Home Tags Austria

Tag: Austria

Cambium Networks renews commitment to DACH region with expansion of Connecting...

Tabatha von Kouml;lichen has been appointed as Regional Sales Director DACH to lead the initiative Munich, GERMANY, 20 July 2017 – Cambium Networkstrade;, a leading global provider of trusted wireless solutions that connect the unconnected, today announced the appointment of Tabatha von Kouml;lichen as its Regional Sales Director for the regions of Germany, Austria, Switzerland (DACH), reporting to Alessio Murroni, Senior Sales Director for Europe.Based in Munich, Germany, von Kouml;lichen will drive sales of Cambium... Source: RealWire

Austria wants to spy on messaging apps, Australia not far behind

Austria has asked experts for ideas on how to draft laws so police can spy on messaging apps like WhatsApp and Skype for criminal activity.

Basefarm acquires The unbelievable Machine Company, the leading Big Data and...

LONDON – 13 June, 2017 - Basefarm today announced their acquisition of the Berlin-based The unbelievable Machine Company (*um), the leading service provider for Big Data, cloud and managed cloud services in Germany and Austria. With the acquisition, Basefarm extends their target market from the Nordics and the Netherlands to include Germany and Austria, thus becoming a leading European player. The combined business will have ~100m€ in revenues this year in addition to a wider... Source: RealWire

What Interests Children Online

As part of this report, we analyze the collected data in our quest for the answer to the question of what interests the current generation of children online.

aicomp is Partner of Europe’s biggest Developers Conference

Wien/Walldorf, May 2nd 2017 – On the 11th and 12th of May of this year, over 3,000 developers, IT specialists, IT managers, and IT leaders, will come together at Austria’s largest developers conference (www.wearedevelopers.org), discussing the newest developments on the Web, as well as on the software market.

The aicomp group is a strongly growing software and consulting company, and as a partner, exhibitor, and presenter, we bring information and information seekers together.Inspiration through exchangeOn... Source: RealWire

Spam and phishing in 2016

2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant.

These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

baramundi software recorded 20% growth in 2016

Augsburg, 01/26/2017 – baramundi software – a leading provider of endpoint management solutions – today announced it grew its sales by more than 20 percent compared to 2015.
In addition, it welcomed more than 400 new customers across Europe and 2 UK partners.
In order to keep up with business growth and surging customer demand, the company also hired 21 new employees and opened a branch in Vienna, Austria, in line with its expansion plans."We... Source: RealWire

Researchers work to save trusted computing apps from keyloggers

SGX needs I/O protection, Austrian boffins reckon Intel's Software Guard Extensions started rolling in Skylake processors in October 2015, but it's got an Achilles heel: insecure I/O like keyboards or USB provide a vector by which sensitive user data could be compromised. A couple of boffins from Austria's Graz University of Technology reckon they've cracked that problem, with an add-on that creates protected I/O paths on top of SGX. Instead of the handful of I/O technologies directly protected by SGX – most of which have to do with DRM rather than user security – the technology proposed in Samuel Weiser and Mario Werner's Arxiv paper, SGXIO, is a “generic” trusted I/O that can be applied to things like keyboards, USB devices, screens and so on. And we're not talking about a merely esoteric technology that might soothe the fears of people running cloud apps on multi-tenant infrastructure. The Weiser/Werner proposal would create an SGX-supported trusted path all the way to a remote user's browser to protect (for example) an online banking session – and provide “attestation mechanisms to enable the bank as well as the user to verify that trusted paths are established and functional.” SGXIO as a way to protect a banking app The shortcoming SGXIO is trying to fix is that SGX's threat model considers everything outside itself a threat (which isn't a bad thing, in context). The usual approach for trusted paths is to use encrypted interfaces. The paper mentions the Protected Audio Video Path (PAVP) – but that's a DRM-specific example, and most I/O devices don't encrypt anything. Hence SGXIO, an attempt to add a generic trusted path to the SGX environment – and with that trusted path reaching to the end user environment, it's an attempt to protect an application from nasties like keyloggers that a miscreant might have installed on a victim's box. The key architectural concepts in SGXIO are: A trusted stack – which contains a security hypervisor, secure I/O drivers, and the trusted boot (TB) enclave; and The virtual machine – hosting an untrusted operating system that runs secure user applications. A user application communicating with the end user: 1. Opens an encrypted channel to the secure I/O driver; 2. This tunnels through the untrusted operating system, and establishes secure communication with the “generic” user I/O device. The hypervisor binds user devices exclusively to I/O; I/O on unprotected devices passes directly through the hypervisor; the trusted path names both the encrypted user-app-to-driver communication; and the exclusive driver-to-device binding; The TB enclave provides assurance of the trusted path setup, by attesting the hypervisor. The paper illustrates this process like this: SGXIO's trusted stack components An implementation wouldn't be seamless: the SGXIO paper devices a fair chunk of copy to application design, enclave programming (fortunately something Intel provides resources for), driver design, and hypervisor choice. Application developers, for example, have to work out a key exchange mechanism (Diffie-Hellman is supported, and SGXIO offers its own lightweight key protocol). For hypervisors, the paper suggests the seL4 microkernel. Originally developed by Australia's NICTA and now handled by the CSIRO Data61 project, seL4 is a mathematically verified software kernel that was published as open source software in 2014. SGXIO will get its first public airing at the CODASPY'17 conference in March, being held in Scottsdale Arizona. ® Sponsored: Customer Identity and Access Management

Wick Hill Feature: Delivering Secure Wi-Fi

Tony Evans from Wick Hill (part of the Nuvias Group) highlights the risks of Wi-Fi and provides some advice for delivering a secure hotspot

The fact that Wi-Fi stands for Wireless Fidelity hints at how long Wi-Fi has been around, but it was only in 1999 that the Wi-Fi Alliance formed as a trade association to hold the Wi-Fi trademark, under which most products are sold.

Today, Wi-Fi is on the top of the list of must-haves for businesses of all types and sizes. People will simply vote with their feet if good and, usually free, Wi-Fi is not available.

But this demand for anytime, anyplace connectivity can mean that some of us are prepared to jump onto Wi-Fi hotspots at cafes, hotel, airports or company guest networks, with only a fleeting consideration of security – a fact that has not gone unnoticed by cyber criminals.

There are over 300,000 videos on YouTube alone explaining how to hack Wi-Fi users with tools easily found online.

Risks from unprotected Wi-Fi:

Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP, make for easy targets because these passwords are notoriously easy to crack. Hotspots that invite us to log in by simply using social network credentials are increasingly popular, as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.

Eavesdropping
Without encryption, Wi-Fi users run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected network.

Rogue Hotspots
Cyber criminals can set up a spoof access point near your hotspot with a matching SSID that invites unsuspecting customers to log in leaving them susceptible to unnoticed malicious code injection.
In fact, it is possible to mimic a hotspot using cheap, portable hardware that fits into a backpack or could even be attached to a drone.

Planting Malware
There are common hacking toolkits to scan a Wi-Fi network for vulnerabilities, and customers who join an insecure wireless network may unwittingly walk away with unwanted malware.

A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information.

Data Theft
Joining an insecure wireless network puts users at risk of losing documents that may contain sensitive information.
In retail environments, for example, attackers focus their efforts on extracting payment details such as credit card numbers, customer identities and mailing addresses.

Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications.

Adult or extremist content can be offensive to neighbouring users, and illegal downloads of protected media leave the businesses susceptible to copyright infringement lawsuits.

Bad Neighbours
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if the initial victim is oblivious to the threat.

Best practices
There are established best practices to help secure your Wi-Fi network, alongside a drive, from companies such as WatchGuard, to extend well-proven physical network safeguards to the area of wireless, providing better network visibility to avoid blind spots.

Implementing the latest WPA2 Enterprise (802.1x) security protocol and encryption is a must, while all traffic should, at a minimum, be inspected for viruses and malware, including zero day threats and advanced persistent threats.

Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.

The use of strong passwords, which are changed frequently, should be encouraged, along with regular scanning for rogue Access Points (APs) and whitelisting MAC addresses, when possible.

WatchGuard’s latest cloud-managed wireless access points also have built-in WIPS (Wireless Intrusion Prevention System) technology to defend against unauthorised devices, rogue APs and malicious attacks, with close to zero false positives.

While WIDs (Wireless Intrusion Detection Systems) are common in many Wi-Fi solutions, WIDs require manual intervention to respond to potential threats.

This may be OK for large organisations with IT teams that can manage this, however WIPs is a fully-automated system, which makes it far more attractive to SMEs and organisations such as schools and colleges.

Using patented, Marker Packet wireless detection technology, WatchGuard WIPS differentiates between nearby external access points and rogue access points.
If a rogue access point is detected, all incoming connections to that access point are instantly blocked. WIPS also keeps a record of all clients connecting to the authorised access points, so if a known device attempts to connect to a malicious access point, the connection is instantly blocked. WIPS will also shut down denial-of-service attacks by continuously looking for abnormally high amounts of de-authentication packets.

Wi-Fi as a marketing tool
While Wi-Fi networks have traditionally been viewed as part of the IT infrastructure and the responsibility of the IT department, the latest Wi-Fi systems deliver more than just connectivity, which makes them an attractive proposition for customer services and marketing departments.

For example, the WatchGuard Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics and also makes it possible to have direct communication with individual customers in the form of SMS, MMS or social networks.

And with customised splash pages, businesses can personalise the customer Wi-Fi experiences by offering promotional opportunities or surveys and promoting all-important branding.

It is clear that Wi-Fi is here to stay and is becoming much more than simply a way to get online. While the rapid speed of Wi-Fi adoption has led to a disconnect between physical and wireless security, this is now changing and there is no longer any excuse for providing insecure Wi-Fi.

ENDS

About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.

The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.

Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners.

This includes strong lead generation and conversion, technical and consultancy support, and comprehensive training. Wick Hill has its headquarters in the UK and offices in Germany and Austria. Wick Hill also offers services to channel partners in fourteen EMEA countries and worldwide, through its association with Zycko, as part of Nuvias Group, the pan-EMEA, high value distribution business, which is redefining international, specialist distribution in IT.

For further press information, please contact Annabelle Brown on 01326 318212, email pr@wickhill.com Wick Hill https://www.wickhill.com

Cryptsetup Vulnerability Grants Root Shell Access on Some Linux Systems

A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data. Cryptsetup, a utility used to setup disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they’re likely vulnerable. Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria. According to the researchers, the script with the vulnerability (CVE-2016-4484) is in the Debian cryptsetup package 2:1.7.2-3 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs – a simple RAM file system directory, are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable, they just haven’t tested them yet. The problem stems from the incorrect handling of a password check when a partition is ciphered with LUKS, or Linux Unified Key Setup, a disk encryption specification that’s standard for Linux. Assuming an attacker has access to the computer’s console, when presented with the LUKS password prompt, they could exploit the vulnerability simply by pressing ‘Enter’ over and over again until a shell appears. The researchers say the exploit could take as few as 70 seconds. After a user exceeds the maximum number of three password tries, the boot sequence continues normally. Another script in the utility doesn’t realize this, and drops a BusyBox shell. After carrying out the exploit, the attacker could obtain a root initramfs, or rescue shell. Since the shell can be executed in the initrd, or initial ram disk, environment, it can lead to a handful of scary outcomes, including elevation of privilege, information disclosure, or denial of service. The researchers warn that the vulnerability is especially dangerous in public situations. “This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse,” the vulnerability disclosure reads. All an attacker would need in those instances – assuming the system is running Linux – would be access to the keyboard or mouse, Marco and Ripoll say. Tourist information kiosks or airport check in kiosks could be prime targets, the two write. While an attacker would have to have physical access to carry out the attack in most instances, the two warn that in some cloud environments, like those deployed by Ubuntu, the vulnerability could be exploited without physical access. Users can remedy the vulnerability by fixing the cryptroot script file – /scripts/local-top/cryptroot – directly, suspending execution forever, according to the researchers. It’s unclear when a true fix will make its way to the Linux distributions. Neither Debian or Ubuntu immediately returned a request for comment on the vulnerability Tuesday. Marco and Ripoll claim they reported the issue to Debian two weeks ago and while the distribution fixed it, the researchers claim they don’t fully agree with the way it did it. “This is just one of the problems that the boot sequence has in GNU/Linux. It is too permissive on errors, that is. There is the general idea that if the user has physical access to the computer, then the user IS THE OWNER of the computer (this dates from the very beginning of computing). The IoT will dramatically change this assumption,” Marco and Ripoll told Threatpost. “When Windows detects an error… it just shows the blue screen… which is very bad if you are a developer but it is the best solution for 99.9% of the users. Shall the system be developer/hacker friendly, or user secure?”

Spam and phishing in Q3 2016

 Download the full report (PDF) Spam: quarterly highlights Malicious spam Throughout 2016 we have registered a huge amount of spam with malicious attachments; in the third quarter, this figure once again increased significantly.

According to KSN data, in Q3 2016 the number of email antivirus detections totaled 73,066,751. Most malicious attachments contained Trojan downloaders that one way or another loaded ransomware onto the victim’s computer. Number of email antivirus detections, Q1-Q3 2016 The amount of malicious spam reached its peak in September 2016.

According to our estimates, the number of mass mailings containing the Necurs botnet alone amounted to 6.5% of all spam in September.

To recap, this kind of malicious spam downloads the Locky malware to computers. Most emails were neutral in nature. Users were prompted to open malicious attachments imitating bills supposedly sent by a variety of organizations, receipts, tickets, scans of documents, voice messages, notifications from stores, etc.
Some messages contained no text at all.

All this is consistent with recent trends in spam: fraudsters are now less likely to try and impress or intimidate users to make them click a malicious link or open an attachment.
Instead, spammers try to make the email contents look normal, indistinguishable from other personal correspondence.

Cybercriminals appear to believe that a significant proportion of users have mastered the basics of Internet security and can spot a fake threat, so malicious attachments are made to look like everyday mail. Of particular note is the fact that spam coming from the Necurs botnet had a set pattern of technical email headers, while the schemes used by the Locky cryptolocker varied a lot.

For example, the five examples above contain the following four patterns: JavaScript loader in a ZIP archive loads and runs Locky. Locky is loaded using a macro in the .docm file. Archived HTML page with a JavaScript script downloads Locky. Archived HTML page with a JavaScript script downloads the encrypted object Payload.exe, which runs Locky after decryption. Methods and tricks: links in focus IP obfuscation The third quarter saw spammers continue to experiment with obfuscated links.

This well-known method of writing IP addresses in hexadecimal and octal systems was updated by scammers who began to add ‘noise’.

As a result, an IP address in a link may end up looking like this: HTTP://@[::ffff:d598:a862]:80/ Spammers also began to insert non-alphanumeric symbols and slashes in domain/IP addresses, for example: http://0122.0142.0xBABD/ <a href=/@/0x40474B17 URL shortening services Spammers also continued experimenting with URL shortening services, inserting text between slashes.

For example: Sometimes other links were used to add text noise: The use of search queries Some spammers have returned to the old method of hiding the addresses of their sites as search queries.

This allows them to solve two problems: it bypasses black lists and makes the links unique for each email.
In the third quarter, however, spammers went even further and used the Google option “I’m Feeling Lucky”.

This option immediately redirects users to the website that’s displayed first in the list of search results, and it can be activated simply by adding “&btnI=ec” to the end of the link.

Clicking on the link redirects users to the spammer’s site rather than to the page displayed in the Google search results.

The advertising site itself is obviously optimized to appear first in the search results.

There could be lots of similar queries within a single mass mailing. The example above involves yet another trick.

The search query is written in Cyrillic.

The Cyrillic letters are first converted to a decimal format (e.g., “авто” becomes “Авто”), and then the whole query in decimal format, including special symbols, are converted to a hexadecimal URL format. Imitations of popular sites The third quarter saw phishers trying to cheat users by making a link look similar to that of a legitimate site.

This trick is as old as the hills.
In the past, real domain names were distorted very slightly; now, cybercriminals make use of either subdomains imitating real domain names or long domains with hyphens.
So, in phishing attacks on PayPal users we came across the following domain names: Phishing attacks targeting Apple users included the following names: Spammers have also found help from new “descriptive” domain zones, where a fake link can seem more topical and trusted, for example: Testers required Q3 email traffic contained mass mailings asking users to participate in free testing of a product that they could then keep.

The authors of the emails we analyzed were offering popular goods such as expensive brand-name home appliances (coffee machines, robot vacuum cleaners), cleaning products, cosmetics and even food. We also came across a lot of emails offering the chance to test the latest models of electronic devices including the new iPhone that was released at the end of the third quarter.

The headers used in these mass mailings include: “Register to test & keep a new iPhone 7S! Wanted:! IPhone 7S Testers”.

The release of the latest iPhone was met with the usual surge of spam activity dedicated exclusively to Apple products. The largest percentage of spam in the third quarter – 61.25% – was registered in September #KLReport Tweet The people sending out these messages are in no way related to the companies whose products they use as bait. Moreover, they send out their mass mailings from fake email addresses or from empty, newly created domains. The senders promise to deliver the goods for testing by post, and using this pretext they ask for the recipient’s postal and email addresses as well as other personal information.

A small postal charge in is imposed on the user, but even if the goods are delivered, there is no guarantee they will be good quality.

There are lots of posts on the Internet by users saying they never received any goods, even after paying the postage costs.

This has an element of old-fashioned non-virtual fraud: the cybercriminals receive money transfers under the pretext of a postal charges and then disappear. Gift certificates to suit all tastes Spam traffic in Q3 included some interesting mailings using the common theme of fake gift certificates. Recipients were offered the chance to participate in an online survey in return for a certificate worth anything from ten to hundreds of euros or dollars.

They were led to believe that the certificates were valid for large international retail chains, online hypermarkets, grocery stores, popular fast-food chains as well as gas stations. In some cases, the senders of these fraudulent messages said they were carrying out a survey to improve the customer support services of the organizations that were allegedly behind these generous offers, as well as to improve the quality of their products.
In other cases, the message was described as a stroke of luck and that the recipient’s email address was randomly selected for a generous gift as a mark of appreciation for using the brand’s goods or services.

The messages were indeed randomly sent out to email addresses that had been collected by spammers, and did not necessarily belong to customers of the companies named in emails. To confirm receipt of the gift certificate, the user is asked to follow a link in the email which in fact leads to an empty domain with a descriptive name (e.g. “winner of the day”).

Then, via the redirect, the user ends up at a newly created site with a banner designed in the style of the brand that supposedly sent out the mailing.

The user is notified that the number of certificates is limited and that they have only 90 seconds to click on a link, thereby agreeing to receive the gift.

After completing a short survey asking things such as “How often do you use our services?” and “How are you planning to use the certificate?” the user is asked to enter their personal data in a form.

And finally the “lucky winner” is redirected to a secure payment page where they have to enter their bank card details and pay a minor fee (in the case we analyzed the sum was 1 krone). In Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots #KLReport Tweet According to online reviews, some potential victims of this type of certificate fraud were asked to call a number to participate in a telephone survey rather than an online survey.

This type of fraudulent scheme is also quite common: the idea is to keep someone on the paid line for as long as possible until they give up on the promised reward. Like the offers to participate in the testing of goods, these themed messages were sent out from fake addresses with empty or newly created domains that had nothing to do with the organizations in whose name the cybercriminals were offering the certificates. Statistics Proportion of spam in email traffic Percentage of spam in global email traffic, Q2 and Q3 2016 The largest percentage of spam in the third quarter – 61.25% – was registered in September.

The average share of spam in global email traffic for Q3 amounted to 59.19%, which was 2 p.p. more than in the previous quarter. Sources of spam by country Sources of spam by country, Q3 2016 In Q3 2016, the contribution from India increased considerably – by 4 p.p. – and became the biggest source of spam with a share of 14.02%.
Vietnam (11.01%, +1 p.p.) remained in second place.

The US fell to third after its share (8.88%) dropped by 1.9 p.p. As in the previous quarter, fourth and fifth were occupied by China (5.02%) and Mexico (4.22%) respectively, followed by Brazil (4.01%), Germany (3.80%) and Russia (3.55%).

Turkey (2.95%) rounded off the TOP 10. Spam email size Breakdown of spam emails by size, Q2 and Q3 2016 Traditionally, the most commonly distributed emails are very small – up to 2 KB (55.78%), although the proportion of these emails has been declining throughout the year, and in Q3 dropped by 16 p.p. compared to the previous quarter. Meanwhile, the proportion of emails sized 10-20 KB increased considerably from 10.66% to 21.19%.

The other categories saw minimal changes. Malicious email attachments Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications.
So we have decided to turn to the more informative statistics of the TOP 10 malware families to trigger mail antivirus.
TOP 10 malware families Trojan-Downloader.JS.Agent (9.62%) once again topped the rating of the most popular malware families.

Trojan-Downloader.JS.Cryptoload (2.58%) came second.
Its share increased by 1.34 p.p.

As in the previous quarter, Trojan-Downloader.MSWord.Agent (2.34%) completed the top three. The popular Trojan-Downloader.VBS.Agent family (1.68%) fell to fourth with a 0.48 p.p. decline.
It was followed by Trojan.Win32.Bayrob (0.94%). TOP 10 malware families in Q3 2016 A number of newcomers made it into the bottom half of this TOP 10. Worm.Win32.WBVB (0.60%) in seventh place includes executable files written in Visual Basic 6 (in both P-code and Native modes) that are not recognized as trusted by KSN.

The malware samples of this family are only detected by Mail Anti-Virus.

For this type of verdict File Antivirus only detects objects with names that are likely to mislead users, for example, AdobeFlashPlayer, InstallAdobe, etc. In Q3 2016 India (14.02%) became the biggest source of spam #KLReport Tweet Trojan.JS.Agent (0.54%) came eighth.

A typical representative of this family is a file with .wsf, .html, .js and other extensions.

The malware is used to collect information about the browser, operating system and software whose vulnerabilities can be used.
If the desired vulnerable software is found, the script tries to run a malicious script or an application via a specified link. Yet another newcomer – Trojan-Downloader.MSWord.Cryptoload (0.52%) – occupied ninth place.
It is usually a document with a .doc or .docx extension containing a script that can be executed in MS Word (Visual Basic for Applications).

The script includes procedures for establishing a connection, downloading, saving and running a file – usually a Trojan cryptor. Trojan.Win32.Agent (0,51%), which was seventh in the previous quarter, rounded off the TOP 10 in the third quarter. Countries targeted by malicious mailshots Distribution of email antivirus verdicts by country, Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots, although its share continued to decline – by 1.48 p.p. in Q3. Japan (8.76%), whose share increased by 2.36 p.p., moved up to second.

China (8.37%) in third saw its share drop by 5.23 p.p. In Q3 2016, fourth place was occupied by Russia (5.54%); its contribution increased by 1.14 p.p. from the previous quarter.
Italy came fifth with a share of 5.01%.

The US remained in seventh (4.15%).

Austria (2.54%) rounded off this TOP 10. Phishing In Q3 2016, the Anti-Phishing system was triggered 37,515,531 times on the computers of Kaspersky Lab users, which is 5.2 million more than the previous quarter. Overall, 7.75% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2016. Geography of attacks China (20.21%) remained the country where the largest percentage of users is affected by phishing attacks.
In Q3 2016, the proportion of those attacked increased by 0.01 p.p. Geography of phishing attacks*, Q3 2016 *Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country The percentage of attacked users in Brazil decreased by 0.4 p.p. and accounted for 18.23%, placing the country second in this rating. UAE added 0.88 p.p. to the previous quarter’s figure and came third with 11.07%.
It is followed by Australia (10.48%, -2.29 p.p.) and Saudi Arabia (10.13%, +1.5 p.p.). TOP 10 countries by percentage of users attacked: China 20.21% Brazil 18.23% United Arab Emirates 11.07% Australia 10.48% Saudi Arabia 10.13% Algeria 10.07% New Zealand 9.7% Macau 9.67% Palestinian Territory 9.59% South Africa 9.28% The share of attacked users in Russia amounted to 7.74% in the third quarter.
It is followed by Canada (7.16%), the US (6.56%) and the UK (6.42%). Organizations under attack Rating the categories of organizations attacked by phishers The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component.
It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases.
It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity.

After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.
In Q3 of 2016, the share of the ‘Financial organizations’ category (banks, payment systems, online stores) accounted for more than half of all registered attacks.

The percentage of the ‘Banks’ category increased by 1.7 p.p. and accounted for 27.13%.

The proportion of ‘Online stores’ (12.21%) and ‘Payment systems’ (11.55%) increased by 2.82 p.p. and 0.31 p.p. respectively. Distribution of organizations affected by phishing attacks by category, Q3 2016 In addition to financial organizations, phishers most often attacked ‘Global Internet portals’ (21.73%), ‘Social networking sites’ (11.54%) and ‘Telephone and Internet service providers’ (4.57%). However, their figures remained almost unchanged from the previous quarter – the change for each category was no more than a single percentage point. Hot topics this quarter Attacks on users of online banking The third quarter saw the proportion of attacked users in the ‘Banks’ category increase significantly – by 1.7 p.p.

The four banks whose clients were attacked most often are all located in Brazil.

For several years in a row this country has ranked among the countries with the highest proportion of users attacked by phishers, and occasionally occupies first place. Naturally, online banking users are priority targets for cybercriminals, since the financial benefits of a successful attack are self-evident. Links to fake banking pages are mostly spread via email. Example of a phishing email sent on behalf of a Brazilian bank.

The link in the email leads to a fake page that imitates the login page to the user’s banking account
‘Porn virus’ for Facebook users At the beginning of the previous quarter, Facebook users were subjected to phishing attacks.

Almost half a year later, the same scheme was used by fraudsters to attack users in Europe.

During the attack, a provocative adult video was used as bait.

To view it, the user was directed to a fake page (a page on the xic.graphics domain was especially popular) imitating the popular YouTube video portal. Example of a user being tagged in a post with the video This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information.

The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name. Phisher tricks Carrying on from the second quarter, we continue to talk about the popular tricks of Internet fraudsters.

The objectives are simple – to convince their victims that they are using legitimate resources and to bypass security software filters.
It is often the case that the more convincing the page is for the victim, the easier it is to detect with a variety of technologies for combating fraudsters. Nice domains We have already described a trick whereby spammers use genuine-looking links in emails to spread phishing content.

Fraudsters often resort to this technique regardless of how the phishing page is distributed.

They are trying to mislead users, who do actually pay attention to the address in the address bar, but who are not technically savvy enough to see the catch. The main domain of the organization that is being attacked might be represented, for example, by a 13th-level domain: Or might simply be used in combination with another relevant word, e.g., secure: These tricks help deceive potential victims, though they make it much easier to detect phishing attacks using security solutions. Different languages for different victims By using information about the IP address of a potential victim, phishers determine the country in which they are located.
In the example below, they do so by using the service http://www.geoplugin.net/json.gp?ip=. Depending on the country that has been identified, the cybercriminals will display pages with vocabulary in the corresponding language. Examples of files that are used to display a phishing page in a specified language The example below shows 11 different versions of pages for 32 different locations: Example of a script used by phishers to display the relevant page depending on the location of the victim TOP 3 attacked organizations Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies. The TOP 3 organizations attacked most frequently by phishers accounted for 21.96% of all phishing links detected in Q3 2016. Organization % of detected phishing links Facebook 8.040955 Yahoo! 7.446908 Amazon.com 6.469801 In Q3 2016, Facebook (8.1%, +0.07 p.p.) topped the ranking of organizations used by fraudsters to hide their attacks. Microsoft, the leader in the previous quarter, dropped out of the TOP 3.
Second place was occupied by Yahoo! (7.45%), whose contribution increased by 0.38 p.p.

Third place went to Amazon, a newcomer to the TOP 3 with 6.47%. Conclusion In the third quarter of 2016, the proportion of spam in email traffic increased by 2 p.p. compared to the previous quarter and accounted for 59.19%.

The largest percentage of spam – 61.25% – was registered in September.
India (14.02%), which was only fourth in the previous quarter, became the biggest source of spam.

The top three sources also included Vietnam (11.01%) and the US (8.88%). The top three countries targeted by malicious mailshots remained unchanged from the previous quarter.

Germany (13.21%) came first again, followed by Japan (8.76%) and China (8.37%). In Q3 2016, Kaspersky Lab products prevented over 37.5 million attempts to enter phishing sites, which is 5.2 million more than the previous quarter.

Financial organizations were the main target, with banks the worst affected, accounting for 27.13% of all registered attacks.

The most attractive phishing targets in Q3 2016 were clients of four banks located in Brazil.

Android patches fix Drammer RAM attack, but not Dirty Cow exploit

Google released a new monthly batch of security patches for Android, fixing a dozen critical vulnerabilities that could allow attackers to compromise devices. One of the mitigated issues is a bit-flipping attack against memory chips that could lead to privilege escalation, but a more widespread rooting vulnerability in the Linux kernel remains unpatched. While Google releases firmware updates for its Nexus and Pixel devices on the first Monday of every month, the security patches are shared with third-party device manufacturers one month in advance and are also contributed later to the Android Open Source Project to benefit the entire ecosystem. Like it has done in recent months, Google has split this month’s security fixes into several “security patch levels,” to make it easier for manufacturers to deploy only fixes that apply to specific devices.

The security patch level is a date string displayed in Android’s settings under “About phone” and indicates that the firmware contains all Android security patches up to that date. The new 2016-11-01 patch level contains fixes for flaws in Android’s own components.
It addresses two critical vulnerabilities, 16 high-risk flaws and 10 medium-risk ones. One of the critical flaws is located in the Mediaserver component, which has been a major source of serious Android vulnerabilities over the past year.

The flaw can be exploited by tricking users into downloading or opening a specially crafted media file. The second critical flaw is located in the libzipfile library and could enable malicious applications to execute code within the context of a privileged process.

This can lead to a full device compromise that requires reflashing the operating system to fix. The second patch level is 2016-11-05 and primarily includes fixes for vulnerabilities in kernel drivers for various hardware components.

This level covers 21 critical vulnerabilities, 23 high-risk ones and 10 with a moderate impact. The critical flaws are located in the kernel file system, SCSI driver, media driver, USB driver, ION subsystem, networking subsystem and sound subsystem, as well as in the Nvidia GPU driver and Qualcomm’s crypto driver, bootloader and other components. One of the patches for the ION memory allocator is intended to mitigate a physical attack against DRAM (dynamic random-access memory) chips that could be exploited by applications to gain root access on a device.

The attack is known as Drammer and was devised by researchers from the Vrije Universiteit Amsterdam in the Netherlands, the Graz University of Technology in Austria, and the University of California in Santa Barbara. The third patch level is 2016-11-06 and covers a privilege escalation vulnerability in the memory subsystem of the Linux kernel that was disclosed a few weeks ago.

The flaw, which the security community dubbed Dirty COW (copy-on-write) has existed in the Linux kernel for the past nine years and is already being exploited in the wild. Google has not patched this vulnerability in its Nexus and Pixel devices yet and will probably do it next month. However, device manufacturers can address the flaw by importing the upstream fix that was included in the Linux kernels versions 3.10 and 3.18.

The flaw was disclosed after this month’s patch levels had already been defined, which is why Google refers to the 2016-11-06 patch level as “supplemental.”