Tag Archives: General

Avast

Apple removes malicious apps from App Store

Leave a comment
Apple slow internet

image via TechInsider

While the rest of us were soaking up the last of the season’s sunshine, Apple researchers spent the weekend removing hundreds of malicious apps for iPhone and iPad from the iOS App Store.

The recent exploit on Apple has shown us that even Apple’s system can be compromised quite easily,” said Avast security researcher Filip Chytry. “While this time nothing significant happened, it is a reminder that having everything under an Apple system could potentially make a system vulnerable.”

The malware seems to have been focused on Chinese users. Chinese media reported more than 300 apps including the popular instant messaging service WeChat, Uber-like taxi hailing program Didi Kuaidi, banks, airlines, and a popular music service were infected.

The malicious software programs got by Apple’s strict review process in an ingenious way. Hackers targeted legitimate app developers by uploading a fake version of Xcode, Apple’s development software used to create apps for iOS and OS X, to a Chinese server. It’s a large file, and reportedly quite slow to download from Apple’s U.S. servers, so to save time, unwitting Chinese developers bypassed the U.S. server and got their development tools from the faster Chinese server. Once their apps were completed, the malicious code traveled Trojan-horse style to the App Store.

“If hackers are able to exploit one entry point, they are able to attack all of the other iOS devices – and the fact that Apple doesn’t have a big variety of products makes it easier,” said Chytry.

Apps built using the counterfeit tool could allow the attackers to steal personal data, but there have been no reports of data theft from this attack.

“Regarding this specific vulnerability, consumers shouldn’t worry too much, as sandboxing is a regular part of the iOS system,” said Chytry.

A sandbox is a set of fine-grained controls that limit the app’s access to files, preferences, network resources, hardware, etc.

“As part of the sandboxing process, the system installs each app in its own sandbox directory, which acts as the home for the app and its data. So malware authors cannot easily access sensitive data within other apps,” said Chytry.

In a statement Apple said, “To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

Ads: Love or hate?

Leave a comment

Ad-injection is an increasingly annoying and dangerous problem

Ad injecting in action on Amazon

Malvertising attacks. Image via Google Security Blog

There are basically two reactions people have when they see ads in their browser. Some think they add interesting content and possibilities, insights and ideas or even, opportunities. The other group considers them as a distraction, an invasion and a disruption to what they were doing.

But most everyone will agree, once you begin something on your laptop or mobile, especially if it’s work-related task, you want to continue what you started. Lots of people get so into what they’re doing that they don’t see or think of anything else, and when an unwelcome ad comes through, it breaks the concentration. Some will say this is a man’s perspective. But even some women I talk to agree; even though they always say they are multitasking and (cough, cough) never lose focus.

When it comes to security, ads are becoming more and more a vehicle for malware. Ad-injecting malware is really a threat nowadays. Once on your device – computer or mobile – the malware will drop new ads into any (or most) sites you visit, sending ad revenue back to remote cybercriminals. For example, malicious porn ads use this type of redirection and clicking techniques.

Research conducted by Google from June to October of 2014 concluded that deceptive ad injection is a significant problem on the web today.  They identified tens of millions of instances of ad injection and detected 5.3 million different IP addresses infected with adware, 5% of the total testing group. The research also found that Superfish, one of the notorious businesses that have ad injection libraries,  was alive and well, not only pre-installed on Lenovo laptops, but breaking SSL protections for any other computer running it in background.

Ways to control unwanted ads in your browser

Inside Avast, we are convinced that adware toolbars and browser add-ons play an important role in the ads market.

Our Browser Cleanup feature detects millions of different adwares that target browsers.

TIP: Run Avast Browser Cleanup on your computer. It has identified more than 60 million different browser add-ons which are often bundled with free software, such as video players, Java and Flash updates.

Besides toolbars and browser add-ons, free software is often bundled with unwanted extra programs making it bloatware and a PUPs vector. Again, all the ad revenue is driven back to the bundles creators. Do we really need to see – and worse, have all that garbage installed in background?

TIP: Slow down when installing free software. Read all the screens and make sure you uncheck any boxes that ask you to install a 3rd party program that you don’t know anything about. You may even consider testing it in the Avast Sandbox first.

Another door for unwanted ads to enter is through outdated software which can be a backdoor for malvertising.

TIP: Keep your browser and software up-to-date. Avast Software Updater can help you keep up with that task.

You could read our blog to learn how to reduce data collection of Windows 10 or to correctly set your Facebook settings. However, there are other measures when it comes to webpages. There are two major ad blockers for browsers: AdBlock and uBlock.

TIP: Visit our user forum to learn and discuss the right ads protection for you. You will find some of our Evangelists that can guide you with easy-to-understand hints.

Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

What does the Avast Sandbox do?

Leave a comment
The Sandbox is like a hamster ball. It keeps potential troublemakers isolated.

The Sandbox is like a hamster ball. It keeps potential troublemakers isolated.

The Avast Sandbox lets you run a questionable program without risking your computer.

The Avast Sandbox is a special security feature which allows you to run potentially suspicious applications automatically in a completely isolated environment. This is particularly useful if you don’t completely trust whatever you just downloaded or you visit dodgy websites because programs running within the sandbox have limited access to your files and system, so there is no risk to your computer or any of your other files.

Here’s how it works: By default, if an application is started and Avast detects anything suspicious, it will automatically run the application in the Sandbox.  The advantage of running an application in the Sandbox is that it allows you to check suspicious applications while remaining completely protected against any malicious actions that an infected application might try to perform.

The browser or other application will then open in a special window, indicating that it is being run inside the Sandbox. When the Sandbox is closed, it will be restored to its original state and any downloaded files or changed browser settings will be automatically deleted.

Avast Sandbox

The sandbox window in Avast Premier.

The Avast Sandbox is part of Avast Premier 2015, Avast Internet Security 2015 and Avast Pro Antivirus 2015.

 

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

Taking a closer look at cracked Ashley Madison passwords

Leave a comment
Photo via The Times UK

Photo via The Times UK

People create terrible passwords. As simple as this might sound it unfortunately remains news to millions — if not billions — of individuals who use the Internet. As proof, we’ll take a look at a selection of passwords that were revealed in the Ashley Madison leak.

Regardless of any shortcomings Ashley Madison had in terms of securing their perimeter against breaches, one thing that they did right (to the surprise of many security researchers and disappointment of many black hats) was encrypting their users’ passwords.

The leak contained a database of around 36 million usernames, with bcrypt-hashed passwords. There is no known way to crack all of these passwords before the heat death of the universe, especially assuming that some are truly random, but we can crack the worst ones.

Conveniently, the web is full of known-password lists that anyone can just download. The two we chose for this crack, which are widely available, are the so-called 500 worst passwords of all time (compiled in 2008) and the 14-million-strong password list from the rockyou hack.

Cracking the bcrypt

It should be noted that we did not use the full list of 36 million password hashes from the Ashley Madison leak; we only used the first million. So, that may skew the results towards passwords created near the beginning of the site’s existence, rather than the end. Also, since the system used contains a 6-core CPU and two GTX 970 GPUs, we set the CPU to test the 500 worst list, and the GPUs to test the rockyou list. Because we’re SMRT, we used the same million for both the CPU and GPU cracks, which therefore produced redundant results in our output files. This has the side-effect of being less efficient overall, but allows us to make an apples-to-oranges comparison of the effectiveness of the two password lists, as well as the CPU vs GPU cracking speed.

Before we get into the results, let’s take a quick diversion to explain why this hack was so difficult and only revealed a small number of passwords.

What is encryption? What is bcrypt? Why is it significant?

If you know the answer to these questions, you may safely skip this section and move on to the juicy innards of the dissection. For those who stick around, we’ll try to keep it simple… no promises.

Encryption algorithms can be broken into two broad categories: reversible and irreversible. Both have their uses in different contexts. For example, a secure website, such as Google, wants to send you data, and wants you to see the data that it sends you. This would be a case for reversible encryption:

[ plain text ] -> (encryption black box) -> encrypted data -> (decryption black box) -> [ plain text ]

The other method is irreversible encryption, which looks more like this:

[ plain text ] -> (encryption black box) -> encrypted data

Notice that there’s no decryption — the encryption black box makes that impossible. This is how passwords are stored on a server administered by someone who cares about security.

At first glance, this seems a bit strange. “If my password is encrypted and you can’t reverse the encryption, how do you know if the password is correct?”, one might inquire. Great question!  The secret sauce lies in the fact that the encryption black box will always produce the same output with the same input. So, if I have some plain text that is claiming to be the password, I can input that text into the black box, and if the encrypted data matches, then I know that the password is correct. Otherwise, the password is incorrect.

There are many irreversible encryption algorithms (the more formal word for “black box”), including but not limited to:

  • md5
  • sha1
  • sha2 (sometimes shown as sha256 or sha512 to indicate its strength)
  • PBKDF and PBKDF2
  • bcrypt

All of these algorithms take an input password and produce an encrypted output known as a “hash”. Hashes are stored in a database along with the user’s email or ID.

From the above list, md5 is the simplest and fastest algorithm. This speed makes it the worst choice of encryption algorithm for passwords, but nonetheless, it is still the most common. It’s still better than what an estimated 30% of websites do, which is store passwords in plaintext. So why is being fast bad for an encryption algorithm?

The problem lies in the way that passwords are “cracked”, meaning that given a hash, the process of determining what the input password is. Since the algorithm can’t be reversed, a hacker must guess what the password might be, run it through the encryption algorithm, and check the output. The faster the algorithm, the more guesses the attacker can make per second on each hash, and the more passwords can be cracked in a given amount of time with the available hardware.

To put the numbers in perspective, a common password cracking utility, hashcat, can do about 8.5 billion guesses per second on a GeForce GTX 970 (this is not the best card on the market, but we happen to have two available for use). This means that one card could take the top 100,000 words used in the English language and guess the entire list of words against each md5 password hash in a database of 85,000 hashes in a single second.

If you want to test every two-word combination of words from the top 100,000 (10 billion guesses per password hash), it would take 1.2 seconds per hash, or just over a day to test that same list of 85,000 hashes. And that’s assuming we have to try every possible combination on each password hash, which, given how common terrible passwords are, is likely not the case.

Enter bcrypt.  

By design, bcrypt is slow. The same card that can test 8.5 billion hashes per second with md5 can test on the order of 50 per second with bcrypt. Not 50 million, or even 50 thousand. Just 50. For that same list of 85,000 passwords being tested against 100,000 common English words that took one second with md5, bcrypt would take over 50 years. This is why security experts unanimously agree that bcrypt is currently one of the best choices to use when storing password hashes.

But, even it only protects good passwords.

Enough about bcrypt — what did we find?

After about two weeks of runtime, the CPU found 17,217 passwords and the GPU found 9,777, for a total of 26,994; however, 25,393 were unique hashes, meaning that the CPU and GPU redundantly cracked 1,601 hashes. That’s a little bit of wasted compute time, but overall not bad. Of the 25,393 hashes cracked, there were only 1,064 unique passwords.

For reference, the top 20 most common passwords according to the 500-worst list are:

1:123456

2:password

3:12345678

4:1234

5:pussy

6:12345

7:dragon

8:qwerty

9:696969

10:mustang

11:letmein

12:baseball

13:master

14:michael

15:football

16:shadow

17:monkey

18:abc123

19:pass

20:fuckme

Below are the top 20 from the Ashley Madison list cracked so far, formatted as “rank: count password”:

1:   6495 123456

2:   3268 password

3:   2024 12345

4:    880 12345678

5:    768 qwerty

6:    453 pussy

7:    248 secret

8:    209 dragon

9:    201 welcome

10:    198 ginger

11:    173 sparky

12:    168 helpme

13:    164 blowjob

14:    152 nicole

15:    134 justin

16:    129 camaro

17:    120 johnson

18:    117 yamaha

19:    113 midnight

20:    103 chris

It’s important to note that this ranking is NOT the ranking of passwords used by the users of Ashley Madison at large. It is simply the ranking of passwords cracked so far from a subset of 1 million users of the site, which may also be the first (oldest) million. And by “so far”, we mean that the CPU crack is about 4.8% complete, and the GPU crack is about 0.0008% complete. The estimated completion time is so far in the future, hashcat is having a difficult time computing it, but it’s certainly on the order of decades or centuries.

Given those caveats, we can still make a few conclusions about the data with high confidence:

  • “123456” and “password” reign supreme as the two worst possible and most-used passwords. They are constantly encroached by “12345678” and “qwerty”.
  • “pussy” is, surprisingly, not significantly more or less common on a website promoting marital infidelity than it is on the web at large.
  • “helpme” is, we think unsurprisingly, more common.
  • “blowjob” is likely what many users want out of their membership on the site.
  • Female names or nicknames appear to also be relatively common. Especially “ashley” and “madison”, for some unknown reason.

If you’re interested, here are the results of just the CPU crack so far using the 500-worst list:

1:   6495 123456

2:   3268 password

3:   1940 12345

4:    880 12345678

5:    716 qwerty

6:    454 pussy

7:    233 secret

8:    202 dragon

9:    201 welcome

10:    198 ginger

11:    173 sparky

12:    168 helpme

13:    164 blowjob

14:    152 nicole

15:    129 camaro

16:    128 justin

17:    120 johnson

18:    113 midnight

19:    110 yamaha

20:    103 chris

And just the GPU crack so far using the rockyou list:

1:    619 123456

2:    349 password

3:    279 12345

4:    116 qwerty

5:    103 123456789

6:     83 696969

7:     82 abc123

8:     82 12345678

9:     76 football

10:     73 baseball

11:     71 1234567

12:     70 fuckme

13:     69 ashley

14:     61 fuckyou

15:     58 asshole

16:     57 mustang

17:     52 superman

18:     50 111111

19:     47 password1

20:     47 hockey

This list is a little different from the list that another security researcher came up with using the same rockyou wordlist on the first 6 million passwords, but at least the top few are pretty consistent.

Outside of the top 20, there are some other interesting observations. Again, none of these are conclusive or precise, and even the order-of-magnitude may be off, but the sample size is at least large enough to see some trends:

There are at least 25 unique passwords with the word “love” in them:

78:     27 iloveyou

132:     18 lover

236:     11 lovers

237:     11 loverboy

266:     10 mylove

270:     10 loveme

304:      9 lovely

338:      8 onelove

454:      6 lovebug

522:      5 loveyou

606:      4 lovelove

723:      3 iloveu

828:      2 lover1

848:      2 iloveyou1

849:      2 iloveme

918:      1 truelove

969:      1 loveya

970:      1 loves

971:      1 loveme1

972:      1 lovehurts

973:      1 love123

974:      1 love12

985:      1 iloveyou2

987:      1 iloveu2

1038:      1 babylove

We’re not sure how sincere those 8+ people are who used “onelove”, or if those 27+ people using “iloveyou” are lying or using “you” as a plural, but we’re pretty sure those 2+ people who used “iloveme” were at least honest with their password. And “babylove” is a bit weird.

The passwords “fuckme” and “fuckyou” were both used by 60+ people, which in this test was about as common as “baseball” and “football”:

31:     76 football

33:     73 baseball

34:     70 fuckme

38:     61 fuckyou

76:     28 fuckoff

105:     21 basketball

217:     12 fuckyou1

241:     11 fuckyou2

274:     10 football1

308:      9 fucker

431:      6 softball

500:      5 snowball

547:      5 baller

The password “panther” was also pretty common, ranking about 40th. If you are unsure why that is, it’s the opposite of “cougar”, which did not appear on the list. It’s not hard to guess what a lot of the site’s men wanted, and what demographics they fell into. There were only 3 unique passwords that we found referencing large cat species, and the other two likely reference sports teams:

40:     59 panther

259:     10 tigers

337:      8 panthers

Tigger is plausibly the most popular Winnie the Pooh character among Ashley Madison users:

108:     20 tigger

158:     16 christopher

390:      7 rabbit

443:      6 poohbear

590:      4 piglet

658:      3 winnie

664:      3 tigger1

870:      2 eeyore

Kanga and Roo fans will be disappointed, and Gopher doesn’t really count anyway.

Only 3 unique superheroes that we found:

44:     52 superman

94:     24 batman

295:      9 spiderman

380:      7 superman1

But on the bright side, “superman” is about as popular as “boobs” and “asshole”.

There were 76+ unique all-numeric passwords found, with the top 20 being:

1:   6495 123456

3:   2010 12345

4:    880 12345678

21:    101 123456789

29:     81 696969

32:     74 1234

35:     70 1234567

47:     50 111111

58:     38 654321

68:     33 121212

75:     29 1234567890

83:     26 54321

84:     26 123123

85:     26 000000

90:     25 11111

96:     24 131313

113:     20 666666

126:     19 222222

162:     16 777777

163:     16 55555

The only surprising thing about this is that, given the site in question, why 696969 isn’t ranked higher. And no, 8675309 was not in the list (although someone probably did use it, we just hadn’t found it).

This string of words caught our eyes:

118:     19 newyork

119:     19 maggie

120:     19 jackass

121:     19 dallas

122:     19 cowboy

123:     19 cookie

We’re not going to read anything into that.

Or this:

127:     18 taylor

128:     18 stupid

129:     18 princess

130:     18 patrick

131:     18 mother

132:     18 lover

George Carlin’s Seven Dirty Words didn’t all make an appearance (yet), but the list included a few additional profanities:

6:    450 pussy

34:     70 fuckme

38:     61 fuckyou

42:     57 asshole

76:     28 fuckoff

120:     19 jackass

176:     15 bullshit

217:     12 fuckyou1

241:     11 fuckyou2

308:      9 fucker

680:      3 pussycat

871:      2 dick

The months were not evenly represented:

277:     10 december

339:      8 november

502:      5 september

550:      5 august

645:      4 april

721:      3 january

Nor were the States:

118:     19 newyork

134:     18 dakota

243:     11 florida

352:      8 georgia

363:      8 california

395:      7 mississippi

404:      7 hawaii

414:      7 carolina

659:      3 virginia

Searching for the word “star” brought up “starwars”, but not “startrek”:

97:     23 stars

227:     11 starwars

231:     11 rockstar

326:      8 superstar

Below are a few amusing passwords, in that multiple people used them:

186:     14 police

189:     14 justme

348:      8 internet

351:      8 google

366:      8 booger

403:      7 hotmail

497:      5 unicorn

548:      5 badgirl

549:      5 babyboy

592:      4 peewee

620:      4 gangsta

621:      4 friend

632:      4 creative

699:      3 loser

737:      3 disney

860:      2 genius

861:      2 gangster

Creative?  Genius?  Just you?  I think not.

Conclusion

There is no excuse for using terrible passwords, considering that the usage of intelligent passwords plays a key role in keeping you safe from attacks and breaches. Even with one of the strongest password encryption algorithms out there, it was trivial to get a large list of weak passwords by checking known passwords against the list of hashes.

As citizens of the Internet, it’s up to us to choose strong passwords. We are responsible for our own security, and cannot trust anyone on the Internet to do it for us. Especially not a company whose mission is to promote cheating.

Are there any other trends you’d like us to look for in the recovered passwords list? Let us know by leaving a comment below! Do you have an Ashley Madison account?  If so, are you worried that your password might be leaked? Leave your username and password in the comments and we’ll check for it! (Just kidding, please don’t do that.)

If you ever had an Ashley Madison account created before July 15th, 2015, then the hash was definitely leaked. The password may have been cracked already by us or someone else, especially if it was weak. If you haven’t already, go and change it. Even if it was strong, change it anyway. Here is a useful guide on how to create a strong password. Better yet, use a password manager, and only create one strong password that you must remember, and use randomly generated passwords for the rest.

Stay smart and be safe out there!

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

Mr. Robot Review: zer0-day.avi

Leave a comment

via: USA Networks

The season finale of Mr. Robot left me asking myself many questions. The big question that most of the characters in the show asked themselves as well was: Where is Tyrell?

What exactly happened while Elliot was in Tyrell’s car? Did Tyrell execute the plan to bring down E Corp or did Elliot? Why is Angela now working for E Corp? Who really put that video of Elliot falling from the boardwalk on the James Bond-like sunglasses USB stick? Did Angela really have to go shopping for designer shoes after James Plouffe’s suicide? Does she not own more than one pair of high heels? Who is knocking on Elliot’s door at the end of the episode?

I admit, I initially stopped watching as the credits came, but then I read online that that was a big mistake. There is a scene that comes after the credits, which, of course, left me asking myself two more questions: Why is White Rose meeting with the CEO of E Corp? Does E Corp really know that Elliot is behind the take down?

However, one very important question that I have been asking myself for the last 15 years was finally answered in this episode. FSociety let the dogs out.

In addition to the numerous plot questions, I had two technical questions after watching the episode. I sat down with senior malware analyst, Jaromir Horejsi, who kindly answered my questions for me.

In the opening scene, Krista meets with her ex-boyfriend Michael, aka Lenny. Lenny needs more evidence to prosecute Elliot. “He was routing through something called proxies or something, out in Estonia, he’s untraceable,” Lenny told Krista.

Stefanie: What is a proxy? How did this process make Elliot untraceable?

Jaromir:  A proxy, or proxy server, acts as the middleman when you request information from servers over the web. Proxies are used for a variety of reasons. Schools and commercial organizations sometimes use proxies to control which content is accessed within the school or organization. Proxies can also be used to circumvent geo-location content restrictions. In this case, the person’s true IP address is not revealed to the server the person is accessing, rather the person connects to the server via a proxy located in a different country.

In this case, Elliot used a proxy to anonymize his web traffic. The server that Elliot requests a web page from receives his request from an anonymizing proxy server, which in the example Lenny gives, was located in Estonia. The proxy server then forwards the web page to Elliot. If configured properly, anonymizing proxy servers delete all logs and traces of requests made ,in addition to keeping the user’s IP address anonymous.

At minute 14:35  Elliot tries to figure out what exactly happened. He mentions a simple program, a worm that can make data unreadable. Malware that took Darlene maybe two hours to code. He also mentions that Darlene encrypted everything with 256-bit AES and that because of this, it would take an incomprehensible amount of time to crack the encryption.

Stefanie: What is 256-bit AES and why is it so hard to decrypt?

Jaromir: AES is an encryption method that was established by the U.S. National Institute of Standards and Technology. AES is a symmetric-key algorithm, which means the key used to encrypt the data is the same key that can decrypt the data. The lengths of the encryption key can be three different lengths: 128, 192 and 256 bits.

A 256-bit AES key is made up of 256 bits, which are made up of 1s and 0s. Meaning the key has 2e256  possible combinations, making it impossible to crack. A year ago, a reddit user posted his calculations of how long it would take to crack a 256-bit AES encryption. Here are his results:  “The universe itself only existed for 14 billion (1.4e10) years. It would take ~6.7e40 times longer than the age of the universe to exhaust half of the keyspace of a AES-256 key.”

I would like to thank all of the Avast experts who helped me understand the Mr. Robot hacks this season and look forward to discussing season two’s hacks with you :)

What did you think of the finale episode? Let us know us know in the comments below!

 

Avast

Apple jailbroken phones hit with malware

Leave a comment
Chinese jailbroken iPhone users targeted

Chinese jailbroken iPhone users targeted

“Biggest iPhone hack ever” attacks jailbroken phones

In what has been called the biggest iPhone hack ever, 250,000 Apple accounts were hijacked. That’s the bad news.

The good news is that most Apple device users are safe. Why? Because the malware dubbed KeyRaider by researchers at Palo Alto Networks, only infects “jailbroken” iOS devices. (there’s that bad news again)

When you jailbreak a device like an iPhone or iPad, it unlocks the device so you can do more with it like customize the look and ringtones, install apps the Apple normally would not allow, and even switch carriers!

The KeyRaider malware entered the jailbroken iPhones and iPads via Cydia, a compatible but unauthorized app store, which allows people to download apps that  didn’t meet Apple’s content guidelines onto their devices. The malware intercepts iTunes traffic on the device to steal data like Apple passwords, usernames, and device GUID (“Globally Unique Identifier” which is your ID number similar to your car’s VIN). Users reported that hackers used their stolen Apple accounts to download applications from the official App Store and make in-app purchases without paying. At least one incident of ransomware was reported.

Chinese iPhone users with jailbroken phones where the primary attack target, but researchers also found incidents in 17 other countries including the United States, France, and Russia.

Other potential risks associated with the hack

  • Taking control of the device through iCloud and stealing private data like contact lists, photos, emails, and iMessage logs. This is reminiscent of the celebrity iCloud hack where compromising photos were leaked.
  • Apple account usernames can be sold to spammers which could then use it for premium SMS.
  • Unscrupulous developers can use the stolen data to raise their app installation count which results in a better position in the App Store rankings. Since the victims reported abnormal downloading activity in their App Store, this is quite likely.

The best way to protect yourself from KeyRaider and similar malware is to keep your iPhone or iPad the way it was intended, that means never jailbreaking your device.

The researchers who discovered this malware offer a service on their website to query whether your Apple account was stolen.

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

Technical support phone scams are still going strong

Leave a comment

Every day, millions of people get scam phone calls. In the U.S. alone there are more than 86 million scam calls each month.

Consumer phone scammers often use cheap robocalling services; automatic dialers that make thousands of phone calls every minute for a low cost. They hope to catch someone who is not aware of the system or hasn’t heard of phone scams. A recorded message will say you qualify for a special program to lower your credit card interest rate or that something is wrong with your computer. When you press a number to learn more, the scam kicks in. The unfortunate victims are often elderly people, recent immigrants, and young college students.

Elderly people are targeted for phone scams

Elderly people are targeted for phone scams

‘We have detected a virus’

The most popular type of phone scam is the bogus tech support claim. The one that has been around for a few years (also read Don’t be fooled by support scams) involves a caller claiming they are a computer technician employed by Microsoft, McAfee, or even, Avast. They say they have detected a problem, commonly a virus or malware, on your computer and can fix it for a fee – sometimes as high as $450.

Once the frightened consumer agrees, the phone scammer has them download software for remote access. You can imagine what changes a crook can make to computer settings which allows them access later.

Other tactics tech support scammers take include:

  • Enroll their victim in a bogus computer maintenance program
  • Collect credit card information to bill for services
  • Install malware that can steal personally identifiable information like passwords and account numbers

‘Your computer is damaged’

Another type of tech support scam begins with a pop-up message designed to scare the user which says, “Your computer is damaged.” These scams usually occur after the computer user downloads software that includes a toolbar, an unwanted add-on, or adware. When the user clicks the pop-up to learn more, they are redirected to a website with instructions to call a number to activate or register the bogus software. From there the scam looks similar to the previous technical support scam in which they try to sell other products or services.

How to protect yourself from tech support scams

Be cautious when installing free software. Some programs include additional software that is bundled with the regular download. Make sure you uncheck any boxes for additional software installations.

Activate Avast ‘Potentially Unwanted Programs’ (PUPs) detection. PUPs include search bars, intrusive adware, and browser extensions that Avast does not detect by default. To enable this detection open the Avast program and go to Settings. Click Customize next to Web Shield. Go to Sensitivity and put a check mark beside PUP and suspicious files.

Do not give control of your computer to a person that calls out of the blue claiming to be from tech support. If it is a real technical support person, then they will schedule a time to call you.

Never share your credit card information or passwords with someone who calls you claiming to be from technical support.

Make sure your antivirus software is up-to-date and running, and apply security patches and updates to your browser and software.

 

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.