This Thursday, September 18, is the biggest day in Scottish political history, as the country votes on whether it should become independent from the United Kingdom – but an ESET security expert has warned cybercriminals could strike.
The post Scottish independence poll – warning over phishing scams appeared first on We Live Security.
The dangers of clicking on links in eBay scam postings were highlighted after a fake posting advertising iPhones linked to a phishing site designed to steal usernames and passwords for the site.
The post eBay scam: site ‘slow to react’ after iPhone phishing attack appeared first on We Live Security.
Facebook scams tend to crop up in the run-up to a big Apple launch with around the same regularity as big Apple launches themselves. This week’s iPhone 6 launch is no exception, with Help Net Security noting that a Facebook page ‘offering’ free iPhone 6 units is, as usual, a total fraud.
This time, the scam promises a free iPhone 6 as soon as “three easy steps†are completed, which, as usual, involve a survey, which allows you to download a “participation application.â€
When a victim completes the free iPhone 6 survey, all their friends are spammed with the fake promotion, Hoax Slayer reveals, but the three “easy†steps are anything but.
Each time someone completes a survey, the page claims there is an error, and they are directed to a further survey, according to Help Net. As always, the “free iPhone 6†never materializes.
“Some of the available surveys want you to provide your mobile phone number, ostensibly to go in the draw for extra prizes or offers. But, by submitting your number, you will actually be subscribing to a very expensive text messaging ‘service’ that will charge you several dollars every time they send you a message,†Hoax Slayer says.
“Alternatively, you may be asked to provide your name, address, and phone details, again, to supposedly enter you into a prize draw. But, fine print on the page will state that your details will be shared with third-party marketers. Thus, after submitting your details, you will likely be inundated with annoying phone calls, emails, and junk mail.â€
“Meanwhile, the scammer who created the fake promotion will earn a commission. But, no matter how many surveys you complete, you will still not get to download your ‘application’.â€
The site cautions against clicking on any link this week which offers a free iPhone 6, as this sort of big product launch is a prime target for cybercriminals, and any link is potentially suspect.
Mark James, ESET security specialist, says, “We all like the idea of something for free, that’s the approach these type of scams use. Deep down we know it’s not going to happen, but a lot of people will still click the like button or share that simple post in the hope it’s going to arrive.â€
“We have seen these types of scams for years but they are still as effective today as they were when started, once we like or share the page we do all the marketing and advertising for the scammers thus providing a very valuable and potential dangerous page to initiate future scams or attacks.â€
“I still encourage people to use the “front door†policy, i.e treat it like your front door: ‘When was the last time someone banged on your front door to offer you an iPhone 5 or 6 just for filling out a survey or a £10/£50 supermarket voucher for free?’ It just does not happen.â€
The post Free iPhone 6 Facebook scam does the rounds, right on time appeared first on We Live Security.
When Malaysia Airlines Flight 17 (MH17) was shot down in Ukrainian airspace in July of this year, the world was understandably shocked.
The news of an civilian passenger flight from Amsterdam to Kuala Lumpur being possibly downed by a surface-to-air missile was horrifying enough, but coming just months after the loss of another Malaysian Airlines flight (MH370) in mysterious circumstances made the headlines seemed even harder to believe.
As we have previously documented on We Live Security, the earlier lost aircraft has been the subject of various scams including a fraudulent message that spread on Facebook claiming it had been found, a fake video of the supposed rescue of its passengers, as well as claims that hackers had stolen secret classified documents held by Malaysian government officials.
Now it appears, the cold-hearted scammers are exploiting the tragic events that befell MH17 over Ukraine too.
Part of the spammed out message reads as follows:
<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>
I am a German Solicitor resident in Germany. I was the personal Attorney to Mr.Foo Ming Lee, a national of Malaysia who used to work with a contruction company here in Germany.
Mr.Foo Ming Lee 52 years old made a fixed deposit of funds valued at Nineteen Million Euros with a Bank here in Europe and unfortunately lost his life in the
Malaysia Airlines Flight MH 17 from Amsterdam to Kuala Lumpur that was shot down by pro-Russian separatists on 17 July 2014, killing all 283 passengers and 15 crew on board as you can see on the following link: http://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17
To the best of my knowledge as his personal attorney, Mr.Foo Ming Lee has no living beneficiary or next of kin therefore, I want you to reply me immediately after reading this email so that, I can prepare the necessary legal documents and present you to the bank as the only surviving relative to Mr.Foo Ming Lee and instruct the bank to wire the deposit funds Nineteen Million Euros into your provided account.
Yes, it’s “yet another 419 scam”.
Also commonly known as “Letters from Nigeria” or “Advanced Fee Fraud”, the scams typically involve the promise of a vast fortune – but sooner or later (once you have begun to be sucked in and lost all wariness) you will be told that you need to advance an amount of money for logistical reasons, or share sensitive information such as your passport or banking details.
You might not fool for a scam like this, but unfortunately there are plenty of vulnerable people out there who do. And it only requires one person to fool for the scam for it to be worthwhile to the fraudsters, who have typically spammed it out to thousands.
But what makes this scam particularly sick is that it uses the name of a genuine victim of the MH17 tragedy.
As media reports confirm, Foo Ming Lee, who lived in Geneva and was a sales and marketing chief for a Japanese tobacco company, was indeed a passenger on MH17 and was amongst the 43 Malaysians who perished in the downing of MH17 over Ukraine.
It’s clear that whoever is behind this scam has scooped up the name of a victim from media reports, and exploited it in an attempt to defraud the unwary.
After all, anyone who was dubious about the unsolicited message might Google some of the details in an attempt to confirm if any elements of it could be confirmed to be true or not.
Yes, the plane crash happened on the date the scam claims, and Mr Foo Ming Lee was amongst the victims.
What is not true, however, is the claim that he had no next of kin. Another news report confirms that his widow, son and daughter laid his ashes to rest at Nirwana Memorial Park on August 24th.
If scammers had any conscience, they wouldn’t compound the misery of those who have been left bereaved and heartbroken by using the names of victims and details of horrendous accidents and tragedies in their money-making plots.
But the sad truth is that the scammers and fraudsters don’t have any conscience, and are prepared to do anything if it might net them a rich reward.
Hat-tip: Thanks to ESET researcher Pierre-Marc Bureau for bringing this scam to my attention.
The post MH17 plane crash victims exploited by cold-hearted scammers appeared first on We Live Security.
Three weeks ago, iSIGHT Partners discovered a new Ransomware encrypting victims’ documents. They dubbed this new threat TorrentLocker. TorrentLocker propagates via spam messages containing a link to a phishing page where the user is asked to download and execute “package tracking informationâ€. In August, only Australians were targeted with fake Australian Post package-tracking page.
While tracking this new threat, ESET researchers found the malicious gang is targeting new victims. Internet users from the United Kingdom should be aware that fake Royal Mail package-tracking pages are online and distributing TorrentLocker.
Royal Mail phishing page
The scheme is the same: you type a captcha then click to download a zip file containing the executable payload. It is interesting to note that the fake Royal Mail page will only show if the visitor is from the UK. Filtering seems to be based on the IP address of the request. If the request does not come from a UK IP address, the victim will be redirected to google.com. Three new domains are hosting the fake Royal Mail page:
royalmail-tracking.info registration information
As you can see, registration date for these domains is September 2nd so this campaign started very recently.
Executable file properties
Encrypted files in users’ pictures
Warning is shown upon execution of the malware
Once installed, victims’ documents are encrypted and they are being asked for a ransom of 350 GBP if paid within 72 hours or 700 GPB otherwise. Payment is done via Bitcoin transaction (1.19 BTC or 2.38 BTC). To hide their infrastructure, the web server is hosted on a .onion host on the Tor network.
To make it is easy for victims to access the web page, TorrentLocker is giving links to Tor2Web nodes so they don’t have to install additional software to reach the .onion website. Interestingly, door2tor.org, the domain name of one of the suggested Tor2Web node, was registered only 2 weeks ago. Perhaps its purpose is only to allow TorrrentLocker’s victims to contact the server selling the decryption software.
“Decryption software” sold on the Tor network
This threat caries the TorrentLocker name because it use the “Bit Torrent Application†Windows registry key to store its settings. It is unrelated to the BitTorrent protocol.
Bitcoin transaction details
As discovered by iSIGHT Partners, the Australian variant they analyzed asked for Bitcoins to be sent to 15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg. In our case, the Bitcoin address changed to 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X. If you look at the transactions on both wallets, the Bitcoins are then transferred to 17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43.
Since March 2014, this Bitcoin wallet has transferred over 82 272 BTC. With 1 BTC currently valued at US$480, the total transactions are roughly equal to 40 millions US$. This wallet has been associated with other scams in the past, including wallet stealing and selling fake mining hardware. We do not know if this account is owner by the TorrentLocker gang or it is some kind of exchange service used by different groups.
Screenshot of a discussion on Hashtalk (now offline, retrieved from Google Cache)
ESET products detect this threat as Win32/Filecoder.NCC or Win32/Injector.
The post TorrentLocker now targets UK with Royal Mail phishing appeared first on We Live Security.
A YouTube scam where users are threatened with suspension for an unspecified “violation†of the video site’s guidelines has been circulating via email, according to Softpedia’s report.
The phishing YouTube scam is common enough to be causing users to raise questions on Google Groups, according to the site’s report.
The YouTube scam email reads, “We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message.â€
This form of scam is more common on Facebook, Softpedia notes. Other We Live Security reports describe such typical Facebook scams. As with Facebook, it’s likely that multiple variants of the scam email are circulating, so the text may vary.
The particular variant seen by Softpedia continues, “After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content.
“Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.â€
ESET security specialist Mark James says, “The problem with phishing emails is that it’s their job to trick you into thinking they are legit, often using the same graphics or templates from legitimate emails from real companies.â€
“The methods they use include rewards for following links, penalties for not taking action and sometimes topics that offend easily forcing you not to take advice for fear of being judged or even prosecuted.â€
In this case, Softpedia says, the link in the emails directs the users to a series of surveys, some of which ask for the user’s phone number – which can lead to further SMS scams.
James says, “There are many ways to spot these false emails, firstly, most companies will have layers of procedures before sending out emails (especially intent of termination emails) that are proofread and checked over again before being sent, also look to see who its written to, if it is about a service that’s going to be cancelled then it SHOULD be directed to YOU not “Dear customer” or “Dear user”. They want your business and its important for you to feel your important.
“Check the sending email address. Don’t be fooled by the company name if it appears in the address, look to see if it looks right, most organizations want you to remember their details, so a long winded email address from PayPal with “pay” and “pal” in there somewhere won’t be from them, look for unrealistic threats – if it’s going to happen in 24 hours, or some other short time period, chances are it’s fake.â€
“DON’T open any attachments regardless of how enticing they seem, if you need to fill a form out to continue the service you are okay to call the company and ask them to mail the form to you, at that point you can verify if it is legitimate. DON’T follow any links, if the email has a link then check to see not only what it says but move your mouse over it and see WHERE it goes.â€
A detailed We Live Security guide to the latest phishing scams (and how to avoid them) can be found here.
The post YouTube scam warning after fake “suspension†emails strike users appeared first on We Live Security.
A data breach of staggering proportions has hit South Korea – involving 27 million people and 220 million private records – and affecting 70% of the population between the ages of 15 and 65, according to Forbes.
Sixteen hackers were arrested for the attack, which targeted registration pages and passwords for six online gaming sites – with the aim of selling game currency. South Korea has a strong online gaming culture, and people of all ages indulge in the hobby.
South Korean authorities said that the gang had stolen 220 million items of personally identifying information, with the goal of breaking into online game accounts. A 24-year-old man, surname Kim, bought these records from a Chinese hacker he met in another online game in 2011, according to the Korea JoonGang Daily.
According to police, Kim reportedly received 220 million personal information items from a data breach of unknown origin, including the names, resident registration numbers, account names and passwords, of the 27 million people from a Chinese hacker he met in an online game in 2011.
Kim and his associates are thought to have used a hacking tool known as an “extractor†to log in to accounts and steal virtual currency to and items to sell – earning in the process 400 million won ($390,919).
The Register reports that, “Kim bagged almost $400,000 by hacking six online games using the details and gave the Chinese cracker a $130,000 cut. The buyer used the creds to steal items from gaming accounts and sold off to other players.”
Police estimate that secondary damages from the data breach cost at least $2m.
When Kim’s gang could not break into accounts, they bought yet more personal information including identity cards from a cellphone retailer in Daegu, and then changed passwords to gain access.
Kim is also accused of having sold his hoard of personally identifying information to mortgage fraudsters and illegal gambling advertisers.
The post Data breach in South Korea hits 27 million – half the population appeared first on We Live Security.
An image of a Russian car crash has piled up in Google Images, regardless of what users search for. Time magazine searched for ‘puppy” and instead saw multiple images of the crash – leading to speculation that the service has been hacked. What’s less clear is why, or who might have done it.
One user says that regardless of what he searches for, he sees dozens of images of the same car crash, “Every time I search something in Google images, these creepy images are appearing. It’s apparently a crashed truck or something, but I didn’t look it up. People could say that it had something to do with what I was searching, but if I click on it, a different image appears. I have some screenshots attached.â€
The issue is not affecting all users, but Google product forums are full of complaints about the image, which shows a fatal car crash from several years ago.
Time magazine reports that the images vary –  Google’s own support forums tracked back and found the image came from a report on a Ukrainian news site. We’ve not linked to the report as it contains many more grisly images of the crash.
Time also reported that a related Reddit chain say that images of basketball player and occasional actor Kevin Durant have also been reported by some user.
Jalopnik says, “In the meantime, Reddit user anvile noticed that the original photos stem from a story about a car crash in Moscow that killed three people. The driver, a 28-year-old woman, was reported to be intoxicated.”
“Weirder still, the crash occurred in November of 2012, according to this Pravda article, so it isn’t recent.â€
Google has as yet not offered comment on the images, or their origin.
The post Google Images hacked? Searches fill with morbid image appeared first on We Live Security.
Looking like an idiot on social networks like Facebook and Twitter is not too difficult. Many people have achieved this state of being without much thought at all. So c’mon! With a little effort and commitment you can lose your job, get arrested, or alienate your friends! 
Here are the top 3 ways you can look like a total nincompoop on social media.
Like this woman: After being passed over for a promotion at work, an Arizona woman posted an angry Facebook message in reaction. How good it must have felt to let her frustration out. Since she was friends with her co-workers, they all saw it. It said,
This place is a joke!!! I wonder if I passed up a good opportunity by being at this place. I absolutely hate fake and lazy ppl!!! Ugh, the ones who actually work are the ones to blame??? WTF? #TwistedMinds.â€
Those co-workers of hers, not the fake or lazy ones, were sure to surround her with support and encouragement after reading how distressed she was.
Oh. Oops. They couldn’t encourage her. She was fired shortly after that rant.
Here’s an example of a proud daughter bragging about her father. That’s really sweet, isn’t it? Most teenagers complain about their parents, but this Florida girl took to Facebook right away to express her joy about an $80,000 age-discrimination lawsuit her father won from a former employer, a posh private school. She had plenty of classmates at the school who saw the post. She wrote,
 Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.
It’s so nice that a young girl wants to travel in Europe for the summer…all that history and culture…and the food…
Oh. Oops. The school’s administrators and lawyers also got to see her message. The lawyers were not amused, so they invoked the confidentiality order and voided her father’s settlement.
Read more on our blog about dumb things people post.
TIPS
A Florida drug dealer shared a selfie of himself in his car with a wad of cash and illegal drugs in his lap. Through the window of the car, you can plainly see a sheriff’s vehicle pulled alongside. He posted it to Facebook with a comment about how easy it was to deal drugs under cops’ noses. His friends probably got a good laugh out of that, and I’ll bet he got plenty of likes and shares.
Oh. Oops. This guy must not have heard that Facebook has privacy settings, and he apparently didn’t know that he could tweak the settings for Friends only. Since his newsfeed was set to public, that nosy Sheriff’s office was able to see the photos. They must have gotten a good laugh from it, too.
TIP:
Who doesn’t love spending a rainy afternoon watching videos of their favorite celebrities in compromising positions? Rihanna’s sex video, and that crazy Justin Bieber…what will he think of next? Filling out a little survey is no inconvenience. And if you don’t like it, there’s that famous Dislike button you can download for free. Never mind the unwanted toolbar that comes with it!
It is heartening to know that people are concerned about privacy, and many of them shared it with this notification. Too bad it was meaningless.
In response to the new Facebook guidelines I hereby declare that my copyright is attached to all of my personal details, illustrations, graphics, comics, paintings, photos and videos, etc. (as a result of the Berner Convention). For commercial use of the above my written consent is needed at all times!…
Unfortunately, sad things are also shared. This past week, 24 million people shared a video that claimed to be the last good-bye from Robin Williams. It is a fake meant to scam people out of their personal data.
// <![CDATA[
(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = “//connect.facebook.net/en_US/all.js#xfbml=1”; fjs.parentNode.insertBefore(js, fjs); }(document, ‘script’, ‘facebook-jssdk’));
// ]]>
Many avast! users were incredulous that this type of scam could still happen, and indeed, this video and others of it’s ilk are fakes. Cybercrooks use our morbid curiosity to tempt us into clicking on wall posts, videos, and links.
TIPS
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
This week in security news saw two of the scariest targets for hacks ever – nuclear plants and city-wide traffic systems. The stories delivered the goods, too — the traffic-light hack could basically have been carried out by anyone, and paralyze any one of 40 American cities, and America’s  Nuclear Regulatory Commission was successfully attacked three times within the past three years, by unknown attackers, some foreign – and largely using standard phishing emails and similar techniques. It is still unknown who the attackers were.
In terms of novel malware, it was a bit of a dry week (always a good thing) bar the return of scareware  – this time armed with an even more annoying method of making you pay up.
In Cologne, gamers gathered for Gamescom – and ESET’s Aryeh Goretsky took a look at how gaming has evolved, and cybercrime along with it, with discussions of gold-farming, theft of virtual goods, and how gaming companies are now fully awake to the threat of cybercrime.
Often, when one reads a paper behind a cybercrime story, it’s disappointing – not so in the case of the novel attack against city-wide traffic systems described by University of Michigan researchers, which is genuinely terrifying. Little skill was required – radios are unencrypted, or used default passwords, and control units had known vulnerabilities.
An attacker, like the film’s ‘crew’ on robbery, could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.
The researchers at the University of Michigan, who say that networked traffic systems are left vulnerable by unencrypted radio signals and factory-default passwords, and that access to individual lights – or even a city-wide attack, as in the film, is possible, according to Time’s report.
“This paper shows that these types of systems often have safety in mind but may forget the importance of security,†the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.
Over the past months, ‘scareware’ – windows that warn users that their machine is infected, then, ironically, persuade them to download malware – has dropped, says Microsoft, as users wise up.
But a new variant, Win32/Defru has a different and simpler approach on how to trick the user and monetize on it. Basically, it prevents the user from using the internet – it displays warning windows instead of sites. Now that really is cruel.
The malware targets 300 websites, and when a user tries to access them, they instead see the following fake message, ““Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene.â€
Rogue AV is still found – indeed ESET has been repeatedly ‘honored’ with fake scareware versions of  of its products such as when ESET researchers discovered a Trojan packaged to look like antimalware products,  – but Microsoft reports that in the past 12 months, scareware had fallen out of fashion.
Microsoft researcher Daniel Chipiristeanu says, “Lately we’re seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families,  It’s likely this has happened due to the anti-malware industry’s intense targeting of these rogues in our products, and better end-user awareness and security practices.â€
Chipiristeanu says that “education†has played a part – but new gangs have simply moved on to new methods to target victims.
Silent Circle, makers of Blackphone, are not smarting overly from their handset’s humiliation, it seems – and their mission to stop everyone spying on us continues. They have support, it seems - a poll of 2,000 people found that almost all of us believe we are being spied on, and about a third would pay to stop it.
Privacy issues have become an increasing concern outside the security community – in part thanks to revelations of government surveillance, as discussed by ESET researcher Stephen Cobb. Silent Circle carried out the survey in May this year, via OnePoll and found that 88% of UK workers believe their calls and texts are being listened to, versus 72% of Germans – it’s not clear by whom.
Nearly a third – 31% – of Germans would pay for a service which guaranteed their texts and calls were not being listened to. In Britain, 21% would do so. Germany is traditionally more privacy-conscious – services such as Google StreetView are not permitted there.
The scandal over Facebook’s Messenger app – and the overstated responses of many media outlets, served to highlight this. Cosmopolitan writes, “Basically, it can control your whole phone. And, most scarily of all, CALL PEOPLE.†Cosmopolitan had not been previously known for its concern with online privacy.
The spear-phishing attacks against the Nuclear authority were hardly hacker whizkid territory, but nonetheless, hundreds fell for them.
CNET reports that one incident led 215 employees of the nuclear agency to “a logon-credential harvesting attempt,†hosted on “a cloud-based Google spreadsheet.†The information was obtained through a specific request by NextGov. A second spearphishing attack targeted specific employees with emails crafted to dupe them into clicking a link which led to malware on Microsoft’s cloud storage site SkyDrive.
The third attack was a spearphishing attack directed at a specific employee. Once his account credentials were obtained, emails were sent to 15 further employees, with malware-laced PDFs.
“It’s still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action.
NRC spokesman David McIntyre said that his security team “thwarts†most such attempts.
Our last story really is the stuff of conspiracy theorist’s dreams: the very next day after Malaysia Airlines Flightt MH370 disappeared, “sophisticated†malware was used to steal documents from government officials working the case.
A mysterious attacker in China purloined “classified documents†in “significant amounts”, details of which remained vague – stoking the fires of conspiracy still further.
The Malaysian Star claims that the attack targeted officials with a PDF document which appeared to be a news report about Flight MH370, and was sent to a group of investigators. Around 30 computers were infected by the malware.
“We received reports from the administrators of the agencies telling us that their network was congested with e-mail going out of their servers,†CyberSecurity Malaysia chief exec Dr Amirudin Abdul Wahab said.
“Those e-mail contained confidential data from the officials’ computers, including the minutes of meetings and classified documents. Some of these were related to the Flight MH370 investigation.â€
Business Insider says that the attack occurred one day after the Boeing 777 went missing, and took the form of an .exe file disguised as a PDF (a common office file format).
It’s unclear who the attacker – or attackers – were, but information from infected computers was transmitted to an IP address in China. Officials in Malaysia blocked the transmission, The Star said.
The post Week in security: Nuclear attack, scareware back and traffic-light hack appeared first on We Live Security.
