
This is where it is handy to have a virus lab hanging around. You can look into these things safely and see what the scam artists are up to with little to no risk.
I clicked the download button and was taken to a page with information on iTunes, some of which was very misleading. [Screenshot]
Continued : http://nakedsecurity.sophos.com/2014/02/05/misleading-advertisements-lead-to-hijacked-browser-settings/
Chrome Pop-Up to Warn Windows Users of Browser Hijacking
A rising number of online scams involve the modification of browser settings where a hacker spikes a free download or website with malware. The end result is generally a click-fraud scheme of some kind where the new browser settings might include spiked search engine pages or a new home page enticing the user to click on a link where the attacker would profit from the click.
Google says hijacked settings are Chrome users' No. 1 complaint, and late last week it enhanced an existing feature in the browser to get a little more in your face about fending off hijacking attempts.
Vice president of engineering Linus Upson said from now on, Windows users will be prompted via a dialog box that appears if Chrome settings have been changed. The warning will ask users if they would like to reset their Chrome settings to their original default.
Firefox 27 is out - Tuesday's 2nd non-Patch-Tuesday update
Even though yesterday wasn't a Patch Tuesday, we ended up with two major browser-related updates: an unscheduled Adobe Flash patch, and an update from Firefox 26 to Firefox 27.
Adobe's update came early when the company became aware of a vulnerability that was already being exploited (a so-called zero day).
Firefox's update is an as-expected release, but it nevertheless closes the door on a number of so-far unexploited vulnerabilities.
Security holes patched proactively in this way can never be zero days, at least in theory, but if you don't apply security fixes promptly when they become available, you run the risk of being hit by what might as well be a zero day: a working exploit that appeared before you had closed the hole. [Screenshot]
Continued : http://nakedsecurity.sophos.com/2014/02/05/firefox-27-is-out-tuesdays-second-non-patch-tuesday-update/
Updates February 04, 2014: Mozilla Firefox v27.0 released
Vulnerabilities / Fixes : Mozilla Firefox Multiple Vulnerabilities
Alleged Silk Road Founder Indicted Again, This Time in NY
Federal authorities today announced a Grand Jury indictment against Ross Ulbricht, the alleged founder and owner of the underground drug emporium Silk Road.
The indictment, in New York, includes one count for narcotics conspiracy, one count of running a criminal enterprise, one count of conspiracy to commit computer hacking and one count of money laundering, according to the indictment (pdf).
It's the second indictment for the 29-year-old, who was arrested last October in San Francisco. Ulbricht was previously charged in New York at the time of his arrest, but authorities had until December to obtain an indictment against him based on new evidence seized. They sought an extension of that time and announced the indictment today.
Continued : http://www.wired.com/threatlevel/2014/02/ross-ulbricht-indictment-ny/
How to Call Ransomware's Bluff
If your files have been taken over by the CryptoLocker ransomware, you had better hope your backups are current. Sure, you can pay the ransom, but that doesn't guarantee you'll get your files freed from hostile encryption. And if ransomware has taken over all of Windows, your best bet is a bootable rescue CD. But there's a new kind of ransomware spreading, a type that really doesn't have any teeth. I'll explain how to recognize it, and how to call its bluff.
Why would anybody write a ransomware program that can't make good on its threats? Well, all of the antivirus vendors naturally jump to develop protection against a high-profile threat like CryptoLocker. Every little change in its behavior is big news. And the system-level activities required by a ransomware tool that prevents normal Windows bootup are relatively easy to detect.
This new "paper tiger" type of ransomware escapes detection because it really doesn't do much. It displays its text and images, like any other Web page, and it uses (or abuses) a common website tool that's actually needed by perfectly valid sites. That's it. And naturally the perpetrators constantly switch URLs, so a URL blacklist won't help.
Continued : http://securitywatch.pcmag.com/hacking/320316-how-to-call-ransomware-s-bluff
File Your Taxes Before the Fraudsters Do
Jan. 31 marked the start of the 2014 tax filing season, and if you haven't yet started working on your returns, here's another reason to get motivated: Tax fraudsters and identity thieves may very well beat you to it.
According to a 2013 report from the Treasury Inspector General's office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
There are countless shops in the cybercrime underground selling data that is especially useful for scammers engaged in tax return fraud. Typically, these shops will identify their wares as "fullz," which include a consumer's first name, last name, middle name, email address (and in some cases email password), physical address, phone number, date of birth, and Social Security number. [Screenshot]
The shop pictured above, for example, caters to tax fraudsters, as evidenced by its advice to customers of the service, which can be used to find information that might help scammers establish lines of credit (PayPal accounts, credit cards) in someone else's name:
Abused update of GOM Player poses a threat
From the Kaspersky Lab Weblog:
Several media reported the news on January 7th, 2014, that a PC associated with "Monju" (the Fast Breeder Reactor of the Japan Atomic Energy Agency) was infected by malware and there was a suspicion of information leaks. Some pointed out that the infection had possibly been led by the abuse of the legitimate update of "GOM Player", which made it big news. GOM Player is a free media player with popular video/audio codecs built-in, favored by many Japanese people. It is different from similar free media players in some notable points: it supports major file formats such as AVI, DAT, DivX, MPEG, WMV to name just some; and it officially deploys a Japanese version. Its users are said to be more than 6 million in Japan.
We received the sample file named "GoMPLAYER_JPSETUP.EXE": [Screenshot]
The sample is an executable file compressed in RAR format. When it is executed, it unpacks itself and runs the executable file included in the archive. Fig1 shows the files included in the RAR archive:
Fig1: Files within "GoMPLAYER_JPSETUP.EXE" [Screenshot]
Continued : http://www.securelist.com/en/blog/208216055/Abused_update_of_GOM_Player_poses_a_threat
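The Kaspersky excerpt describes a sample that is a PE executable with a RAR archive packed inside it, which unpacks and runs the embedded file when launched. As an added example (not code from the Kaspersky post or this thread), the Python helper below flags that layout for triage: it parses the PE section table to find where the declared image ends and reports any RAR 4/5 signature, noting whether it sits in the overlay beyond the last section. The sample bytes are a constructed minimal PE, not the real "GoMPLAYER_JPSETUP.EXE".

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archive marker
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive marker


def pe_overlay_offset(data):
    """Return the file offset just past the last raw PE section (start of any
    overlay), or None when the bytes are not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size
    end = sec_table + num_sections * 40
    if end > len(data):
        return None  # truncated or malformed section table
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_rar(data):
    """List every RAR signature in the blob with its offset, RAR version and
    whether it lies in the PE overlay (the usual spot for an SFX payload)."""
    overlay = pe_overlay_offset(data)
    hits = []
    for sig, ver in ((RAR5_SIG, 5), (RAR4_SIG, 4)):
        pos = data.find(sig)
        while pos != -1:
            hits.append({"offset": pos, "version": ver,
                         "in_overlay": overlay is not None and pos >= overlay})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample():
    """Constructed stand-in for an SFX: minimal PE (one section, no optional
    header) with a RAR5 marker appended as overlay. Not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80,
                                        0, 0, 0, 0, 0x60000020)
    img = dos + coff + sect + b"\x90" * 0x10                          # section data at 0x80
    return img + RAR5_SIG + b"\x00" * 8                              # overlay starts at 0x90
```

A hit with `in_overlay` set is the pattern to escalate: the PE image itself may look clean while the archive and its payload ride along after the last section.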
These Guys Battled BlackPOS at a Retailer
Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target's cash registers.
Recently, I spoke at length with Tom Arnold and Paul Guthrie, co-founders of PSC, a security firm that consults for businesses on payment security and compliance. In early 2013, these two experts worked directly on a retail data breach that involved a version of BlackPOS. They agreed to talk about their knowledge of this malware, and how the attackers worked to defeat the security of the retail client (not named in this story).
While some of this discussion may be geektacular at times (what I affectionately like to call "Geek Factor 5"), there's something in here for everyone. Their observations about the methods and approaches used in this attack point to an adversary that is skilled, organized, patient and thorough.
So you first saw BlackPOS at a retailer in early January 2013?
Continued : http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retailer/
Target Hackers Broke in Via HVAC Company
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
Sources close to the investigation said the attackers first broke into the retailer's network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company's offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company's homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe's, Whole Foods and BJ's Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.
Continued : http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
The Rise of Android Scarevertising
"Malwarebytes Unpacked" Blog:
Android scareware, in the form of mobile advertising pop-ups that alert to a potential infection on your device, is on the rise. Fellow researcher Jerome Segura came across one using similar tactics we've written about in the past.
In this scam, the mobile ad pop-up warns of my device having 13 infections and offers a way to remove them. [Screenshot]
There is no actual scan or malware found, but links to an app with an unfamiliar name in security, Teebik. I was unable to find much information about Teebik Mobile Security.
Teebik's Facebook page is interesting in that their "Contact Info" links to Lookout Security and under "About" it says Armor for Android — two different companies with their own Mobile Security offerings — perhaps Teebik's way of adding some legitimacy; most customers wouldn't know the difference. [Screenshot]
Typically these scareware tactics are used by malicious apps, but what we're seeing more and more is advertisers using them to drive traffic to generate revenue.
British spies cyberattacked Anonymous hackers, Snowden docs
A British spy agency waged cyberattacks against the online chat rooms of Anonymous and LulzSec hacktivists, documents leaked by Edward Snowden (pdf) and obtained by NBC News reveal. And they used computerized "weapons" similar to those used by the hacktivists themselves to do it.
In a PowerPoint presentation created for the 2012 NSA conference SIGDEV, slides show that Government Communications Headquarters (GCHQ), Britain's NSA counterpart, used denial of service (DoS) attacks against IRC chat rooms used by Anonymous and LulzSec. The mission, dubbed Rolling Thunder, was carried out by GCHQ's special spy unit Joint Threat Research Intelligence Group (JTRIG), and is said to have scared off some 80 percent of the IRC chat room users.
Launched in 2011, Rolling Thunder came in response to Anonymous's late-2010 "Operation: Payback" campaign against PayPal, MasterCard, Visa, and others, which was itself launched in retaliation for these companies' blockage of donations to WikiLeaks. The hacktivists used a downloadable tool known as the Low Orbit Ion Cannon, or LOIC, to wage distributed denial of service (DDoS) attacks - which are similar to DoS attacks - against targeted websites.
Continued : http://www.digitaltrends.com/web/british-spies-attacked-anonymous-hackers/
GCHQ DoSed Anonymous' IRC server
GCHQ reportedly infiltrated and attacked hacktivist groups
UK government launched DoS attack against Anonymous hackers doing the same thing
Fake Flash App Targets Android
One of the early differences between iOS and Android was Flash support: Android had it, Apple ignored it. But it was short lived; even before the most recent version of Android, Flash was all but abandoned.
Still, people are very familiar with alerts from Adobe to update Flash on their computer. As F-Secure explained in their tip this week, this makes it a prime target for attackers trying to trick you into downloading malware.
This week, F-Secure analyzed a malicious application posing as Adobe Flash Player. "One of the most common social engineering tactics used by Android malware is pretending to be an update for a popular third-party application such as Adobe Flash Player," said F-Secure.
Though this particular application appears to be in Russian, F-Secure was unable to determine the origin of the app. But it's possible that this fake Flash app is being circulated on third-party Android marketplaces, which don't always have the same protections as Google Play. It's also possible that victims received text messages or emails encouraging them to download the malware.
Continued : http://securitywatch.pcmag.com/mobile-security/320339-mobile-threat-monday-fake-flash-app-targets-android
Sochi visitors entering hacking 'minefield' by firing up ..
"According to an NBC News report, Russian hackers are attacking Olympics visitors' computers and phones the instant they turn them on. Par for the course for the broken $51 billion event." - [VIDEO]
If you've read anything about the Sochi Olympics over the last few days, there's as much a chance that it was about broken and unfinished infrastructure as actual athletics. And now comes word that hackers are having a field day with unsuspecting Sochi visitors.
According to an NBC News report, unprepared Olympics attendees are being hacked the second they fire up their electronic devices.
NBC reporter Richard Engel worked with a security expert to set up two test computers in order to see just how quickly he'd be attacked when logging onto Russian networks. But, he reported, when sitting down at a cafe with the expert, "before we even finished our coffee" the bad actors had hit, downloading malware and "stealing my information and giving hackers the option to tap or even record my phone calls."
Continued : http://news.cnet.com/8301-1009_3-57618407-83/sochi-visitors-entering-hacking-minefield-by-firing-up-electronics/
Related: Hacked in Sochi in minutes: Russian cyberspace full of risks