Tag Archives: Malware

Phishing emails: U.S. nuke authority hit three times

America’s Nuclear Regulatory Commission was successfully attacked three times within the past three years, by unknown attackers, some foreign – and largely using standard phishing emails and similar techniques, according to the news site NextGov.

Two of the incidents have been traced to unknown foreign individuals, and another to an unidentifiable attacker, as records have been lost.

CNET reports that one incident led 215 employees of the nuclear agency to “a logon-credential harvesting attempt,” hosted on “a cloud-based Google spreadsheet.” The information was obtained through a specific request by NextGov.

Phishing emails: Lethal targets

A second spearphishing attack targeted specific employees with emails crafted to dupe them into clicking a link which led to malware on Microsoft’s cloud storage site SkyDrive.

The third attack was a spearphishing attack directed at a specific employee. Once his account credentials were obtained, emails were sent to 15 further employees, with malware-laced PDFs.

“It’s still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action. It’s also unclear how far the attackers got,” the Verge reports.

‘Team thwarts most attempts’

NRC spokesman David McIntyre said that his security team “thwarts” most such attempts.

“The few attempts documented in the OIG (Office of the Inspector General) cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken,” he said, speaking to CNET.

Slashgear reports, “The reasons for the hacks aren’t known, but are suspected to be an effort to harvest details about the nation’s nuclear infrastructure – another suggestion is that the NRC might not be a specific target, but instead swept up by chance in a more general attack by an individual hacker rather than a foreign nation’s government.”

A recent report on America’s energy agencies said such incidents were increasing 35% between 2010 and 2013.

The report, “INFORMATION SECURITY Agencies Need to Improve CyberIncident Response Practices.” said, “Our sample indicates that agencies demonstrated that they completed their eradication steps for the majority of cyber incidents. Specifically, our analysis shows that for about 77 percent of incidents governmentwide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents.”

The report made 25 suggestions about how agencies could improve responses, including that agencies should, “revise policies for incident response to include requirements for defining the incident response team’s level of authority, prioritizing the severity ratings of incidents based on impact and establishing measures of performance.”

The post Phishing emails: U.S. nuke authority hit three times appeared first on We Live Security.

Gamescom: How gaming grew up into a target for crime

With over double the attendance of San Diego’s Comic-Con (340,000 attendees last year, compared to Comic-Con’s 130,000), gamescom highlights not just how pervasive video games have become in our lives, but also how video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles; and there is a burgeoning market for dedicated gaming hardware for PCs ranging from specialized graphics processors from companies like AMD (formerly ATI) and Nvidia to exotic cooling solutions using liquid nitrogen and metalized thermal interface materials; to the creation of AAA games such as Electronic Arts‘ fifteen year old (and still going strong) The Sims franchise, and Blizzard‘s World of Warcraft, which redefined MMORPG gaming.

Gaming by the numbers

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM
NUMBER
EQUIVALENT TO
The Sims 175 000 000
(copies sold over 15 years)
Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft 7 600 000
(avg. # players over
last 4 quarters)
Cost of 2014 upgrades (in
USD) to Kensington Palace,
United Kingdom
8th generation console units 18 680 000
(PS4+Wii+XBONE units shipped/sold)
Average number of viewers per
episode of Big Bang Theory
during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem.  But in virtual worlds, can real crimes occur?

Game Crime

gamescom

As gaming has moved online, as with next-gen consoles such as Xbox One, crime has moved in

As it actually turns out, there’s actually quite a bit of undesirable activity that can occur online, such as trolling or griefing, which have occurred for as long as people have been playing games online.  The exact nature of these activities varies between games, as do their consequences, but while some online behavior is horrifying, it is not always clear whether an actual crime, prosecutable outside of cyberspace, has occurred and, if so, in what jurisdictions.  Likewise, cheating, while unsportsmanlike, may be a violation of a game’s acceptable-use policy, but not a criminal offense.

Doing time, online

Computer game companies police their virtual worlds to various degrees, as unwanted or objectionable in-game behavior could cause paying customers to leave en masse, with a corresponding drop in revenue.  If warnings are not sufficient, the usual sentence for abusive users is to ban them from playing the game for a fixed amount of time.  Repeat offenders, or those who may have done something especially offensive, may find themselves permanently banned from the game and their accounts closed.

Real thieves in a virtual world

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well:

Theft of Goods

The longer you play a MMORPG, the more likely you are to get items which are rare, limited edition, unique or otherwise contain powerful buffs for your character.  Game companies create these kinds of items and adjust their scarcity because it helps encourage gamers to pay real money, either for the items themselves, or for in-game currency.  Or the developer may charge a subscription fee to play the game.  And that use of real money is what makes some games lucrative targets for thieves.

In some games’ player-versus-player (PvP) combat, the losers of fights may drop items that they were using in their inventory or currency, upon their in-game death.  In some games, this has led to the creation of gangs or “mafias” who often target new players, either to “loot their corpses” or merely to threaten them with looting in order to obtain their items or currency.

In the real world, gamers are regularly targeted by criminal gangs with phishing emails, as well as password stealing software, in order to gain access to their account credentials.  From there, it is a simple matter for the criminals to empty out the gamer’s account, akin to taking the jewels out of some kind of high-tech safe deposit box.

While some game companies employ sophisticated geolocation tracking and even two-factor authentication systems identical to those employed by banks, others do not, and this makes those game accounts not only vulnerable to being emptied out, but to being stolen themselves.  It can take years of grinding away at some games to reach the upper levels.  For some unsporting game players, that represents an almost irresistible target.

Counterfeiting items

The amount of virtual items (including virtual currencies) is usually carefully calculated by gaming companies, even to the point of employing economists, to help ensure the stability of their virtual economy.  Unfortunately, as in the real world, some virtual worlds are subject to counterfeiting, where in-game items or currency is duped (“duplicated”) over and over again by criminal gangs by exploiting vulnerabilities or bugs in the game, network connection or timing issues, and so forth.

If an in-game item can be duped ad nauseam, it can generate a lot of money, especially if it is the in-game currency that is being copied, and not some scarce or unique item.  While item duping may not be enough to disrupt the in-game economy if the item is not being sold, it does disrupt game play and fairness when characters become seriously overbalanced.

Regardless of why it is being done, counterfeiting can be difficult to deal with, especially if the recipient of a duped item is not aware of its provenance.  This may not stop game admins from removing counterfeit items or currency from a gamer’s account, or even banning the gamer, though.

Gold farming

Although in-game currency is not always golden coins, gold farming is the generic term used to describe players who do nothing but play a game in order to generate in-game currency, which they sell online for real-world currency.  This is particularly problematic in China, where there have been reports that prisoners are used as slave labor to generate revenue for prison authorities.

As with item duping, gold farming is disruptive to gaming economies because it leads to inflation.  Aside from that, it also leads to other problems, both in-game and in the real world, with being spammed with advertisements for gold.  And, as with selling counterfeit or stolen goods, one runs the risk of having the items removed by the game admins or even being banned for having received counterfeit or stolen virtual property.

Companies under assault

Of course, computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts.

ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.  As a result, I am not going to discuss the details of the SONY breach in this article.  Readers should be aware that this sort of problem is not unique to SONY, either.  Almost exactly, two years ago, Blizzard Entertainment suffered a data breach themselves, although they responded in a different and—this author thinks—more responsible fashion.

The point here is that that computer game companies and their associated services face real threats from criminals:  If they charge customers for online play, the purchase of in-game items, or otherwise contain customer billing data in their computers, then those computers systems are targets for financial crime.  But even if they don’t charge customers, their systems might still be targeted by criminals seeking access to accounts for the reasons mentioned in the preceding section.  Game companies recognize this, of course, and as a result their security practices have improved greatly over the past couple of years.

Final thoughts

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

I would also suggest reading our Comic-Con 2014: Eight super-powered digital safety tips article.  While Comic-Con is not exactly the same type of conference as gamescom, going to any type of conference with your computer, tablet, smartphone and various digital devices poses similar risks these days, and you may find some helpful information in that article.

Thanks to my colleagues Bruce P. Burrell, David Harley and Righard Zwienenberg for their assistance with this article.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher, ESET

 

Selected Bibliography

For further reading, here is a fairly complete compendium of gaming-related articles from We Live Security:

The post Gamescom: How gaming grew up into a target for crime appeared first on We Live Security.

Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars

It’s still high season for security news, with the last days of DEF CON 22 luring out the best in the business – and causing controversy (as, of course, it should).

The biggest draw was a hack which knocked out the “ultra-private” encrypted Blackphone in just five minutes – although there was much discussion of the techniques used. Silent Circle, creators of the PGP encryption standard, took a secure, dignified response.

They patched – fast – and admitted their errors, saying, “No hard feelings — things get fixed by being found.”

Android versus RAT: Rodent wins

Android users in Russia were offered a bundle of free apps – with one catch. Each had been tweaked to hide malware – a RAT built to steal information. Remote Access Trojans (found on both PCs and Adroid devices) allows an attacker access to data – in the case of Android/Spy.Krysanec, GPS location, contacts lists, web history, contacts lists and more.

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security. Naturally, it was shared through third-party app stores and social sites – not Google Play.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network.

ESET’s Robert Lipovsky says: “users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.”

Wi-Fi: The skies are safe once more

The good news – your aeroplane will not plunge from the skies thanks to hackers armed with iPads – and the idea of hacking planes via Wi-Fi is silly. The bad news: things ARE getting worse.

Black Hat is no stranger to world-changing hacks – but Ruben Santamarta’s talk was described by CNET as “the hacking presentation that will get the most attention”, claiming that plane security could be hacked wirelessly, by Wi-Fi or even SMS.

The debunking didn’t take long. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, thousands of hours of flight time, and has worked on on the development of avionics found in modern airliners. He also recruited an even more qualified but anonymous pilot to help.

Short answer: planes cannot be hacked wirelessly – any model ever built. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircrafts, which use a system “harder to hack” he says.

Several companies have already said wireless hacks were “impossible”, and that access to wired systems restricted: “In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said one.

Polstra warned, however, that “increasing automation” may lead to problems in the future.

Security news: Your router is a time bomb

No wonder cybercrime gangs target routers – yet another “live fire” test against the devices proved they were packed with vulnerabilities. More than a dozen were found in the challenge at DEF CON – and one router-hunter found 11 on his own.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – and a second challenge, to extract information from the devices, proved equally easy for the contestants.

Cyberjacking: It’s a word, and it’s happening (soon)

Two researchers who have previously demonstrated hacks against cars declared a new threat this week – in-car web browsers.

In an exhaustive analysis of top car brands, the researchers found that while it WAS possible to compromise systems, the results were limited. A BlueTooth hack, for instance, would not compromise the vehicle – but allow attackers to ‘pair’ devices.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

 

Two-factor security: We want it now!

Millions of Americans were directly affected by the breach at Target – and as cybercriminals increasingly take aim at POS terminals, similar tragedies look likely in future.

But American banks and card companies have been slow to reassure customers with measures such as two-factor security systems.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is economy – for the banks, “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

An ESET video explains what two-factor is, and why it works, here.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

 

The post Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars appeared first on We Live Security.

Gamescom 2014: World of Malware?

The gaming industry keeps growing in terms of popularity, and the large population of gamers, and the crowds at Cologne’s Gamescom 2014, represents an opportunity for miscreants to make money. In this blog post, we will explore various attacks specifically tailored to gamers, by starting with trojanized legitimate games, then by exploring some malicious software and targeted attacks against the video games industry. Finally, we will describe some recent exploits found in video games.

Gamescom 2014: Bitcoin Miners

Recent years have seen the introduction of Bitcoin, Dogecoin and other trendy and trending cryptographic currencies. These currencies are created by solving computationally-intensive cryptographic challenges, which require a lot of processing power. As gaming rigs are built with powerful processors and cutting-edge video cards, they can be considered one of the most efficient environments in which to “mine” these digital currencies, with the advantage of being widely spread among the Internet-using population.

In 2013, an employee of the ESEA Counter-Strike league silently introduced a Bitcoin miner into their anti-cheating software, which every member of the league had to install in order to participate. Fortunately the stratagem was uncovered rather quickly, and less than $4,000 worth of bitcoins were ‘earned’ by the malicious employee. More recently, a pirate version of the game ‘WatchDogs’ included a bitcoin mining Trojan which made a profit for the torrent’s author.

Keyloggers and Information Stealers

As the size of the gamer population has increased, some in-game goods have acquired some real monetary value. High-level/high-value characters, in-game currency, legendary items or even hats can be purchased with real money. But when something is worth money, it also means that for some people, it is worth stealing. Consequently, some malicious software focuses on stealing video games credentials. These information stealers are usually distributed under false pretenses, hiding behind so-called “game experience enhancers” or disguised as legitimate tools.

Keyloggers are the most prevalent type of malware in the gaming world, identified as Win32/PSW.OnLineGames by ESET. These programs can be pretty simple but have proven to be very effective at stealing players’ credentials, in order to resell items and characters. So many accounts are compromised that games editors are used to it and have implemented an FAQ and process to handle this situation.

To counter this type of malware, some MMORPG creators, such as Blizzard (who publish World Of Warcraft), have introduced two-factor authentication – and new titles introduced at Gamescom 2014 will do the same. This two-factor authentication takes the form of an electronic device (or a smartphone application) delivering unique six-digit codes that are active and valid only for a limited time before a new code has to be generated.

At the beginning of this year, malicious software named Disker was able to bypass this double-authentication mechanism. Disker appears to be as complex as malicious software that focuses on stealing banking information and it has the ability to steal both the victim’s account credentials and his or her authenticating six-digit passcode.

But as the passcode remains valid only for a short period of time, the attacker has to be behind his keyboard when the information is exfiltrated so as to be able to use it. So Disker implements a way to circumvent this problem: as it leaks the 6-digit passcode to the attacker, it will actually send a wrong passcode to the World Of Warcraft server, preventing the user from logging in. At this point, the victim will almost certainly disable the two-factor authentication in order to enjoy his game. Once this is done, the attacker is no longer restricted to operating within a short period of time.

Targeted Attacks

Players are not the only target in the gaming ecosystem, games companies can also be specifically attacked. For example Kaspersky discovered last year a malware targeting no less than 30 MMORPG game companies. In this case the attack was intended to:

  1. Deploy malware on gamers’ computers by using the MMORPG update server
  2. Manipulate in-game currencies
  3. Steal digital-certificate to create signed-malware, making the malware easier to propagate
  4. Steal the MMORPG source code to deploy it on rogue servers

Exploits

MMORPGs are not the only targeted type of games, other kinds of multiplayer games are also potential targets. Recently, security researchers Luigi Auriemma and Donato Ferrante have been looking for vulnerabilities in games and game engines.

The results are impressive: they found vulnerabilities in the Source Engine, making any game based on this engine vulnerable, such as the famous Counter-Strike Source, Team Fortress 2 and Left 4 Dead. Those vulnerabilities could be used to execute code on a player’s computer without their knowledge and consent, potentially leading to installation of malware without requiring any action from the user other than his usual gaming activity.

Today, no known malware spreads using vulnerabilities in games but the rising value of in-game goods could motivate malicious people enough to use this kind of attack to spread game-targeted malware.

Conclusion

The emergence of such malware shows that the high value of in-game goods is appealing to bad guys – and the titles shown at Gamescom 2014 will be high-value targets.

The complexity of these types of malware, and the implementation by Blizzard of protective measures similar to those used by banks, indicate that we are at the beginning of an arms race between criminals and the gaming world. In this race, everyone has a role to play, editors by securing players’ accounts adequately, and players by educating themselves about the dangers, the existing solutions, and how to behave in order to enjoy safer gaming.

The post Gamescom 2014: World of Malware? appeared first on We Live Security.