Wednesday, October 18, 2017

Tag: Analysis

You don't want this pony Image: iStock A form of ransomware which also contains a data stealing Trojan has been updated to become more effective at attacking business targets with new techniques including the ability to install malware and encrypt mach...
Ransomware infections like Cerber are becoming an increasing problem for businesses. Image: Check Point

The majority of organisations which become infected by ransomware will give in to the demands of cybercriminals, for reasons ranging from the importance of the encrypted data to the perceived low cost of ransom payments. However, some companies have discovered the hard way that cybercriminals are not to be trusted: many have paid hackers to decrypt their files only to find that they never get their data back.

The figures on reactions to ransomware from Trend Micro follow a surge in cyberattacks using file-encrypting malicious software over the last year, which has resulted in it becoming the largest threat to cybersecurity, as demonstrated by Locky infections against high-profile targets.

While three quarters of organisations which haven't been the victim of a ransomware attack say they wouldn't give in to the demands of hackers if infected, it seems that those who do suffer a ransomware infection change their tune: two thirds of companies which have fallen victim to such an attack have paid up.

Companies fear the repercussions of losing the data, with 37 percent of organisations worried about being fined if data were lost. The fact that quietly paying a ransom could mean that the business doesn't need to go public about a breach could also be a factor.

Another reason given for doing business with cybercriminals is that the encrypted data is highly confidential: a third of those who've paid hackers gave this as the reason, while almost as many view the cost of a ransom as low enough to justify paying as a means of avoiding any further issues.
According to the Trend Micro figures unveiled at CloudSec London, the average ransom demanded is £540 ($722), usually requested in Bitcoin, although 20 percent of organisations reported ransom demands of £1,000 ($1,338). For many companies, the figure simply represents a reasonable amount to pay in order to get potentially sensitive data back from hackers. However, this can backfire: if hackers know they can extort money from a particular company, they could attack it repeatedly and demand payment each time.

"When faced with a ransom situation, most organisations simply cannot afford to part with the encrypted data and are forced to fork out the requested amount, often more than once.

Caving in to the demands of cyber-extortionists only reassures them of their strategy and perpetuates the threat cycle," says Bharat Mistry, cybersecurity consultant at Trend Micro.

If it wasn't already obvious that cybercriminals aren't exactly trustworthy, Trend Micro's figures suggest that of those companies which paid a ransom to hackers, one in five never got their data back.

There is however a silver lining: of those companies which refused to give in to hackers' ransom demands, 60 percent said they were able to retrieve data from backups, and there are also schemes run by security firms which provide decryption keys for certain types of ransomware for free. Meanwhile, in a quarter of cases, the company deemed the data being held to ransom not valuable or confidential enough to be worth paying for.

Organisations affected by ransomware estimate they spent 33 hours on average fixing the issues caused by the infection. Trend Micro's figures are based on a survey of 305 IT decision makers at organisations with over 1,000 employees in the UK.
The Sir Francis Drake Hotel in San Francisco is one of the Kimpton Hotels affected by the malware. Kimpton Hotels Kimpton Hotels has become the latest hotel operator to ...
MICROSOFT HAS taken the trouble to warn Windows users about an attack that takes what trust people have left in the software and throws it out of the window.

The firm explained that the problem involves macros and the use of social engineering. People are tricked into downloading and then enabling malicious content that ultimately leads to trouble when they innocently use Word.

"Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigation investments in Windows," said the firm in a Microsoft TechNet blog post, suggesting that this is a cheap shot by hackers. "Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. We recently came across a threat that uses the same social engineering trick but delivers a different payload."

Microsoft explained that the payload's primary purpose is to change the user's browser proxy server setting, which could result in the theft of authentication credentials or other sensitive information, since the attacker's proxy then sits in the path of the victim's web traffic.

"We detect this JScript malware as Trojan:JS/Certor.A. What's not unique is that the malware gets into the victim's computer when the victim clicks the email attachment from a spam campaign," the post said.

Microsoft added that people really ought not to click on links from people or outfits that they do not know or trust.

This is good, if perhaps hoary and often ignored, advice. "To avoid attacks like we have just detailed, it is recommended that you only open and interact with messages from senders and websites that you recognise and trust," explained the firm. "For added defence-in-depth, you can reduce the risk from this threat by following [our] guidance to adjust the registry settings to help prevent OLE Embedded Objects executing altogether or running without your explicit permission."

Just don't click untrusted links, people.
Wildfire ransomware has plagued victims in The Netherlands and Belgium. Image: McAfee Labs

Victims of the Wildfire ransomware can get their encrypted files back without paying hackers for the privilege, after the No More Ransom initiative released a free decryption tool.

No More Ransom runs a web portal that provides keys for unlocking files encrypted by various strains of ransomware, including Shade, CoinVault, Rannoh, Rakhni and, most recently, Wildfire. Aimed at helping ransomware victims retrieve their data, No More Ransom is a collaborative project between Europol, the Dutch National Police, Intel Security, and Kaspersky Lab.

Wildfire victims are served with a ransom note demanding payment of 1.5 Bitcoins -- the cryptocurrency favoured by cybercriminals -- in exchange for unlocking the encrypted files. However, cybersecurity researchers from McAfee Labs, part of Intel Security, point out that the hackers behind Wildfire are open to negotiation, often accepting 0.5 Bitcoins as payment.

Most victims of the ransomware are located in the Netherlands and Belgium, with the malicious software spread through phishing emails aimed at Dutch speakers.

The email claims to be from a transport company and suggests that the target has missed a parcel delivery -- encouraging them to fill in a form to rearrange delivery for another date.

It's this form which drops Wildfire ransomware onto the victim's system and locks it down.

A spam email used to infect victims with Wildfire. Image: McAfee Labs

Researchers note that those behind Wildfire have "clearly put a lot of effort into making their spam mails look credible and very specific" - even adding the addresses of real businesses in The Netherlands - arousing suspicion that there are Dutch-speaking actors involved in the ransomware campaign.

Working in partnership with law enforcement agencies, cybersecurity researchers were able to examine Wildfire's control server panel, which showed that in a one-month period the ransomware infected 5,309 systems and generated revenue of 136 Bitcoins (€70,332).

Researchers suggest that the malicious code -- which contains instructions not to infect Russian-speaking countries -- means Wildfire operates as part of a ransomware-as-a-service franchise, with the software likely leased out by developers in Eastern Europe.

Whoever is behind Wildfire, victims no longer need to pay a ransom in order to get their files back, with the decryptor tool now available to download for free from the No More Ransom site.

The tool contains 1,600 keys for Wildfire, and No More Ransom says more will be added in the near future.
More often than not, hackers will demand a ransom payment be made in Bitcoin Image: Proofpoint Ransomware is booming. Be it Locky, CryptXXX or one of the countless other variants of the data-encrypting malware, cybercriminals are making hundreds of th...
Microsoft's PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated. The banking Trojan is identified as "Trojan-Proxy.PowerShell.Agent.a" and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab's Global Research and Analysis Team, in a Securelist blog post on Thursday. The banking Trojan is being delivered via a phishing campaign in which emails masquerade as a receipt from a mobile carrier.

A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run. In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said.

Those changes in the system are made using a PowerShell script. The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL. "It's the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script," Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome. The malware has no command and control communication.

Instead, once the .PIF file is launched, the "powershell.exe" process is spawned with the command line "-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1".

This is an attempt to bypass PowerShell execution policies, Assolini said. The switch sets the policy for that one PowerShell process, so a restrictive machine-wide policy does not stop the script from running.

For Firefox, the malware changes the prefs.js file in the user's profile, inserting the malicious proxy setting. After being infected by "Trojan-Proxy.PowerShell.Agent.a", if a user tries to access any of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.

The proxy domains used in the attack use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks, according to Assolini. According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016. “Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection,” notes a Securelist post from March.

That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect. Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.
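Both the Certor.A write-up earlier on this page (a script whose job is to rewrite the browser's proxy setting) and the PowerShell banking Trojan above leave the same two artefacts a defender can hunt for: a powershell.exe launch with -ExecutionPolicy Bypass and -File pointing into a temp directory, and a Firefox prefs.js rewritten to force traffic through a manual proxy. The Python below is an added example written for this page, not code from Kaspersky, Microsoft or the malware authors. The process records, the prefs.js contents, the proxy hostname and the short dynamic-DNS suffix list are all constructed for illustration; the user_pref names are Firefox's real ones.

```python
"""Triage for the artefacts described above:
(1) powershell.exe started with -ExecutionPolicy Bypass -File <script in a temp dir>
(2) a Firefox prefs.js rewritten to use a manual proxy on a dynamic-DNS host.
All sample inputs here are constructed for this example."""
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon-style): (image path, command line).
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\599D.tmp\599E.ps1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\Scripts\inventory.ps1"),          # benign admin script
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Constructed prefs.js as the Trojan would leave it; the pref names are real Firefox prefs,
# the hostname is invented.
SAMPLE_PREFS_JS = r'''
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "banco-atualiza.ddns.net");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "banco-atualiza.ddns.net");
user_pref("network.proxy.ssl_port", 8080);
'''

EXEC_POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+(?:Bypass|Unrestricted)", re.I)
SCRIPT_ARG = re.compile(r'-File\s+("[^"]+"|\S+)', re.I)
TEMP_DIRS = ("temp", "tmp")  # directory names where a dropped script would live


def suspicious_powershell(image: str, cmdline: str) -> list[str]:
    """Return the reasons a process record looks like the loader above (empty list = clean)."""
    reasons = []
    if not image.lower().endswith("powershell.exe"):
        return reasons
    if EXEC_POLICY_BYPASS.search(cmdline):
        reasons.append("execution policy bypassed")
    m = SCRIPT_ARG.search(cmdline)
    if m:
        # PureWindowsPath splits on backslashes on any host OS.
        parts = [p.lower() for p in PureWindowsPath(m.group(1).strip('"')).parts]
        if any(p in TEMP_DIRS for p in parts):
            reasons.append("script run from a temp directory")
    return reasons


PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs_js(text: str) -> dict:
    """Parse user_pref(...) lines into a dict: strings unquoted, booleans and ints converted."""
    prefs = {}
    for key, raw in PREF_LINE.findall(text):
        raw = raw.strip()
        if raw.startswith('"'):
            prefs[key] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw)
    return prefs


# Assumption: a small watch list of dynamic-DNS suffixes; a real deployment would use a fuller one.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".dyndns.org")


def proxy_findings(prefs: dict) -> list[str]:
    """Flag a manual proxy (type 1) or PAC URL (type 2) and any proxy host on dynamic DNS."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)  # 5 = use system settings (Firefox default)
    if ptype == 1:
        findings.append("manual proxy configured")
    elif ptype == 2:
        findings.append(f"PAC configured: {prefs.get('network.proxy.autoconfig_url')}")
    for key in ("network.proxy.http", "network.proxy.ssl"):
        host = prefs.get(key, "")
        if host.endswith(DYNDNS_SUFFIXES):
            findings.append(f"{key} points at dynamic-DNS host {host}")
    return findings


if __name__ == "__main__":
    for image, cmd in SAMPLE_PROCESSES:
        r = suspicious_powershell(image, cmd)
        print("ALERT" if r else "ok   ", cmd, r)
    print(proxy_findings(parse_prefs_js(SAMPLE_PREFS_JS)))
```

Internet Explorer and Chrome take the system proxy from the ProxyEnable, ProxyServer and AutoConfigURL values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so the same dynamic-DNS and PAC checks apply to a registry export of that key; only the Firefox side is parsed here because it is the one the article quotes a file for.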
CONSTANT SECURITY WATCHDOG Kaspersky Lab has once again shaken us with its talk of Android users and the vulnerabilities they face. Ever-vigilant Kaspersky has uncovered a banking trojan that is making itself available via Google AdSense and forces itself on users with no interaction, like a smack in the face.

"This morning we encountered a gratuitous act of violence against Android users. By simply viewing their favourite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," said the Kaspersky researchers in a blog post. "It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network - not just news sites - to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it.

"But anyone can register their ad on this network - they just need to pay a fee. And it seems that didn't deter the authors of the Svpeng trojan from pushing their creation via AdSense. The trojan is downloaded as soon as a page with the advert is visited."

These kinds of attacks are not new, and Kaspersky blurted out an alert about an incident at the Meduza news portal in July which has since been fixed.

"The Svpeng family of banking trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions. After being installed and launched, it disappears from the list of installed apps and requests the device's admin rights," the post continued. "Svpeng can steal information about the user's bank cards via phishing windows, intercept, delete and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer) and counteract mobile security solutions that are popular in Russia by completing their processes.

"In addition, Svpeng collects an impressive amount of information from the user's phone: the call history, text and multimedia messages, browser bookmarks and contacts."
A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware.

Technical support scams try to convince people to buy expensive software to fix imaginary problems.

But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.

He told the BBC he wanted to waste the man's time to make the scheme unprofitable.

Scareware

Technical support scams are designed to scare people into buying useless and sometimes harmful software.

Scammers send out emails, create fake websites or place advertisements online, falsely warning people that their computers have been infected with viruses.

They encourage victims to contact "technical support" via a supplied telephone number or email address.

"In most cases, the scammer's objective is to convince you that your machine is infected and sell you a snake-oil security product," Mr Kwiatkowski told the BBC.

Not fooled

When Mr Kwiatkowski's parents stumbled across one such website, he decided to telephone the company and pretend he had been fooled.

The "assistant" on the telephone tried to bamboozle him with technical jargon and encouraged him to buy a "tech protection subscription" costing 300 euros (£260).

Mr Kwiatkowski told the assistant that he could not see his credit card details clearly and offered to send a photograph of the information.

But he instead sent a copy of Locky ransomware disguised as a compressed photograph, which the assistant said he had opened.

"He says nothing for a short while, and then... 'I tried opening your photo, nothing happens.' I do my best not to burst out laughing," Mr Kwiatkowski wrote in his blog.

Tips for avoiding scareware

- Be suspicious of messages on web pages that tell you your device has been infected by viruses or has other problems
- Be suspicious of advertisements that masquerade as system messages
- Avoid clicking on links and attachments in emails from unknown senders
- Contact your device or operating system manufacturer directly for advice

Timewaster

"I respond to email scam attempts most of the time, but this was the first time I responded to one over the telephone," Mr Kwiatkowski told the BBC.

"I'm curious about how criminals operate and what they're trying to accomplish.

"More often than not it ends up being fun and there's social utility in wasting their time. I believe that if more people respond and waste their time, their activities might not be profitable enough to continue."

Mr Kwiatkowski said he could not be absolutely certain whether the ransomware had infected the scammer's computer, but there was a fair chance it had.

"He did not let on that something had happened to his computer, so my attempt is best represented as an unconfirmed kill," said Mr Kwiatkowski. "But encrypting a whole file system does take some time."

He acknowledged that some people may have found his retaliation unethical, but said responses had been "mostly positive".

"People respond well to the story because this is such a David versus Goliath setting," he said.

However, Professor Alan Woodward from the University of Surrey warned that "hacking back" could have consequences.

"There's a lot of talk around hacking back - and while it may be very tempting, I think it should be avoided to stay on the right side of the law.

"But wasting their time on the phone I have no problem with. I even do that myself!"
A RUSSIAN CHAP is on trial for his alleged involvement in $170m worth of fraudulent credit card purchases. Roman Seleznev is the son of a Russian lawmaker, which might make things awkward.

The US wants him, and is starting a jury trial this week. Seleznev faces a 40-count indictment for allegedly masterminding a multi-company hacking organisation that took millions of dollars from many victims. He was indicted in 2014 along with Sergei Nicolaevich Tšurikov and others.

Tšurikov has already been sentenced. "A leader of one of the most sophisticated cyber crime rings in the world has been brought to justice and sentenced," said US attorney Sally Quillian Yates in an FBI report at the time. "In just one day in 2008, an American credit card processor was hacked in perhaps one of the most sophisticated and organised computer fraud attacks ever conducted. "Almost exactly one year later, the leaders of this attack were charged.

This prosecution was successful because of the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide." The credit card processor was RBS WorldPay, and the mayhem lasted for a month.

Financial outfits usually lose that kind of money only when it comes to dishing out worker bonuses. Seleznev was injured in an explosion at a café and has undergone some years of surgery and recovery. We bet he felt really positive about the future when he was given the all clear from the doctors.
Still, at least he will be well used to institutional food. He now faces a federal jury trial, to which 11 further counts have been added since 2014's proceedings. Associated Press reported that the trial is expected to last for two weeks, but Seleznev is low on English and will need an interpreter, so we can probably add a day or two to that estimate. Others from the same gang have already felt the pinch of the law on their collars.
A new swathe of US hotels has fallen prey to point-of-sale (PoS) malware which may have exposed customer financial data. 20 US hotels operated by HEI Hotels & Resorts on behalf of Starwood, Marriott, Hyatt and InterContinental may have leaked the fin...