Sunday, November 19, 2017

Tag: google

Customers of Virgin Media who are increasingly convinced their service provider has been the victim of a security breach have formed a Facebook group to share their experiences and push for answers. Virgin Media is firmly denying any breach of its systems, but users are equally adamant that the cause of a widespread and ongoing email spoofing problem must be down to a problem with the ISP.

The aggrieved customers say the issues at Virgin Media began in September last year, around the time the service provider migrated from the Google platform to its own. This was accompanied by some spamming, as we reported at the time, but this was only one aspect of a bigger and ongoing mail security problem – at least, according to disgruntled customers. According to this group, Virgin Media somehow managed to leak email addresses and address books held on its servers to hackers. Within days of the migration, ntlworld and blueyonder accounts were spoofed to distribute spam messages in junk mail runs limited to email addresses those users had previously been in contact with.

“Around 70 of us have had our email web accounts compromised and [believe] that the spammer is sending out spoofed email to everyone in our sent/received items,” Simon, a victim of the apparent breach – who says he has worked in IT for 20 years – told El Reg. “Each email to five of these contacts contains a link to a compromised website with the aim of infecting a new PC. A spoofing event happens about every 3-4 weeks causing a large number of bounce-backs to the victim.”

Virgin Media customers started to receive batches of undelivered email reports at the time the service provider changed its email platform last September, and the problem remains unresolved, with spoofed emails still circulating.

Virgin Media: It ain't us, guv

In a statement, Virgin Media acknowledged its customers were experiencing a spoofed messages problem while firmly denying that a breach of its systems had precipitated the unwelcome behaviour:

Ensuring customer data is secure is of utmost importance to Virgin Media. There has been no breach of our systems and our email platform is not the cause of reported email spoofing. We have advised customers how best to protect their email accounts from spoofing.

The change of email platform meant that some emails (e.g. bouncebacks) that Gmail would have delivered to a customer’s junk box became visible in customers' inboxes, a Virgin Media PR representative added.

The statement issued to El Reg dovetails with what the ISP has been telling its customers for months, a line that’s hard to disprove but has nonetheless failed to placate disgruntled users. Simon said the issue has caused him all sorts of inconvenience. He described Virgin’s statement and the position it reflects as “utterly implausible”.

“Virgin have a good description of what spoofing is on their website and are making the claim that the increase post migration is due to the fact that their spam filters are not as good,” he said. “This is just not true as when a spoofing event happens I get several calls / email texts from irate friends, colleagues and customers telling me I’ve been hacked and it’s only happened since the migration.”

“It caused me personally a great amount of embarrassment and there is nothing that can be done to solve the problem now the addresses are out there. In trying to fix the symptoms of the problem, Virgin are now blocking swathes of legitimate email. The whole thing is a disaster and I am about to move to a new email provider, which is a significant pain as this has been my email address for 20+ years,” he concluded.

'Targeted' recipients

Other Virgin Media users caught up in the spamming and spoofing storm remain equally frustrated.

“When we looked at the emails, it was clear we had not sent them – they were spoofs,” explained Kate B, a Virgin Media customer who has also been in touch with El Reg about the issue. “What was more concerning was that the recipients were targeted.

“They were all people who had email contact with the VM account. This includes people who were cc'd in emails sent and received years ago. They were not in any address books,” she added.

Aggrieved punters have been complaining about the issue to Virgin Media, but it has consistently denied any wrongdoing. Instead the ISP is blaming message storm problems on individual customers. Call centre staff are telling aggrieved punters to run various security checks on their computers and to change passwords, actions that don’t really tackle the problem, according to activist customers.

“This is not the issue,” another aggrieved user, AnnHelen P, told El Reg. “These email addresses [are] held in the address books or in emails on the Virgin Media web servers, not from customers’ computers. As a result, spoofed emails are being sent between the email addresses that were captured.

“Also since many of the email addresses leaked have been for email addresses that no longer exist, many of these emails bounce back to the spoofed sender address,” she added.

Complaints to the Information Commissioner

Several customers have complained about Virgin Media to data privacy watchdogs at the Information Commissioner's Office (ICO). Asked to comment on the issue, an ICO spokeswoman told El Reg: “We are aware of this issue and are making enquiries.” She declined to answer follow-up questions from El Reg on whether or not Virgin Media was co-operating with its inquiries, explaining that the ICO has a policy of not commenting on ongoing inquiries.

Virgin Media’s community forums are full of threads on the spoofing/malicious spam issue (examples: "Recieved about 20 of these, has my e-mail or system been hacked, virus, what's going on?" here; "email hacked?" here; "How does spoofer access my contact list?" here; "Outward spam emails being sent from my .ntlworld address" here; and "Email Spam Spoofing" here). Nonetheless, Virgin Media is sticking to its official line (see under email spoofing here) and maintaining that its customers are to blame for any problems they may be experiencing. VM has steadfastly stated there was no data breach but has not provided any information on how it managed to clear itself of any involvement in the ongoing malfeasance, aggrieved customers tell El Reg.

In response, frustrated customers recently started a Facebook group on the issue, dubbed Virgin Media Email Problems - Spoofing, Hacked, Data Breach?. The group is designed to allow people whose emails have been compromised to exchange and pool their experiences.

“We are not getting anywhere with Virgin,” AnnHelen P said. “We do realise that the emails are now out there and nothing can be done about that. We do, however, wish to know exactly what information these hackers were able to access, how it happened in the first place and how widespread this breach is.”

Kate B added: “We are worried there has been a data breach. If VM does not know how it happened, how can they prevent it happening again? We are also very concerned that information was harvested from inside of our old emails... What else was taken?”

She concluded: “We have found it hard to raise the profile of this issue. Many of the people in the group are IT professionals and very savvy; we estimate there are very many others who have been targeted but remain unaware.” ®
"Google stole a small amount of time and attention from a large number of people."
Concern over "dumbing down" of protections because of UK's weaker safeguards.
With many file formats and software popular in 1993 now obsolete and unreadable, company compliance and information governance teams are warned against losing critical digital information forever.

As 90s hit television series The X-Files returns to our screens next month after a 13 year hiatus, digital preservation specialist Preservica has launched an awareness campaign to highlight the danger of file format and software obsolescence, and an impending ‘Digital Dark Age’ – warned against by Google’s Vint Cerf last year.

In conjunction with the new series of the popular US TV show, fans of the original series at Preservica have been pointing out the many changes in software that have occurred since the first episodes of The X-Files aired more than twenty years ago, in 1993. Many popular file formats and software applications popular in 1993 have already disappeared or become obsolete. With technology refresh rates and application de-commissioning programmes beginning to accelerate, critical long-term information and files are now more at risk than ever.

“This has a particular impact on long-term business records that need to be retained for 10 years (or are already 10 years old) for compliance, legal and knowledge reuse,” said Jon Tilbury, CEO at Preservica. “Who could have thought that the systems we were using and trusting back in 1993 would become so obsolete that their files are no longer useable and readable - half a generation’s worth of data lost forever.“

WordStar, Lotus 1-2-3, and Pagemaker are some of the most notable ‘ex-files’ no longer readable, whilst even software that is still used today can no longer support files from older versions – MS Excel Versions 2–5, Photoshop 2 & 3 and even Word (v1, v2, v6). It is not just files, but also media that has rapidly become obsolete: Betamax, floppy disks, smart drives and even now CD-ROMs have all but disappeared or become obsolete.

Discontinued software Wikipedia pages serve to highlight the issue of software and file format obsolescence; however, companies remain unaware of files ‘at risk’ in the future, or future ex-files. Technology analyst Gartner comments: “As formats change, software is retired and hardware becomes obsolete, the data that organizations might want to keep can be lost forever. Government documents are one example, but companies also have information that needs to be preserved in order to eliminate the risk that they will not be readable or usable when required.”

“Preservica has seen a 50% increase in customers using its digital preservation software in the last six months, including major corporations like BT, HSBC, Lloyds Bank and Associated Press, as well as cultural institutions like Yale Library and the Museum of Modern Art (MoMA) in New York. All have recognised the need for a robust digital preservation strategy and software - over and above reliable long-term storage and archiving,” added Jon Tilbury.

Preservica has championed the way in helping organisations address this critical challenge, working with the UK National Archives to build a Technical Registry of file formats and incorporating tools into its digital preservation platform to ensure files can be automatically migrated to newer formats as old formats and programs become obsolete. The Preservica software can now identify and characterise over 800 different formats, and supports over 300 migration pathways. To combat the issues of inaccessible files, the company has developed a white paper, discussing the issues and how to combat them.

About Preservica

Preservica is a world leader in digital preservation technology, consulting and research. Our active preservation solutions are used by leading businesses, archives, libraries, museums and government organisations globally, to safeguard and share valuable digital content, collections and electronic records, for decades to come. These include the UK National Archives, the Met Office, Texas State Archives, Wellcome Library and HSBC, to name a few.

Preservica’s award-winning digital preservation and access software is a complete, standards-based (OAIS ISO 14721) trusted repository that includes connectors to leading Enterprise Content and Records Management systems to ensure long-term usability, trustworthiness and preservation of vital digital records, emails and content.

Visit: www.preservica.com Twitter: @preservica

PR Contact: Ilona Hitel: ihitel@thecommsco.com, +44 (0) 20 8296 1874 or +44 (0) 7734 355205.

Source: RealWire
The US and UK authorities are holding secret negotiations that would allow British domestic spies to tap into servers in the Land of the Free™ when investigating Her Majesty's citizens.

A draft proposal, seen by the Washington Post, would allow MI5 to get access to data stored on overseas computers run by American firms, and conduct live wiretaps if necessary. It's a reciprocal deal, so US agents would also get access to British servers.

Currently, MI5 agents – who primarily tackle bad guys on Blighty's soil – can apply for access to data from US companies under a mutual legal assistance treaty, but it's a lengthy process that can take months. Under the proposed deal, US companies would be compelled to hand over the data on request.

"This has been an issue with the UK and other countries for a number of years," said one senior US administration official. "More and more, UK nationals — including criminals in their country — are using providers like Google, Facebook, Hotmail. The more they are having challenges getting access to the data, the more our US providers are facing a conflict of laws."

The plan may run into legal obstacles however, due to UK law. Wiretap orders don't require a judicial review in the UK – instead they can be issued by the British Home Secretary (the elected official who oversees the police) at her whim.

"What it means is they're going to allow a country that doesn't require independent judicial authorization before getting a wiretap to continue that practice, which seems to be a pretty fundamental constitutional protection in the United States," said Eric King, visiting lecturer in surveillance law at Queen Mary University of London. "That's being traded away."

Curiously, that doesn't seem to bother the US government. The UK "already [has] strong substantive and procedural protections for privacy," an administration official said. "They may not be word-for-word exactly what ours are, but they are equivalent in the sense of being robust protections. We are not weighing into legal process standards in the UK, no more than we would want the UK to weigh in on what our orders look like."

Plenty of people don't agree, not least the NSA whistleblower Edward Snowden. "Last time they did this, we assembled the Minutemen," he commented on Twitter.

US Congress might not agree either, particularly as the White House seems keen to strike a deal with the Brits. Any agreement would require changes to the Wiretap Act and the Stored Communications Act, and the Republican-controlled Congress might decide that that dog just won't hunt. ®
The year in figures

According to Kaspersky Lab, in 2015:
- The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
- 79% of spam emails were no more than 2 KB in size.
- 15.2% of spam was sent from the US.
- 146,692,256 instances that triggered the Anti-Phishing system were recorded.
- Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
- Japan (21.68%) took the lead in the ranking of unique users attacked by phishers.
- 34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).

New domain zones in spam

In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growth in interest among spammers in the New gTLD program launched in 2014. The main aim of this program is to provide organizations with the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone.

This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains. The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.

Spammer tricks: methods for expressing domain names

Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.

In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.

Special features of the IP protocol: different IP formats

The standard way of writing IPv4 addresses is the dotted-decimal format, where the value of each byte is given as a decimal number from 0 to 255 and the bytes are separated by dots. However, there are other formats that browsers will interpret correctly. These are the binary, octal and hexadecimal formats, and the dword/undotted integer format, where every byte of the IP address is first converted to hexadecimal, the bytes are concatenated in the order they appear in the address, and the resulting number is converted to decimal.

All these formats can be combined by writing each part of the IP address in a different way, and the browser will still interpret it correctly. Spammers exploit this: they write the same IP address in many different ways, including combinations of formats:
- oct – hex
- oct – dword
- hex – dword

Addresses in hexadecimal format can be written with and without dots separating the bytes.

Additionally, 4294967296 (256^4) can be added any number of times to the number in integer format, and the result will still be interpreted as the same IP address.

In the decimal format, the number 256 can be added to each part of the IP address any number of times – as long as the result is still a three-digit number, the address will be interpreted correctly.

In the octal format, any number of leading zeros can be added to the IP address, and it will remain valid. You can also insert any number of forward slashes in the address.

Although some legitimate libraries store IP addresses in different formats, any format other than the standard dotted-decimal one is prohibited in URLs (i.e., in the links being referred to).

Obfuscation of an IP address, or how many ways can a number be written in Unicode

We have already written about the obfuscation of key words in spam using various Unicode ranges. The same tricks can be applied when writing IP addresses and domain names. With regard to IP addresses, in 2015 spammers often used Unicode digits from the so-called fullwidth range. Normally, it is used with languages written in ideographic scripts, so that Latin letters and digits do not look too small and narrow next to the ideographs. We also came across digits from other ranges – circled digits, underscored digits, etc.

Obfuscation of domains

As mentioned above, this trick also works with domains. Unicode has even more letter ranges than digit ranges. Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing). To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated the short URL services where the links to the main site were generated in large quantities.

Interpreting URL symbols

URLs contain special symbols that spammers use to add ‘noise’. Primarily, it is the @ symbol, which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol is simply ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name, and mass mailings where the @ symbol was preceded by a random (or non-random) sequence.

It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com.

However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains, the links in emails looked like this: http://learnmore.com-eurekastep.eu/find. If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.

In addition to the @ symbol, scammers filled links with other symbols, for example www.goo&zwj.g&zwjl/0Gsylm. In this case the “&zwj” fragment has been inserted at random positions in the goo.gl domain, making the link unique in each email.
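The filter-side counterpart of the tricks above, as an added example that is not part of the Kaspersky report: a small Python normalizer that reduces a link to the host a browser would actually contact and flags what was done to hide it. It canonicalizes the hex/octal/dword/overflowed IPv4 spellings, detects userinfo before @, the com- lookalike labels, and entity or Unicode noise (zero-width joiner, soft hyphen, fullwidth and circled digits). The function names (analyze_url, clean_host, ipv4_from_host) are my own; spamdomain.com, learnmore.com-eurekastep.eu and www.goo&zwj.g&zwjl are the report's samples, the other inputs are constructed, and the overflow wrap-around models the old-browser behaviour the report describes (modern WHATWG parsers reject overflow instead).

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Invisible characters browsers ignore inside a host: ZWJ, ZWNJ, ZWSP, SHY, BOM.
ZERO_WIDTH = "\u200d\u200c\u200b\u00ad\ufeff"
# HTML entities seen in spam links, with or without the closing ';' (as in goo&zwj.gl).
ENTITY_RE = re.compile(r"&(zwj|zwnj|shy|ordm|sup1|sup2);?", re.IGNORECASE)
ENTITY_MAP = {"zwj": "\u200d", "zwnj": "\u200c", "shy": "\u00ad",
              "ordm": "\u00ba", "sup1": "\u00b9", "sup2": "\u00b2"}
IPV4_PART_RE = re.compile(r"0x[0-9a-f]*|[0-9]+")


def clean_host(host):
    """Undo character-level noise: entities -> characters, drop zero-width
    characters, fold fullwidth/circled/superscript forms to ASCII via NFKC."""
    host = ENTITY_RE.sub(lambda m: ENTITY_MAP[m.group(1).lower()], host)
    host = "".join(ch for ch in host if ch not in ZERO_WIDTH)
    return unicodedata.normalize("NFKC", host).lower()


def parse_ipv4_part(part):
    """One dotted component: 0x-prefixed hex, leading-zero octal, else decimal."""
    if part.startswith("0x"):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)          # ValueError on digits 8/9 -> not an IP
    return int(part, 10)


def ipv4_from_host(host):
    """Return canonical dotted-decimal if host is an IPv4 address in any accepted
    spelling, else None. The last part fills the remaining bytes (1 part = 32 bits,
    2 parts = a.bbb, 3 parts = a.b.cc). Overflow is reduced modulo the field width,
    which is how the 256 / 4294967296 additions come out as the same address."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4 or not all(IPV4_PART_RE.fullmatch(p) for p in parts):
        return None
    try:
        nums = [parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    widths = [8] * (len(nums) - 1) + [8 * (5 - len(nums))]
    value = 0
    for n, w in zip(nums, widths):
        value = (value << w) | (n % (1 << w))
    value %= 1 << 32
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def analyze_url(url):
    """Return (host the browser would contact, list of obfuscation flags)."""
    flags = []
    netloc = urlsplit(url).netloc
    if "@" in netloc:
        flags.append("userinfo-before-@")      # http://google.com@spamdomain.com
        netloc = netloc.rsplit("@", 1)[1]
    raw_host = netloc.split(":")[0]
    host = clean_host(raw_host)
    if host != raw_host.lower():
        flags.append("obfuscated-characters")
    ip = ipv4_from_host(host)
    if ip is not None:
        if host != ip:
            flags.append("non-canonical-ip")
        host = ip
    elif re.search(r"(^|\.)com-", host):
        flags.append("com-hyphen-lookalike")   # learnmore.com-eurekastep.eu
    return host, flags


if __name__ == "__main__":
    # Constructed sample links mixing the tricks described in the report.
    for link in ("http://0x7f000001/", "http://0177.0.0.1/", "http://6425673729/",
                 "http://0xc0.0xa8.257/", "http://google.com@spamdomain.com/anything",
                 "http://learnmore.com-eurekastep.eu/find",
                 "http://www.goo&zwj.g&zwjl/0Gsylm", "http://\uff47\uff4f\uff4f.\uff47\uff4c/x"):
        print(link, "->", analyze_url(link))
```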
This insertion is a zero-width joiner; it is used to combine several individual characters into one in Indic scripts, and in emoji sequences. Within a domain it carries no meaning; it simply obfuscates the link.

Yet another method of obscuring links is the use of a soft hyphen (SHY). In HTML, SHY is a special character that is not visible in the text, but if a word containing it doesn’t fit at the end of a line, the part after the character is moved to the next line and a hyphen is added to the first part. Typically, browsers and email clients ignore this character inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (in hexadecimal encoding).

As well as the soft hyphen, there are other special characters used in domains – the ordinal indicator (&ordm;) and the superscripts 1 and 2 (&sup1;, &sup2;) – which some browsers interpret as the letter “o” and the digits “1” and “2” respectively.

Reiteration of a popular domain name

Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times.

Emails without a URL

It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR code. Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results.

World events in spam

The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered. These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained different graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of a considerable length, were often sent out as attachments to bypass spam filtering.

In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and the earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them. Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.

Statistics

Proportion of spam in email traffic

In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.

Figure: The proportion of spam in email traffic, 2015

The most noticeable drop was registered in the first months of 2015 – from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were inconsiderable – within 1-2 percentage points.

Sources of spam by country

Figure: Sources of spam by country, 2015

In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth, although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share. Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.

As was the case in 2014, Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).

The size of spam emails

Figure: The size of spam emails in 2015

The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.

Malicious attachments in email

Figure: The Top 10 malicious programs spread by email in 2015

The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data, which is then forwarded to cybercriminals.

Trojan-Downloader.HTML.Agent.aax was in second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments and the only difference between them is the link that redirects users to the rigged sites.

Third was Trojan-Banker.Win32.ChePro.ink. This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment, via file-sharing services and via writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm connects directly to the SMTP server of the recipient.

Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer calls in turn. If a call is successful, a malicious EXE file is downloaded into the temp folder and run.

Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.

Malware families

Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.

MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, MSWord.Agent programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as Andromeda. VBS.Agent, as the name suggests, uses an embedded VBS script. To download and run other malware on the user’s computer, the malicious programs of this family utilize the ADODB.Stream technology.

The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Noticeably, in 2014 Andromeda topped the rating of the most widespread malware families.

The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.

Countries targeted by malicious mailshots

Figure: Distribution of email antivirus verdicts by country, 2015

For the previous three years, the Top 3 countries most often targeted by mailshots had remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.), followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.

The biggest surprise in Q3, and the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth with no more than 3.24% of all malicious spam being sent to the country. We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease.

As for the total number of malicious attachments sent via email, their number is likely to grow in 2016, and the theft of personal information and Trojan ransomware will occupy the top places.

Special features of malicious spam

In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent as attachments with a .doc or .xls extension and belonged to the Trojan downloader category, designed to download other malicious programs. As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees from real companies and organizations.

The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents, and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.

In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression, which is used to reduce email sizes to a minimum and bypass spam filtering. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot.iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.

In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.

In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file claiming to contain updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt his files. Another .jar archive contained Backdoor.Adwind, written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.

The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment. With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of different services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim not only to traditional advertising spam but also to virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.

Phishing

Main trends

In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.

Methods of distributing phishing content

The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads.
In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones, but uses pop-up advertising. Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015. The fraudulent page to which the victim is redirected by a pop-up advert Other popular themes of the year As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers. This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money. Phishing email sent on behalf of FedEx The attackers are especially active in this category in the run-up to holidays when people tend to buy presents using popular delivery services. Email tricks Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering. These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations. Example of a phishing email. The body of the message contains only the text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page. We came across numerous PDF files that redirected victims to phishing websites. 
The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file. A phishing email with an attached PDF file containing a redirect to a phishing website The geography of attacks Top 10 countries by percentage of attacked users Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year. The percentage of users on whose computers the anti-phishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2015 Top 10 countries by percentage of attacked users Japan 21.68% Brazil 21.63% India 21.02% Ecuador 20.03% Mozambique 18.30% Russia 17.88% Australia 17.68% Vietnam 17.37% Canada 17.34% France 17.11% Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.). The distribution of attacks by country Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year. Distribution of phishing attacks by country in 2015 Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.), the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.). Organizations under attack The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases. 
Distribution of organizations subject to phishing attacks by category, 2015 In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 pp): they include the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories. Top 3 organizations attacked Organization % of detected phishing links 1 Yahoo! 14.17 2 Facebook 9.51 3 Google 6.8 In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers as they are derived from the original domain name. Conclusion and forecasts In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant. The number of malicious and fraudulent messages, however, will increase. 
It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam. The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.
Insecure commercial and internal mobile app coding practices leave the door wide open to cyber attackers, a security researcher has discovered. A lot of emphasis is placed on the millions of mobile malware samples being detected, but insecure apps could represent an even greater threat, according to an analysis of the top 1,000 apps. “A scan of just over 600 of the top apps so far shows a very obvious and alarming trend,” said James Lyne, global head of security research at Sophos. “Programming practices are pretty bad despite there being ready-made security functionality available to consumers, but this is just not being used,” he told Computer Weekly. Although the study includes relatively few in-house mobile apps, Lyne said that so far, most are lining up with the worst of the commercial applications.

The study compares the maturity of app development in the mobile and traditional desktop worlds, focusing on the use of encryption, data transmission, authentication and data storage. “It is really no surprise that these two worlds are not in alignment, but it is quite shocking how many applications, including large brands, are failing to make use of the security features available on mobile devices,” said Lyne. Despite the existence of easy-to-use application program interfaces (APIs) that will perform proper validation of the transport [layer], most app developers continue to use older, less secure methods of exchanging data. The study shows that an alarming majority of apps are failing to do things such as certificate pinning or public key pinning to prevent man-in-the-middle attacks. “Many developers seem to be using recycled code for making connections that they have simply copied from somewhere that will accept any certificate, enabling attackers to steal data easily on open Wi-Fi connections unless a VPN [virtual private network] connection is being used, but relatively few people do,” said Lyne.
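The contrast Lyne describes, as an added Python example that is not part of the Computer Weekly article or the Sophos study: the copied accept-any-certificate pattern beside a client that keeps normal chain and host name validation and adds a pin on the leaf certificate's SHA-256 fingerprint. The host name and pin values are placeholders, and pinning the leaf certificate (rather than the public key) is this example's choice.

```python
"""Accept-any-certificate client versus a pinned TLS client (added example).

Not from the Sophos study or the Computer Weekly article. It puts the weak,
widely copied pattern next to a hardened client so the difference is visible
in code: the weak one disables verification entirely; the hardened one keeps
the platform's chain validation and additionally requires the server's leaf
certificate to match a small, pre-shipped set of SHA-256 fingerprints.
"""
import hashlib
import hmac
import socket
import ssl

# Placeholder values (assumed, not from any real service): the app ships the
# SHA-256 of the server's DER-encoded leaf certificate plus one backup pin so
# a planned certificate rotation does not lock users out.
PINNED_HOST = "api.example.invalid"
PINNED_FINGERPRINTS = {
    "0" * 64,  # placeholder for the current certificate's fingerprint
    "1" * 64,  # placeholder for the backup certificate's fingerprint
}


def insecure_context():
    """The weak pattern the study found: every certificate is accepted.

    With verification off, anyone who can sit between the device and the
    server (for example on open Wi-Fi) can present their own certificate and
    read or alter the traffic; there is no man-in-the-middle protection left.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert):
    """Hex SHA-256 over the DER-encoded certificate; this is the pinned value."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True if the presented leaf certificate matches any shipped pin.

    compare_digest keeps the comparison constant-time for each candidate.
    """
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def pinned_connect(host, port, pins, timeout=5.0):
    """Hardened form: default verification (CERT_REQUIRED, host name check)
    plus a pin check on the leaf certificate after the handshake.

    Returns the connected TLS socket, or raises ssl.SSLError when the server's
    certificate is valid under the system trust store but not one we pinned.
    """
    ctx = ssl.create_default_context()   # chain + host name validation stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(
            f"certificate pin mismatch for {host}: got {fingerprint(der)}")
    return tls


if __name__ == "__main__":
    # Offline demonstration of the pin check on a constructed byte string.
    fake_leaf = b"constructed DER bytes, not a real certificate"
    good_pins = {fingerprint(fake_leaf)}
    print("matches shipped pin:", pin_matches(fake_leaf, good_pins))
    print("matches placeholder pins:", pin_matches(fake_leaf, PINNED_FINGERPRINTS))
```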
Local storage of data

Another area of common failings is local storage of data. Although most of the latest iOS and Android devices will do volume-based encryption by default and provide very good functionality to store “secrets” that have extra encryption applied and are unlocked only if the app is authenticated, Lyne said this functionality is used very poorly and inconsistently by most mobile apps. “Only around 3% of apps stick to an astonishing amount of best practice, like the Twitter app which has two-factor authentication, but then there is this cliff where all of the best standards and practices are not applied and all the data is put into the same unimportant bucket to be stored on the device,” he said. The result is a very weak app ecosystem, where app A can see data from app B and there is a “flat” data model on the device, similar to that which was on PCs up until a few years ago.

The study also focuses on the use of credentials and authentication, and has found this to be another area of poor practice in about 90% of the apps analysed. Credentials are often sent “over the wire” using just hashing, often with outdated mechanisms such as MD5 and SHA-1 without salting, instead of using standards such as OAuth and SAML. “The majority of the authentication we have seen uses models that are abysmally poor,” said Lyne. “Loads of MD5 passwords unhashed are being sent, which requires the user to have an incredibly strong password to avoid it being cracked.”

Authentication poorly deployed

“Authentication, which should be a very solved problem in 2016 with all the wonderful program libraries available and all the functionality built into mobiles, is very poorly deployed,” he added. In many cases, simply adding a single argument to the code would turn on the built-in functionality that would fix the problem, said Lyne. In some of the latest Android releases, he said, Google has done some “amazing work” to implement security features in the operating system.

“We are seeing some really good generic exploit prevention in Android, but on top of that you have this layer of apps that are failing to do the security basics and check for basic flaws,” he added. Lyne blames the huge focus on rapid app development over “quality solution engineering” and “almost no investment” in checking mobile apps for poor programming practices. “Any rudimentary penetration testing or quality assurance processes as part of a software development lifecycle would catch stuff like this,” said Lyne. The risk to the enterprise is that this failure to implement rudimentary security controls can be picked up by attackers using any source code scanner, he said. “At the same time, businesses are putting pretty much the same sensitive company data on mobiles as they have put on PCs in the past, and tend to trust mobiles more than PCs,” he said. “But this study shows that the mobile industry does not have the same checks and balances or the same maturity.” This means the fear that mobiles will become an easy route for attackers into the enterprise is likely to be realised as the lines between PCs and mobiles continue to blur. “The lack of security basics in mobile apps and processes for checking flaws is a really bad combination now, but in one or two years’ time, when there is even more data on mobiles and they have an even greater position of trust, we are likely to end up with a really nasty mess,” said Lyne. Attackers are aware of this situation and could already be exploiting the fact that most mobile apps are “leaving the door wide open”, but it is hard to quantify that, he said.

And even if it is not being exploited yet, Lyne said: “We are building an ecosystem with massive trust on one side and a provable lack of integrity on the other, which is a terrible combination that could really burn us.” He believes there is an urgent need for fundamental change, but says regulation is unlikely to deliver the necessary results. “It is very difficult to create a regulatory framework that has sufficient specificity to drive the desired technical behaviours,” said Lyne. However, he said some legal action could be taken in light of the fact that some failures are so great, tantamount to releasing a car to market without testing the brakes once, that they could be classified as “negligence” and challenged legally. But even if regulators or others challenge the status quo on grounds of negligence, Lyne said it is unlikely to drive any significant change. “What is really required would be a change in consumer or end-user values to believe that mobile application security is important, but that is unlikely given the trust people have in mobiles and the fact that most are completely unaware of the flaws,” he said. “The only thing likely to break the back of it is a really, really bad or nasty series of incidents that force companies to make changes due to bad press and consumers becoming more wary and demanding in terms of security. But in the meantime, who knows how much data siphoning is occurring.”
If you're a gamer (or anyone else), this is not a screen you want to see. (Image: Bromium Labs)

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them. "WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit." According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites it observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below (image: Sucuri). To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing their domains as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users.

During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, and detection of the payload it delivered was also limited (the blog post didn't provide specifics).

Driveby attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote: The malware tries to infect all accessible .js files.

This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination.
It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection.
In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.
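As an added example that is not from the Ars Technica post or from Sucuri: a baseline integrity check that reports changed .js files under a hosting account and flags an identical block appended across several site directories, which is the cross-site contamination pattern Sinegubko describes. The file contents are constructed samples and the appended block is inert text standing in for the encrypted payload.

```python
"""Detect appended .js injections spanning several sites (added example).

Not from the Ars Technica post or from Sucuri. Given a trusted baseline of
file hashes, it lists every .js file that changed and then checks whether the
changed files across different site directories share one long identical
tail, the sign that a single injection touched every accessible .js file and
that cleaning one site alone will not hold.
"""
import hashlib
import os

# Constructed sample: two sites under one hosting account, before and after
# an injection. The appended block is inert text, not real malware.
INJECTED_TAIL = ("\n;(function(){/* constructed stand-in for an appended, "
                 "obfuscated redirect payload */})();\n")
CLEAN_FILES = {
    "blog.example/js/app.js": "function init(){console.log('app');}\n",
    "blog.example/js/vendor.js": "var vendor={};\n",
    "old-test.example/js/app.js": "function init(){console.log('test');}\n",
    "old-test.example/js/theme.js": "var theme='dark';\n",
}
INFECTED_FILES = {p: body + INJECTED_TAIL for p, body in CLEAN_FILES.items()}


def load_js_tree(root):
    """Read every .js file under a real hosting-account root into {relpath: text}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def site_of(path):
    """The first path component is the site directory under the account."""
    return path.split("/", 1)[0]


def snapshot(files):
    """Integrity baseline: SHA-256 of each .js file, keyed by relative path."""
    return {p: hashlib.sha256(body.encode()).hexdigest()
            for p, body in files.items() if p.endswith(".js")}


def changed_files(baseline, files):
    """Paths whose current hash differs from the baseline (new files included)."""
    current = snapshot(files)
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def common_suffix(strings):
    """Longest suffix shared by every string in the list ('' if none)."""
    if not strings:
        return ""
    suffix = strings[0]
    for s in strings[1:]:
        n = 0
        while n < min(len(suffix), len(s)) and suffix[-1 - n] == s[-1 - n]:
            n += 1
        suffix = suffix[len(suffix) - n:] if n else ""
        if not suffix:
            break
    return suffix


def appended_block(files, changed, min_len=40):
    """Shared trailing block among the changed files and the sites it spans.

    Returns (tail, sites); tail is None when the changed files share no
    sufficiently long common ending, so a real appended payload is unlikely.
    """
    tail = common_suffix([files[p] for p in changed])
    if len(tail) < min_len:
        return None, set()
    return tail, {site_of(p) for p in changed}


def analyse(baseline, files):
    """Report changed files and whether one block was appended across sites."""
    changed = changed_files(baseline, files)
    tail, sites = appended_block(files, changed)
    return {"changed": changed, "tail": tail, "sites": sorted(sites),
            "cross_site": len(sites) > 1}


if __name__ == "__main__":
    report = analyse(snapshot(CLEAN_FILES), INFECTED_FILES)
    print(f"{len(report['changed'])} .js files changed since baseline")
    if report["cross_site"]:
        print("identical block appended across sites:", report["sites"])
        print("clean or isolate all of them together, not one at a time")
```

For a live server, build the baseline with `snapshot(load_js_tree(root))` from a known-clean state (or a clean backup) and rerun `analyse` against `load_js_tree(root)` after any suspected incident.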
Comodo Chromodo browser, version 45.8.12.391, and possibly earlier, bundles the Ad Sanitizer extension, version 1.4.0.26, which disables the same origin policy, allowing for the possibility of cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated release of Chromium with known vulnerabilities.
Google plans to disable support for SSL 3.0 in an upcoming Chrome release. Mozilla has similar intentions. Google researchers first publicly disclosed a flaw dubbed "POODLE" in the SSL 3.0 protocol on Oct. 14. Though Google made a patch available for servers to help mitigate the risk, one of the best long-term solutions to the flaw is for browser vendors to drop support for SSL 3.0, which is now what Google is pledging to do for its Chrome browser. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability could potentially enable an attacker to access and read encrypted communications. SSL 3.0 is a legacy protocol that has been replaced by the newer TLS 1.2, although many browser and server vendors have still supported SSL 3.0 as a fallback mechanism.

In a mailing list posting, Google developer Adam Langley wrote that for the upcoming Chrome 39 stable release, SSL 3.0 fallback will be disabled. "SSLv3 fallback is only needed to support buggy HTTPS servers," Langley wrote. "Servers that correctly support only SSLv3 will continue to work (for now), but some buggy servers may stop working." If a user hits a server or online application that doesn't work because of the SSL 3.0 fallback removal, Chrome will show a yellow badge over the lock icon in the browser. By disabling the fallback and showing the yellow warning badge, Google is giving site owners a chance to update their sites before SSL 3.0 is dropped entirely. The current plan is for Chrome 40 to completely disable SSL 3.0 support.

Google isn't the only browser vendor to take steps to limit the risk of POODLE. The upcoming Mozilla Firefox 34 release is also set to remove support for SSL 3.0. Microsoft, however, is taking a slightly different tack for its Internet Explorer browser. There is now a "Fix it" tool from Microsoft to disable support for SSL 3.0. When POODLE was first reported on Oct. 14, Microsoft wrote in an advisory that, "considering the attack scenario, this vulnerability is not considered high risk to customers." Apple has also taken steps to limit its users' exposure to POODLE. In its Mac OS X operating systems, Apple has not entirely blocked SSL 3.0, but rather has disabled the use of CBC, or cipher block chaining, with Secure Sockets Layer (SSL), which is the root cause of the POODLE flaw.

Though the POODLE flaw was disclosed two weeks ago, to date there have been no public reports of any exploitation as a result of the vulnerability. In contrast, a SQL injection vulnerability reported in the open-source Drupal content management system on Oct. 15 was exploited by attackers within seven hours. The fact that POODLE has not been actively exploited is likely due to a number of factors, including very low usage of SSL 3.0. Mozilla noted when POODLE was first disclosed that SSL 3.0 only accounted for 0.3 percent of all HTTPS connections.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.