3.1 C
Sunday, November 19, 2017

Malware on the Smart TV?

In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs: My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.iff The Reddit post included this image: We immediately got to work trying to figure out if this threat was targeting connected televisions specifically or whether this was an accidental infection. Trying to connect to the webpage mentioned in the URL from the photo does not work — the domain name does not resolve to an IP at the moment. We used our favorite search engine and found many hits while looking for the domain. Besides the host “ciet8jk” (ciet8jk.[maliciousdomain].com), 27 other hosts have been assigned to that domain name and pointed to same IP address. The domain ***-browser-alert-error.com was registered on August 17th 2015. Two days later, an IP address was assigned: It appears that there were just a few days when this scam was online and thus, we’re sure the image from the TV is at least four months old. These kind of attacks are nothing new, so we started looking for a server which is currently online to see what exactly the page tries to do. Unfortunately, we weren’t able to find a live page from that very source, but while searching for the alert message shown in the photo, we found similar domains used for the same scam. A few examples: ***sweeps-ipadair-winner2.com ***-browser-infection-call-now.com The last domain listed is still online but there is no reply from the server.All the domain names mentioned have been blocked by Kaspersky Web Protection for several months. Interestingly, all the IPs belong to Amazon’s cloud (54.148.x.x, 52.24.x.x, 54.186.x.x). Although they used different providers to register the domain, they decided to host the malicious pages in the cloud. This could be because if offers another layer of anonymization, because it’s cheaper than other providers or because they were unsure about the traffic and needed something scaleable. Still unable to find a live page, we kept searching for parts of the alert message and one hit took us to HexDecoder from ddecode.com. This is a webpage that de-obfuscates scripts or entire web pages. To our surprise, all previous decodings were saved and are publically viewable. This led to a decoded script and the original HTML file. The script checks the URL parameters and displays different phone numbers based on the location of the user. Phone numbers: DEFAULT (US)          : 888581****France                         : +3397518****Australia                      : +6173106****UK                               : +44113320****New Zealand               : +646880****South Africa                : +2787550**** The JavaScript selecting the phone number was uploaded to Pastebin on July 29th 2015 and it includes all the comments that were also present in the sample we got from HexDecoder. This is another indicator that this is not a new threat. Now having the right sample, we took a look on a test machine and got this result, which is quite close to what we can see on the image from the SmartTV: The page loads in any browser and displays a popup dialog. As you can see above, it even works on Windows XP. If you try to close the dialog or the window, it will pop up again. We also ran the file on a LG Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, that changed the browser or network settings. Keep in mind that you should never call those numbers! You might get charged per minute or someone at the end of the line might instruct you to download and install even more malware onto your device. So in this case, it’s not a new type of malware specifically targeting Smart TVs, but a common threat to all internet users. There are also reports that this scam has hit users on Apple MacBooks; and since it runs in the browser, it can run on Smart TVs and even on smartphones. These kinds of threats often get combined with exploits and may take advantage of vulnerabilities in the browser, Flash Player or Java. If successful, they may install additional malware on the machine or change DNS settings of your system or home router which may lead to similar symptoms. Such behaviour could not be observed in this case, since they malicious pages have been removed already.Keep in mind, there might be vulnerabilities in the software on your TV! Therefore it’s important to check if your device is up to date. Make sure you installed the latest updates for your Smart TV! Some vendors apply updates automatically, while others leave it to the user to trigger the update manually. There is malware that works on Smart TV, but it’s not really “in the wild” at the moment. There are several reasons why criminals focus on PC and smartphone users instead of Smart TVs: Smart TVs are not often used to surf the web and users seldom install any app from web pages other than the vendor’s App Store – as it is the case with mobile devices Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS. Hardware and OS may even change from series to series, causing malware to be incompatible. There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices. But remember, for example, that it’s possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV. In a nutshell, this case isn’t malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you’re using.Keep your eyes open!

Eight Arrested In Eastern Europe Over ATM Malware Attacks

January 07, 2016 Share this article: Tyupkin ATM trojan Europol has announced the takedown of an international criminal group believed to be behind a series of ATM malware attacks dating back to at least 2014. Said to be one of the first operations of this type in Europe, it resulted in multiple house searches and arrests in Romania and the Republic of Moldova. Using malware dubbed Tyupkin, the suspects were allegedly able to empty cash from ATM machines on demand following the successful installation of a trojan. Called “ATM jackpotting”, the exploit allowed attackers to empty infected machines by issuing commands via the machine's pin pad. The malware was identified in 2014 by Kaspersky Lab following a request from a financial institution to investigate multiple attacks in eastern Europe. At the time of the investigation, Kaspersky reported that it had found the malware on more than 50 ATMs at banks in eastern Europe, but based on listings at VirusTotal, it was convinced that the virus had been deployed in the US, India, China, Russia, Israel, France and Malaysia. However, according to a video posted on YouTube, the affected manufacturer may be NCR. We reported in March 2015 that the Russian Ministry of Internal Affairs had made the identification of the Tyupkin malware gang a priority as they targeted an increasing number of ATMs in the country. Kaspersky said that the attackers were able to install the malware via a bootable CD after gaining physical access to the PC inside the cash dispenser. The malware enabled users to check the amount of cash in each cash cassette in the machine and dispense up to 40 notes at a time. It also had its own security built in by requiring the user to enter a session key based on a random seed and a secret algorithm before it would accept any commands. The criminal investigation was conducted by Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), assisted by Europol, Eurojust and other European law enforcement authorities. Wil van Gemert, Europol's Deputy Director Operations, commented: "Over the last few years we have seen a major increase in ATM attacks using malicious software. The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes. To match these new technologically savvy criminals, it is essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations". This article originally appeared on SC Magazine UK.

Canadian Cyberthreats Differ From Those In The U.S.

January 06, 2016 Share this article: Researchers at Trend Micro examined Canada's threat landscape including malware and its dark web. The U.S. and Canada both see their fair shares of malware such as Dridex and other banking trojans, but there was one threat conspicuously absent from Canada's list of common threats - ransomware While prominent in the U.S., ransomware is just not a thing north of the border Trend Micro researchers revealed in it Canada threat landscape report. “For whatever reasons the market forces just aren't driving them in that direction,” Christopher Budd, global threat communications manager at Trend Micro, told SCMagazine.com. Though the report didn't specify a reason for ransomware's absence, Budd hinted that cost-benefit analyses by cybercriminals could show that using ransomware may have a low-yield because Canadians are not culturally attuned to falling victim such attacks. Budd pointed out that ransomware attacks have worked their way around the globe, initially rising to prominence in New Zealand and the U.K., before cybercriminals used it to target Americans. So, it is possible that Canadians may be targeted more in the future, he said. OpenCandy (see chart at left) adware toolbar and Dridex malware are currently the most prominent threats in Canada. Cybercriminals in the U.S. influence the Canadian threat landscape by providing the infrastructure for hosting malicious content. And the majority of malicious sites that Canadians visit are predominantly hosted in the U.S. - malicious hosting in Canada simply isn't as sophisticated as it is in other countries.   Underground toolkits and infrastructure services such as VPN services, botnet toolkits and DDoS services aren't widely found in Canada, the researchers said. And, the study showed, there is little market for violent crimes for hire in Canada's dark web. Budd said it's likely that cybercriminals look to the U.S. for toolkits and infrastructure services, noting, “If you have a mature marketplace where you can buy what you need there's no need to build a new one.” The parts of the dark web hosted in Canada are primarily focused on the sale of fake and stolen documents and credentials such as driver's licenses, passports and dumps of personal information. 

BlackEnergy Drains Files From Ukraine Media, Energy Organizations

Malware writers are wiping hard drives of Ukraine media outlets and energy companies using a cocktail of backdoors. Eset threat bod Anton Cherepanov says VXers are attacking the unnamed organisations with the BlackEnergy trojan's new KillDisk component, capable of destroying some 4000 different file types and rendering machines unbootable. The attackers are hitting specific files and documents journalists and staff are likely to have stored on their machines. Cherepanov says attackers have set a delayed execution for when the 35 file types will be erased, along with Windows logs and settings, and the miscreants are also overwriting a specific industrial control software executable. "ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry," Cherepanov says . The researcher also found a previously unknown SSH backdoor attackers used as an alternative to BlackEnergy for accessing infected systems. Build identity numbers suggest possible Russian links, but ESET avoids confirming the attribution. BlackEnergy was first discovered in 2007 and has undergone capability upgrades from a basic distributed denial of service attack malware to a polished modular trojan over ensuing years. Targets in Ukraine and Poland have been attacked through known and unknown vulnerabilities and vectors, the company says. The attack software can install rootkits and defeat Windows' user access control and driver signing requirements. ® Youtube Video Sponsored: Building secure multi-factor authentication

Social Networks – A Bonanza for Cybercriminals

What do you think when you receive yet another spam or phishing message on your mobile phone? Most likely it is: “Who are these people, and how on earth did they get my phone number?” Initially, suspicion usually falls on an unscrupulous employee at some organization that you gave your number to. However, it’s not uncommon for spammers and cybercriminals to use a database harvested from a social network using special software, rather than a “leaked” database of cellphone subscribers. Information security experts, including us, have for years reiterated: cybercriminals can make use of any information that you publish about yourself on a social network. However, a huge amount of users still continue to share news and a plethora of personal information with their virtual friends as well as incidental onlookers. This may lead to unpleasant and, at times, unforeseen consequences. To show that this isn’t just scaremongering, let me offer an example from the recent activities of our cybercrime investigation team. A run-of-the-mill cybercrime This autumn, we helped law enforcement agencies halt the activities of a small Russian cybercriminal gang that specialized in distributing Android malware and stealing money from online banking accounts. The group’s plan of action was fairly straightforward: they used a database of cellphone numbers they already had to send short messages containing a link to a banking Trojan. If infected successfully, the mobile device became part of a botnet, and the Trojan began to search for information about any banking services used by the victim, collecting any data required to access them. The cybercriminals then had the relatively simple task of transferring the victim’s money to their own accounts. It is interesting to note that none of the cybercriminals were professional programmers. When people talk about hackers and stealing money, an image springs to mind of some corrupt programmer who writes malicious code and then uses it to infect the devices of unwitting users. This time, however, we are not talking about professionals with the relevant education and experience. Instead, we assume they spent just enough time on public hacking forums to garner the information and tools required to commit cybercrimes. One of the tools they employed is of particular interest: it is a parser program that harvests mobile phone numbers from public profiles on the popular Russian social network VKontakte. With the help of this tool, the cybercriminals have created a database of cellphone numbers that was later used to send malicious messages. As far as we know, the social network was the sole source of information from which the cybercriminals harvested their data. A post on a popular Russian hacker forum advertising an app to harvest the phone numbers of social network users Russian cybercriminal forums (especially the open forums frequented by amateur fraudsters) have loads of adverts offering this type of software for sale or rent. It is capable of collecting and structuring all valuable information about users, including their first and last names, all published contact data and profile settings – not just mobile phone numbers. The availability of this information offers cybercriminals plenty of opportunities for fraud. The most obvious ways the gathered data can be used are: sending spam (including both advertising and malicious spam), stealing money through premium SMS services, and creating fake SIM cards. In less than a year the cybercriminals have managed to steal an estimated 600,000 RUR (approximately $8,500). This is a relatively small amount compared to the millions stolen by larger, more advanced cybercriminal groups. However, in this case it is not the amount of money stolen that defines the scope of the problem, but rather the number of similar non-professional cybercriminal groups that are conducting the same sort of activity. Judging by the user complaints that get posted on the support forums of online banks, dozens of these criminal groups appear to be operating. Beyond Russia The fact that these types of fraudulent activities mostly take place in Russia and neighboring countries does not mean there is nothing to fear for people living in other countries. For instance, the early banking Trojans for PCs and mobile devices mostly targeted users living in Russia. However, with time the Russian-language cybercriminals behind those Trojans either radically changed their target “audience” and switched to residents of other countries, or expanded it by creating versions that targeted the residents of other countries. The criminal group we are looking at used an application that collected the personal information of users from just one social network – VKontakte. However, there are offers on hacking forums for similar tools designed to collect data from other social networks, including Facebook and Instagram. So, it is quite possible that similar schemes exploiting data collected from public sources are already emerging in countries beyond the former Soviet Union, or are likely to emerge in the near future. An advert posted on a popular Russian public hacking forum offering a parser program designed to harvest users’ mobile phone numbers and other information from Instagram The countries at most risk include those where pre-paid phone contracts are prevalent and various SMS services are popular, including those that allow bank card operations via SMS. What to do? In summary, we would like once again to urge users to publish as little information about themselves in social networks as possible. In particular, do not publish your mobile phone number, or remove it if you already have. This will not completely eliminate the problem of cybercriminals harvesting users’ personal information from social networks, but at least it prevents the easiest ways of stealing your money. If you or your family and friends use mobile banking services, you should also apply these basic security measures: Block installation of apps from third-party sources on the Android device you use for mobile banking; Set withdrawal limits for your bank account; Restrict or disable the sending of text messages to premium-rate numbers; Use a reliable security solution capable of protecting your device from infections. If you should still fall victim to an attack and your money is stolen, contact the appropriate law enforcement agencies. It is important you do this, because we are seeing an ominous trend: the broad availability of various tools, including malicious ones, and the perceived anonymity of cybercrime create a false sense of security in cybercriminals, which is only exacerbated by the passive attitude of the victims. This encourages an increasing number of people to start acting as cybercriminals in the hope of easy gains. The more cybercriminals that are arrested for these illegal activities, the more obvious it will be that cybercrime doesn’t pay and those contemplating it will be less likely to start committing crimes on the web. This will help make the Web a safer place.

Riddle Of Cash-For-Malware Offer In New Raspberry Pi Computers

The Raspberry Pi Foundation was offered cash to smuggle malware onto its bargain-basement credit-card-size computers, we're told. Liz Upton, the Foundation's director of communications, today revealed an email from a "business officer" called Linda, who promised a "price per install" for a suspicious executable file. "Amazing. This person seems to be very sincerely offering us money to install malware on your machines," said Liz. The name of the company Linda claimed to represent was redacted, so we are unable to check the veracity of the offer. Plus the email, dated Wednesday, does contain a number of odd details – like writing exe. rather then .exe, and using "u" in place of "you." Some of the language also points to someone whose first language is not English. Amazing. This person seems to be very sincerely offering us money to install malware on your machines. pic.twitter.com/1soL0MIc5Z — Raspberry Pi (@Raspberry_Pi) December 23, 2015 It's fair to say Linda's approach wasn't exactly professional. However, the offer seems genuine, and it shines a light on the murky world of paid-for malware distribution. There are countless examples of software nasties being installed on systems via unrelated applications – toolbars and spyware bundled with legit-looking apps, mainly. Sometimes the developer directly plants the dodgy code, but more often than not the malware comes from a third-party willing to pay for access to PCs and devices. While some malware is relatively benign and easy to remove, others severely compromise computers – allowing them to hold files to ransom, snoop on passwords, hide within operating systems, and so on. Some ad-injecting software nasties even come bundled with new PCs, right, Lenovo? More than five million Raspberry Pis have been sold to date, which is quite an install base. The Foundation declined Linda's offer, and described her company as "evildoers." ® Sponsored: Building secure multi-factor authentication

Java Plug-In Malware Alert To Be Issued By Oracle

Image copyright JAva logo Image caption ...

Sneaky Skimmer Scam Stings Several Safeway Supermarkets

US grocery chain Safeway has confirmed that registers at several stores in California and Colorado had somehow been fitted with "skimmer" hardware to collect payment card information. According to a report from Krebs on Security citing investigators involved with the case, registers at two stores in northern California and five stores in Colorado were found to have been fitted with the skimming devices. Safeway believes these were unrelated incidents. The source of the devices is not known. The Krebs report noted that the Colorado discovery was only made after bank customers had reported unauthorized cash withdrawals and that reports of the activity have been coming in since September of 2015. Safeway said that no card data had been stolen by either of the two skimmers in California, and that a total of three skimmers had been found in Colorado in November. "When our store teams find evidence of criminal activity like this, we have been able to pinpoint with surveillance video when the devices were installed and how many transactions were processed," Safeway said in a statement to The Register. "We immediately followed the proper protocol of contacting law enforcement and the banks that service the few cards that were used on those pin pads." Safeway is advising customers in Colorado to check their bank statements and report any unauthorized activity. Cash registers and sales terminals have become favorite targets for criminals looking to collect credit card information. Attackers use skimmers or specialized malware packages to collect and then upload card numbers and data for fraudulent transactions or bulk resale online. ® Sponsored: Building secure multi-factor authentication

Microsoft SmartScreen Claims It Can Block Zero-Day Attacks

REDMOND COMPANY Microsoft has approached its customers with some boasts about SmartScreen and how much better it is as protecting people today than it was earlier this week. The firm said that the SmartScreen system has been a capable security option for some time, and has made its bones in protecting against phishing attacks and malware and that kind of thing. Microsoft does not hang about, though, and it has added to this apparently perfect specimen with protection against drive-by zero-day attacks. "SmartScreen has protected users from billions of web-based attacks in the last eight years. Over time, SmartScreen has expanded its scope from phishing attacks and socially engineered malware to include warnings for deceptive advertisements and scam support sites," said the firm in a blogpost. "Today, we're happy to announce that with the latest Windows 10 updates, we've extended SmartScreen to include protection from drive-by attacks in Microsoft Edge and Internet Explorer 11." The extra protection provides coverage against exploit kits, which Microsoft said are common, bad, capable and fast moving. Microsoft, and it ought to know, added that patching does not offer adequate protection against the menace. Or at least it didn't. "Fortunately, Microsoft has cultivated a broad set of data from sources like Microsoft Edge, Internet Explorer, Bing, Defender and the Enhanced Mitigation Experience Toolkit to be able to see these attacks as they emerge, and to turn this information into the intelligence that powers SmartScreen drive-by protection in the browser," explained the firm. "This cross-company data intelligence effort is unique since it brings together information not just about the browsing experience or web infrastructure, but about behavioural telemetry from across the Windows operating system. "This can help us to detect potential attacks in progress and detect emerging threats. With SmartScreen drive-by protection, these types of threats may be prevented before a user is infected, even if a patch isn't yet available." µ

Norway Police Nab Five In Remote Access Trojan Europol Swoop

One of the computers just seized by Norwegian police in its anti-malware operation undergoes analysis. Image: Kripos Norway's Kripos national criminal investigation service today announced the arrest of five males, aged between 16 and 24 years, for possessing, using, and selling malware.Police say they have seized "substantial amounts" of computer equipment for analysis, as well as taken control of several internet accounts. One of those arrested has confessed to running his own web store where malware was sold, according to a Kripos statement. The software found at the addresses of several of those arrested is a type of remote-access Trojan, or RAT, malware, police said. The malware is designed to take control of target computers, logging keystrokes, and harvesting passwords and other personal information. It can hijack webcams in real time, as well as steal documents, images, and videos.Norwegian police said the web store in question offered a packaged product for customers who wanted to infect and control a network of computers, by employing computer viruses and Trojans.The growth of this kind of marketplace has been a source of concern for Norwegian security authorities this year.The country's police action is part of a Europol initiative, called OP Falling sTAR, which is aimed at data criminals all over Europe. This week, arrests have been made in Romania and France, in addition to those in Norway."We've seen young hackers who start up small-scale, but later commit larger and more serious computer crimes. Accordingly, this internationally-coordinated action is an important measure to prevent these types of crime", Kripos computer crime section leader Håvard Aalmo said in a statement.Europol's drive against computer crime targets a number of levels, from organized backers and developers, to young people who possess and use malware. According to Kripos, this work calls for tight international cooperation. Information derived from these Norwegian cases will be shared internationally.Read more about malware

Cybercriminals Will Target Apple In 2016, Say Experts

Image copyright Getty Images Image caption ...

US Embassy Worker Hacked For Sex Images

Image copyright Thinkstock Image caption Ford committed the crimes while working at the US embassy in London A former US official has admitted stalking women and extorting sexually explicit material from them after hacking into their emails.Michael Ford, who worked in the American embassy in London, pleaded guilty to nine charges of cyber-stalking, seven of computer hacking to extort and one of wire fraud.He preyed on sorority members at US universities and aspiring models.Ford used the details he learned after hacking the women to find new victims.Women undressingThe 36-year-old, from Atlanta, in the American state of Georgia, posed as technical support staff from a well-known email company and sent phishing messages to thousands of potential victims.Pretending to be a member of the non-existent account-deletion team, he told them their accounts would be closed unless they sent him their passwords.He then accessed their email and social media accounts in search of explicit photos and other personal information, such as home and work addresses, employment information and details about family members.He used that information to demand additional sexually explicit material, such as videos of the women undressing in changing rooms at pools and shops.Explicit photos If they refused, Ford would respond with escalating threats that included messages such as: "Don't worry, it's not like I know where you live."He also posted explicit photos of the women online or sent them to friends and family.Between January 2013 and May 2015, while employed at the embassy, he hacked into more than 400 online accounts belonging to at least 200 victims and forwarded at least 1,300 messages to himself from those accounts.Arrested in May at Atlanta's airport, preparing to board a flight to London, he was charged in August and had initially pleaded not guilty in September.He will be sentenced on 16 February 2016. The cyber-stalking and hacking charges each carry a maximum of five years in prison, while the wire fraud charge carries up to 20 years in prison. Each of the 17 charges is punishable by a fine of up to $250,000 (£165,000).