Category Archives: Spam and scams

Security roundup for March 2016

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.

Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to Gmail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that the vulnerabilities are too difficult to exploit to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.”

Avoid Hola’s free VPN service

In the wake of Snowden’s revelations, many people have started using VPN services to encrypt their online activities. Until recently, one popular choice was Hola’s free VPN.

Researchers have discovered that Hola is selling access to the resources of its users, creating what has been described as a botnet, which may have been used for malicious activities.

Hola has been scrambling to deal with the public backlash over this news, but so far all they’ve done is retroactively update their FAQ, adding statements about what Hola can do with your computer if you’ve installed their software.

Recommendation: avoid Hola completely. This kind of deceptive behaviour should not be encouraged. If you’ve been using Hola, check your level of exposure using this handy tool.

Test your skill: spot the phishing email

A short quiz, provided by anti-malware software maker McAfee, allows you to test your skill at identifying phishing email.

In the quiz, you are presented with ten email samples, and asked to decide whether they are phishing email.

What is phishing? From Wikipedia: “Phishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”

Hint: look for links in each of the sample messages. Hover your mouse over each link, and compare the address with the supposed sender. If a link points to a site that’s unrelated to the supposed sender, the email is probably not legitimate.
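The hover-and-compare check from the hint above, automated over a constructed sample message. This is an added example, not part of the original post or McAfee’s quiz; every host and address in it is made up, and the “last two labels” rule for a site’s domain is a simplification (no public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on a "mailbox full" phish; every address and
# host here is made up. The visible link text and the real href disagree.
SAMPLE = """From: IT Helpdesk <helpdesk@example-corp.com>
To: someone@example-corp.com
Subject: Your mailbox is full
Content-Type: text/html

<p>Your mailbox is full. Expand your quota with the link below:</p>
<a href="http://quota-fix.example-hosting.net/login">https://webmail.example-corp.com</a>
<p>Thank you for your understanding.</p>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r"""<a\s[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>""", re.I | re.S)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def site_of(host):
    """Crude registrable domain: the last two labels (assumption, no public-suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def suspicious_links(raw_message):
    """Return (url, reason) for every link the hover-and-compare check would catch."""
    msg = message_from_string(raw_message)
    sender_site = site_of(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")
    findings = []
    # 1. Link text that displays one URL while the href points somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group()) != host_of(href):
            findings.append((href, f"text shows {host_of(shown.group())} but link goes to {host_of(href)}"))
    # 2. Any link whose site is not the sender's site (the hint in the post).
    for url in dict.fromkeys(URL_RE.findall(body)):
        if site_of(host_of(url)) != sender_site:
            findings.append((url, f"{host_of(url)} is not under sender domain {sender_site}"))
    return findings


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE):
        print(f"SUSPICIOUS {url}: {reason}")
```

A mismatch is a strong hint, not proof: legitimate senders sometimes link to third-party hosts, so treat a flagged message as one to verify out of band rather than to act on.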

Hat tip to reader tap tap.

Google’s efforts to clean up ad injection on the web

A recent post on the Chrome blog discusses Google’s recent efforts to clean up the growing problem of ad injection on the web.

From the post: “Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web.” If you’re seeing a lot of advertising on all the sites you visit, and much of it seems unrelated to the site, your computer may be running one or more ad injectors.

Ad injectors are unwanted software that is surreptitiously installed on victims’ computers through a variety of tricks, including “marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns.”

The ad injection ‘ecosystem’ is complex, and at any given time there are thousands of injection campaigns affecting web surfers.

To combat this problem, Google has identified and removed 192 apps – identified as contributing to ad injection systems – from the Chrome Web Store. Improvements in the Chrome Web Store and Chrome itself help to protect against ad injection software. And Google is reaching out to advertising networks, to assist them in eliminating ad injection. Most importantly, Google’s AdWords network policies have been tweaked, to make it more difficult for the perpetrators of ad injection schemes to promote malicious software.

Recent surge in spam likely due to Mumblehard botnet

If you noticed more spam than usual in your inbox in recent months, you’re not alone. You may also have noticed that using your email client to block the sender is typically ineffective. That’s because the spam is coming from thousands of different domains, each corresponding to a different compromised web server.

This is the work of the Mumblehard botnet, which ESET researchers observed sending mass spam starting about seven months ago. The Mumblehard code has existed on the web for at least five years, but seems to have started its spamming activities on a large scale only in the last year or so.

Computers infected with Mumblehard are typically Linux web servers. It remains unclear exactly how servers become infected, but researchers suspect that unpatched WordPress and Joomla vulnerabilities provide the key.

CRTC follows through on its efforts to curb spam

The Canadian Radio-television and Telecommunications Commission (CRTC) has handed out steep penalties to three organizations for failing to comply with Canada’s new anti-spam regulations.

Up to this point, there has been some doubt as to whether the CRTC and the Competition Bureau would follow through on the promise of the new law. Doubt no more: the worst offender was a Quebec company called Compu-Finder, which received a whopping 1.1 million dollar fine.

It’s not often that I find a reason to praise the CRTC, but this is one of those times. Nice work, folks! Keep it up.

WordPress sites targeted by pro-ISIL hacks

An active campaign pushing the agenda of ISIL is being perpetrated mainly via hacked WordPress sites. The FBI has issued a related warning.

Anyone who runs a WordPress site should immediately ensure that it is up to date with all WordPress and plugin updates. Of course this won’t help if your site has already been hacked, so if you have any doubt, please scan your site with one (or preferably all) of the following web-based site scanners:

Meanwhile, yet another popular WordPress plugin has been found to contain a serious vulnerability. The site caching plugin WP-Super-Cache has a nasty cross-site scripting bug. Anyone using this plugin on a WordPress site needs to update it to the fixed version (1.4.4) immediately.

Reporting hack attempts, phishing and spam

Over the years, I’ve tried to be a good Internet citizen and report abuse (hack attempts, spam, etc.). This can be a daunting task, and the results are often less than satisfactory. For most people, the time wasted on spotting and deleting spam is bad enough; the extra work of reporting spam can seem like a tedious chore.

Reporting abuse can produce wildly varying results. Here are a few examples from my own recent experience:

BT Italy

Over the past couple of months, one of the WordPress sites I manage has seen a steady stream of ‘admin’ login attempts from computers in Italy, most of which connect to the Internet via the ISPs albacom.net and fastweb.it. Literally thousands of different albacom.net and fastweb.it IP addresses were being used in the attacks.

Since the majority of these login attempts were from albacom.net, I initially focused on Albacom. I discovered that most of the devices at the other end of these attacks were Aethra BG1242W ISDN modem/routers. These appear to be the standard modem/router provided by Albacom to their customers. I was horrified to find that I could log into these devices via their web interface. Clearly Albacom’s dedication to security is severely lacking. Of course it’s difficult to know for sure whether the attacks were coming directly from these (presumably hacked) routers, or from (also presumably hacked) computers connected to them.

Apparently, British Telecom (BT Italy) is in the process of acquiring Albacom. This is undoubtedly creating some confusion there, but that’s really no excuse for any of this.

I tried various methods for reporting this to Albacom:

  • sent email to the abuse address on record for albacom.net, but every attempt bounced, saying that the user’s mailbox was full;
  • sent email to the technical contact on record for albacom.net, but this was ignored;
  • tweeted about the problem on the main BT Twitter account, but my tweets were immediately deleted.

This is a terrific example of how not to handle abuse reports. I don’t know what’s going on with BT Italy, but clearly they are having serious issues.

I also reported this on the Wordfence support forum, to see if anyone else might be seeing this problem. Wordfence is an excellent WordPress security plugin, and it was Wordfence that was detecting (and blocking) these login attempts. Sure enough, several other people reported seeing this problem on their sites.

A few weeks later, the login attempts from Italy stopped – for my own site and for others. Then they started up again for some sites, but luckily not for mine.

SpamCop

I recently signed up at SpamCop.net and started submitting the numerous spam messages I receive daily for one particular address. SpamCop’s submission process analyzes submitted email and makes recommendations about where to report it. Note: you must configure your email client so that you can see the entire message source, including all headers, for this to work.

The submission process is well explained at each stage, and provides useful warnings to the submitter about making sure that the submission is actually spam, and so on. A lot of technical information is displayed with the analysis, but much of that can be hidden if you prefer to concentrate on the basics.

SpamCop uses spam submissions to create a block list, which is used in conjunction with similar lists from other sources, by ISPs and other mail providers, to help filter out spam before it reaches user inboxes.

If you’re willing to put in the effort, I highly recommend signing up.

Moonfruit

A few days ago, I received this (admittedly very lame) phishing attempt in my inbox:

Your mailbox is full of, 00.1 GB, Please reduce your mailbox size.
Delete any items you don't need from your mailbox and expand your
email quota (size) with the below web links: CLICK HERE
http://REMOVED.moonfruit.com/
Thank you for your understanding.
©2015 Helpdesk

I went to the site in question (with NoScript enabled and blocking all scripts) and confirmed that this was indeed an attempt to con me into entering private information into a form.

A bit of searching revealed that Moonfruit is a web-based service that allows clients to set up web sites with minimal effort. It’s a totally legitimate company. Customer web sites hosted by Moonfruit have URLs like this: whatever.moonfruit.com. Whoever set up the phishing site just happened to use Moonfruit as the host.

So I decided to try reporting this to Moonfruit support. I easily found the contact page on their web site and submitted a general query about the phishing attempt, including the text of the email. I wasn’t sure this would amount to anything, especially since I’m not a Moonfruit customer. I immediately received a confirmation of my submission, and was then delighted to receive the following response from Moonfruit, within an hour of my submission:

Thanks for bringing this to our attention.
We have closed the site and the associated accounts, and banned the user.

Now THAT’S how you deal with abuse reports. Nice work, Moonfruit!