Tag Archives: Malware

Week in security: Home Depot speaks, Gmail and Android ‘leak’

American home-improvers haven’t had a great week, with Home Depot once again dominating the security news – and this week, Android and Gmail users have had things to fret over, too. On the home improvement front, not only has Home Depot confirmed a large-scale data breach at the world’s largest home improvement chain, but the indefatigable security reporter Brian Krebs has uncovered evidence that PIN-protected debit card data stolen in the breach is being used for large-scale fraud, thanks to weak protection against criminals changing PIN codes by phone using basic information such as ZIP codes.

Meanwhile, University of New Haven researchers tormented Android chat app users all week, with a series of videos showing just how leaky chat apps on the platform could be: a dozen apps were shown to have serious privacy issues, including big names such as Instagram, OoVoo, OKCupid and Grindr.

Many Gmail passwords were changed in a hurry, too, as a dump of five million usernames and passwords appeared online. Things turned out not to be QUITE as bad as they seemed, but it might be time to change that dusty old password anyway…

Security news: Home Depot tops the bill, again

The news for anyone who’s shopped in Home Depot’s American stores, and used plastic, started bad, and is just getting worse and worse.

This week, the world’s largest home improvement chain store, Home Depot, confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.

Reports by security reporter Brian Krebs broke the even more unwelcome news that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.

In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and that the chain will offer free identity protection and credit monitoring to such customers. Customers who shopped online or in Mexico have not been affected, the release said.

ESET senior security researcher Stephen Cobb offers an important reminder about who the real villains are in such hacks: it’s not the beleaguered corporations themselves, but the criminals who install malware in shop POS terminals to steal from the innocent. In a thoughtful blog post, Cobb analyzes where guilt REALLY lies in both the recent leak of celebrity photos and the Home Depot hack.

Gmail: Passwords leaked online, but service ‘not hacked’

Users of Google Mail got a fright earlier this week when a dump of what appeared to be five million username-password combinations for the site appeared online on a Russian Bitcoin security forum.

The truth, however, wasn’t quite as bad as it appeared, although if you haven’t changed your Gmail password in years, it might be worth a quick refresh.

Google pointed out in an official statement that less than 2% of the leaked passwords actually worked – although, as Forbes points out, that is still 100,000 passwords which do – and there was speculation that the list had simply been cobbled together from hacks on other sites where a Google address was used as a login.

ESET senior security researcher Stephen Cobb wrote, “The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.”

“A website called isleaked.com appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site – Have I been pwned – which is run by Troy Hunt, a trusted Microsoft MVP.”

Chat apps fingered for leaking data

Chat apps on Android are not a particularly good way to have a genuinely private conversation, it seems – University of New Haven researchers spent the week drip-feeding a series of videos showing serious security flaws in everything from Instagram to OoVoo and from OKCupid to Grindr.

With many of the most popular chat apps on Android affected, tech news site CNET calculates that nearly a billion (968 million) users could be putting highly private data in the hands of apps that transmit and store it unencrypted.

Many of the Android apps (the researchers focused on Android rather than iOS, although there is no evidence the iOS apps behave differently) send text wirelessly unencrypted, and store images on servers for weeks without encryption or authentication.

The researchers used PC ‘sniffer’ software such as Wireshark and Network Miner to monitor the data transmitted by the apps, and found images and text transmitted and stored unencrypted – and potentially at risk from snoopers.

Facebook freaks out world… again

A simple case of mistaken identity? Or a dark hint at what Facebook’s algorithms might be able to do? The answer might well be both, after a young data scientist was mistakenly ‘tagged’ in a series of photos he’d posted – of his mother as a young woman.

The case raised several intriguing questions: for instance, if genetic similarities are enough to trigger mistaken identity, could Facebook’s algorithms identify someone who had never used the site?

And could the biometric identification systems in use by law enforcement mistake someone for a relative?

Fred Benenson, who was mistaken for his (very similar-looking) mother, said that the “oddly compelling” incident “opens the door to larger and more difficult questions,” according to a report in The Verge.

Clearly, in this case, they made an error, says Benenson, a data scientist at Kickstarter, but he said the case raises serious questions: “What about the cases where this algorithm isn’t used for fun photo tagging?”

“What if another false positive leads to someone being implicated for something they didn’t do? Facebook is a publicly traded company that uses petabytes of our personal data as their business model — data that we offer to them, but at what cost?”

NEC’s Neoface biometric software is already being used by police forces in the U.S. and the UK to identify people from video footage, as reported by We Live Security.

The post Week in security: Home Depot speaks, Gmail and Android ‘leak’ appeared first on We Live Security.

Key Flaw Enables Recovery of Files Encrypted by TorrentLocker

Crypto ransomware, a relatively unknown phenomenon a couple of years ago, has exploded into one of the nastier malware problems for Internet users. Variants such as CryptoLocker and CryptoWall have been siphoning money from victims for some time, and now researchers have dissected a newer variant known as TorrentLocker and found that the creators made […]

Salesforce software – millions of users at risk of Dyre malware

A strain of malware which previously targeted banks has turned its attention to users of the popular Customer Relationship Management (CRM) software Salesforce, used by 100,000 organizations and millions of subscribers, according to SC Magazine’s report.

Dyre, detected by ESET software as Win32/Battdil.A, is believed to be an entirely new strain of malware, and has in the past targeted users of large banks, siphoning data from machines to steal logins, with additional features allowing it to bypass some two-factor authentication systems.

Salesforce software posted a warning on its site this month saying, “Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”

Dyre has previously targeted Bank of America and Citigroup customers, as well as a number of British banks such as NatWest. It is thought to be delivered as a “service” to criminal customers: on sale to the highest bidder.

Salesforce software: Under threat from hi-tech malware

The Register says of the remote-access Trojan (RAT), “Once it’s installed on a Windows PC, usually via a phishing attack, the software nasty then looks out for data sent from web browsers – even SSL-encrypted data – and siphons it off to its masters.”

It’s unclear why Salesforce software users are being targeted. SC Magazine speculates that the switch may be due to a specific order from a “customer”.

The magazine points out that while Salesforce does not publish specific customer numbers for its software, it’s estimated that 160,000 organizations and around five million subscribers use the cloud software.

Dyre: New strain of malware on sale to highest bidder

Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to, but sufficiently distinct from, the Zeus malware. The news that it is targeting Salesforce software users is an entirely new “use” for the malware.

Dyre was initially designed to target certain banks in particular – Bank of America, CitiGroup, NatWest, RBS and Ulsterbank. It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.

The phishing campaign first used to spread the malware worked by asking users to download a zip file that claims to contain invoices or federal tax information. Dropbox quickly removed the links from its system, but the hackers switched to Cubby, a similar service, to continue their campaign.

The post Salesforce software – millions of users at risk of Dyre malware appeared first on We Live Security.

Online ad threat – Yahoo, Amazon, YouTube ‘victims of malvertising’

Anyone who has visited popular domains such as YouTube.com, Amazon.com or Ads.Yahoo.com could be a victim of a new, mutating malware attack distributed through the online ad network adverts displayed on the sites, according to a new blog by networking specialist Cisco.

The blog describes how the online ad malware (which comes in two forms, one for PC, one for Mac), is distributed via online advertising networks – basically by conning one of the large companies whose ads are seen on thousands of sites into forwarding an ad with a malicious payload.

The Register describes the process as, “The high-profile serving domains – along with many others – are, of course, receiving the “malvertising” from online ad networks that have been tricked into hosting the attack content.”

Online ad threat: How it works

The Cisco bloggers say that a number of major domains, listed in their original blog post, have been affected by the current attack. The attack has been nicknamed Kyle and Stan, due to the naming scheme of the subdomains within the group – “stan.mxp2099.com” and “kyle.mxp2038.com”.

Threatpost reports that the attack is probably much larger than the 700 domains analyzed by Cisco, and says, “700 domains and nearly 10,000 users have hit these domains and been exposed to the malicious advertisements.”

Threatpost points out that the attack vector is not new – the New York Times has previously fallen victim to a malvertising campaign – but that ‘Kyle and Stan’ takes a unique approach.

Cisco says that the attack delivers a unique malicious payload for every visitor, packaged with a legitimate media player, and a piece of malware which is tailored to each user.

“Extremely effective attack”

“The idea is very simple: use online advertising to spread malware. This attack form is not new, but extremely effective,” Cisco says.

“The world of online ads has only a few major players. If an attacker can get one of those major online ad networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

The attack comes in various forms, Cisco reports, but so far relies on pure social engineering, rather than ‘drive-by downloads’ in which users are infected without clicking anything. Different malware packages are delivered according to platform and user, and the attack is evolving, the bloggers warn.

A discussion of the murky world of malvertising, adware and ‘badware’ by ESET researcher Joan Calvet can be found here.

The post Online ad threat – Yahoo, Amazon, YouTube ‘victims of malvertising’ appeared first on We Live Security.

Home Depot credit cards: chain confirms breach, fraud spikes

The world’s largest home improvement chain store, Home Depot, yesterday confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.

Reports by security reporter Brian Krebs and others have said that the malware used in the attack was the same used in the Target breach, and that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.

In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and that the chain will offer free identity protection and credit monitoring to customers who used credit or debit cards in-store. Customers who shopped online or in Mexico have not been affected, the release said.

Home Depot credit cards: Who is at risk?

Veteran security reporter Brian Krebs said that the news had been accompanied by a spike in debit card fraud, after a vast haul of Home Depot credit card and debit card numbers were sold on an underground forum last week.

Krebs said, “multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.”

Home Depot said that there was no evidence PIN numbers had been compromised during the breach, and that, “Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware.”

Technology site GigaOm reports that the malware involved in the breach has been reported as being BlackPOS, the same used in the Target breach earlier this year.

“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Frank Blake, chairman and CEO.

“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”

How criminals withdraw cash without needing PINs

GigaOm reports that the chain is to roll out EMV chip-and-PIN technology by the end of the year, offering a secure chip rather than a magnetic stripe which is more easily copied by malware such as BlackPOS.

Krebs said that the current glut of fraud relies on working out a customer’s ZIP code using criminal services which sell such information, starting from the ZIP code of the Home Depot they shopped at.

Krebs writes, “Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information: the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card; the card’s expiration date; the customer’s date of birth; the last four digits of the customer’s Social Security number.”

Krebs said that this authentication process was weak enough that one large bank told him that a single West Coast bank had lost $300,000 in less than two hours due to debit and credit card fraud perpetrated with cards stolen in the breach.

ESET researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

The post Home Depot credit cards: chain confirms breach, fraud spikes appeared first on We Live Security.

‘Kyle and Stan’ Malvertising Network Targets Windows and Mac Users

A malvertising network that has been operating since at least May has been able to place malicious ads on a number of high-profile sites, including Amazon and YouTube and serves a unique piece of malware to each victim. The network, dubbed Kyle and Stan by the Cisco researchers who analyzed its activities and reach, comprises […]

TorrentLocker now targets UK with Royal Mail phishing

Three weeks ago, iSIGHT Partners discovered a new ransomware encrypting victims’ documents. They dubbed this new threat TorrentLocker. TorrentLocker propagates via spam messages containing a link to a phishing page where the user is asked to download and execute “package tracking information”. In August, only Australians were targeted, with a fake Australian Post package-tracking page.

While tracking this new threat, ESET researchers found the malicious gang is targeting new victims. Internet users from the United Kingdom should be aware that fake Royal Mail package-tracking pages are online and distributing TorrentLocker.

Royal Mail phishing page

The scheme is the same: you type a captcha then click to download a zip file containing the executable payload. It is interesting to note that the fake Royal Mail page will only show if the visitor is from the UK. Filtering seems to be based on the IP address of the request. If the request does not come from a UK IP address, the victim will be redirected to google.com. Three new domains are hosting the fake Royal Mail page:

  • royalmail-tracking.info
  • royalmail-tracking.biz
  • royalmail-tracking.org

royalmail-tracking.info registration information

As you can see, the registration date for these domains is September 2nd, so this campaign started very recently.

Executable file properties

Encrypted files in users’ pictures

Warning is shown upon execution of the malware

Once installed, the malware encrypts victims’ documents and demands a ransom of 350 GBP if paid within 72 hours or 700 GBP otherwise. Payment is made via Bitcoin transaction (1.19 BTC or 2.38 BTC). To hide their infrastructure, the web server is hosted on a .onion host on the Tor network.

To make it easy for victims to access the web page, TorrentLocker gives links to Tor2Web nodes so they don’t have to install additional software to reach the .onion website. Interestingly, door2tor.org, the domain name of one of the suggested Tor2Web nodes, was registered only two weeks ago. Perhaps its purpose is only to allow TorrentLocker’s victims to contact the server selling the decryption software.

“Decryption software” sold on the Tor network

This threat carries the TorrentLocker name because it uses the “Bit Torrent Application” Windows registry key to store its settings. It is unrelated to the BitTorrent protocol.

The Bitcoin trail

Bitcoin transaction details

As discovered by iSIGHT Partners, the Australian variant they analyzed asked for Bitcoins to be sent to 15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg. In our case, the Bitcoin address changed to 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X. If you look at the transactions on both wallets, the Bitcoins are then transferred to 17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43.

Since March 2014, this Bitcoin wallet has transferred over 82,272 BTC. With 1 BTC currently valued at US$480, the total transactions are roughly equal to US$40 million. This wallet has been associated with other scams in the past, including wallet stealing and selling fake mining hardware. We do not know whether this account is owned by the TorrentLocker gang or whether it is some kind of exchange service used by different groups.

Screenshot of a discussion on Hashtalk (now offline, retrieved from Google Cache)

ESET products detect this threat as Win32/Filecoder.NCC or Win32/Injector.

SHA-1 hashes

  • 491C8276667074B502BD98B98C74E4515A32189B (exe)
  • 46A2426D7E062E76D49707B58A5DF28547CBC0F4 (zip)
  • 7C62651C5F4CB1C780C8E9C4692F3BF24208A61E (exe)
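The indicators above (three royalmail-tracking domains and three SHA-1 hashes) are the kind of thing a defender wants to check quickly against local files and proxy logs. The following is an added example written for this page, not ESET's code or tooling: it hashes files and compares them with the listed SHA-1s, and matches request hosts in log lines against the listed domains (including subdomains such as www.royalmail-tracking.info). The log lines and the sample file are constructed for the demo; the log format and the helper names are assumptions, not something from the post.

```python
"""IoC matcher for the TorrentLocker indicators listed in the post above.

Added example: hashes files against the published SHA-1s and scans
proxy-log lines for the published phishing domains. The log format and
sample data are constructed for this demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-1 hashes published in the post (two executables, one zip).
TORRENTLOCKER_SHA1 = {
    "491C8276667074B502BD98B98C74E4515A32189B",
    "46A2426D7E062E76D49707B58A5DF28547CBC0F4",
    "7C62651C5F4CB1C780C8E9C4692F3BF24208A61E",
}

# Phishing domains published in the post.
TORRENTLOCKER_DOMAINS = {
    "royalmail-tracking.info",
    "royalmail-tracking.biz",
    "royalmail-tracking.org",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large downloads do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(paths, known_hashes=TORRENTLOCKER_SHA1):
    """Return {path: sha1} for every file whose SHA-1 is in known_hashes.

    Hashes are compared case-insensitively because published IoC lists mix cases.
    """
    wanted = {h.lower() for h in known_hashes}
    hits = {}
    for path in paths:
        digest = sha1_of_file(path)
        if digest in wanted:
            hits[str(path)] = digest
    return hits


# Pulls the host part out of any http(s) URL in a log line (assumed log format).
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def scan_log(lines, bad_domains=TORRENTLOCKER_DOMAINS):
    """Return (line_number, host) for each line whose request host is an IoC domain
    or a subdomain of one. Exact-label matching avoids false hits on lookalikes
    such as royalmail.com."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in bad_domains):
                hits.append((number, host))
    return hits


# Constructed proxy-log lines (Squid-style: timestamp, user, method, URL, status).
SAMPLE_LOG = [
    "1410300001.123 user1 GET http://www.example.org/index.html 200",
    "1410300002.456 user2 GET http://www.royalmail-tracking.info/track.php?id=123 200",
    "1410300003.789 user3 GET https://www.google.com/ 200",
    "1410300004.012 user4 GET http://royalmail-tracking.biz/download.php 200",
    "1410300005.345 user5 GET http://royalmail.com/track 200",
]


def demo_file_scan():
    """Create a constructed benign file; show no hit against the real IoC set,
    then a hit once the file's own hash is added to the set (simulated match)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "package_tracking.txt"
        sample.write_bytes(b"constructed benign sample, not malware\n")
        digest = sha1_of_file(sample)
        clean = scan_files([sample])
        simulated = scan_files([sample], TORRENTLOCKER_SHA1 | {digest})
        return len(clean), len(simulated), simulated.get(str(sample)) == digest


if __name__ == "__main__":
    for number, host in scan_log(SAMPLE_LOG):
        print(f"log line {number}: request to IoC domain {host}")
    print("file scan (clean hits, simulated hits, match ok):", demo_file_scan())
```

Matching on the exact domain label, rather than a substring like "royalmail", is what keeps the legitimate royalmail.com traffic out of the results; extend the sets as new indicators are published rather than loosening the match.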

The post TorrentLocker now targets UK with Royal Mail phishing appeared first on We Live Security.

Neverquest Trojan Adds New Targets, Capabilities

Researchers have found some recent modifications to the Neverquest banking Trojan that indicate the malware is no longer just targeting online banking sites, but also is going after social media, retailers and some game portals. The new changes also give the Trojan the ability to insert extra fields into targeted Web forms in order to steal […]